vboot/secdata: rewrite rollback_index and centralize reads/writes

In current kernel verification code, secdata reads and writes
are spread throughout the code.  vboot2's design is to use
vb2_context.secdata_* for storing the state of secdata spaces,
and have the caller (depthcharge) read/save this field when
necessary.

Centralize secdata reads/writes into the functions of
secdata_tpm.c, previously known as rollback_index.c.
Functions which directly read/write to the TPM space are modified
to use vb2_secdata_*_get and vb2_secdata_*_set.

The secure spaces get read/flushed by functions in
vboot_api_kernel.c.  These calls and the underlying functions
from secdata_tpm.c will eventually be relocated to depthcharge.

Create a new external function vb2ex_commit_data, which commits
any modified nvdata/secdata.  Currently the depthcharge
implementation of this function only writes nvdata, but once
secdata TPM drivers have been migrated from vboot_reference to
depthcharge, it will also commit these data spaces.

This CL also removes the VbExNvStorageRead call from
vb2_kernel_setup, and the data is instead read in depthcharge
CL:1819379, right before calling VbSelectAndLoadKernel.

As such, both the VbExNvStorageRead and VbExNvStorageWrite
functions may be removed.

Finally, create a vb2_secdata_kernel_lock function, which should
be used right before attempting to leave vboot (by booting an OS
or chainloading to another firmware).  This should eventually be
exposed as a vb2ex_ API function and relocated to depthcharge.

BUG=b:124141368, chromium:972956, chromium:1006689
TEST=make clean && make runtests
BRANCH=none

Change-Id: Ifbfb21122af0bf85e22a6d3a0d48a1db7f7c25b7
Signed-off-by: Joel Kitching <kitching@google.com>
Cq-Depend: chromium:1819380, chromium:1939168
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1728298
Tested-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Commit-Queue: Joel Kitching <kitching@chromium.org>

8 files changed, 445 insertions, 366 deletions

diff --git a/tests/secdata_tpm_tests.c b/tests/secdata_tpm_tests.c
index dd28e62a..32285ded 100644
--- a/tests/secdata_tpm_tests.c
+++ b/tests/secdata_tpm_tests.c
@@ -2,24 +2,16 @@
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  *
- * Tests for secdata_tpm functions
+ * Tests for TPM secure data space functions
  */
 
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "2crc8.h"
+#include "2api.h"
+#include "2secdata.h"
 #include "secdata_tpm.h"
 #include "test_common.h"
 #include "tlcl.h"
-
-_Static_assert(ROLLBACK_SPACE_FIRMWARE_VERSION > 0,
-	       "ROLLBACK_SPACE_FIRMWARE_VERSION must be greater than 0");
-
-_Static_assert(ROLLBACK_SPACE_KERNEL_VERSION > 0,
-	       "ROLLBACK_SPACE_KERNEL_VERSION must be greater than 0");
+#include "tss_constants.h"
+#include "vboot_test.h"
 
 /*
  * Buffer to hold accumulated list of calls to mocked Tlcl functions.
@@ -45,59 +37,85 @@ static char *mock_cnext = mock_calls;
 static int mock_count = 0;
 static int fail_at_count = 0;
 static uint32_t fail_with_error = TPM_SUCCESS;
+static int mock_bad_crc = 0;
 
 /* Params / backing store for mocked Tlcl functions. */
 static TPM_PERMANENT_FLAGS mock_pflags;
-static RollbackSpaceFirmware mock_rsf;
-static RollbackSpaceKernel mock_rsk;
-
-static union {
-	struct RollbackSpaceFwmp fwmp;
-	uint8_t buf[FWMP_NV_MAX_SIZE];
-} mock_fwmp;
-
+static uint8_t mock_rsf[VB2_SECDATA_FIRMWARE_SIZE];
+static uint8_t mock_rsk[VB2_SECDATA_KERNEL_SIZE];
+static uint8_t mock_fwmp[VB2_SECDATA_FWMP_MAX_SIZE];
+static uint32_t mock_fwmp_real_size;
 static uint32_t mock_permissions;
 
-/* Recalculate CRC of FWMP data */
-static void RecalcFwmpCrc(void)
-{
-	mock_fwmp.fwmp.crc = vb2_crc8(mock_fwmp.buf + 2,
-				  mock_fwmp.fwmp.struct_size - 2);
-}
+static uint8_t workbuf[VB2_FIRMWARE_WORKBUF_RECOMMENDED_SIZE]
+	__attribute__ ((aligned (VB2_WORKBUF_ALIGN)));
+static struct vb2_context *ctx;
 
 /* Reset the variables for the Tlcl mock functions. */
-static void ResetMocks(int fail_on_call, uint32_t fail_with_err)
+static void reset_common_data(int fail_on_call, uint32_t fail_with_err)
 {
 	*mock_calls = 0;
 	mock_cnext = mock_calls;
 	mock_count = 0;
 	fail_at_count = fail_on_call;
 	fail_with_error = fail_with_err;
+	mock_bad_crc = 0;
 
 	memset(&mock_pflags, 0, sizeof(mock_pflags));
 
-	memset(&mock_rsf, 0, sizeof(mock_rsf));
-	mock_rsf.struct_version = ROLLBACK_SPACE_FIRMWARE_VERSION;
-	mock_rsf.crc8 = vb2_crc8(&mock_rsf,
-				 offsetof(RollbackSpaceFirmware, crc8));
+	/* Use value other than 0 for memcmp() checks */
+	memset(&mock_rsf, 0xa6, sizeof(mock_rsf));
+	memset(&mock_rsk, 0xa7, sizeof(mock_rsk));
+	memset(&mock_fwmp, 0xa8, sizeof(mock_fwmp));
 
-	memset(&mock_rsk, 0, sizeof(mock_rsk));
-	mock_rsk.uid = ROLLBACK_SPACE_KERNEL_UID;
-	mock_rsk.struct_version = ROLLBACK_SPACE_KERNEL_VERSION;
-	mock_rsk.kernel_versions = 0x87654321;
-	mock_rsk.crc8 = vb2_crc8(&mock_rsk,
-				 offsetof(RollbackSpaceKernel, crc8));
+	mock_fwmp_real_size = VB2_SECDATA_FWMP_MIN_SIZE;
 
+	/* Note: only used when TPM2_MODE is disabled. */
+#ifndef TPM2_MODE
 	mock_permissions = TPM_NV_PER_PPWRITE;
+#else
+	mock_permissions = 0;
+#endif
+
+	secdata_kernel_locked = 0;
+
+	TEST_SUCC(vb2api_init(workbuf, sizeof(workbuf), &ctx),
+		  "vb2api_init failed");
+
+	ctx->flags |= VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED;
+	ctx->flags |= VB2_CONTEXT_SECDATA_KERNEL_CHANGED;
+	ctx->flags |= VB2_CONTEXT_RECOVERY_MODE;
+}
+
+/* Mock functions */
+
+vb2_error_t vb2api_secdata_firmware_check(struct vb2_context *c)
+{
+	if (mock_bad_crc)
+		return VB2_ERROR_SECDATA_FIRMWARE_CRC;
+
+	return VB2_SUCCESS;
+}
 
-	memset(mock_fwmp.buf, 0, sizeof(mock_fwmp.buf));
-	mock_fwmp.fwmp.struct_size = sizeof(mock_fwmp.fwmp);
-	mock_fwmp.fwmp.struct_version = ROLLBACK_SPACE_FWMP_VERSION;
-	mock_fwmp.fwmp.flags = 0x1234;
-	/* Put some data in the hash */
-	mock_fwmp.fwmp.dev_key_hash[0] = 0xaa;
-	mock_fwmp.fwmp.dev_key_hash[FWMP_HASH_SIZE - 1] = 0xbb;
-	RecalcFwmpCrc();
+vb2_error_t vb2api_secdata_kernel_check(struct vb2_context *c)
+{
+	if (mock_bad_crc)
+		return VB2_ERROR_SECDATA_FIRMWARE_CRC;
+
+	return VB2_SUCCESS;
+}
+
+vb2_error_t vb2api_secdata_fwmp_check(struct vb2_context *c, uint8_t *size)
+{
+	if (*size < mock_fwmp_real_size) {
+		*size = mock_fwmp_real_size;
+		return VB2_ERROR_SECDATA_FWMP_INCOMPLETE;
+	}
+
+	if (mock_bad_crc)
+		return VB2_ERROR_SECDATA_FIRMWARE_CRC;
+
+	return VB2_SUCCESS;
 }
 
