vboot2: Introduce vb2ex_hwcrypto API

This patch extends the vboot2 API by three callback functions that the
platform firmware may implement to offer hardware crypto engine support.
For now we only support this for hash algorithms, and we will only allow
it for firmware body hashes (not the keyblock or preamble which are too
small to matter execution-time-wise anyway). The API is similar to the
vb2api_*_hash() functions used to start body hashing in the first place,
but we still take this round trip through vboot to allow it to do
key/signature management and retain full control of the verification
process. We also add a new preamble flag to explicitly disable this
feature, so that we can later return to a solely software-based
verification path through a firmware update in case a hardware crypto
engine turns out to be insecure.

CQ-DEPEND=CL:236435
BRANCH=None
BUG=chrome-os-partner:32987
TEST='make runtests VBOOT2=1'. Manually booted on Pinky with and without
HW crypto support and with the preamble flag set to confirm expected
behavior. lib21/ parts untested except for compiling and new unit tests.

Change-Id: I17c7d02f392089875a5942a5aafcf6a657354863
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/236453
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/261730
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>

14 files changed, 326 insertions, 53 deletions

diff --git a/firmware/2lib/2api.c b/firmware/2lib/2api.c
index 7f971819..70cb8a30 100644
--- a/firmware/2lib/2api.c
+++ b/firmware/2lib/2api.c
@@ -119,7 +119,10 @@ int vb2api_extend_hash(struct vb2_context *ctx,
 
 	sd->hash_remaining_size -= size;
 
-	return vb2_digest_extend(dc, buf, size);
+	if (dc->using_hwcrypto)
+		return vb2ex_hwcrypto_digest_extend(buf, size);
+	else
+		return vb2_digest_extend(dc, buf, size);
 }
 
 int vb2api_get_pcr_digest(struct vb2_context *ctx,
diff --git a/firmware/2lib/2sha_utility.c b/firmware/2lib/2sha_utility.c
index 47581ea4..6f76b4e7 100644
--- a/firmware/2lib/2sha_utility.c
+++ b/firmware/2lib/2sha_utility.c
@@ -84,6 +84,7 @@ int vb2_digest_init(struct vb2_digest_context *dc,
 		    enum vb2_hash_algorithm hash_alg)
 {
 	dc->hash_alg = hash_alg;
+	dc->using_hwcrypto = 0;
 
 	switch (dc->hash_alg) {
 #if VB2_SUPPORT_SHA1
diff --git a/firmware/2lib/2stub.c b/firmware/2lib/2stub.c
index 01084c94..3a5fa16c 100644
--- a/firmware/2lib/2stub.c
+++ b/firmware/2lib/2stub.c
@@ -28,6 +28,7 @@ int vb2ex_tpm_clear_owner(struct vb2_context *ctx)
 	return VB2_ERROR_EX_TPM_CLEAR_OWNER_UNIMPLEMENTED;
 }
 
+__attribute__((weak))
 int vb2ex_read_resource(struct vb2_context *ctx,
 			enum vb2_resource_index index,
 			uint32_t offset,
@@ -36,3 +37,24 @@ int vb2ex_read_resource(struct vb2_context *ctx,
 {
 	return VB2_ERROR_EX_READ_RESOURCE_UNIMPLEMENTED;
 }
+
+__attribute__((weak))
+int vb2ex_hwcrypto_digest_init(enum vb2_hash_algorithm hash_alg,
+			       uint32_t data_size)
+{
+	return VB2_ERROR_EX_HWCRYPTO_UNSUPPORTED;
+}
+
+__attribute__((weak))
+int vb2ex_hwcrypto_digest_extend(const uint8_t *buf,
+				 uint32_t size)
+{
+	return VB2_ERROR_SHA_EXTEND_ALGORITHM;	/* Should not be called. */
+}
+
+__attribute__((weak))
+int vb2ex_hwcrypto_digest_finalize(uint8_t *digest,
+				   uint32_t digest_size)
+{
+	return VB2_ERROR_SHA_FINALIZE_ALGORITHM; /* Should not be called. */
+}
diff --git a/firmware/2lib/include/2api.h b/firmware/2lib/include/2api.h
index a07d2c44..69f4ddec 100644
--- a/firmware/2lib/include/2api.h
+++ b/firmware/2lib/include/2api.h
@@ -394,4 +394,33 @@ int vb2ex_read_resource(struct vb2_context *ctx,
 			uint32_t size);
 
