-rw-r--r--firmware/2lib/2kernel.c19
-rw-r--r--firmware/2lib/include/2api.h10
-rw-r--r--firmware/lib/vboot_api_kernel.c14
3 files changed, 30 insertions, 13 deletions
diff --git a/firmware/2lib/2kernel.c b/firmware/2lib/2kernel.c
index 5b18cad5..350a1bf6 100644
--- a/firmware/2lib/2kernel.c
+++ b/firmware/2lib/2kernel.c
@@ -197,3 +197,22 @@ vb2_error_t vb2api_kernel_phase1(struct vb2_context *ctx)
return VB2_SUCCESS;
}
+
+vb2_error_t vb2api_kernel_finalize(struct vb2_context *ctx)
+{
+ vb2_gbb_flags_t gbb_flags = vb2api_gbb_get_flags(ctx);
+
+ /*
+ * Disallow booting to kernel when NO_BOOT flag is set, except when
+ * GBB flag disables software sync.
+ */
+ if (!(gbb_flags & VB2_GBB_FLAG_DISABLE_EC_SOFTWARE_SYNC)
+ && (ctx->flags & VB2_CONTEXT_EC_SYNC_SUPPORTED)
+ && (ctx->flags & VB2_CONTEXT_NO_BOOT)) {
+ VB2_DEBUG("Blocking escape from NO_BOOT mode.\n");
+ vb2api_fail(ctx, VB2_RECOVERY_ESCAPE_NO_BOOT, 0);
+ return VB2_ERROR_ESCAPE_NO_BOOT;
+ }
+
+ return VB2_SUCCESS;
+}
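Review bot: The comment above the condition in vb2api_kernel_finalize names only the GBB exemption, but the code also lets the boot proceed whenever `VB2_CONTEXT_EC_SYNC_SUPPORTED` is clear, so NO_BOOT is not enforced on such a context. Because this function is the gate that keeps a kernel from being started in NO_BOOT mode, both bypass conditions should be spelled out, e.g. `/* Refuse to boot while NO_BOOT is set; not enforced when EC software sync is unsupported or disabled by GBB flag. */`. If a missing SUPPORTED flag is an intended bypass, a short reason in the comment would let the next reader confirm it is not a fail-open path.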
diff --git a/firmware/2lib/include/2api.h b/firmware/2lib/include/2api.h
index b740f6dd..bd0d14ed 100644
--- a/firmware/2lib/include/2api.h
+++ b/firmware/2lib/include/2api.h
@@ -818,6 +818,16 @@ vb2_error_t vb2api_get_pcr_digest(struct vb2_context *ctx,
vb2_error_t vb2api_kernel_phase1(struct vb2_context *ctx);
/**
+ * Finalize for kernel verification stage.
+ *
+ * Handle NO_BOOT flag.
+ *
+ * @param ctx Vboot context
+ * @return VB2_SUCCESS, or error code on error.
+ */
+vb2_error_t vb2api_kernel_finalize(struct vb2_context *ctx);
+
+/**
* Load the verified boot block (vblock) for a kernel.
*
* This function may be called multiple times, to load and verify the
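Review bot: The doc comment added for vb2api_kernel_finalize says only "Handle NO_BOOT flag", which does not tell a caller that this is a boot gate. I would state that it must be the last call before control is handed to the kernel and that any non-success return means the kernel must not be started. Going by the implementation in 2kernel.c in this same commit, the `@return` line can also name `VB2_ERROR_ESCAPE_NO_BOOT` and mention that recovery is requested with `VB2_RECOVERY_ESCAPE_NO_BOOT` before returning.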
diff --git a/firmware/lib/vboot_api_kernel.c b/firmware/lib/vboot_api_kernel.c
index 3029852e..a46317e1 100644
--- a/firmware/lib/vboot_api_kernel.c
+++ b/firmware/lib/vboot_api_kernel.c
@@ -251,17 +251,5 @@ vb2_error_t VbSelectAndLoadKernel(struct vb2_context *ctx,
return VB2_ERROR_ESCAPE_NO_BOOT;
}
- /*
- * Stop all cases returning SUCCESS against NO_BOOT flag except when
- * GBB flag disables software sync.
- */
- if (!(gbb_flags & VB2_GBB_FLAG_DISABLE_EC_SOFTWARE_SYNC)
- && (ctx->flags & VB2_CONTEXT_EC_SYNC_SUPPORTED)
- && (ctx->flags & VB2_CONTEXT_NO_BOOT)) {
- VB2_DEBUG("Blocking escape from NO_BOOT mode.\n");
- vb2api_fail(ctx, VB2_RECOVERY_ESCAPE_NO_BOOT, 0);
- return VB2_ERROR_ESCAPE_NO_BOOT;
- }
-
- return VB2_SUCCESS;
+ return vb2api_kernel_finalize(ctx);
}
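Review bot: The removed comment recorded that this is where every SUCCESS return is checked against NO_BOOT, and the new `return vb2api_kernel_finalize(ctx);` carries no such note. If that invariant still holds, a one-line comment such as `/* All success paths must exit here: vb2api_kernel_finalize() enforces NO_BOOT. */` would keep a later edit from adding a success return that skips the check. The body of VbSelectAndLoadKernel starts outside this hunk, so I cannot tell whether the local `gbb_flags` is still read elsewhere; if this was its last use, it should be removed with the block.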