 /****************************************************************************/
@@ -212,26 +230,12 @@ uint32_t TlclAssertPhysicalPresence(void)
 	return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS;
 }
 
-uint32_t TlclFinalizePhysicalPresence(void)
-{
-	mock_cnext += sprintf(mock_cnext, "TlclFinalizePhysicalPresence()\n");
-	mock_pflags.physicalPresenceLifetimeLock = 1;
-	return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS;
-}
-
 uint32_t TlclPhysicalPresenceCMDEnable(void)
 {
 	mock_cnext += sprintf(mock_cnext, "TlclPhysicalPresenceCMDEnable()\n");
 	return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS;
 }
 
-uint32_t TlclSetNvLocked(void)
-{
-	mock_cnext += sprintf(mock_cnext, "TlclSetNvLocked()\n");
-	mock_pflags.nvLocked = 1;
-	return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS;
-}
-
 uint32_t TlclSetGlobalLock(void)
 {
 	mock_cnext += sprintf(mock_cnext, "TlclSetGlobalLock()\n");
@@ -244,6 +248,7 @@ uint32_t TlclLockPhysicalPresence(void)
 	return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS;
 }
 
+#ifndef TPM2_MODE
 uint32_t TlclGetPermissions(uint32_t index, uint32_t* permissions)
 {
 	mock_cnext += sprintf(mock_cnext, "TlclGetPermissions(%#x)\n", index);
@@ -251,297 +256,332 @@ uint32_t TlclGetPermissions(uint32_t index, uint32_t* permissions)
 	return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS;
 }
 
-/****************************************************************************/
-/* Tests for CRC errors  */
-
-static void FirmwareSpaceTest(void)
+uint32_t TlclFinalizePhysicalPresence(void)
 {
-	RollbackSpaceFirmware rsf;
-
-	/* Old version, valid CRC */
-	ResetMocks(0, 0);
-	mock_rsf.struct_version -= 1;
-	mock_rsf.crc8 = vb2_crc8(&mock_rsf,
-				 offsetof(RollbackSpaceFirmware, crc8));
-	TEST_EQ(ReadSpaceFirmware(&rsf), TPM_E_STRUCT_VERSION,
-		"ReadSpaceFirmware(), old version");
-	TEST_STR_EQ(mock_calls,
-		    "TlclRead(0x1007, 10)\n",
-		    "tlcl calls");
-
-	/* Current version, bad CRC */
-	ResetMocks(0, 0);
-	mock_rsf.crc8 = 0;
-	TEST_EQ(ReadSpaceFirmware(&rsf), TPM_E_CORRUPTED_STATE,
-		"ReadSpaceFirmware(), bad CRC");
-	TEST_STR_EQ(mock_calls,
-		    "TlclRead(0x1007, 10)\n",
-		    "tlcl calls");
-
-	/* Current version, valid CRC */
-	ResetMocks(0, 0);
-	TEST_EQ(ReadSpaceFirmware(&rsf), 0,
-		"ReadSpaceFirmware(), successful read");
-	TEST_STR_EQ(mock_calls,
-		    "TlclRead(0x1007, 10)\n",
-		    "tlcl calls");
+	mock_cnext += sprintf(mock_cnext, "TlclFinalizePhysicalPresence()\n");
+	mock_pflags.physicalPresenceLifetimeLock = 1;
+	return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS;
 }
 
-static void KernelSpaceTest(void)
+uint32_t TlclSetNvLocked(void)
 {
-	RollbackSpaceKernel rsk;
-
-	/* Current version, bad perms, valid CRC, valid UID */
-	ResetMocks(0, 0);
-	mock_permissions = 0;
-	TEST_EQ(ReadSpaceKernel(&rsk), TPM_E_CORRUPTED_STATE,
-		"ReadSpaceKernel(), bad permissions");
-	TEST_STR_EQ(mock_calls,
-		    "TlclGetPermissions(0x1008)\n",
-		    "tlcl calls");
-
-	/* Old version, good perms, valid CRC, valid UID */
-	ResetMocks(0, 0);
-	mock_rsk.struct_version -= 1;
-	mock_rsk.crc8 = vb2_crc8(&mock_rsk,
-				 offsetof(RollbackSpaceKernel, crc8));
-	TEST_EQ(ReadSpaceKernel(&rsk), TPM_E_STRUCT_VERSION,
-		"ReadSpaceKernel(), old version");
-	TEST_STR_EQ(mock_calls,
-		    "TlclGetPermissions(0x1008)\n"
-		    "TlclRead(0x1008, 13)\n",
-		    "tlcl calls");
-
-	/* Current version, good perms, bad CRC, valid UID */
-	ResetMocks(0, 0);
-	mock_rsk.crc8 = 0;
-	TEST_EQ(ReadSpaceKernel(&rsk), TPM_E_CORRUPTED_STATE,
-		"ReadSpaceKernel(), bad CRC");
-	TEST_STR_EQ(mock_calls,
-		    "TlclGetPermissions(0x1008)\n"
-		    "TlclRead(0x1008, 13)\n",
-		    "tlcl calls");
-
-	/* Current version, good perms, valid CRC, bad UID */
-	ResetMocks(0, 0);
-	mock_rsk.uid = 0;
-	mock_rsk.crc8 = vb2_crc8(&mock_rsk,
-				 offsetof(RollbackSpaceKernel, crc8));
-	TEST_EQ(ReadSpaceKernel(&rsk), TPM_E_CORRUPTED_STATE,
-		"ReadSpaceKernel(), bad UID");
-	TEST_STR_EQ(mock_calls,
-		    "TlclGetPermissions(0x1008)\n"
-		    "TlclRead(0x1008, 13)\n",
-		    "tlcl calls");
-
-	/* Current version, good perms, valid CRC, valid UID */
-	ResetMocks(0, 0);
-	TEST_EQ(ReadSpaceKernel(&rsk), 0,
-		"ReadSpaceKernel(), successful read");
-	TEST_STR_EQ(mock_calls,
-		    "TlclGetPermissions(0x1008)\n"
-		    "TlclRead(0x1008, 13)\n",
-		    "tlcl calls");
+	mock_cnext += sprintf(mock_cnext, "TlclSetNvLocked()\n");
+	mock_pflags.nvLocked = 1;
+	return (++mock_count == fail_at_count) ? fail_with_error : TPM_SUCCESS;
 }
+#endif
 
 /****************************************************************************/
 /* Tests for misc helper functions */
 
-static void MiscTest(void)
+static void misc_tests(void)
 {
 	uint8_t buf[8];
 
-	ResetMocks(0, 0);
-	TEST_EQ(TPMClearAndReenable(), 0, "TPMClearAndReenable()");
+	reset_common_data(0, 0);
+	TEST_EQ(tlcl_clear_and_reenable(), 0, "tlcl_clear_and_enable()");
 	TEST_STR_EQ(mock_calls,
 		    "TlclForceClear()\n"
 		    "TlclSetEnable()\n"
 		    "TlclSetDeactivated(0)\n",
-		    "tlcl calls");
+		    "  tlcl calls");
 
-	ResetMocks(0, 0);
-	TEST_EQ(SafeWrite(0x123, buf, 8), 0, "SafeWrite()");
+	reset_common_data(0, 0);
+	TEST_EQ(tlcl_safe_write(0x123, buf, 8), 0, "tlcl_safe_write()");
 	TEST_STR_EQ(mock_calls,
 		    "TlclWrite(0x123, 8)\n",
-		    "tlcl calls");
+		    "  tlcl calls");
 
-	ResetMocks(1, TPM_E_BADINDEX);
-	TEST_EQ(SafeWrite(0x123, buf, 8), TPM_E_BADINDEX, "SafeWrite() bad");
+	reset_common_data(1, TPM_E_BADINDEX);
+	TEST_EQ(tlcl_safe_write(0x123, buf, 8), TPM_E_BADINDEX,
+		"tlcl_safe_write() bad");
 	TEST_STR_EQ(mock_calls,
 		    "TlclWrite(0x123, 8)\n",
-		    "tlcl calls");
+		    "  tlcl calls");
 
-	ResetMocks(1, TPM_E_MAXNVWRITES);
-	TEST_EQ(SafeWrite(0x123, buf, 8), 0, "SafeWrite() retry max writes");
+	reset_common_data(1, TPM_E_MAXNVWRITES);
+	TEST_EQ(tlcl_safe_write(0x123, buf, 8), 0,
+		"tlcl_safe_write() retry max writes");
 	TEST_STR_EQ(mock_calls,
 		    "TlclWrite(0x123, 8)\n"
 		    "TlclForceClear()\n"
 		    "TlclSetEnable()\n"
 		    "TlclSetDeactivated(0)\n"
 		    "TlclWrite(0x123, 8)\n",
-		    "tlcl calls");
+		    "  tlcl calls");
 }
 