 void vb2ex_printf(const char *func, const char *fmt, ...);
+
+/**
+ * Initialize the hardware crypto engine to calculate a block-style digest.
+ *
+ * @param hash_alg	Hash algorithm to use
+ * @param data_size	Expected total size of data to hash
+ * @return VB2_SUCCESS, or non-zero error code (HWCRYPTO_UNSUPPORTED not fatal).
+ */
+int vb2ex_hwcrypto_digest_init(enum vb2_hash_algorithm hash_alg,
+			       uint32_t data_size);
+
+/**
+ * Extend the hash in the hardware crypto engine with another block of data.
+ *
+ * @param buf		Next data block to hash
+ * @param size		Length of data block in bytes
+ * @return VB2_SUCCESS, or non-zero error code.
+ */
+int vb2ex_hwcrypto_digest_extend(const uint8_t *buf, uint32_t size);
+
+/**
+ * Finalize the digest in the hardware crypto engine and extract the result.
+ *
+ * @param digest	Destination buffer for resulting digest
+ * @param digest_size	Length of digest buffer in bytes
+ * @return VB2_SUCCESS, or non-zero error code.
+ */
+int vb2ex_hwcrypto_digest_finalize(uint8_t *digest, uint32_t digest_size);
+
 #endif  /* VBOOT_2_API_H_ */
diff --git a/firmware/2lib/include/2crypto.h b/firmware/2lib/include/2crypto.h
index e930de84..559a8ed1 100644
--- a/firmware/2lib/include/2crypto.h
+++ b/firmware/2lib/include/2crypto.h
@@ -28,4 +28,35 @@ enum vb2_crypto_algorithm {
 	VB2_ALG_COUNT
 };
 
+/* Algorithm types for signatures */
+enum vb2_signature_algorithm {
+	/* Invalid or unsupported signature type */
+	VB2_SIG_INVALID = 0,
+
+	/*
+	 * No signature algorithm.  The digest is unsigned.  See
+	 * VB2_GUID_NONE_* above for key GUIDs to use with this algorithm.
+	 */
+	VB2_SIG_NONE = 1,
+
+	/* RSA algorithms of the given length in bits (1024-8192) */
+	VB2_SIG_RSA1024 = 2,  /* Warning!  This is likely to be deprecated! */
+	VB2_SIG_RSA2048 = 3,
+	VB2_SIG_RSA4096 = 4,
+	VB2_SIG_RSA8192 = 5,
+};
+
+/* Algorithm types for hash digests */
+enum vb2_hash_algorithm {
+	/* Invalid or unsupported digest type */
+	VB2_HASH_INVALID = 0,
+
+	/* SHA-1.  Warning: This is likely to be deprecated soon! */
+	VB2_HASH_SHA1 = 1,
+
+	/* SHA-256 and SHA-512 */
+	VB2_HASH_SHA256 = 2,
+	VB2_HASH_SHA512 = 3,
+};
+
 #endif /* VBOOT_REFERENCE_VBOOT_2CRYPTO_H_ */
diff --git a/firmware/2lib/include/2return_codes.h b/firmware/2lib/include/2return_codes.h
index a8b61a3b..7b54f6db 100644
--- a/firmware/2lib/include/2return_codes.h
+++ b/firmware/2lib/include/2return_codes.h
@@ -458,6 +458,9 @@ enum vb2_return_code {
 	/* TPM clear owner not implemented */
 	VB2_ERROR_EX_TPM_CLEAR_OWNER_UNIMPLEMENTED,
 
