Name of user not set #1002424 has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/33162
Change subject: Add option to disable CPU AES ......................................................................
Add option to disable CPU AES
Added an option (CPU_DISABLE_HW_AES) to cpu/Kconfig that allows disabling CPU hardware-accelerated AES.
For Intel CPUs, this feature is named "AES-NI", and it is controlled via a Model Specific Register (MSR) called MSR_FEATURE_CONFIG. I have modified the code for some Intel CPUs to disable AES-NI if that Kconfig option is enabled.
Change-Id: I61da765b4c6efc73b2379c075c3ab46d16764dc4 Signed-off-by: Vladocb vladocb@protonmail.com --- M src/cpu/Kconfig M src/cpu/intel/fsp_model_406dx/model_406dx_init.c M src/cpu/intel/haswell/finalize.c M src/cpu/intel/model_2065x/finalize.c M src/cpu/intel/model_206ax/finalize.c M src/soc/intel/apollolake/cpu.c 6 files changed, 55 insertions(+), 6 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/62/33162/1
diff --git a/src/cpu/Kconfig b/src/cpu/Kconfig
index 6078022..5d5b338 100644
--- a/src/cpu/Kconfig
+++ b/src/cpu/Kconfig
@@ -223,3 +223,10 @@
 microcode binary files to include, separated by spaces.
If unsure, leave this blank.
+
+config CPU_DISABLE_HW_AES
+ bool "Disable CPU hardware-accelerated AES cryptographic instructions"
+ default n
+ help
+ Check this in to disable AES cryptographic hardware acceleration on the CPU.
+
diff --git a/src/cpu/intel/fsp_model_406dx/model_406dx_init.c b/src/cpu/intel/fsp_model_406dx/model_406dx_init.c
index efa8693..e923e50 100644
--- a/src/cpu/intel/fsp_model_406dx/model_406dx_init.c
+++ b/src/cpu/intel/fsp_model_406dx/model_406dx_init.c
@@ -56,16 +56,26 @@
 msr.lo = 0;
 msr.hi = 0;
 wrmsr(IA32_THERM_INTERRUPT, msr);
+
+ /* AES_NI */
+#if CONFIG(CPU_DISABLE_HW_AES)
+ /* disable AES-NI, and lock feature bit using mask 11b=0x3 */
+ msr.lo = 0x3u;
+ msr.hi = 0x0u;
+ wrmsr(MSR_FEATURE_CONFIG, msr);
+#else
+ /* enable AES-NI */
+ msr_set_bit(MSR_FEATURE_CONFIG, 0);
+#endif
 }
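Review bot: `CPU_DISABLE_HW_AES` is declared in the generic `src/cpu/Kconfig` with no `depends on`, so it can be selected for any CPU, while the commit only wires it up for the five Intel files listed in the diffstat. On every other platform the option would be accepted and silently do nothing, which is the wrong failure mode for a hardening switch: the builder believes AES instructions are off when they are not. Gate the prompt on a capability symbol that only the supporting CPU/SoC Kconfigs select (name to be chosen by the project), and state in the help text that the setting stays locked until the next reset and which CPU families honor it. The help wording "Check this in" would also read better as "Select this".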
static void configure_mca(void)
 {
 msr_t msr;
- int i;
- msr.lo = msr.hi = 0;
+ msr.lo = msr.hi = 0x0u;
 /* This should only be done on a cold boot */
- for (i = 0; i < 6; i++)
+ for (int i = 0; i < 6; i++)
 wrmsr(IA32_MC0_STATUS + (i * 4), msr);
 }
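Review bot: Both added branches touch `MSR_FEATURE_CONFIG` without the `cpuid_ecx(1) & (1 << 25)` guard that the finalize.c files in this same change keep, so whether the access is safe on a part that does not report AES-NI cannot be confirmed from the hunk. The disable branch also stores `msr.lo = 0x3u; msr.hi = 0x0u;` over the whole 64-bit register rather than setting bits 1:0 on the value read back, which clears any other bits that may be defined. The `#else` branch adds a lock write that this file did not perform before, which is a behaviour change for builds that leave the option off and deserves a mention in the commit message. A guarded read-modify-write under `if (CONFIG(...))` keeps both branches compiled; the enclosing function starts above the hunk. The `0x0u` and `for (int i ...)` edits in `configure_mca()` are unrelated to the option and would be easier to review as a separate change.

```c
	wrmsr(IA32_THERM_INTERRUPT, msr);

	/* AES-NI: only touch the MSR when CPUID reports the feature */
	if (cpuid_ecx(1) & (1 << 25)) {
		if (CONFIG(CPU_DISABLE_HW_AES)) {
			/* set disable (bit 1) and lock (bit 0), keep other bits */
			msr = rdmsr(MSR_FEATURE_CONFIG);
			msr.lo |= 0x3;
			wrmsr(MSR_FEATURE_CONFIG, msr);
		} else {
			/* lock with AES-NI left enabled */
			msr_set_bit(MSR_FEATURE_CONFIG, 0);
		}
	}
	/* … unchanged: end of function and configure_mca() … */
```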
diff --git a/src/cpu/intel/haswell/finalize.c b/src/cpu/intel/haswell/finalize.c
index cc2d1a4..3a18eda 100644
--- a/src/cpu/intel/haswell/finalize.c
+++ b/src/cpu/intel/haswell/finalize.c
@@ -51,8 +51,16 @@
 msr_set_bit(MSR_PKG_CST_CONFIG_CONTROL, 15);
/* Lock AES-NI only if supported */
- if (cpuid_ecx(1) & (1 << 25))
+ if (cpuid_ecx(1) & (1 << 25)) {
+#if CONFIG(CPU_DISABLE_HW_AES)
+ /* disable AES-NI, and lock feature bit using mask 11b=0x3 */
+ const msr_t myMsr = { 0x3u, 0x0u };
+ wrmsr(MSR_FEATURE_CONFIG, myMsr);
+#else
+ /* keep AES-NI enabled */
 msr_set_bit(MSR_FEATURE_CONFIG, 0);
+#endif
+ }
#ifdef LOCK_POWER_CONTROL_REGISTERS
 /*
diff --git a/src/cpu/intel/model_2065x/finalize.c b/src/cpu/intel/model_2065x/finalize.c
index 5b85601..ced5ee3 100644
--- a/src/cpu/intel/model_2065x/finalize.c
+++ b/src/cpu/intel/model_2065x/finalize.c
@@ -49,8 +49,15 @@
 msr_set_bit(MSR_PKG_CST_CONFIG_CONTROL, 15);
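Review bot: `const msr_t myMsr = { 0x3u, 0x0u };` in the disable branch replaces the whole register instead of setting bits on its current value, and it depends on the field order of `msr_t` through a positional initializer; the same lines are repeated in the model_2065x and model_206ax hunks. Reading the register first keeps any other bits intact and makes the intent visible: `msr_t msr = rdmsr(MSR_FEATURE_CONFIG);`, `msr.lo |= 0x3;`, `wrmsr(MSR_FEATURE_CONFIG, msr);`. The camelCase name `myMsr` stands out against the snake_case identifiers around it, and `if (CONFIG(CPU_DISABLE_HW_AES))` instead of `#if` would keep both branches compiled. The existing comment "Lock AES-NI only if supported" no longer describes the disable path and should be reworded. If this finalize path runs on only one core (not visible in the hunk), the other cores would keep AES-NI enabled, so it is worth confirming that the write reaches every core.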
/* Lock AES-NI only if supported */
- if (cpuid_ecx(1) & (1 << 25))
+ if (cpuid_ecx(1) & (1 << 25)) {
+#if CONFIG(CPU_DISABLE_HW_AES)
+ /* disable AES-NI, and lock feature bit using mask 11b=0x3 */
+ const msr_t myMsr = { 0x3u, 0x0u };
+ wrmsr(MSR_FEATURE_CONFIG, myMsr);
+#else
 msr_set_bit(MSR_FEATURE_CONFIG, 0);
+#endif
+ }
/* Lock TM interrupts - route thermal events to all processors */
 msr_set_bit(MSR_MISC_PWR_MGMT, 22);
diff --git a/src/cpu/intel/model_206ax/finalize.c b/src/cpu/intel/model_206ax/finalize.c
index 30b00bb..0e370b7 100644
--- a/src/cpu/intel/model_206ax/finalize.c
+++ b/src/cpu/intel/model_206ax/finalize.c
@@ -49,8 +49,16 @@
 msr_set_bit(MSR_PKG_CST_CONFIG_CONTROL, 15);
/* Lock AES-NI only if supported */
- if (cpuid_ecx(1) & (1 << 25))
+ if (cpuid_ecx(1) & (1 << 25)) {
+#if CONFIG(CPU_DISABLE_HW_AES)
+ /* disable AES-NI, and lock feature bit using mask 11b=0x3 */
+ const msr_t myMsr = { 0x3u, 0x0u };
+ wrmsr(MSR_FEATURE_CONFIG, myMsr);
+#else
+ /* keep AES-NI enabled */
 msr_set_bit(MSR_FEATURE_CONFIG, 0);
+#endif
+ }
#ifdef LOCK_POWER_CONTROL_REGISTERS
 /*
diff --git a/src/soc/intel/apollolake/cpu.c b/src/soc/intel/apollolake/cpu.c
index aad0f6b..96f9d9f 100644
--- a/src/soc/intel/apollolake/cpu.c
+++ b/src/soc/intel/apollolake/cpu.c
@@ -60,12 +60,21 @@
 #endif
 /* Disable C1E */
 REG_MSR_RMW(MSR_POWER_CTL, ~POWER_CTL_C1E_MASK, 0),
+#if CONFIG(CPU_DISABLE_HW_AES)
+ /*
+ * Disable and Lock the Advanced Encryption Standard (AES-NI)
+ * feature register
+ */
+ REG_MSR_RMW(MSR_FEATURE_CONFIG, FEATURE_CONFIG_RESERVED_MASK,
+ FEATURE_CONFIG_LOCK),
+#else
 /*
 * Enable and Lock the Advanced Encryption Standard (AES-NI)
 * feature register
 */
 REG_MSR_RMW(MSR_FEATURE_CONFIG, ~FEATURE_CONFIG_RESERVED_MASK,
 FEATURE_CONFIG_LOCK),
+#endif
 REG_SCRIPT_END
 };
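Review bot: The disable branch ORs in the same `FEATURE_CONFIG_LOCK` value as the enable branch and differs only in dropping the `~` from the mask, so nothing in it sets the AES-disable bit that the other files write with `0x3`. Assuming `REG_MSR_RMW(reg, mask, value)` computes `(old & mask) | value`, as its use for `MSR_POWER_CTL` two lines above suggests, the new entry clears every bit outside `FEATURE_CONFIG_RESERVED_MASK` and then locks the register with AES-NI in whatever state it already had, normally enabled. With the option selected, the configuration would therefore claim AES is disabled while the instructions stay available and are now locked on. Keep the `~FEATURE_CONFIG_RESERVED_MASK` mask and OR in the disable bit together with the lock, for example `FEATURE_CONFIG_LOCK | (1 << 1)` or a named constant for bit 1. The table this entry belongs to starts above the hunk.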