 /****************************************************************************/
-/* Tests for RollbackKernel() calls */
+/* Tests for firmware space functions */
 
-static void RollbackKernelTest(void)
+static void secdata_firmware_tests(void)
 {
-	uint32_t version = 0;
+	/* Write with no new changes */
+	reset_common_data(0, 0);
+	ctx->flags &= ~VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED;
+	TEST_SUCC(secdata_firmware_write(ctx),
+		  "secdata_firmware_write(), no changes, success");
+	TEST_STR_EQ(mock_calls,
+		    "",
+		    "  tlcl calls");
 
-	/* Normal read */
-	ResetMocks(0, 0);
-	TEST_EQ(RollbackKernelRead(&version), 0, "RollbackKernelRead()");
+	/* Write failure */
+	reset_common_data(1, TPM_E_IOERROR);
+	TEST_EQ(secdata_firmware_write(ctx), TPM_E_IOERROR,
+		"secdata_firmware_write(), failure");
 	TEST_STR_EQ(mock_calls,
-		    "TlclGetPermissions(0x1008)\n"
+		    "TlclWrite(0x1007, 10)\n",
+		    "  tlcl calls");
+	TEST_NEQ(ctx->flags & VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED, 0,
+		 "  should leave SECDATA_FIRMWARE_CHANGED context flag");
+
+	/* Write in normal mode */
+	reset_common_data(0, 0);
+	ctx->flags &= ~VB2_CONTEXT_RECOVERY_MODE;
+	TEST_EQ(secdata_firmware_write(ctx), TPM_E_AREA_LOCKED,
+		"secdata_firmware_write(), normal mode, failure");
+	TEST_STR_EQ(mock_calls,
+		    "",
+		    "  tlcl calls");
+	TEST_NEQ(ctx->flags & VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED, 0,
+		 "  should leave SECDATA_FIRMWARE_CHANGED context flag");
+
+	/* Write success and readback */
+	reset_common_data(0, 0);
+	memset(ctx->secdata_firmware, 0xaa, sizeof(ctx->secdata_firmware));
+	TEST_SUCC(secdata_firmware_write(ctx),
+		  "secdata_firmware_write(), success");
+	TEST_STR_EQ(mock_calls,
+		    "TlclWrite(0x1007, 10)\n",
+		    "  tlcl calls");
+	memset(ctx->secdata_firmware, 0xaa, sizeof(ctx->secdata_firmware));
+	TEST_EQ(memcmp(ctx->secdata_firmware, &mock_rsf,
+		       sizeof(ctx->secdata_firmware)), 0,
+		"  unchanged on readback");
+	TEST_EQ(ctx->flags & VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED, 0,
+		"  should reset SECDATA_FIRMWARE_CHANGED context flag");
+}
+
+/****************************************************************************/
+/* Tests for kernel space functions */
+
+static void secdata_kernel_tests(void)
+{
+	/* Not present is an error */
+	reset_common_data(1, TPM_E_BADINDEX);
+	TEST_EQ(secdata_kernel_read(ctx), TPM_E_BADINDEX,
+		"secdata_kernel_read(), not present");
+	TEST_STR_EQ(mock_calls,
+#ifndef TPM2_MODE
+		    "TlclGetPermissions(0x1008)\n",
+#else
 		    "TlclRead(0x1008, 13)\n",
-		    "tlcl calls");
-	TEST_EQ(version, 0x87654321, "RollbackKernelRead() version");
+#endif
+		    "  tlcl calls");
 
-	/* Read error */
-	ResetMocks(1, TPM_E_IOERROR);
-	TEST_EQ(RollbackKernelRead(&version), TPM_E_IOERROR,
-		"RollbackKernelRead() error");
-
-	/* Wrong permission or UID will return error */
-	ResetMocks(0, 0);
-	mock_rsk.uid = 0;
-	mock_rsk.crc8 = vb2_crc8(&mock_rsk,
-				 offsetof(RollbackSpaceKernel, crc8));
-	TEST_EQ(RollbackKernelRead(&version), TPM_E_CORRUPTED_STATE,
-		"RollbackKernelRead() bad uid");
-
-	ResetMocks(0, 0);
+#ifndef TPM2_MODE
+	/* Bad permissions */
+	reset_common_data(0, 0);
 	mock_permissions = 0;
-	TEST_EQ(RollbackKernelRead(&version), TPM_E_CORRUPTED_STATE,
-		"RollbackKernelRead() bad permissions");
-
-	/* Test write */
-	ResetMocks(0, 0);
-	TEST_EQ(RollbackKernelWrite(0xBEAD4321), 0, "RollbackKernelWrite()");
-	TEST_EQ(mock_rsk.kernel_versions, 0xBEAD4321,
-		"RollbackKernelWrite() version");
+	TEST_EQ(secdata_kernel_read(ctx), TPM_E_CORRUPTED_STATE,
+		"secdata_kernel_read(), bad permissions");
+	TEST_STR_EQ(mock_calls,
+		    "TlclGetPermissions(0x1008)\n",
+		    "  tlcl calls");
+#endif
+
+	/* Good permissions, read failure */
+#ifndef TPM2_MODE
+	int read_failure_on_call = 2;
+#else
+	int read_failure_on_call = 1;
+#endif
+	reset_common_data(read_failure_on_call, TPM_E_IOERROR);
+	TEST_EQ(secdata_kernel_read(ctx), TPM_E_IOERROR,
+		"secdata_kernel_read(), good permissions, failure");
 	TEST_STR_EQ(mock_calls,
+#ifndef TPM2_MODE
 		    "TlclGetPermissions(0x1008)\n"
-		    "TlclRead(0x1008, 13)\n"
-		    "TlclWrite(0x1008, 13)\n",
-		    "tlcl calls");
+#endif
+		    "TlclRead(0x1008, 13)\n",
+		    "  tlcl calls");
+
+	/* Good permissions, read success, bad CRC */
+	reset_common_data(0, 0);
+	mock_bad_crc = 1;
+	TEST_EQ(secdata_kernel_read(ctx), TPM_E_CORRUPTED_STATE,
+		"secdata_kernel_read(), read success, bad CRC");
+	TEST_STR_EQ(mock_calls,
+#ifndef TPM2_MODE
+		    "TlclGetPermissions(0x1008)\n"
+#endif
+		    "TlclRead(0x1008, 13)\n",
+		    "  tlcl calls");
 
-	ResetMocks(1, TPM_E_IOERROR);
-	TEST_EQ(RollbackKernelWrite(123), TPM_E_IOERROR,
-		"RollbackKernelWrite() error");
+	/* Good permissions, read success */
+	reset_common_data(0, 0);
+	TEST_SUCC(secdata_kernel_read(ctx),
+		  "secdata_kernel_read(), good permissions, success");
+	TEST_STR_EQ(mock_calls,
+#ifndef TPM2_MODE
+		    "TlclGetPermissions(0x1008)\n"
+#endif
+		    "TlclRead(0x1008, 13)\n",
+		    "  tlcl calls");
+	TEST_EQ(memcmp(ctx->secdata_kernel, &mock_rsk,
+		       sizeof(ctx->secdata_kernel)), 0, "  data");
+
+	/* Write with no new changes */
+	reset_common_data(0, 0);
+	ctx->flags &= ~VB2_CONTEXT_SECDATA_KERNEL_CHANGED;
+	TEST_SUCC(secdata_kernel_write(ctx),
+		  "secdata_kernel_write(), no changes, success");
+	TEST_STR_EQ(mock_calls,
+		    "",
+		    "  tlcl calls");
 
