diff --git a/src/soc/intel/apollolake/Kconfig b/src/soc/intel/apollolake/Kconfig
index 6769af0..b37cde6 100644
--- a/src/soc/intel/apollolake/Kconfig
+++ b/src/soc/intel/apollolake/Kconfig
@@ -36,6 +36,7 @@
 	select NO_FIXED_XIP_ROM_SIZE
 	select NO_XIP_EARLY_STAGES
 	select PARALLEL_MP
+	select PARALLEL_MP_AP_WORK
 	select PCIEXP_ASPM
 	select PCIEXP_COMMON_CLOCK
 	select PCIEXP_CLK_PM
diff --git a/src/soc/intel/apollolake/chip.c b/src/soc/intel/apollolake/chip.c
index 171e01e..a24ca33 100644
--- a/src/soc/intel/apollolake/chip.c
+++ b/src/soc/intel/apollolake/chip.c
@@ -21,6 +21,7 @@
 #include <cbmem.h>
 #include <console/console.h>
 #include <cpu/cpu.h>
+#include <cpu/x86/mp.h>
 #include <device/device.h>
 #include <device/pci.h>
 #include <fsp/api.h>
@@ -499,11 +500,26 @@
 	.final = &soc_final
 };
 
+static void drop_privilege_all(void)
+{
+	/* Drop privilege level on all the CPUs */
+	if (mp_run_on_all_cpus(&enable_untrusted_mode, 1000) < 0)
+		printk(BIOS_ERR, "failed to enable untrusted mode\n");
+}
+
 void platform_fsp_notify_status(enum fsp_notify_phase phase)
 {
-	/* Hide the P2SB device to align with previous behavior. */
-	if (phase == END_OF_FIRMWARE)
+	if (phase == END_OF_FIRMWARE) {
+		/* Hide the P2SB device to align with previous behavior. */
 		p2sb_hide();
+		/*
+		 * As per guidelines BIOS is recommended to drop CPU privilege
+		 * level to IA_UNTRUSTED. After that certain device registers
+		 * and MSRs become inaccessible supposedly increasing system
+		 * security.
+		 */
+		drop_privilege_all();
+	}
 }
 
 /*
diff --git a/src/soc/intel/apollolake/cpu.c b/src/soc/intel/apollolake/cpu.c
index 8b8f963..ff300bc 100644
--- a/src/soc/intel/apollolake/cpu.c
+++ b/src/soc/intel/apollolake/cpu.c
@@ -53,7 +53,7 @@
 	REG_SCRIPT_END
 };
 
-static void enable_untrusted_mode(void)
+void enable_untrusted_mode(void)
 {
 	msr_t msr = rdmsr(MSR_POWER_MISC);
 	msr.lo |= ENABLE_IA_UNTRUSTED;
@@ -70,8 +70,6 @@
 	 * implemented in microcode.
 	*/
 	enable_pm_timer_emulation();
-	/* Drop privilege level */
-	enable_untrusted_mode();
 }
 
 static struct device_operations cpu_dev_ops = {
diff --git a/src/soc/intel/apollolake/include/soc/cpu.h b/src/soc/intel/apollolake/include/soc/cpu.h
index db9d3dd..b4c8684 100644
--- a/src/soc/intel/apollolake/include/soc/cpu.h
+++ b/src/soc/intel/apollolake/include/soc/cpu.h
@@ -24,6 +24,7 @@
 
 void apollolake_init_cpus(struct device *dev);
 void set_max_freq(void);
+void enable_untrusted_mode(void);
 #endif
 
 #define CPUID_APOLLOLAKE_A0	0x506c8