cpu/intel/common: add a Kconfig to control AES-NI locking

Add a Kconfig to be able to disable locking of AES-NI for e.g debugging,
testing, ...

Change-Id: I4eaf8d7d187188ee6e78741b1ceb837c40c2c402
Signed-off-by: Michael Niewöhner <foss@mniewoehner.de>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46277
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
Reviewed-by: Nico Huber <nico.h@gmx.de>

src/cpu/intel/common/Kconfig

@@ -19,6 +19,14 @@ config SET_IA32_FC_LOCK_BIT
 	  However, leaving the lock bit unset will break Windows' detection of
 	  VMX support and built-in virtualization features like Hyper-V.
 
+config SET_MSR_AESNI_LOCK_BIT
+	bool "Lock the AES-NI enablement state"
+	default y
+	help
+	  This config sets the AES-NI lock bit, if available, to prevent any
+	  further change of AES-NI enablement. This may be disabled for e.g.
+	  testing or debugging.
+
 config CPU_INTEL_COMMON_TIMEBASE
 	bool
 

src/cpu/intel/common/common_init.c

@@ -270,6 +270,9 @@ void set_aesni_lock(void)
 {
 	msr_t msr;
 
+	if (!CONFIG(SET_MSR_AESNI_LOCK_BIT))
+		return;
+
 	if (cpu_get_feature_flags_ecx() & CPUID_AES)
 		return;