-	/* Test lock (recovery off) */
-	ResetMocks(1, TPM_E_IOERROR);
-	TEST_EQ(RollbackKernelLock(0), TPM_E_IOERROR,
-		"RollbackKernelLock() error");
+	/* Write failure */
+	reset_common_data(1, TPM_E_IOERROR);
+	TEST_EQ(secdata_kernel_write(ctx), TPM_E_IOERROR,
+		"secdata_kernel_write(), failure");
+	TEST_STR_EQ(mock_calls,
+		    "TlclWrite(0x1008, 13)\n",
+		    "  tlcl calls");
+	TEST_NEQ(ctx->flags & VB2_CONTEXT_SECDATA_KERNEL_CHANGED, 0,
+		 "  should leave SECDATA_KERNEL_CHANGED context flag");
+
+	/* Write success and readback */
+	reset_common_data(0, 0);
+	memset(ctx->secdata_kernel, 0xaa, sizeof(ctx->secdata_kernel));
+	TEST_SUCC(secdata_kernel_write(ctx),
+		  "secdata_kernel_write(), failure");
+	TEST_STR_EQ(mock_calls,
+		    "TlclWrite(0x1008, 13)\n",
+		    "  tlcl calls");
+	memset(ctx->secdata_kernel, 0xaa, sizeof(ctx->secdata_kernel));
+	TEST_EQ(memcmp(ctx->secdata_kernel, &mock_rsk,
+		       sizeof(ctx->secdata_kernel)), 0,
+		"  unchanged on readback");
+	TEST_EQ(ctx->flags & VB2_CONTEXT_SECDATA_KERNEL_CHANGED, 0,
+		"  should reset SECDATA_KERNEL_CHANGED context flag");
+
+	/* Lock in normal mode with failure */
+	reset_common_data(1, TPM_E_AREA_LOCKED);
+	TEST_EQ(secdata_kernel_lock(ctx), TPM_E_AREA_LOCKED,
+		"secdata_kernel_lock(), lock failure");
+	TEST_STR_EQ(mock_calls,
+		    "TlclLockPhysicalPresence()\n",
+		    "  tlcl calls");
 
-	/* Test lock with recovery on; shouldn't lock PP */
-	ResetMocks(0, 0);
-	TEST_EQ(RollbackKernelLock(1), 0, "RollbackKernelLock() in recovery");
-	TEST_STR_EQ(mock_calls, "", "no tlcl calls");
+	/* Lock in normal mode */
+	reset_common_data(0, 0);
+	TEST_SUCC(secdata_kernel_lock(ctx),
+		  "secdata_kernel_lock(), success (locked)");
+	TEST_STR_EQ(mock_calls,
+		    "TlclLockPhysicalPresence()\n",
+		    "  tlcl calls");
 
-	ResetMocks(0, 0);
-	TEST_EQ(RollbackKernelLock(0), 0, "RollbackKernelLock()");
+	/* Lock after already locked (only one TlclLockPhysicalPresence). */
+	reset_common_data(0, 0);
+	TEST_SUCC(secdata_kernel_lock(ctx),
+		  "secdata_kernel_lock(), lock first run");
+	TEST_SUCC(secdata_kernel_lock(ctx),
+		  "secdata_kernel_lock(), already locked");
 	TEST_STR_EQ(mock_calls,
 		    "TlclLockPhysicalPresence()\n",
-		    "tlcl calls");
+		    "  tlcl calls");
 }
 
 /****************************************************************************/
-/* Tests for RollbackFwmpRead() calls */
+/* Tests for fwmp space functions */
 
-static void RollbackFwmpTest(void)
+static void secdata_fwmp_tests(void)
 {
-	struct RollbackSpaceFwmp fwmp;
-	struct RollbackSpaceFwmp fwmp_zero = {0};
+	/* Read failure */
+	reset_common_data(1, TPM_E_IOERROR);
+	TEST_EQ(secdata_fwmp_read(ctx), TPM_E_IOERROR,
+		"secdata_fwmp_read(), failure");
+	TEST_STR_EQ(mock_calls,
+		    "TlclRead(0x100a, 40)\n",
+		    "  tlcl calls");
+	TEST_EQ(ctx->flags & VB2_CONTEXT_NO_SECDATA_FWMP, 0,
+		"  should leave NO_SECDATA_FWMP context flag");
+
+	/* Normal read, bad CRC */
+	reset_common_data(0, 0);
+	mock_bad_crc = 1;
+	TEST_EQ(secdata_fwmp_read(ctx), TPM_E_CORRUPTED_STATE,
+		"secdata_fwmp_read(), success, bad CRC");
+	TEST_STR_EQ(mock_calls,
+		    "TlclRead(0x100a, 40)\n",
+		    "  tlcl calls");
+	TEST_EQ(ctx->flags & VB2_CONTEXT_NO_SECDATA_FWMP, 0,
+		"  should leave NO_SECDATA_FWMP context flag");
 
 	/* Normal read */
-	ResetMocks(0, 0);
-	TEST_EQ(RollbackFwmpRead(&fwmp), 0, "RollbackFwmpRead()");
+	reset_common_data(0, 0);
+	TEST_SUCC(secdata_fwmp_read(ctx),
+		  "secdata_fwmp_read(), success");
 	TEST_STR_EQ(mock_calls,
 		    "TlclRead(0x100a, 40)\n",
 		    "  tlcl calls");
-	TEST_EQ(0, memcmp(&fwmp, &mock_fwmp, sizeof(fwmp)), "  data");
+	TEST_EQ(memcmp(ctx->secdata_fwmp, &mock_fwmp,
+		       mock_fwmp_real_size), 0, "  data");
+	TEST_EQ(ctx->flags & VB2_CONTEXT_NO_SECDATA_FWMP, 0,
+		"  should leave NO_SECDATA_FWMP context flag");
 
 	/* Read error */
-	ResetMocks(1, TPM_E_IOERROR);
-	TEST_EQ(RollbackFwmpRead(&fwmp), TPM_E_IOERROR,
-		"RollbackFwmpRead() error");
+	reset_common_data(1, TPM_E_IOERROR);
+	TEST_EQ(secdata_fwmp_read(ctx), TPM_E_IOERROR,
+		"secdata_fwmp_read(), error");
 	TEST_STR_EQ(mock_calls,
 		    "TlclRead(0x100a, 40)\n",
 		    "  tlcl calls");
-	TEST_EQ(0, memcmp(&fwmp, &fwmp_zero, sizeof(fwmp)), "  data clear");
+	TEST_EQ(ctx->flags & VB2_CONTEXT_NO_SECDATA_FWMP, 0,
+		"  should leave NO_SECDATA_FWMP context flag");
 
-	/* Not present isn't an error; just returns empty data */
-	ResetMocks(1, TPM_E_BADINDEX);
-	TEST_EQ(RollbackFwmpRead(&fwmp), 0, "RollbackFwmpRead() not present");
+	/* Not present isn't an error; just sets context flag */
+	reset_common_data(1, TPM_E_BADINDEX);
+	TEST_SUCC(secdata_fwmp_read(ctx), "secdata_fwmp_read(), not present");
 	TEST_STR_EQ(mock_calls,
 		    "TlclRead(0x100a, 40)\n",
 		    "  tlcl calls");
-	TEST_EQ(0, memcmp(&fwmp, &fwmp_zero, sizeof(fwmp)), "  data clear");
-
-	/* Struct size too small */
-	ResetMocks(0, 0);
-	mock_fwmp.fwmp.struct_size--;
-	TEST_EQ(RollbackFwmpRead(&fwmp), TPM_E_STRUCT_SIZE,
-		"RollbackFwmpRead() too small");
-
-	/* Struct size too large with good CRC */
-	ResetMocks(0, 0);
-	mock_fwmp.fwmp.struct_size += 4;
-	RecalcFwmpCrc();
-	TEST_EQ(RollbackFwmpRead(&fwmp), 0, "RollbackFwmpRead() bigger");
+	TEST_NEQ(ctx->flags & VB2_CONTEXT_NO_SECDATA_FWMP, 0,
+		 "  should set NO_SECDATA_FWMP context flag");
+
+	/* Struct size too large, then bad CRC */
+	reset_common_data(0, 0);
+	mock_fwmp_real_size += 4;
+	mock_bad_crc = 1;
+	TEST_EQ(secdata_fwmp_read(ctx), TPM_E_CORRUPTED_STATE,
+		  "secdata_fwmp_read(), bigger, bad CRC");
 	TEST_STR_EQ(mock_calls,
 		    "TlclRead(0x100a, 40)\n"
 		    "TlclRead(0x100a, 44)\n",
 		    "  tlcl calls");
-	TEST_EQ(0, memcmp(&fwmp, &mock_fwmp, sizeof(fwmp)), "  data");
-
-	/* Bad CRC causes retry, then eventual failure */
-	ResetMocks(0, 0);
-	mock_fwmp.fwmp.crc++;
-	TEST_EQ(RollbackFwmpRead(&fwmp), TPM_E_CORRUPTED_STATE,
-		"RollbackFwmpRead() crc");
-	TEST_STR_EQ(mock_calls,
-		    "TlclRead(0x100a, 40)\n",
-		    "  tlcl calls");
+	TEST_EQ(ctx->flags & VB2_CONTEXT_NO_SECDATA_FWMP, 0,
+		"  should leave NO_SECDATA_FWMP context flag");
 
