Hello build bot (Jenkins),
I'd like you to reexamine a change. Please visit
https://review.coreboot.org/c/coreboot/+/33162
to look at the new patch set (#10).
Change subject: cpu: Add option to disable CPU AES ......................................................................
cpu: Add option to disable CPU AES
Hardware-accelerated AES instructions are a security risk. Hackers can track those instructions very easily and place a function hook just a few lines before they are executed to steal all your passwords & keys.
Also, they represent a problem for many computers having highly-privileged binary blobs: they could use them to perform industrial or government espionage.
So I have added an option CPU_DISABLE_HW_AES to cpu/Kconfig to allow to disable CPU hardware-accelerated AES instructions.
For Intel CPUs, this is named "AES-NI", and it's controlled via a Model Specific Register called MSR_FEATURE_CONFIG. I have modified some Intel CPU's code to disable AES-NI if that Kconfig option is checked in.
Change-Id: I61da765b4c6efc73b2379c075c3ab46d16764dc4 Signed-off-by: Vlado CB vladocb@protonmail.com --- M src/cpu/Kconfig M src/cpu/intel/fsp_model_406dx/model_406dx_init.c M src/cpu/intel/haswell/finalize.c M src/cpu/intel/model_2065x/finalize.c M src/cpu/intel/model_206ax/finalize.c M src/soc/intel/apollolake/cpu.c 6 files changed, 71 insertions(+), 9 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/62/33162/10