Nico Huber has submitted this change. ( https://review.coreboot.org/c/coreboot/+/46277 )
Change subject: cpu/intel/common: add a Kconfig to control AES-NI locking ......................................................................
cpu/intel/common: add a Kconfig to control AES-NI locking
Add a Kconfig to be able to disable locking of AES-NI for e.g debugging, testing, ...
Change-Id: I4eaf8d7d187188ee6e78741b1ceb837c40c2c402 Signed-off-by: Michael Niewöhner foss@mniewoehner.de Reviewed-on: https://review.coreboot.org/c/coreboot/+/46277 Tested-by: build bot (Jenkins) no-reply@coreboot.org Reviewed-by: Tim Wawrzynczak twawrzynczak@chromium.org Reviewed-by: Nico Huber nico.h@gmx.de --- M src/cpu/intel/common/Kconfig M src/cpu/intel/common/common_init.c 2 files changed, 11 insertions(+), 0 deletions(-)
Approvals: build bot (Jenkins): Verified Nico Huber: Looks good to me, approved Tim Wawrzynczak: Looks good to me, approved
diff --git a/src/cpu/intel/common/Kconfig b/src/cpu/intel/common/Kconfig index 064e67b..01f2721 100644 --- a/src/cpu/intel/common/Kconfig +++ b/src/cpu/intel/common/Kconfig @@ -19,6 +19,14 @@ However, leaving the lock bit unset will break Windows' detection of VMX support and built-in virtualization features like Hyper-V.
+config SET_MSR_AESNI_LOCK_BIT + bool "Lock the AES-NI enablement state" + default y + help + This config sets the AES-NI lock bit, if available, to prevent any + further change of AES-NI enablement. This may be disabled for e.g. + testing or debugging. + config CPU_INTEL_COMMON_TIMEBASE bool
diff --git a/src/cpu/intel/common/common_init.c b/src/cpu/intel/common/common_init.c index fc5360d..4568014 100644 --- a/src/cpu/intel/common/common_init.c +++ b/src/cpu/intel/common/common_init.c @@ -270,6 +270,9 @@ { msr_t msr;
+ if (!CONFIG(SET_MSR_AESNI_LOCK_BIT)) + return; + if (cpu_get_feature_flags_ecx() & CPUID_AES) return;