-	/* Struct size too large with bad CRC */
-	ResetMocks(0, 0);
-	mock_fwmp.fwmp.struct_size += 4;
-	RecalcFwmpCrc();
-	mock_fwmp.fwmp.crc++;
-	TEST_EQ(RollbackFwmpRead(&fwmp), TPM_E_CORRUPTED_STATE,
-		"RollbackFwmpRead() bigger crc");
+	/* Struct size too large */
+	reset_common_data(0, 0);
+	mock_fwmp_real_size += 4;
+	TEST_SUCC(secdata_fwmp_read(ctx), "secdata_fwmp_read(), bigger");
 	TEST_STR_EQ(mock_calls,
 		    "TlclRead(0x100a, 40)\n"
 		    "TlclRead(0x100a, 44)\n",
 		    "  tlcl calls");
-	TEST_EQ(0, memcmp(&fwmp, &fwmp_zero, sizeof(fwmp)), "  data");
-
-	/* Minor version difference ok */
-	ResetMocks(0, 0);
-	mock_fwmp.fwmp.struct_version++;
-	RecalcFwmpCrc();
-	TEST_EQ(RollbackFwmpRead(&fwmp), 0, "RollbackFwmpRead() minor version");
-	TEST_EQ(0, memcmp(&fwmp, &mock_fwmp, sizeof(fwmp)), "  data");
-
-	/* Major version difference not ok */
-	ResetMocks(0, 0);
-	mock_fwmp.fwmp.struct_version += 0x10;
-	RecalcFwmpCrc();
-	TEST_EQ(RollbackFwmpRead(&fwmp), TPM_E_STRUCT_VERSION,
-		"RollbackFwmpRead() major version");
+	TEST_EQ(memcmp(ctx->secdata_fwmp, &mock_fwmp,
+		       mock_fwmp_real_size), 0, "  data");
+	TEST_EQ(ctx->flags & VB2_CONTEXT_NO_SECDATA_FWMP, 0,
+		"  should leave NO_SECDATA_FWMP context flag");
 }
 
 int main(int argc, char* argv[])
 {
-	FirmwareSpaceTest();
-	KernelSpaceTest();
-	MiscTest();
-	RollbackKernelTest();
-	RollbackFwmpTest();
+	misc_tests();
+	secdata_firmware_tests();
+	secdata_kernel_tests();
+	secdata_fwmp_tests();
 
 	return gTestSuccess ? 0 : 255;
 }
diff --git a/tests/test_common.h b/tests/test_common.h
index 17689b71..e0d8ef3b 100644
--- a/tests/test_common.h
+++ b/tests/test_common.h
@@ -109,7 +109,7 @@ int test_false(int result,
 		   #result " == false", \
 		   comment)
 
-/* Return 1 if result is 0 (VB_ERROR_SUCCESS / VB2_SUCCESS), else return 0.
+/* Return 1 if result is 0 (VB2_SUCCESS or other), else return 0.
  * Also update the global gTestSuccess flag if test fails. */
 int test_succ(int result,
 	      const char *preamble, const char *desc, const char *comment);
diff --git a/tests/vboot_api_devmode_tests.c b/tests/vboot_api_devmode_tests.c
index 6cbcedec..36983d1f 100644
--- a/tests/vboot_api_devmode_tests.c
+++ b/tests/vboot_api_devmode_tests.c
@@ -122,6 +122,9 @@ static void ResetMocks(void)
 	sd = vb2_get_sd(ctx);
 	sd->vbsd = shared;
 
+	ctx->flags |= VB2_CONTEXT_NO_SECDATA_FWMP;
+	sd->status |= VB2_SD_STATUS_SECDATA_FWMP_INIT;
+
 	memset(&gbb, 0, sizeof(gbb));
 
 	memset(&shared_data, 0, sizeof(shared_data));
@@ -149,12 +152,7 @@ struct vb2_gbb_header *vb2_get_gbb(struct vb2_context *c)
 	return &gbb;
 }
 
-vb2_error_t VbExNvStorageRead(uint8_t* buf)
-{
-	return VB2_SUCCESS;
-}
-
-vb2_error_t VbExNvStorageWrite(const uint8_t* buf)
+vb2_error_t vb2_commit_data(struct vb2_context *c)
 {
 	return VB2_SUCCESS;
 }
diff --git a/tests/vboot_api_kernel2_tests.c b/tests/vboot_api_kernel2_tests.c
index 50ee0752..6d8946ee 100644
--- a/tests/vboot_api_kernel2_tests.c
+++ b/tests/vboot_api_kernel2_tests.c
@@ -9,6 +9,7 @@
 #include "2misc.h"
 #include "2nvstorage.h"
 #include "2secdata.h"
+#include "2secdata_struct.h"
 #include "host_common.h"
 #include "load_kernel_fw.h"
 #include "secdata_tpm.h"
@@ -30,6 +31,7 @@ static uint8_t workbuf[VB2_KERNEL_WORKBUF_RECOMMENDED_SIZE]
 static struct vb2_context *ctx;
 static struct vb2_shared_data *sd;
 static struct vb2_gbb_header gbb;
+static struct vb2_secdata_fwmp *fwmp;
 
 static int audio_looping_calls_left;
 static uint32_t vbtlk_retval;
@@ -82,7 +84,6 @@ static void MockGpioAfter(uint32_t ticks, uint32_t gpio_flags)
 static void ResetMocks(void)
 {
 	vb2_init_ui();
-	memset(VbApiKernelGetFwmp(), 0, sizeof(struct RollbackSpaceFwmp));
 
 	memset(&shared_data, 0, sizeof(shared_data));
 	VbSharedDataInit(shared, sizeof(shared_data));
@@ -97,6 +98,10 @@ static void ResetMocks(void)
 	sd->vbsd = shared;
 	sd->flags |= VB2_SD_FLAG_DISPLAY_AVAILABLE;
 
+	/* CRC will be invalid after here, but nobody's checking */
+	sd->status |= VB2_SD_STATUS_SECDATA_FWMP_INIT;
+	fwmp = (struct vb2_secdata_fwmp *)ctx->secdata_fwmp;
+
 	memset(&gbb, 0, sizeof(gbb));
 
 	audio_looping_calls_left = 30;
@@ -125,7 +130,8 @@ static void ResetMocks(void)
 }
 
 /* Mock functions */
-uint32_t RollbackKernelLock(int recovery_mode)
+
+uint32_t secdata_kernel_lock(struct vb2_context *c)
 {
 	return TPM_SUCCESS;
 }
@@ -252,9 +258,9 @@ vb2_error_t VbDisplayScreen(struct vb2_context *c, uint32_t screen, int force,
 	return VB2_SUCCESS;
 }
 
-vb2_error_t SetVirtualDevMode(int val)
+vb2_error_t vb2_enable_developer_mode(struct vb2_context *c)
 {
-	virtdev_set = val;
+	virtdev_set = 1;
 	return virtdev_retval;
 }
 
@@ -718,7 +724,7 @@ static void VbBootDevTest(void)
 
 	/* Enter altfw menu and select firmware 0 */
 	ResetMocks();
-	VbApiKernelGetFwmp()->flags |= FWMP_DEV_ENABLE_LEGACY;
+	fwmp->flags |= VB2_SECDATA_FWMP_DEV_ENABLE_LEGACY;
 	mock_keypress[0] = VB_KEY_CTRL('L');
 	mock_keypress[1] = '0';
 	TEST_EQ(VbBootDeveloper(ctx), 1002,
@@ -750,7 +756,7 @@ static void VbBootDevTest(void)
 		TEST_EQ(altfw_num, key - '0', "  check altfw_num");
 
 		ResetMocks();
-		VbApiKernelGetFwmp()->flags |= FWMP_DEV_ENABLE_LEGACY;
+		fwmp->flags |= VB2_SECDATA_FWMP_DEV_ENABLE_LEGACY;
 		mock_keypress[0] = key;
 		TEST_EQ(VbBootDeveloper(ctx), 1002,
 			"Ctrl+L fwmp legacy");
@@ -779,7 +785,7 @@ static void VbBootDevTest(void)
 
 	/* Ctrl+U enabled via FWMP */
 	ResetMocks();
-	VbApiKernelGetFwmp()->flags |= FWMP_DEV_ENABLE_USB;
+	fwmp->flags |= VB2_SECDATA_FWMP_DEV_ENABLE_USB;
 	mock_keypress[0] = VB_KEY_CTRL('U');
 	vbtlk_retval = VB2_SUCCESS - VB_DISK_FLAG_REMOVABLE;
 	TEST_EQ(VbBootDeveloper(ctx), 0, "Ctrl+U force USB");
@@ -984,7 +990,7 @@ static void VbBootDevTest(void)
 
