2 files changed, 19 insertions, 10 deletions

diff --git a/src/security/intel/txt/Kconfig b/src/security/intel/txt/Kconfig
index b1d0475edf..d3ef2a64db 100644
--- a/src/security/intel/txt/Kconfig
+++ b/src/security/intel/txt/Kconfig
@@ -40,6 +40,12 @@ config INTEL_TXT_DPR_SIZE
 	  the MRC does not have an input to specify the size of DPR, so this
 	  field is only used to check if the programmed size is large enough.
 
+config INTEL_TXT_TEST_BIOS_ACM_CALLING_CODE
+	bool "Test BIOS ACM calling code with NOP function"
+	help
+	  Run a NOP function of the BIOS ACM to check that the ACM calling code
+	  is functioning properly. Use in pre-production environments only!
+
 config INTEL_TXT_LOGGING
 	bool "Enable verbose logging"
 	help
diff --git a/src/security/intel/txt/ramstage.c b/src/security/intel/txt/ramstage.c
index 00e9ce72a2..c39194ba47 100644
--- a/src/security/intel/txt/ramstage.c
+++ b/src/security/intel/txt/ramstage.c
@@ -151,17 +151,20 @@ static void init_intel_txt(void *unused)
 		return;
 	}
 
-	printk(BIOS_INFO, "TEE-TXT: Testing BIOS ACM calling code...\n");
+	if (CONFIG(INTEL_TXT_TEST_BIOS_ACM_CALLING_CODE)) {
+		printk(BIOS_INFO, "TEE-TXT: Testing BIOS ACM calling code...\n");
 
-	/*
-	 * Test BIOS ACM code.
-	 * ACM should do nothing on reserved functions, and return an error code
-	 * in TXT_BIOSACM_ERRORCODE. Tests showed that this is not true.
-	 * Use special function "NOP" that does 'nothing'.
-	 */
-	if (intel_txt_run_bios_acm(ACMINPUT_NOP) < 0) {
-		printk(BIOS_ERR, "TEE-TXT: Error calling BIOS ACM with NOP function.\n");
-		return;
+		/*
+		 * Test BIOS ACM code.
+		 * ACM should do nothing on reserved functions, and return an error code
+		 * in TXT_BIOSACM_ERRORCODE. Tests showed that this is not true.
+		 * Use special function "NOP" that does 'nothing'.
+		 */
+		if (intel_txt_run_bios_acm(ACMINPUT_NOP) < 0) {
+			printk(BIOS_ERR,
+				"TEE-TXT: Error calling BIOS ACM with NOP function.\n");
+			return;
+		}
 	}
 
 	if (status & (ACMSTS_BIOS_TRUSTED | ACMSTS_IBB_MEASURED)) {