authorKangheui Won <khwon@chromium.org>2020-12-01 17:15:07 +1100
committerCommit Bot <commit-bot@chromium.org>2020-12-09 12:01:45 +0000
commitebd1261eb5df292ecaf4995c4d80954b6ffb1161 (patch)
treed98360a4d754c2cecba0cfcfef82513ee1e2a790 /tests
parent3425315e87738b80c9efc15801d491545b38146b (diff)
downloadvboot-ebd1261eb5df292ecaf4995c4d80954b6ffb1161.tar.gz
vboot2: Use TPM for hash acceleration allowance
Previously we used a flag in preamble to prevent HW acceleration for SHA hashing. However we started to use kernel TPM flag for RSA part since we can use the flag in preamble only after we verified preamble. No need to keep both for same objective, so deprecate old flag and change code to use TPM flag. BUG=b:166038345 BRANCH=zork TEST=CC=x86_64-pc-linux-gnu-clang make runtests TEST=boot Ezkinil, check HW acceleration is used for SHA Signed-off-by: Kangheui Won <khwon@chromium.org> Change-Id: I81b174dbe285fa3f68a22667b6af14a52b06b112 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2566866 Reviewed-by: Julius Werner <jwerner@chromium.org> Reviewed-by: Joel Kitching <kitching@chromium.org>
Diffstat (limited to 'tests')
-rw-r--r--tests/vb2_api_tests.c50
1 files changed, 26 insertions, 24 deletions
diff --git a/tests/vb2_api_tests.c b/tests/vb2_api_tests.c
index c5e45097..1fabb60b 100644
--- a/tests/vb2_api_tests.c
+++ b/tests/vb2_api_tests.c
@@ -82,6 +82,9 @@ static void reset_common_data(enum reset_type t)
vb2api_secdata_kernel_create(ctx);
vb2_secdata_kernel_init(ctx);
+ if (hwcrypto_state != HWCRYPTO_FORBIDDEN)
+ vb2_secdata_kernel_set(ctx, VB2_SECDATA_KERNEL_FLAGS,
+ VB2_SECDATA_KERNEL_FLAG_HWCRYPTO_ALLOWED);
force_dev_mode = 0;
retval_vb2_fw_init_gbb = VB2_SUCCESS;
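Review bot: The added `vb2_secdata_kernel_set(ctx, VB2_SECDATA_KERNEL_FLAGS, ...)` call writes the whole flags field instead of OR-ing in one bit, so it is only correct because it runs directly after `vb2_secdata_kernel_init(ctx)` on freshly created secdata. It also makes "hardware crypto allowed" the fixture default for every state other than `HWCRYPTO_FORBIDDEN`, which is the permissive setting and deserves a comment. I would add `/* TPM kernel flag is the only hwcrypto gate; allow it unless the state under test forbids it */` above the `if`. If other kernel flags are ever set in this fixture, the value should become `vb2_secdata_kernel_get(ctx, VB2_SECDATA_KERNEL_FLAGS) | VB2_SECDATA_KERNEL_FLAG_HWCRYPTO_ALLOWED`. The body of reset_common_data starts and ends outside this hunk.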
@@ -102,10 +105,7 @@ static void reset_common_data(enum reset_type t)
pre = vb2_member_of(sd, sd->preamble_offset);
pre->body_signature.data_size = mock_body_size;
pre->body_signature.sig_size = mock_sig_size;
- if (hwcrypto_state == HWCRYPTO_FORBIDDEN)
- pre->flags = VB2_FIRMWARE_PREAMBLE_DISALLOW_HWCRYPTO;
- else
- pre->flags = 0;
+ pre->flags = 0;
sd->data_key_offset = sd->workbuf_used;
sd->data_key_size = sizeof(*k) + 8;
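Review bot: With `pre->flags = 0;` now unconditional, no fixture in this file sets the old preamble bit any more, so nothing pins what verification does with an image that still carries it. The commit message says the preamble flag is deprecated in favour of the TPM flag, which presumably means a preamble signed with the disallow bit no longer stops hardware hashing when the TPM flag allows it. If the constant is still defined (not visible here), one case in check_hash_tests that sets it in `pre->flags` and asserts the resulting `last_used_key.allow_hwcrypto` would make that behaviour change explicit. At minimum, a comment such as `/* preamble hwcrypto bit is deprecated; the TPM kernel flag decides */` next to this assignment would tell the next reader why the field is always zero. The surrounding function continues outside the hunk.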
@@ -741,26 +741,28 @@ static void check_hash_tests(void)
"check digest value");
/* Test hwcrypto conditions */
- reset_common_data(FOR_CHECK_HASH);
- TEST_SUCC(vb2api_check_hash(ctx), "check hash good");
- TEST_EQ(last_used_key.allow_hwcrypto, 0,
- "hwcrypto is forbidden by TPM flag");
-
- ctx->flags |= VB2_CONTEXT_RECOVERY_MODE;
- TEST_SUCC(vb2api_check_hash(ctx), "check hash good");
- TEST_EQ(last_used_key.allow_hwcrypto, 0,
- "hwcrypto is forbidden by TPM flag on recovery mode");
-
- vb2_secdata_kernel_set(ctx, VB2_SECDATA_KERNEL_FLAGS,
- VB2_SECDATA_KERNEL_FLAG_HWCRYPTO_ALLOWED);
-
- TEST_SUCC(vb2api_check_hash(ctx), "check hash good");
- TEST_EQ(last_used_key.allow_hwcrypto, 0,
- "hwcrypto is forbidden on recovery mode");
-
- ctx->flags &= ~VB2_CONTEXT_RECOVERY_MODE;
- TEST_SUCC(vb2api_check_hash(ctx), "check hash good");
- TEST_EQ(last_used_key.allow_hwcrypto, 1, "hwcrypto is allowed");
+ if (hwcrypto_state == HWCRYPTO_FORBIDDEN) {
+ reset_common_data(FOR_CHECK_HASH);
+ TEST_SUCC(vb2api_check_hash(ctx), "check hash good");
+ TEST_EQ(last_used_key.allow_hwcrypto, 0,
+ "hwcrypto is forbidden by TPM flag");
+
+ reset_common_data(FOR_CHECK_HASH);
+ ctx->flags |= VB2_CONTEXT_RECOVERY_MODE;
+ TEST_SUCC(vb2api_check_hash(ctx), "check hash good");
+ TEST_EQ(last_used_key.allow_hwcrypto, 0,
+ "hwcrypto is forbidden by TPM flag on recovery mode");
+ } else {
+ reset_common_data(FOR_CHECK_HASH);
+ TEST_SUCC(vb2api_check_hash(ctx), "check hash good");
+ TEST_EQ(last_used_key.allow_hwcrypto, 1, "hwcrypto is allowed");
+
+ reset_common_data(FOR_CHECK_HASH);
+ ctx->flags |= VB2_CONTEXT_RECOVERY_MODE;
+ TEST_SUCC(vb2api_check_hash(ctx), "check hash good");
+ TEST_EQ(last_used_key.allow_hwcrypto, 0,
+ "hwcrypto is forbidden on recovery mode");
+ }
reset_common_data(FOR_CHECK_HASH);
TEST_EQ(vb2api_check_hash_get_digest(ctx, digest_result,
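Review bot: Each call of check_hash_tests now runs only one arm of the new `if (hwcrypto_state == HWCRYPTO_FORBIDDEN)`, and `hwcrypto_state` is set outside this hunk. The two fail-closed assertions ("hwcrypto is forbidden by TPM flag", and the same in recovery mode) therefore execute only if the test driver actually runs this function in the FORBIDDEN state. The removed sequence covered flag-clear and flag-set in a single pass regardless of that global. I would document the dependency above the branch, for example `/* hwcrypto_state is set by the caller; FORBIDDEN leaves HWCRYPTO_ALLOWED clear in reset_common_data() */`, and confirm the driver iterates over FORBIDDEN. The `else` arm expects `allow_hwcrypto == 1` for every non-FORBIDDEN state, which is worth stating in the same comment. The function starts and ends outside the hunk.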