From 2ffd2198863fe8e971b56fc146339cc4dbd56295 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michael=20Niew=C3=B6hner?= Date: Sun, 11 Oct 2020 16:59:13 +0200 Subject: cpu/intel/common: add a Kconfig to control AES-NI locking MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a Kconfig to be able to disable locking of AES-NI for e.g debugging, testing, ... Change-Id: I4eaf8d7d187188ee6e78741b1ceb837c40c2c402 Signed-off-by: Michael Niewöhner Reviewed-on: https://review.coreboot.org/c/coreboot/+/46277 Tested-by: build bot (Jenkins) Reviewed-by: Tim Wawrzynczak Reviewed-by: Nico Huber --- src/cpu/intel/common/Kconfig | 8 ++++++++ src/cpu/intel/common/common_init.c | 3 +++ 2 files changed, 11 insertions(+) diff --git a/src/cpu/intel/common/Kconfig b/src/cpu/intel/common/Kconfig index 064e67b6db..01f2721b59 100644 --- a/src/cpu/intel/common/Kconfig +++ b/src/cpu/intel/common/Kconfig @@ -19,6 +19,14 @@ config SET_IA32_FC_LOCK_BIT However, leaving the lock bit unset will break Windows' detection of VMX support and built-in virtualization features like Hyper-V. +config SET_MSR_AESNI_LOCK_BIT + bool "Lock the AES-NI enablement state" + default y + help + This config sets the AES-NI lock bit, if available, to prevent any + further change of AES-NI enablement. This may be disabled for e.g. + testing or debugging. + config CPU_INTEL_COMMON_TIMEBASE bool diff --git a/src/cpu/intel/common/common_init.c b/src/cpu/intel/common/common_init.c index fc5360d001..45680146ad 100644 --- a/src/cpu/intel/common/common_init.c +++ b/src/cpu/intel/common/common_init.c @@ -270,6 +270,9 @@ void set_aesni_lock(void) { msr_t msr; + if (!CONFIG(SET_MSR_AESNI_LOCK_BIT)) + return; + if (cpu_get_feature_flags_ecx() & CPUID_AES) return; -- cgit v1.2.3