+	/* Hardware crypto engine doesn't support this algorithm (non-fatal) */
+	VB2_ERROR_EX_HWCRYPTO_UNSUPPORTED,
+
 
         /**********************************************************************
 	 * Errors generated by host library (non-firmware) start here.
diff --git a/firmware/2lib/include/2sha.h b/firmware/2lib/include/2sha.h
index 58792369..221d1856 100644
--- a/firmware/2lib/include/2sha.h
+++ b/firmware/2lib/include/2sha.h
@@ -78,6 +78,9 @@ struct vb2_digest_context {
 
 	/* Current hash algorithm */
 	enum vb2_hash_algorithm hash_alg;
+
+	/* 1 if digest is computed with vb2ex_hwcrypto routines, else 0 */
+	int using_hwcrypto;
 };
 
 /**
diff --git a/firmware/2lib/include/2struct.h b/firmware/2lib/include/2struct.h
index 2f297767..3339a30d 100644
--- a/firmware/2lib/include/2struct.h
+++ b/firmware/2lib/include/2struct.h
@@ -9,37 +9,7 @@
 #ifndef VBOOT_REFERENCE_VBOOT_2STRUCT_H_
 #define VBOOT_REFERENCE_VBOOT_2STRUCT_H_
 #include <stdint.h>
-
-/* Algorithm types for signatures */
-enum vb2_signature_algorithm {
-	/* Invalid or unsupported signature type */
-	VB2_SIG_INVALID = 0,
-
-	/*
-	 * No signature algorithm.  The digest is unsigned.  See
-	 * VB2_GUID_NONE_* above for key GUIDs to use with this algorithm.
-	 */
-	VB2_SIG_NONE = 1,
-
-	/* RSA algorithms of the given length in bits (1024-8192) */
-	VB2_SIG_RSA1024 = 2,  /* Warning!  This is likely to be deprecated! */
-	VB2_SIG_RSA2048 = 3,
-	VB2_SIG_RSA4096 = 4,
-	VB2_SIG_RSA8192 = 5,
-};
-
-/* Algorithm types for hash digests */
-enum vb2_hash_algorithm {
-	/* Invalid or unsupported digest type */
-	VB2_HASH_INVALID = 0,
-
-	/* SHA-1.  Warning: This is likely to be deprecated soon! */
-	VB2_HASH_SHA1 = 1,
-
-	/* SHA-256 and SHA-512 */
-	VB2_HASH_SHA256 = 2,
-	VB2_HASH_SHA512 = 3,
-};
+#include "2crypto.h"
 
 /*
  * Key block flags.
diff --git a/firmware/lib20/api.c b/firmware/lib20/api.c
index 87cd985e..55c59ead 100644
--- a/firmware/lib20/api.c
+++ b/firmware/lib20/api.c
@@ -100,6 +100,24 @@ int vb2api_init_hash(struct vb2_context *ctx, uint32_t tag, uint32_t *size)
 	if (size)
 		*size = pre->body_signature.data_size;
 
+	if (!(pre->flags & VB2_FIRMWARE_PREAMBLE_DISALLOW_HWCRYPTO)) {
+		rv = vb2ex_hwcrypto_digest_init(key.hash_alg,
+						pre->body_signature.data_size);
+		if (!rv) {
+			VB2_DEBUG("Using HW crypto engine for hash_alg %d\n",
+				  key.hash_alg);
+			dc->hash_alg = key.hash_alg;
+			dc->using_hwcrypto = 1;
+			return VB2_SUCCESS;
+		}
+		if (rv != VB2_ERROR_EX_HWCRYPTO_UNSUPPORTED)
+			return rv;
+		VB2_DEBUG("HW crypto for hash_alg %d not supported, using SW\n",
+			  key.hash_alg);
+	} else {
+		VB2_DEBUG("HW crypto forbidden by preamble, using SW\n");
+	}
+
 	return vb2_digest_init(dc, key.hash_alg);
 }
 
