cpu/intel/common: add a Kconfig to control AES-NI locking

Add a Kconfig to be able to disable locking of AES-NI for e.g debugging,
testing, ...

Change-Id: I4eaf8d7d187188ee6e78741b1ceb837c40c2c402
Signed-off-by: Michael Niewöhner <foss@mniewoehner.de>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46277
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
Reviewed-by: Nico Huber <nico.h@gmx.de>
This commit is contained in:
Michael Niewöhner 2020-10-11 16:59:13 +02:00 committed by Nico Huber
parent 469a99b5c8
commit 2ffd219886
2 changed files with 11 additions and 0 deletions

View file

@ -19,6 +19,14 @@ config SET_IA32_FC_LOCK_BIT
However, leaving the lock bit unset will break Windows' detection of
VMX support and built-in virtualization features like Hyper-V.
config SET_MSR_AESNI_LOCK_BIT
bool "Lock the AES-NI enablement state"
default y
help
This config sets the AES-NI lock bit, if available, to prevent any
further change of AES-NI enablement. This may be disabled for e.g.
testing or debugging.
config CPU_INTEL_COMMON_TIMEBASE
bool

View file

@ -270,6 +270,9 @@ void set_aesni_lock(void)
{
msr_t msr;
if (!CONFIG(SET_MSR_AESNI_LOCK_BIT))
return;
if (cpu_get_feature_flags_ecx() & CPUID_AES)
return;