Nico Huber has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/42745 )
Change subject: soc/intel: Configure PAVP at compile-time
Patch Set 7:
I don't think it's worth reasoning about the default states. The option is not documented, doesn't say what it actually does, nor how it works together with the respective ME configuration options.
Generally, I feel safe when it's disabled in the ME. Here is why I think it's not a good idea to always enable it: The internal graphics is deeply integrated into the chip. It has its own IOMMU, which doesn't seem to be as secure as the generic one. PAVP just adds more variables on top of this. Intel is so closed about the topic (and I guess has to be by contracts) that there seems to be zero knowledge about security implications, hence I assume the worst, as with all DRM tech.
Now the FSP option was mostly already enabled, so a `default n` would be wrong as it would change that. But not for Jasper Lake. So it should at least be mentioned in the commit message that CB:41763 is effectively reverted.