@@ -139,7 +157,10 @@ int vb2api_check_hash(struct vb2_context *ctx)
 		return VB2_ERROR_API_CHECK_HASH_WORKBUF_DIGEST;
 
 	/* Finalize the digest */
-	rv = vb2_digest_finalize(dc, digest, digest_size);
+	if (dc->using_hwcrypto)
+		rv = vb2ex_hwcrypto_digest_finalize(digest, digest_size);
+	else
+		rv = vb2_digest_finalize(dc, digest, digest_size);
 	if (rv)
 		return rv;
 
diff --git a/firmware/lib20/include/vb2_struct.h b/firmware/lib20/include/vb2_struct.h
index 136ce91a..ec28e719 100644
--- a/firmware/lib20/include/vb2_struct.h
+++ b/firmware/lib20/include/vb2_struct.h
@@ -124,6 +124,8 @@ struct vb2_keyblock {
 /* Flags for VbFirmwarePreambleHeader.flags */
 /* Reserved; do not use */
 #define VB2_FIRMWARE_PREAMBLE_RESERVED0 0x00000001
+/* Do not allow use of any hardware crypto accelerators. */
+#define VB2_FIRMWARE_PREAMBLE_DISALLOW_HWCRYPTO 0x00000002
 
 /* Premable block for rewritable firmware, vboot1 version 2.1.
  *
diff --git a/firmware/lib21/api.c b/firmware/lib21/api.c
index beed98bc..7c1aa014 100644
--- a/firmware/lib21/api.c
+++ b/firmware/lib21/api.c
@@ -47,7 +47,7 @@ int vb2api_init_hash2(struct vb2_context *ctx,
 	struct vb2_digest_context *dc;
 	struct vb2_workbuf wb;
 	uint32_t hash_offset;
-	int i;
+	int i, rv;
 
 	vb2_workbuf_from_ctx(ctx, &wb);
 
@@ -93,6 +93,23 @@ int vb2api_init_hash2(struct vb2_context *ctx,
 	if (size)
 		*size = sig->data_size;
 
+	if (!(pre->flags & VB2_FIRMWARE_PREAMBLE_DISALLOW_HWCRYPTO)) {
+		rv = vb2ex_hwcrypto_digest_init(sig->hash_alg, sig->data_size);
+		if (!rv) {
+			VB2_DEBUG("Using HW crypto engine for hash_alg %d\n",
+				  sig->hash_alg);
+			dc->hash_alg = sig->hash_alg;
+			dc->using_hwcrypto = 1;
+			return VB2_SUCCESS;
+		}
+		if (rv != VB2_ERROR_EX_HWCRYPTO_UNSUPPORTED)
+			return rv;
+		VB2_DEBUG("HW crypto for hash_alg %d not supported, using SW\n",
+			  sig->hash_alg);
+	} else {
+		VB2_DEBUG("HW crypto forbidden by preamble, using SW\n");
+	}
+
 	return vb2_digest_init(dc, sig->hash_alg);
 }
 
@@ -131,7 +148,10 @@ int vb2api_check_hash(struct vb2_context *ctx)
 		return VB2_ERROR_API_CHECK_HASH_WORKBUF_DIGEST;
 
