cpu/intel/common: add a Kconfig to control AES-NI locking

Add a Kconfig to be able to disable locking of AES-NI for e.g debugging,
testing, ...

Change-Id: I4eaf8d7d187188ee6e78741b1ceb837c40c2c402
Signed-off-by: Michael Niewöhner <foss@mniewoehner.de>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/46277
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
Reviewed-by: Nico Huber <nico.h@gmx.de>

2 files changed, 11 insertions, 0 deletions

diff --git a/src/cpu/intel/common/Kconfig b/src/cpu/intel/common/Kconfig
index 064e67b6db..01f2721b59 100644
--- a/src/cpu/intel/common/Kconfig
+++ b/src/cpu/intel/common/Kconfig
@@ -19,6 +19,14 @@ config SET_IA32_FC_LOCK_BIT
 	  However, leaving the lock bit unset will break Windows' detection of
 	  VMX support and built-in virtualization features like Hyper-V.
 
+config SET_MSR_AESNI_LOCK_BIT
+	bool "Lock the AES-NI enablement state"
+	default y
+	help
+	  This config sets the AES-NI lock bit, if available, to prevent any
+	  further change of AES-NI enablement. This may be disabled for e.g.
+	  testing or debugging.
+
 config CPU_INTEL_COMMON_TIMEBASE
 	bool
 
diff --git a/src/cpu/intel/common/common_init.c b/src/cpu/intel/common/common_init.c
index fc5360d001..45680146ad 100644
--- a/src/cpu/intel/common/common_init.c
+++ b/src/cpu/intel/common/common_init.c
@@ -270,6 +270,9 @@ void set_aesni_lock(void)
 {
 	msr_t msr;
 
+	if (!CONFIG(SET_MSR_AESNI_LOCK_BIT))
+		return;
+
 	if (cpu_get_feature_flags_ecx() & CPUID_AES)
 		return;