authorRandall Spangler <rspangler@chromium.org>2011-03-01 13:04:22 -0800
committerRandall Spangler <rspangler@chromium.org>2011-03-01 13:04:22 -0800
commitb416714a10cc8b8048009ca2ab0f3fa1dc4ac24b (patch)
treefd71d216ffdc6f15bf146cad0998137b8fe8a1a7 /firmware
parentdfe4ca5e4057132b634c3df859ddecbdee35cd29 (diff)
downloadvboot-b416714a10cc8b8048009ca2ab0f3fa1dc4ac24b.tar.gz
Add crossystem support for nvram_cleared and kern_nv
Fix try_b processing. Also move the key block flags check up in LoadFirmware(), which speeds up boot when the dev switch is off because it no longer does a signature check and then throws the result out. BUG=12282 TEST=build firmware, try by hand Review URL: http://codereview.chromium.org/6596081 Change-Id: I10474e9e0ae324906dfe02a351347d04ce847f67
Diffstat (limited to 'firmware')
-rw-r--r--firmware/lib/vboot_firmware.c24
-rw-r--r--firmware/lib/vboot_nvstorage.c10
2 files changed, 18 insertions, 16 deletions
diff --git a/firmware/lib/vboot_firmware.c b/firmware/lib/vboot_firmware.c
index e8c8a86f..036441fb 100644
--- a/firmware/lib/vboot_firmware.c
+++ b/firmware/lib/vboot_firmware.c
@@ -116,10 +116,7 @@ int LoadFirmware(LoadFirmwareParams* params) {
uint8_t* body_digest;
/* If try B count is non-zero try firmware B first */
- index = (try_b_count ? i : 1 - i);
-
- /* Verify the key block */
- VBPERFSTART("VB_VKB");
+ index = (try_b_count ? 1 - i : i);
if (0 == index) {
key_block = (VbKeyBlockHeader*)params->verification_block_0;
vblock_size = params->verification_size_0;
@@ -127,14 +124,10 @@ int LoadFirmware(LoadFirmwareParams* params) {
key_block = (VbKeyBlockHeader*)params->verification_block_1;
vblock_size = params->verification_size_1;
}
- if ((0 != KeyBlockVerify(key_block, vblock_size, root_key, 0))) {
- VBDEBUG(("Key block verification failed.\n"));
- VBPERFEND("VB_VKB");
- continue;
- }
- VBPERFEND("VB_VKB");
- /* Check the key block flags against the current boot mode. */
+ /* Check the key block flags against the current boot mode. Do this
+ * before verifying the key block, since flags are faster to check than
+ * the RSA signature. */
if (!(key_block->key_block_flags &
(is_dev ? KEY_BLOCK_FLAG_DEVELOPER_1 :
KEY_BLOCK_FLAG_DEVELOPER_0))) {
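Review bot: `key_block->key_block_flags` is now read before anything has validated the verification block, so the flags test in `LoadFirmware()` runs on untrusted bytes. Rejecting early on a mismatch is fine, since the `KeyBlockVerify()` call added in the next hunk still gates everything after it, but the read has no length guard visible here; unless callers already guarantee it, add `if (vblock_size < sizeof(VbKeyBlockHeader)) continue;` ahead of the flags test. The new comment should also record why the reorder is safe, e.g. `/* Flags are untrusted here; a mismatch only skips this slot, and the signature check below still covers them. */`. The body of this `if` and the rest of the loop lie outside the hunk, so confirm that nothing between the flags test and the verify call acts on key block contents.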
@@ -147,6 +140,15 @@ int LoadFirmware(LoadFirmwareParams* params) {
continue;
}
+ /* Verify the key block */
+ VBPERFSTART("VB_VKB");
+ if ((0 != KeyBlockVerify(key_block, vblock_size, root_key, 0))) {
+ VBDEBUG(("Key block verification failed.\n"));
+ VBPERFEND("VB_VKB");
+ continue;
+ }
+ VBPERFEND("VB_VKB");
+
/* Check for rollback of key version. */
key_version = key_block->data_key.key_version;
if (key_version < (tpm_version >> 16)) {
diff --git a/firmware/lib/vboot_nvstorage.c b/firmware/lib/vboot_nvstorage.c
index d9158041..419a9fbc 100644
--- a/firmware/lib/vboot_nvstorage.c
+++ b/firmware/lib/vboot_nvstorage.c
@@ -21,7 +21,7 @@
#define BOOT_OFFSET 1
#define BOOT_DEBUG_RESET_MODE 0x80
-#define BOOT_TRY_B_COUNT 0x0F
+#define BOOT_TRY_B_COUNT_MASK 0x0F
#define RECOVERY_OFFSET 2
#define LOCALIZATION_OFFSET 3
@@ -107,7 +107,7 @@ int VbNvGet(VbNvContext* context, VbNvParam param, uint32_t* dest) {
return 0;
case VBNV_TRY_B_COUNT:
- *dest = raw[BOOT_OFFSET] & BOOT_TRY_B_COUNT;
+ *dest = raw[BOOT_OFFSET] & BOOT_TRY_B_COUNT_MASK;
return 0;
case VBNV_RECOVERY_REQUEST:
@@ -172,10 +172,10 @@ int VbNvSet(VbNvContext* context, VbNvParam param, uint32_t value) {
case VBNV_TRY_B_COUNT:
/* Clip to valid range. */
- if (value > BOOT_TRY_B_COUNT)
- value = BOOT_TRY_B_COUNT - 1;
+ if (value > BOOT_TRY_B_COUNT_MASK)
+ value = BOOT_TRY_B_COUNT_MASK;
- raw[BOOT_OFFSET] &= ~BOOT_TRY_B_COUNT;
+ raw[BOOT_OFFSET] &= ~BOOT_TRY_B_COUNT_MASK;
raw[BOOT_OFFSET] |= (uint8_t)value;
break;
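Review bot: The out-of-range clamp in `VbNvSet()` now stores 15 where the old code stored 14, a behaviour change the commit message does not mention, and it uses the mask itself as the maximum value. That only holds while the field sits in the low bits of `raw[BOOT_OFFSET]`, so I would say so at the define: `/* Mask for the try-B count; also its maximum value, since the field is bits 0-3. */`. Making the store self-limiting with `raw[BOOT_OFFSET] |= (uint8_t)(value & BOOT_TRY_B_COUNT_MASK);` would keep a future edit to the clamp from spilling into `BOOT_DEBUG_RESET_MODE`. The switch continues outside this hunk.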