 	/* Finalize the digest */
-	rv = vb2_digest_finalize(dc, digest, digest_size);
+	if (dc->using_hwcrypto)
+		rv = vb2ex_hwcrypto_digest_finalize(digest, digest_size);
+	else
+		rv = vb2_digest_finalize(dc, digest, digest_size);
 	if (rv)
 		return rv;
 
diff --git a/firmware/lib21/include/vb2_struct.h b/firmware/lib21/include/vb2_struct.h
index d9921d94..62e1a080 100644
--- a/firmware/lib21/include/vb2_struct.h
+++ b/firmware/lib21/include/vb2_struct.h
@@ -291,6 +291,12 @@ struct vb2_keyblock {
 #define VB2_FW_PREAMBLE_VERSION_MAJOR 3
 #define VB2_FW_PREAMBLE_VERSION_MINOR 0
 
+/* Flags for vb2_fw_preamble.flags */
+/* Reserved; do not use */
+#define VB2_FIRMWARE_PREAMBLE_RESERVED0 0x00000001
+/* Do not allow use of any hardware crypto accelerators. */
+#define VB2_FIRMWARE_PREAMBLE_DISALLOW_HWCRYPTO 0x00000002
+
 /*
  * Firmware preamble
  *
diff --git a/tests/vb20_api_tests.c b/tests/vb20_api_tests.c
index 8da3c4bb..90141a9b 100644
--- a/tests/vb20_api_tests.c
+++ b/tests/vb20_api_tests.c
@@ -30,6 +30,12 @@ const int mock_sig_size = 64;
 
 /* Mocked function data */
 
+static enum {
+	HWCRYPTO_DISABLED,
+	HWCRYPTO_ENABLED,
+	HWCRYPTO_FORBIDDEN,
+} hwcrypto_state;
+
 static int retval_vb2_load_fw_keyblock;
 static int retval_vb2_load_fw_preamble;
 static int retval_vb2_digest_finalize;
@@ -74,6 +80,10 @@ static void reset_common_data(enum reset_type t)
 		(cc.workbuf + sd->workbuf_preamble_offset);
 	pre->body_signature.data_size = mock_body_size;
 	pre->body_signature.sig_size = mock_sig_size;
+	if (hwcrypto_state == HWCRYPTO_FORBIDDEN)
+		pre->flags = VB2_FIRMWARE_PREAMBLE_DISALLOW_HWCRYPTO;
+	else
+		pre->flags = 0;
 
 	sd->workbuf_data_key_offset = cc.workbuf_used;
 	sd->workbuf_data_key_size = sizeof(*k) + 8;
@@ -117,13 +127,51 @@ int vb2_unpack_key(struct vb2_public_key *key,
 	return VB2_SUCCESS;
 }
 
+int vb2ex_hwcrypto_digest_init(enum vb2_hash_algorithm hash_alg,
+			       uint32_t data_size)
+{
+	switch (hwcrypto_state) {
+	case HWCRYPTO_DISABLED:
+		return VB2_ERROR_EX_HWCRYPTO_UNSUPPORTED;
+	case HWCRYPTO_ENABLED:
+		if (hash_alg != mock_hash_alg)
+			return VB2_ERROR_SHA_INIT_ALGORITHM;
+		else
+			return VB2_SUCCESS;
+	case HWCRYPTO_FORBIDDEN:
+	default:
+		return VB2_ERROR_UNKNOWN;
+	}
+}
+
+int vb2ex_hwcrypto_digest_extend(const uint8_t *buf,
+				 uint32_t size)
+{
+	if (hwcrypto_state != HWCRYPTO_ENABLED)
+		return VB2_ERROR_UNKNOWN;
+
+	return VB2_SUCCESS;
+}
+
+int vb2ex_hwcrypto_digest_finalize(uint8_t *digest,
+				   uint32_t digest_size)
+{
+	if (hwcrypto_state != HWCRYPTO_ENABLED)
+		return VB2_ERROR_UNKNOWN;
+
+	return retval_vb2_digest_finalize;
+}
+
 int vb2_digest_init(struct vb2_digest_context *dc,
 		    enum vb2_hash_algorithm hash_alg)
 {
+	if (hwcrypto_state == HWCRYPTO_ENABLED)
+		return VB2_ERROR_UNKNOWN;
 	if (hash_alg != mock_hash_alg)
 		return VB2_ERROR_SHA_INIT_ALGORITHM;
 