 	/* If dev mode is disabled, goes to TONORM screen repeatedly */
 	ResetMocks();
-	VbApiKernelGetFwmp()->flags |= FWMP_DEV_DISABLE_BOOT;
+	fwmp->flags |= VB2_SECDATA_FWMP_DEV_DISABLE_BOOT;
 	mock_keypress[0] = VB_KEY_ESC;  /* Just causes TONORM again */
 	mock_keypress[1] = VB_KEY_ENTER;
 	TEST_EQ(VbBootDeveloper(ctx), VBERROR_REBOOT_REQUIRED,
@@ -1001,7 +1007,7 @@ static void VbBootDevTest(void)
 	/* Shutdown requested when dev disabled */
 	ResetMocks();
 	shared->flags = VBSD_BOOT_DEV_SWITCH_ON;
-	VbApiKernelGetFwmp()->flags |= FWMP_DEV_DISABLE_BOOT;
+	fwmp->flags |= VB2_SECDATA_FWMP_DEV_DISABLE_BOOT;
 	MockGpioAfter(1, GPIO_SHUTDOWN);
 	TEST_EQ(VbBootDeveloper(ctx),
 		VBERROR_SHUTDOWN_REQUESTED,
@@ -1012,7 +1018,7 @@ static void VbBootDevTest(void)
 	/* Shutdown requested by keyboard when dev disabled */
 	ResetMocks();
 	shared->flags = VBSD_BOOT_DEV_SWITCH_ON;
-	VbApiKernelGetFwmp()->flags |= FWMP_DEV_DISABLE_BOOT;
+	fwmp->flags |= VB2_SECDATA_FWMP_DEV_DISABLE_BOOT;
 	mock_keypress[0] = VB_BUTTON_POWER_SHORT_PRESS;
 	TEST_EQ(VbBootDeveloper(ctx),
 		VBERROR_SHUTDOWN_REQUESTED,
diff --git a/tests/vboot_api_kernel4_tests.c b/tests/vboot_api_kernel4_tests.c
index c168f82d..c0a10727 100644
--- a/tests/vboot_api_kernel4_tests.c
+++ b/tests/vboot_api_kernel4_tests.c
@@ -21,27 +21,31 @@
 #include "vboot_common.h"
 #include "vboot_kernel.h"
 #include "vboot_struct.h"
+#include "vboot_test.h"
 
 /* Mock data */
 static uint8_t workbuf[VB2_KERNEL_WORKBUF_RECOMMENDED_SIZE]
 	__attribute__((aligned(VB2_WORKBUF_ALIGN)));
 static struct vb2_context *ctx;
-static struct vb2_context ctx_nvram_backend;
 static struct vb2_shared_data *sd;
 static VbSelectAndLoadKernelParams kparams;
 static uint8_t shared_data[VB_SHARED_DATA_MIN_SIZE];
 static VbSharedDataHeader *shared = (VbSharedDataHeader *)shared_data;
 static struct vb2_gbb_header gbb;
 
-static uint32_t rkr_version;
+static uint32_t kernel_version;
 static uint32_t new_version;
-static struct RollbackSpaceFwmp rfr_fwmp;
-static int rkr_retval, rkw_retval, rkl_retval, rfr_retval;
+static uint8_t fwmp_buf[VB2_SECDATA_FWMP_MIN_SIZE];
+static uint32_t kernel_read_retval;
+static uint32_t kernel_write_retval;
+static uint32_t kernel_lock_retval;
+static uint32_t fwmp_read_retval;
 static vb2_error_t vbboot_retval;
 
 static uint32_t mock_switches[8];
 static uint32_t mock_switches_count;
 static int mock_switches_are_stuck;
+static int commit_data_called;
 
 /* Reset mock data (for use before each test) */
 static void ResetMocks(void)
@@ -57,26 +61,22 @@ static void ResetMocks(void)
 		  "vb2api_init failed");
 	sd = vb2_get_sd(ctx);
 	sd->flags |= VB2_SD_FLAG_DISPLAY_AVAILABLE;
+	ctx->flags |= VB2_CONTEXT_NO_SECDATA_FWMP;
 
-	/*
-	 * ctx_nvram_backend is only used as an NVRAM backend (see
-	 * VbExNvStorageRead and VbExNvStorageWrite), and with
-	 * vb2_set_nvdata and nv2_get_nvdata to manually read and tweak
-	 * contents.  No other initialization is needed.
-	 */
-	memset(&ctx_nvram_backend, 0, sizeof(ctx_nvram_backend));
-	vb2_nv_init(&ctx_nvram_backend);
-	vb2_nv_set(&ctx_nvram_backend, VB2_NV_KERNEL_MAX_ROLLFORWARD,
-		   0xffffffff);
+	vb2_nv_init(ctx);
+	vb2_nv_set(ctx, VB2_NV_KERNEL_MAX_ROLLFORWARD, 0xffffffff);
+	commit_data_called = 0;
 
 	memset(&shared_data, 0, sizeof(shared_data));
 	VbSharedDataInit(shared, sizeof(shared_data));
 
-	memset(&rfr_fwmp, 0, sizeof(rfr_fwmp));
-	rfr_retval = TPM_SUCCESS;
+	memset(&fwmp_buf, 0, sizeof(fwmp_buf));
+	fwmp_read_retval = TPM_SUCCESS;
 
-	rkr_version = new_version = 0x10002;
-	rkr_retval = rkw_retval = rkl_retval = VB2_SUCCESS;
+	kernel_version = new_version = 0x10002;
+	kernel_read_retval = TPM_SUCCESS;
+	kernel_write_retval = TPM_SUCCESS;
+	kernel_lock_retval = TPM_SUCCESS;
 	vbboot_retval = VB2_SUCCESS;
 
 	memset(mock_switches, 0, sizeof(mock_switches));
@@ -86,41 +86,59 @@ static void ResetMocks(void)
 
 /* Mock functions */
 
-vb2_error_t VbExNvStorageRead(uint8_t *buf)
+vb2_error_t vb2ex_commit_data(struct vb2_context *c)
 {
-	memcpy(buf, ctx_nvram_backend.nvdata,
-	       vb2_nv_get_size(&ctx_nvram_backend));
+	commit_data_called = 1;
 	return VB2_SUCCESS;
 }
 
-vb2_error_t VbExNvStorageWrite(const uint8_t *buf)
+uint32_t secdata_firmware_write(struct vb2_context *c)
 {
-	memcpy(ctx_nvram_backend.nvdata, buf,
-	       vb2_nv_get_size(&ctx_nvram_backend));
-	return VB2_SUCCESS;
+	return TPM_SUCCESS;
+}
+
+uint32_t secdata_kernel_read(struct vb2_context *c)
+{
+	return kernel_read_retval;
+}
+
+uint32_t secdata_kernel_write(struct vb2_context *c)
+{
+	return kernel_write_retval;
 }
 
-uint32_t RollbackKernelRead(uint32_t *version)
+uint32_t secdata_kernel_lock(struct vb2_context *c)
 {
-	*version = rkr_version;
-	return rkr_retval;
+	return kernel_lock_retval;
 }
 
-uint32_t RollbackKernelWrite(uint32_t version)
+uint32_t secdata_fwmp_read(struct vb2_context *c)
 {
-	rkr_version = version;
-	return rkw_retval;
+	memcpy(&c->secdata_fwmp, &fwmp_buf, sizeof(fwmp_buf));
+	return fwmp_read_retval;
 }
 
-uint32_t RollbackKernelLock(int recovery_mode)
+vb2_error_t vb2_secdata_firmware_init(struct vb2_context *c)
 {
-	return rkl_retval;
+	return VB2_SUCCESS;
+}
+
+vb2_error_t vb2_secdata_kernel_init(struct vb2_context *c)
+{
+	return VB2_SUCCESS;
 }
 
