diff --git a/src/security/intel/txt/getsec.c b/src/security/intel/txt/getsec.c
index af9b7bb471..cd2292745f 100644
--- a/src/security/intel/txt/getsec.c
+++ b/src/security/intel/txt/getsec.c
@@ -9,6 +9,7 @@
 #include <cpu/x86/mp.h>
 #include <cpu/x86/msr.h>
 #include <types.h>
+#include <rules.h>
 
 #include "txt_register.h"
 #include "txt_getsec.h"
@@ -24,16 +25,26 @@ static bool getsec_enabled(void)
 	/*
 	 * Check if SMX and VMX is supported by CPU.
 	 */
-	if (!(ecx & CPUID_SMX) || !(ecx & CPUID_VMX))
+	if (!(ecx & CPUID_SMX) || !(ecx & CPUID_VMX)) {
+		printk(BIOS_ERR, "SMX/VMX not supported by CPU\n");
 		return false;
-
+	}
 	/*
-	 * Check if SMX, VMX and GetSec instructions haven't been disabled.
+	 * This requirement is not needed for ENTERACCS, but for SENTER (see SDM).
+	 * Skip check in romstage because IA32_FEATURE_CONTROL cannot be unlocked
+	 * even after a global reset e.g. on Sandy/IvyBridge. However the register
+	 * gets set properly in ramstage where all CPUs are already initialized.
 	 */
-	msr_t msr = rdmsr(IA32_FEATURE_CONTROL);
-	if ((msr.lo & 0xff06) != 0xff06)
-		return false;
-
+	if (!ENV_ROMSTAGE_OR_BEFORE) {
+		/*
+		* Check if SMX, VMX and GetSec instructions haven't been disabled.
+		*/
+		msr_t msr = rdmsr(IA32_FEATURE_CONTROL);
+		if ((msr.lo & 0xff06) != 0xff06) {
+			printk(BIOS_ERR, "GETSEC not enabled in IA32_FEATURE_CONTROL MSR\n");
+			return false;
+		}
+	}
 	/*
 	 * Enable SMX. Required to execute GetSec instruction.
 	 * Chapter 2.2.4.3
diff --git a/src/security/intel/txt/romstage.c b/src/security/intel/txt/romstage.c
index 63db10f8c3..98308b7ba1 100644
--- a/src/security/intel/txt/romstage.c
+++ b/src/security/intel/txt/romstage.c
@@ -5,6 +5,7 @@
 #include <cf9_reset.h>
 #include <console/console.h>
 #include <cpu/intel/common/common.h>
+#include <cpu/x86/cr.h>
 #include <cpu/x86/msr.h>
 #include <southbridge/intel/common/pmbase.h>
 #include <timer.h>
@@ -83,14 +84,22 @@ static void print_memory_is_locked(void)
 void intel_txt_romstage_init(void)
 {
 	/* Bail early if the CPU doesn't support TXT */
-	if (!is_txt_cpu())
+	if (!is_txt_cpu()) {
+		printk(BIOS_ERR, "TEE-TXT: CPU not TXT capable.\n");
 		return;
+	}
 
-	/* We need to use GETSEC here, so enable it */
-	enable_getsec_or_reset();
+	/*
+	 * We need to use GETSEC here, so enable it.
+	 * CR4_SMXE is all we need to be able to call GETSEC[CAPABILITIES]
+	 * or GETSEC[ENTERACCS] for SCLEAN.
+	 */
+	write_cr4(read_cr4() | CR4_SMXE);
 
-	if (!is_txt_chipset())
+	if (!is_txt_chipset()) {
+		printk(BIOS_ERR, "TEE-TXT: Chipset not TXT capable.\n");
 		return;
+	}
 
 	const uint8_t txt_ests = read8((void *)TXT_ESTS);