 	dc->hash_alg = hash_alg;
+	dc->using_hwcrypto = 0;
 
 	return VB2_SUCCESS;
 }
@@ -132,6 +180,8 @@ int vb2_digest_extend(struct vb2_digest_context *dc,
 		      const uint8_t *buf,
 		      uint32_t size)
 {
+	if (hwcrypto_state == HWCRYPTO_ENABLED)
+		return VB2_ERROR_UNKNOWN;
 	if (dc->hash_alg != mock_hash_alg)
 		return VB2_ERROR_SHA_EXTEND_ALGORITHM;
 
@@ -142,6 +192,8 @@ int vb2_digest_finalize(struct vb2_digest_context *dc,
 			uint8_t *digest,
 			uint32_t digest_size)
 {
+	if (hwcrypto_state == HWCRYPTO_ENABLED)
+		return VB2_ERROR_UNKNOWN;
 	return retval_vb2_digest_finalize;
 }
 
@@ -268,12 +320,14 @@ static void extend_hash_tests(void)
 	TEST_EQ(vb2api_extend_hash(&cc, mock_body, 0),
 		VB2_ERROR_API_EXTEND_HASH_SIZE, "hash extend empty");
 
-	reset_common_data(FOR_EXTEND_HASH);
-	dc = (struct vb2_digest_context *)
-		(cc.workbuf + sd->workbuf_hash_offset);
-	dc->hash_alg = mock_hash_alg + 1;
-	TEST_EQ(vb2api_extend_hash(&cc, mock_body, mock_body_size),
-		VB2_ERROR_SHA_EXTEND_ALGORITHM, "hash extend fail");
+	if (hwcrypto_state != HWCRYPTO_ENABLED) {
+		reset_common_data(FOR_EXTEND_HASH);
+		dc = (struct vb2_digest_context *)
+			(cc.workbuf + sd->workbuf_hash_offset);
+		dc->hash_alg = mock_hash_alg + 1;
+		TEST_EQ(vb2api_extend_hash(&cc, mock_body, mock_body_size),
+			VB2_ERROR_SHA_EXTEND_ALGORITHM, "hash extend fail");
+	}
 }
 
 static void check_hash_tests(void)
@@ -338,6 +392,21 @@ static void check_hash_tests(void)
 int main(int argc, char* argv[])
 {
 	phase3_tests();
+
+	fprintf(stderr, "Running hash API tests without hwcrypto support...\n");
+	hwcrypto_state = HWCRYPTO_DISABLED;
+	init_hash_tests();
+	extend_hash_tests();
+	check_hash_tests();
+
+	fprintf(stderr, "Running hash API tests with hwcrypto support...\n");
+	hwcrypto_state = HWCRYPTO_ENABLED;
+	init_hash_tests();
+	extend_hash_tests();
+	check_hash_tests();
+
+	fprintf(stderr, "Running hash API tests with forbidden hwcrypto...\n");
+	hwcrypto_state = HWCRYPTO_FORBIDDEN;
 	init_hash_tests();
 	extend_hash_tests();
 	check_hash_tests();
diff --git a/tests/vb21_api_tests.c b/tests/vb21_api_tests.c
index 8d01b150..dbc4750d 100644
--- a/tests/vb21_api_tests.c
+++ b/tests/vb21_api_tests.c
@@ -41,6 +41,16 @@ static const struct vb2_guid test_guid[4] = {
 };
 
 /* Mocked function data */
+
+static enum {
+	HWCRYPTO_DISABLED,
+	HWCRYPTO_ENABLED,
+	HWCRYPTO_FORBIDDEN,
+} hwcrypto_state;
+
+static struct vb2_digest_context hwcrypto_emulation_dc;
+
+static int retval_hwcrypto;
 static int retval_vb2_load_fw_keyblock;
 static int retval_vb2_load_fw_preamble;
 