-uint32_t RollbackFwmpRead(struct RollbackSpaceFwmp *fwmp)
+uint32_t vb2_secdata_kernel_get(struct vb2_context *c,
+				enum vb2_secdata_kernel_param param)
 {
-	memcpy(fwmp, &rfr_fwmp, sizeof(*fwmp));
-	return rfr_retval;
+	return kernel_version;
+}
+
+void vb2_secdata_kernel_set(struct vb2_context *c,
+			    enum vb2_secdata_kernel_param param,
+			    uint32_t value)
+{
+	kernel_version = value;
 }
 
 vb2_error_t VbTryLoadKernel(struct vb2_context *c, uint32_t get_info_flags)
@@ -164,8 +182,10 @@ vb2_error_t VbBootDiagnostic(struct vb2_context *c)
 static void test_slk(vb2_error_t retval, int recovery_reason, const char *desc)
 {
 	TEST_EQ(VbSelectAndLoadKernel(ctx, shared, &kparams), retval, desc);
-	TEST_EQ(vb2_nv_get(&ctx_nvram_backend, VB2_NV_RECOVERY_REQUEST),
+	TEST_EQ(vb2_nv_get(ctx, VB2_NV_RECOVERY_REQUEST),
 		recovery_reason, "  recovery reason");
+	if (recovery_reason)
+		TEST_TRUE(commit_data_called, "  didn't commit nvdata");
 }
 
 uint32_t VbExGetSwitches(uint32_t request_mask)
@@ -189,7 +209,7 @@ static void VbSlkTest(void)
 {
 	ResetMocks();
 	test_slk(0, 0, "Normal");
-	TEST_EQ(rkr_version, 0x10002, "  version");
+	TEST_EQ(kernel_version, 0x10002, "  version");
 
 	/*
 	 * If shared->flags doesn't ask for software sync, we won't notice
@@ -206,42 +226,43 @@ static void VbSlkTest(void)
 
 	/* Rollback kernel version */
 	ResetMocks();
-	rkr_retval = 123;
-	test_slk(VBERROR_TPM_READ_KERNEL,
+	kernel_read_retval = 123;
+	test_slk(VB2_ERROR_SECDATA_KERNEL_READ,
 		 VB2_RECOVERY_RW_TPM_R_ERROR, "Read kernel rollback");
 
 	ResetMocks();
 	new_version = 0x20003;
 	test_slk(0, 0, "Roll forward");
-	TEST_EQ(rkr_version, 0x20003, "  version");
+	TEST_EQ(kernel_version, 0x20003, "  version");
 
 	ResetMocks();
-	vb2_nv_set(&ctx_nvram_backend, VB2_NV_FW_RESULT, VB2_FW_RESULT_TRYING);
+	vb2_nv_set(ctx, VB2_NV_FW_RESULT, VB2_FW_RESULT_TRYING);
 	new_version = 0x20003;
 	test_slk(0, 0, "Don't roll forward kernel when trying new FW");
-	TEST_EQ(rkr_version, 0x10002, "  version");
+	TEST_EQ(kernel_version, 0x10002, "  version");
 
 	ResetMocks();
-	vb2_nv_set(&ctx_nvram_backend, VB2_NV_KERNEL_MAX_ROLLFORWARD, 0x30005);
+	vb2_nv_set(ctx, VB2_NV_KERNEL_MAX_ROLLFORWARD, 0x30005);
 	new_version = 0x40006;
 	test_slk(0, 0, "Limit max roll forward");
-	TEST_EQ(rkr_version, 0x30005, "  version");
+	TEST_EQ(kernel_version, 0x30005, "  version");
 
 	ResetMocks();
-	vb2_nv_set(&ctx_nvram_backend, VB2_NV_KERNEL_MAX_ROLLFORWARD, 0x10001);
+	vb2_nv_set(ctx, VB2_NV_KERNEL_MAX_ROLLFORWARD, 0x10001);
 	new_version = 0x40006;
 	test_slk(0, 0, "Max roll forward can't rollback");
-	TEST_EQ(rkr_version, 0x10002, "  version");
+	TEST_EQ(kernel_version, 0x10002, "  version");
+
 
 	ResetMocks();
 	new_version = 0x20003;
-	rkw_retval = 123;
-	test_slk(VBERROR_TPM_WRITE_KERNEL,
+	kernel_write_retval = 123;
+	test_slk(VB2_ERROR_SECDATA_KERNEL_WRITE,
 		 VB2_RECOVERY_RW_TPM_W_ERROR, "Write kernel rollback");
 
 	ResetMocks();
-	rkl_retval = 123;
-	test_slk(VBERROR_TPM_LOCK_KERNEL,
+	kernel_lock_retval = 123;
+	test_slk(VB2_ERROR_SECDATA_KERNEL_LOCK,
 		 VB2_RECOVERY_RW_TPM_L_ERROR, "Lock kernel rollback");
 
 	/* Boot normal */
@@ -253,12 +274,14 @@ static void VbSlkTest(void)
 	if (DIAGNOSTIC_UI) {
 		ResetMocks();
 		mock_switches[1] = VB_SWITCH_FLAG_PHYS_PRESENCE_PRESSED;
-		vb2_nv_set(&ctx_nvram_backend, VB2_NV_DIAG_REQUEST, 1);
+		vb2_nv_set(ctx, VB2_NV_DIAG_REQUEST, 1);
 		vbboot_retval = -4;
 		test_slk(VB2_ERROR_MOCK, 0,
 			 "Normal boot with diag");
-		TEST_EQ(vb2_nv_get(&ctx_nvram_backend, VB2_NV_DIAG_REQUEST),
+		TEST_EQ(vb2_nv_get(ctx, VB2_NV_DIAG_REQUEST),
 			0, "  diag not requested");
+		TEST_TRUE(commit_data_called,
+			  "  didn't commit nvdata");
 	}
 
 	/* Boot dev */
@@ -271,7 +294,7 @@ static void VbSlkTest(void)
 	shared->flags |= VBSD_BOOT_DEV_SWITCH_ON;
 	new_version = 0x20003;
 	test_slk(0, 0, "Dev doesn't roll forward");
-	TEST_EQ(rkr_version, 0x10002, "  version");
+	TEST_EQ(kernel_version, 0x10002, "  version");
 
 	/* Boot recovery */
 	ResetMocks();
@@ -283,11 +306,13 @@ static void VbSlkTest(void)
 	shared->recovery_reason = 123;
 	new_version = 0x20003;
 	test_slk(0, 0, "Recovery doesn't roll forward");
-	TEST_EQ(rkr_version, 0x10002, "  version");
+	TEST_EQ(kernel_version, 0x10002, "  version");
 
 	ResetMocks();
 	shared->recovery_reason = 123;
-	rkr_retval = rkw_retval = rkl_retval = VB2_ERROR_MOCK;
+	kernel_read_retval = TPM_E_IOERROR;
+	kernel_write_retval = TPM_E_IOERROR;
+	kernel_lock_retval = TPM_E_IOERROR;
 	test_slk(0, 0, "Recovery ignore TPM errors");
 
 	ResetMocks();
diff --git a/tests/vboot_detach_menu_tests.c b/tests/vboot_detach_menu_tests.c
index f0440cfb..d85acbc6 100644
--- a/tests/vboot_detach_menu_tests.c
+++ b/tests/vboot_detach_menu_tests.c
@@ -9,6 +9,7 @@
 #include "2misc.h"
 #include "2nvstorage.h"
 #include "2secdata.h"
+#include "2secdata_struct.h"
 #include "host_common.h"
 #include "load_kernel_fw.h"
 #include "secdata_tpm.h"
@@ -32,6 +33,7 @@ static uint8_t workbuf[VB2_KERNEL_WORKBUF_RECOMMENDED_SIZE]
 static struct vb2_context *ctx;
 static struct vb2_shared_data *sd;
 static struct vb2_gbb_header gbb;
+static struct vb2_secdata_fwmp *fwmp;
 
 static int shutdown_request_calls_left;
 static int audio_looping_calls_left;
@@ -61,8 +63,6 @@ static int vbexaltfwmask_called;
 /* Reset mock data (for use before each test) */
 static void ResetMocks(void)
 {
-	memset(VbApiKernelGetFwmp(), 0, sizeof(struct RollbackSpaceFwmp));
-
 	memset(&shared_data, 0, sizeof(shared_data));
 	VbSharedDataInit(shared, sizeof(shared_data));
 	shared->flags = VBSD_BOOT_FIRMWARE_VBOOT2;
@@ -76,6 +76,10 @@ static void ResetMocks(void)
 	sd = vb2_get_sd(ctx);
 	sd->vbsd = shared;
 
+	/* CRC will be invalid after here, but nobody's checking */
+	sd->status |= VB2_SD_STATUS_SECDATA_FWMP_INIT;
+	fwmp = (struct vb2_secdata_fwmp *)ctx->secdata_fwmp;
+
 	memset(&gbb, 0, sizeof(gbb));
 
 	/* In recovery we have 50 keyscans per disk scan, this must be high. */
@@ -124,7 +128,8 @@ static void ResetMocksForManualRecovery(void)
 }
 