@@ -74,6 +84,8 @@ static void reset_common_data(enum reset_type t)
 	vb2_secdata_create(&ctx);
 	vb2_secdata_init(&ctx);
 
+	memset(&hwcrypto_emulation_dc, 0, sizeof(hwcrypto_emulation_dc));
+	retval_hwcrypto = VB2_SUCCESS;
 	retval_vb2_load_fw_keyblock = VB2_SUCCESS;
 	retval_vb2_load_fw_preamble = VB2_SUCCESS;
 
@@ -84,6 +96,10 @@ static void reset_common_data(enum reset_type t)
 		(ctx.workbuf + sd->workbuf_preamble_offset);
 	pre->hash_count = 3;
 	pre->hash_offset = sig_offset = sizeof(*pre);
+	if (hwcrypto_state == HWCRYPTO_FORBIDDEN)
+		pre->flags = VB2_FIRMWARE_PREAMBLE_DISALLOW_HWCRYPTO;
+	else
+		pre->flags = 0;
 
 	for (i = 0; i < 3; i++) {
 		vb2_sign_data(&sig, mock_body, mock_body_size - 16 * i,
@@ -118,6 +134,47 @@ int vb2_load_fw_preamble(struct vb2_context *ctx)
 	return retval_vb2_load_fw_preamble;
 }
 
+int vb2ex_hwcrypto_digest_init(enum vb2_hash_algorithm hash_alg,
+			       uint32_t data_size)
+{
+	vb2_digest_init(&hwcrypto_emulation_dc, hash_alg);
+
+	switch (hwcrypto_state) {
+	case HWCRYPTO_DISABLED:
+		return VB2_ERROR_EX_HWCRYPTO_UNSUPPORTED;
+	case HWCRYPTO_ENABLED:
+		if (hash_alg != mock_hash_alg)
+			return VB2_ERROR_SHA_INIT_ALGORITHM;
+		else
+			return retval_hwcrypto;
+	case HWCRYPTO_FORBIDDEN:
+	default:
+		return VB2_ERROR_UNKNOWN;
+	}
+}
+
+int vb2ex_hwcrypto_digest_extend(const uint8_t *buf,
+				 uint32_t size)
+{
+	vb2_digest_extend(&hwcrypto_emulation_dc, buf, size);
+
+	if (hwcrypto_state != HWCRYPTO_ENABLED)
+		return VB2_ERROR_UNKNOWN;
+
+	return retval_hwcrypto;
+}
+
+int vb2ex_hwcrypto_digest_finalize(uint8_t *digest,
+				   uint32_t digest_size)
+{
+	vb2_digest_finalize(&hwcrypto_emulation_dc, digest, digest_size);
+
+	if (hwcrypto_state != HWCRYPTO_ENABLED)
+		return VB2_ERROR_UNKNOWN;
+
+	return retval_hwcrypto;
+}
+
 /* Tests */
 
 static void phase3_tests(void)
@@ -195,6 +252,13 @@ static void init_hash_tests(void)
 	sig->hash_alg = VB2_HASH_INVALID;
 	TEST_EQ(vb2api_init_hash2(&ctx, test_guid, &size),
 		VB2_ERROR_SHA_INIT_ALGORITHM, "init hash algorithm");
+
+	if (hwcrypto_state == HWCRYPTO_ENABLED) {
+		reset_common_data(FOR_MISC);
+		retval_hwcrypto = VB2_ERROR_MOCK;
+		TEST_EQ(vb2api_init_hash2(&ctx, test_guid, &size),
+			VB2_ERROR_MOCK, "init hash use hwcrypto");
+	}
 }
 
 static void extend_hash_tests(void)
@@ -223,12 +287,19 @@ static void extend_hash_tests(void)
 	TEST_EQ(vb2api_extend_hash(&ctx, mock_body, 0),
 		VB2_ERROR_API_EXTEND_HASH_SIZE, "hash extend empty");
 
-	reset_common_data(FOR_EXTEND_HASH);
-	dc = (struct vb2_digest_context *)
-		(ctx.workbuf + sd->workbuf_hash_offset);
-	dc->hash_alg = VB2_HASH_INVALID;
-	TEST_EQ(vb2api_extend_hash(&ctx, mock_body, mock_body_size),
-		VB2_ERROR_SHA_EXTEND_ALGORITHM, "hash extend fail");
+	if (hwcrypto_state == HWCRYPTO_ENABLED) {
+		reset_common_data(FOR_EXTEND_HASH);
+		retval_hwcrypto = VB2_ERROR_MOCK;
+		TEST_EQ(vb2api_extend_hash(&ctx, mock_body, mock_body_size),
+			VB2_ERROR_MOCK, "hash extend use hwcrypto");
+	} else {
+		reset_common_data(FOR_EXTEND_HASH);
+		dc = (struct vb2_digest_context *)
+			(ctx.workbuf + sd->workbuf_hash_offset);
+		dc->hash_alg = VB2_HASH_INVALID;
+		TEST_EQ(vb2api_extend_hash(&ctx, mock_body, mock_body_size),
+			VB2_ERROR_SHA_EXTEND_ALGORITHM, "hash extend fail");
+	}
 }
 
 static void check_hash_tests(void)
@@ -267,20 +338,42 @@ static void check_hash_tests(void)
 		VB2_ERROR_API_CHECK_HASH_WORKBUF_DIGEST, "check hash workbuf");
 
 	reset_common_data(FOR_CHECK_HASH);
-	dc->hash_alg = VB2_HASH_INVALID;
-	*((uint8_t *)sig + sig->sig_offset) ^= 0x55;
-	TEST_EQ(vb2api_check_hash(&ctx),
-		VB2_ERROR_SHA_FINALIZE_ALGORITHM, "check hash finalize");
-
-	reset_common_data(FOR_CHECK_HASH);
 	*((uint8_t *)sig + sig->sig_offset) ^= 0x55;
 	TEST_EQ(vb2api_check_hash(&ctx),
 		VB2_ERROR_API_CHECK_HASH_SIG, "check hash sig");
+
+	if (hwcrypto_state == HWCRYPTO_ENABLED) {
+		reset_common_data(FOR_CHECK_HASH);
+		retval_hwcrypto = VB2_ERROR_MOCK;
+		TEST_EQ(vb2api_check_hash(&ctx),
+			VB2_ERROR_MOCK, "check hash use hwcrypto");
+	} else {
+		reset_common_data(FOR_CHECK_HASH);
+		dc->hash_alg = VB2_HASH_INVALID;
+		*((uint8_t *)sig + sig->sig_offset) ^= 0x55;
+		TEST_EQ(vb2api_check_hash(&ctx),
+			VB2_ERROR_SHA_FINALIZE_ALGORITHM, "check hash finaliz");
+	}
 }
 
 int main(int argc, char* argv[])
 {
 	phase3_tests();
+
+	fprintf(stderr, "Running hash API tests without hwcrypto support...\n");
+	hwcrypto_state = HWCRYPTO_DISABLED;
+	init_hash_tests();
+	extend_hash_tests();
+	check_hash_tests();
+
+	fprintf(stderr, "Running hash API tests with hwcrypto support...\n");
+	hwcrypto_state = HWCRYPTO_ENABLED;
+	init_hash_tests();
+	extend_hash_tests();
+	check_hash_tests();
+
+	fprintf(stderr, "Running hash API tests with forbidden hwcrypto...\n");
+	hwcrypto_state = HWCRYPTO_FORBIDDEN;
 	init_hash_tests();
 	extend_hash_tests();
 	check_hash_tests();