 /* Mock functions */
-uint32_t RollbackKernelLock(int recovery_mode)
+
+uint32_t secdata_kernel_lock(struct vb2_context *c)
 {
 	return TPM_SUCCESS;
 }
@@ -252,9 +257,9 @@ vb2_error_t VbExBeep(uint32_t msec, uint32_t frequency)
 	return VB2_SUCCESS;
 }
 
-vb2_error_t SetVirtualDevMode(int val)
+vb2_error_t vb2_enable_developer_mode(struct vb2_context *c)
 {
-	virtdev_set = val;
+	virtdev_set = 1;
 	return virtdev_retval;
 }
 
@@ -665,7 +670,7 @@ static void VbBootDevTest(void)
 
 	/* Ctrl+L boots legacy if enabled by FWMP */
 	ResetMocksForDeveloper();
-	VbApiKernelGetFwmp()->flags |= FWMP_DEV_ENABLE_LEGACY;
+	fwmp->flags |= VB2_SECDATA_FWMP_DEV_ENABLE_LEGACY;
 	mock_keypress[0] = VB_KEY_CTRL('L');
 	mock_keypress[1] = VB_BUTTON_POWER_SHORT_PRESS;
 	TEST_EQ(VbBootDeveloperMenu(ctx), vbtlk_retval_fixed,
@@ -755,7 +760,7 @@ static void VbBootDevTest(void)
 
 	/* Ctrl+U enabled via FWMP */
 	ResetMocksForDeveloper();
-	VbApiKernelGetFwmp()->flags |= FWMP_DEV_ENABLE_USB;
+	fwmp->flags |= VB2_SECDATA_FWMP_DEV_ENABLE_USB;
 	mock_keypress[0] = VB_KEY_CTRL('U');
 	vbtlk_retval[0] = VB2_SUCCESS - VB_DISK_FLAG_REMOVABLE;
 	TEST_EQ(VbBootDeveloperMenu(ctx), VB2_SUCCESS, "Ctrl+U force USB");
@@ -1148,7 +1153,7 @@ static void VbBootDevTest(void)
 
 	/* If dev mode is disabled, goes to TONORM screen repeatedly */
 	ResetMocksForDeveloper();
-	VbApiKernelGetFwmp()->flags |= FWMP_DEV_DISABLE_BOOT;
+	fwmp->flags |= VB2_SECDATA_FWMP_DEV_DISABLE_BOOT;
 	audio_looping_calls_left = 1;	/* Confirm audio doesn't tick down. */
 	i = 0;
 	mock_keypress[i++] = VB_KEY_CTRL('D');  /* Just stays on TONORM and flashes */
@@ -1202,7 +1207,7 @@ static void VbBootDevTest(void)
 
 	/* Shutdown requested when dev disabled */
 	ResetMocksForDeveloper();
-	VbApiKernelGetFwmp()->flags |= FWMP_DEV_DISABLE_BOOT;
+	fwmp->flags |= VB2_SECDATA_FWMP_DEV_DISABLE_BOOT;
 	shutdown_request_calls_left = 1;
 	TEST_EQ(VbBootDeveloperMenu(ctx), VBERROR_SHUTDOWN_REQUESTED,
 		"Shutdown requested when dev disabled");
@@ -1218,7 +1223,7 @@ static void VbBootDevTest(void)
 
 	/* Explicit Power Off when dev disabled */
 	ResetMocksForDeveloper();
-	VbApiKernelGetFwmp()->flags |= FWMP_DEV_DISABLE_BOOT;
+	fwmp->flags |= VB2_SECDATA_FWMP_DEV_DISABLE_BOOT;
 	i = 0;
 	mock_keypress[i++] = VB_BUTTON_VOL_DOWN_SHORT_PRESS;	// Power Off
 	mock_keypress[i++] = VB_BUTTON_POWER_SHORT_PRESS;
diff --git a/tests/vboot_display_tests.c b/tests/vboot_display_tests.c
index 58ccda07..7565a196 100644
--- a/tests/vboot_display_tests.c
+++ b/tests/vboot_display_tests.c
@@ -16,6 +16,7 @@
 #include "2struct.h"
 #include "2sysincludes.h"
 #include "host_common.h"
+#include "secdata_tpm.h"
 #include "test_common.h"
 #include "vboot_common.h"
 #include "vboot_display.h"
@@ -72,6 +73,11 @@ vb2_error_t VbExDisplayDebugInfo(const char *info_str, int full_info)
 	return VB2_SUCCESS;
 }
 
+vb2_error_t vb2_commit_data(struct vb2_context *c)
+{
+	return VB2_SUCCESS;
+}
+
 /* Test displaying debug info */
 static void DebugInfoTest(void)
 {
diff --git a/tests/vboot_kernel_tests.c b/tests/vboot_kernel_tests.c
index b43a2acd..86afcb8d 100644
--- a/tests/vboot_kernel_tests.c
+++ b/tests/vboot_kernel_tests.c
@@ -63,7 +63,7 @@ static VbSharedDataHeader *shared = (VbSharedDataHeader *)shared_data;
 static LoadKernelParams lkp;
 static struct vb2_keyblock kbh;
 static VbKernelPreambleHeader kph;
-static struct RollbackSpaceFwmp fwmp;
+static struct vb2_secdata_fwmp *fwmp;
 static uint8_t mock_disk[MOCK_SECTOR_SIZE * MOCK_SECTOR_COUNT];
 static GptHeader *mock_gpt_primary =
 	(GptHeader*)&mock_disk[MOCK_SECTOR_SIZE * 1];
@@ -164,9 +164,6 @@ static void ResetMocks(void)
 	kph.bootloader_address = 0xbeadd008;
 	kph.bootloader_size = 0x1234;
 
-	memset(&fwmp, 0, sizeof(fwmp));
-	memcpy(fwmp.dev_key_hash, mock_digest, sizeof(fwmp.dev_key_hash));
-
 	memset(mock_parts, 0, sizeof(mock_parts));
 	mock_parts[0].start = 100;
 	mock_parts[0].size = 150;  /* 75 KB */
@@ -181,6 +178,11 @@ static void ResetMocks(void)
 	struct vb2_shared_data *sd = vb2_get_sd(ctx);
 	sd->vbsd = shared;
 
+	/* CRC will be invalid after here, but nobody's checking */
+	sd->status |= VB2_SD_STATUS_SECDATA_FWMP_INIT;
+	fwmp = (struct vb2_secdata_fwmp *)ctx->secdata_fwmp;
+	memcpy(&fwmp->dev_key_hash, mock_digest, sizeof(fwmp->dev_key_hash));
+
 	// TODO: more workbuf fields - flags, secdata_firmware, secdata_kernel
 }
 
@@ -670,8 +672,7 @@ static void LoadKernelTest(void)
 
 	ResetMocks();
 	ctx->flags |= VB2_CONTEXT_DEVELOPER_MODE;
-	lkp.fwmp = &fwmp;
-	fwmp.flags |= FWMP_DEV_ENABLE_OFFICIAL_ONLY;
+	fwmp->flags |= VB2_SECDATA_FWMP_DEV_ENABLE_OFFICIAL_ONLY;
 	keyblock_verify_fail = 1;
 	TestLoadKernel(VBERROR_INVALID_KERNEL_FOUND,
 		       "Fail keyblock dev sig fwmp");
@@ -761,17 +762,15 @@ static void LoadKernelTest(void)
 	/* Check developer key hash - bad */
 	ResetMocks();
 	ctx->flags |= VB2_CONTEXT_DEVELOPER_MODE;
-	lkp.fwmp = &fwmp;
-	fwmp.flags |= FWMP_DEV_USE_KEY_HASH;
-	fwmp.dev_key_hash[0]++;
+	fwmp->flags |= VB2_SECDATA_FWMP_DEV_USE_KEY_HASH;
+	fwmp->dev_key_hash[0]++;
 	TestLoadKernel(VBERROR_INVALID_KERNEL_FOUND,
 		       "Fail keyblock dev fwmp hash");
 
 	/* Check developer key hash - good */
 	ResetMocks();
 	ctx->flags |= VB2_CONTEXT_DEVELOPER_MODE;
-	lkp.fwmp = &fwmp;
-	fwmp.flags |= FWMP_DEV_USE_KEY_HASH;
+	fwmp->flags |= VB2_SECDATA_FWMP_DEV_USE_KEY_HASH;
 	TestLoadKernel(0, "Good keyblock dev fwmp hash");
 
 	ResetMocks();