authorAllan Sandfeld Jensen <allan.jensen@qt.io>2022-02-02 12:21:57 +0100
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2022-02-12 08:13:00 +0000
commit606d85f2a5386472314d39923da28c70c60dc8e7 (patch)
treea8f4d7bf997f349f45605e6058259fba0630e4d7 /chromium/crypto
parent5786336dda477d04fb98483dca1a5426eebde2d7 (diff)
BASELINE: Update Chromium to 96.0.4664.181
Change-Id: I762cd1da89d73aa6313b4a753fe126c34833f046 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat (limited to 'chromium/crypto')
-rw-r--r--chromium/crypto/apple_keychain.h7
-rw-r--r--chromium/crypto/ec_private_key.h5
-rw-r--r--chromium/crypto/ec_signature_creator_impl.h6
-rw-r--r--chromium/crypto/hmac.h6
-rw-r--r--chromium/crypto/mock_apple_keychain.h6
-rw-r--r--chromium/crypto/nss_util.h37
-rw-r--r--chromium/crypto/nss_util_chromeos.cc266
-rw-r--r--chromium/crypto/nss_util_internal.h37
-rw-r--r--chromium/crypto/openssl_util.h6
-rw-r--r--chromium/crypto/rsa_private_key.h5
-rw-r--r--chromium/crypto/scoped_capi_types.h10
-rw-r--r--chromium/crypto/scoped_test_nss_chromeos_user.h7
-rw-r--r--chromium/crypto/scoped_test_nss_db.h6
-rw-r--r--chromium/crypto/scoped_test_system_nss_key_slot.cc12
-rw-r--r--chromium/crypto/scoped_test_system_nss_key_slot.h30
-rw-r--r--chromium/crypto/secure_hash.h7
-rw-r--r--chromium/crypto/signature_creator.h5
-rw-r--r--chromium/crypto/symmetric_key.h5
18 files changed, 260 insertions, 203 deletions
diff --git a/chromium/crypto/apple_keychain.h b/chromium/crypto/apple_keychain.h
index 01f8d285e1e..8e7624587fa 100644
--- a/chromium/crypto/apple_keychain.h
+++ b/chromium/crypto/apple_keychain.h
@@ -30,6 +30,10 @@ using AppleSecKeychainItemRef = SecKeychainItemRef;
class CRYPTO_EXPORT AppleKeychain {
public:
AppleKeychain();
+
+ AppleKeychain(const AppleKeychain&) = delete;
+ AppleKeychain& operator=(const AppleKeychain&) = delete;
+
virtual ~AppleKeychain();
virtual OSStatus FindGenericPassword(UInt32 serviceNameLength,
@@ -53,9 +57,6 @@ class CRYPTO_EXPORT AppleKeychain {
#if !defined(OS_IOS)
virtual OSStatus ItemDelete(AppleSecKeychainItemRef itemRef) const;
#endif // !defined(OS_IOS)
-
- private:
- DISALLOW_COPY_AND_ASSIGN(AppleKeychain);
};
} // namespace crypto
diff --git a/chromium/crypto/ec_private_key.h b/chromium/crypto/ec_private_key.h
index 50d9877f770..ae8f446f175 100644
--- a/chromium/crypto/ec_private_key.h
+++ b/chromium/crypto/ec_private_key.h
@@ -27,6 +27,9 @@ namespace crypto {
// tricky.)
class CRYPTO_EXPORT ECPrivateKey {
public:
+ ECPrivateKey(const ECPrivateKey&) = delete;
+ ECPrivateKey& operator=(const ECPrivateKey&) = delete;
+
~ECPrivateKey();
// Creates a new random instance. Can return nullptr if initialization fails.
@@ -78,8 +81,6 @@ class CRYPTO_EXPORT ECPrivateKey {
ECPrivateKey();
bssl::UniquePtr<EVP_PKEY> key_;
-
- DISALLOW_COPY_AND_ASSIGN(ECPrivateKey);
};
} // namespace crypto
diff --git a/chromium/crypto/ec_signature_creator_impl.h b/chromium/crypto/ec_signature_creator_impl.h
index 595a721cabf..96f06c4fe6e 100644
--- a/chromium/crypto/ec_signature_creator_impl.h
+++ b/chromium/crypto/ec_signature_creator_impl.h
@@ -19,6 +19,10 @@ namespace crypto {
class ECSignatureCreatorImpl : public ECSignatureCreator {
public:
explicit ECSignatureCreatorImpl(ECPrivateKey* key);
+
+ ECSignatureCreatorImpl(const ECSignatureCreatorImpl&) = delete;
+ ECSignatureCreatorImpl& operator=(const ECSignatureCreatorImpl&) = delete;
+
~ECSignatureCreatorImpl() override;
bool Sign(base::span<const uint8_t> data,
@@ -29,8 +33,6 @@ class ECSignatureCreatorImpl : public ECSignatureCreator {
private:
ECPrivateKey* key_;
-
- DISALLOW_COPY_AND_ASSIGN(ECSignatureCreatorImpl);
};
} // namespace crypto
diff --git a/chromium/crypto/hmac.h b/chromium/crypto/hmac.h
index 716ab25d2ca..7f606c6957b 100644
--- a/chromium/crypto/hmac.h
+++ b/chromium/crypto/hmac.h
@@ -35,6 +35,10 @@ class CRYPTO_EXPORT HMAC {
};
explicit HMAC(HashAlgorithm hash_alg);
+
+ HMAC(const HMAC&) = delete;
+ HMAC& operator=(const HMAC&) = delete;
+
~HMAC();
// Returns the length of digest that this HMAC will create.
@@ -105,8 +109,6 @@ class CRYPTO_EXPORT HMAC {
HashAlgorithm hash_alg_;
bool initialized_;
std::vector<unsigned char> key_;
-
- DISALLOW_COPY_AND_ASSIGN(HMAC);
};
} // namespace crypto
diff --git a/chromium/crypto/mock_apple_keychain.h b/chromium/crypto/mock_apple_keychain.h
index b44986d8804..88a6217b758 100644
--- a/chromium/crypto/mock_apple_keychain.h
+++ b/chromium/crypto/mock_apple_keychain.h
@@ -28,6 +28,10 @@ namespace crypto {
class CRYPTO_EXPORT MockAppleKeychain : public AppleKeychain {
public:
MockAppleKeychain();
+
+ MockAppleKeychain(const MockAppleKeychain&) = delete;
+ MockAppleKeychain& operator=(const MockAppleKeychain&) = delete;
+
~MockAppleKeychain() override;
// AppleKeychain implementation.
@@ -79,8 +83,6 @@ class CRYPTO_EXPORT MockAppleKeychain : public AppleKeychain {
// Tracks the allocations and frees of password data in |FindGenericPassword|
// and |ItemFreeContent|.
mutable int password_data_count_;
-
- DISALLOW_COPY_AND_ASSIGN(MockAppleKeychain);
};
} // namespace crypto
diff --git a/chromium/crypto/nss_util.h b/chromium/crypto/nss_util.h
index 0aace2d3170..b17557fcd5b 100644
--- a/chromium/crypto/nss_util.h
+++ b/chromium/crypto/nss_util.h
@@ -7,7 +7,7 @@
#include <stdint.h>
-#include "base/callback.h"
+#include "base/callback_forward.h"
#include "base/compiler_specific.h"
#include "base/macros.h"
#include "build/chromeos_buildflags.h"
@@ -36,32 +36,27 @@ CRYPTO_EXPORT void EnsureNSSInit();
bool CheckNSSVersion(const char* version);
#if BUILDFLAG(IS_CHROMEOS_ASH)
-// Indicates that NSS should use the Chaps library so that we
-// can access the TPM through NSS. InitializeTPMTokenAndSystemSlot and
-// InitializeTPMForChromeOSUser must still be called to load the slots.
-CRYPTO_EXPORT void EnableTPMTokenForNSS();
-
-// Returns true if EnableTPMTokenForNSS has been called.
-CRYPTO_EXPORT bool IsTPMTokenEnabledForNSS();
-
-// Returns true if the TPM is owned and PKCS#11 initialized with the
-// user and security officer PINs, and has been enabled in NSS by
-// calling EnableTPMForNSS, and Chaps has been successfully
-// loaded into NSS.
-// If |callback| is non-null and the function returns false, the |callback| will
-// be run once the TPM is ready. |callback| will never be run if the function
-// returns true.
-CRYPTO_EXPORT bool IsTPMTokenReady(base::OnceClosure callback)
- WARN_UNUSED_RESULT;
+
+// Returns true once the TPM is owned and PKCS#11 initialized with the
+// user and security officer PINs, and Chaps has been successfully loaded into
+// NSS. Returns false if the TPM will never be loaded.
+CRYPTO_EXPORT void IsTPMTokenEnabled(base::OnceCallback<void(bool)> callback);
// Initialize the TPM token and system slot. The |callback| will run on the same
// thread with true if the token and slot were successfully loaded or were
-// already initialized. |callback| will be passed false if loading failed. Once
-// called, InitializeTPMTokenAndSystemSlot must not be called again until the
-// |callback| has been run.
+// already initialized. |callback| will be passed false if loading failed.
+// Should be called only once.
CRYPTO_EXPORT void InitializeTPMTokenAndSystemSlot(
int system_slot_id,
base::OnceCallback<void(bool)> callback);
+
+// Notifies clients that the TPM has finished initialization (i.e. notify
+// the callbacks of `IsTPMTokenEnabled()` or `GetSystemNSSKeySlot()`).
+// If `InitializeTPMTokenAndSystemSlot()` has been called before this method,
+// this signals that the TPM is enabled, and should use the slot configured by
+// those methods. If neither of those methods have been called, this signals
+// that no TPM system slot will be available.
+CRYPTO_EXPORT void FinishInitializingTPMTokenAndSystemSlot();
#endif
// Convert a NSS PRTime value into a base::Time object.
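Review bot: The comment on `IsTPMTokenEnabled` still reads "Returns true once…" and "Returns false if…", but the function now returns void and reports its result through `callback`. Reword it to say what the callback receives, for example `// Runs |callback| with true once the TPM is owned, PKCS#11 is initialized and Chaps is loaded into NSS, or with false if the TPM will never be loaded.` It should also state that the callback is not run before `FinishInitializingTPMTokenAndSystemSlot()` has been called, which is how nss_util_chromeos.cc implements it. The same stale "Returns a reference…" wording is on `GetSystemNSSKeySlot` in nss_util_internal.h, which also returns void now.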
diff --git a/chromium/crypto/nss_util_chromeos.cc b/chromium/crypto/nss_util_chromeos.cc
index d9fd3271f1b..abf8a603613 100644
--- a/chromium/crypto/nss_util_chromeos.cc
+++ b/chromium/crypto/nss_util_chromeos.cc
@@ -24,6 +24,7 @@
#include "base/lazy_instance.h"
#include "base/location.h"
#include "base/logging.h"
+#include "base/no_destructor.h"
#include "base/path_service.h"
#include "base/strings/string_piece.h"
#include "base/strings/stringprintf.h"
@@ -106,14 +107,48 @@ class ChromeOSUserData {
SlotReadyCallbackList tpm_ready_callback_list_;
};
+// Contains state used for the ChromeOSTokenManager. Unlike the
+// ChromeOSTokenManager, which is thread-checked, this object may live
+// and be accessed on multiple threads. While this is normally dangerous,
+// this is done to support callers initializing early in process startup,
+// where the threads using the objects may not be created yet, and the
+// thread startup may depend on these objects.
+// Put differently: They may be written to from any thread, if, and only
+// if, the thread they will be read from has not yet been created;
+// otherwise, this should be treated as thread-affine/thread-hostile.
+struct ChromeOSTokenManagerDataForTesting {
+ static ChromeOSTokenManagerDataForTesting& GetInstance() {
+ static base::NoDestructor<ChromeOSTokenManagerDataForTesting> instance;
+ return *instance;
+ }
+
+ // System slot that will be used for the system slot initialization.
+ ScopedPK11Slot test_system_slot;
+};
+
class ChromeOSTokenManager {
public:
+ enum class State {
+ // Initial state.
+ kInitializationNotStarted,
+ // Initialization of the TPM token was started.
+ kInitializationStarted,
+ // TPM token was successfully initialized, but not available to the class'
+ // users yet.
+ kTpmTokenInitialized,
+ // TPM token was successfully enabled. It is a final state.
+ kTpmTokenEnabled,
+ // TPM token will never be enabled. It is a final state.
+ kTpmTokenDisabled,
+ };
+
// Used with PostTaskAndReply to pass handles to worker thread and back.
struct TPMModuleAndSlot {
explicit TPMModuleAndSlot(SECMODModule* init_chaps_module)
: chaps_module(init_chaps_module) {}
+
SECMODModule* chaps_module;
- crypto::ScopedPK11Slot tpm_slot;
+ ScopedPK11Slot tpm_slot;
};
ScopedPK11Slot OpenPersistentNSSDBForPath(const std::string& db_name,
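Review bot: The comment on `ChromeOSTokenManagerDataForTesting` documents the threading contract but not what the field does to the production path. Later hunks in this file read `test_system_slot` from `OnInitializedTPMTokenAndSystemSlot` and `FinishInitializingTPMTokenAndSystemSlot`, and a non-null value there is used as the system slot in place of the one returned by Chaps. Since this state decides which key store backs the system slot, the field comment should say so, for example `// Test-only override: when non-null it replaces the TPM-backed system slot. Must stay null outside tests.` Whether anything outside the visible code keeps `PrepareSystemSlotForTesting` away from production callers cannot be told from this diff.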
@@ -132,42 +167,12 @@ class ChromeOSTokenManager {
return OpenSoftwareNSSDB(nssdb_path, db_name);
}
- void EnableTPMTokenForNSS() {
- DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
-
- // If this gets set, then we'll use the TPM for certs with
- // private keys, otherwise we'll fall back to the software
- // implementation.
- tpm_token_enabled_for_nss_ = true;
- }
-
- bool IsTPMTokenEnabledForNSS() {
- DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
- return tpm_token_enabled_for_nss_;
- }
-
void InitializeTPMTokenAndSystemSlot(
int system_slot_id,
base::OnceCallback<void(bool)> callback) {
DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
- // Should not be called while there is already an initialization in
- // progress.
- DCHECK(!initializing_tpm_token_);
- // If EnableTPMTokenForNSS hasn't been called, return false.
- if (!tpm_token_enabled_for_nss_) {
- base::ThreadTaskRunnerHandle::Get()->PostTask(
- FROM_HERE, base::BindOnce(std::move(callback), false));
- return;
- }
-
- // If everything is already initialized, then return true.
- // Note that only |tpm_slot_| is checked, since |chaps_module_| could be
- // nullptr in tests while |tpm_slot_| has been set to the test DB.
- if (tpm_slot_) {
- base::ThreadTaskRunnerHandle::Get()->PostTask(
- FROM_HERE, base::BindOnce(std::move(callback), true));
- return;
- }
+ DCHECK_EQ(state_, State::kInitializationNotStarted);
+ state_ = State::kInitializationStarted;
// Note that a reference is not taken to chaps_module_. This is safe since
// ChromeOSTokenManager is Leaky, so the reference it holds is never
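Review bot: `DCHECK_EQ(state_, State::kInitializationNotStarted)` is the only guard against a second call to `InitializeTPMTokenAndSystemSlot`. In a build without DCHECKs a repeated call overwrites `state_` with `kInitializationStarted`, even when it already held one of the final states. The removed code answered the already-initialized case by posting `callback` with true, and the new code has no runtime path for it. Consider an explicit early return ahead of the assignment, e.g. `if (state_ != State::kInitializationNotStarted) { /* post callback with the current result */ return; }`, with the value to report left to the author. The function body continues in the next hunk.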
@@ -184,7 +189,26 @@ class ChromeOSTokenManager {
&ChromeOSTokenManager::OnInitializedTPMTokenAndSystemSlot,
base::Unretained(this), // ChromeOSTokenManager is leaky
std::move(callback), std::move(tpm_args)));
- initializing_tpm_token_ = true;
+ }
+
+ void FinishInitializingTPMTokenAndSystemSlot() {
+ DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
+ DCHECK(!IsInitializationFinished());
+
+ // If `OnInitializedTPMTokenAndSystemSlot` was not called, but a test system
+ // slot is prepared, start using it now. Can happen in tests that don't fake
+ // enable TPM.
+ if (!system_slot_ &&
+ ChromeOSTokenManagerDataForTesting::GetInstance().test_system_slot) {
+ system_slot_ = ScopedPK11Slot(
+ PK11_ReferenceSlot(ChromeOSTokenManagerDataForTesting::GetInstance()
+ .test_system_slot.get()));
+ }
+
+ state_ = (state_ == State::kTpmTokenInitialized) ? State::kTpmTokenEnabled
+ : State::kTpmTokenDisabled;
+
+ tpm_ready_callback_list_.Notify();
}
static void InitializeTPMTokenInThreadPool(CK_SLOT_ID token_slot_id,
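Review bot: `FinishInitializingTPMTokenAndSystemSlot` relies on `DCHECK(!IsInitializationFinished())` alone to reject a repeated call. The ternary maps every state other than `kTpmTokenInitialized` to `kTpmTokenDisabled`. Without DCHECKs a second call therefore turns `kTpmTokenEnabled` into `kTpmTokenDisabled`, although the enum comments describe both as final states. An early return right after the thread check keeps the final state stable: `if (IsInitializationFinished()) return;`.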
@@ -215,39 +239,49 @@ class ChromeOSTokenManager {
<< ", got tpm slot: " << !!tpm_args->tpm_slot;
chaps_module_ = tpm_args->chaps_module;
- tpm_slot_ = std::move(tpm_args->tpm_slot);
- if (!chaps_module_ && test_system_slot_) {
+
+ if (ChromeOSTokenManagerDataForTesting::GetInstance().test_system_slot) {
// chromeos_unittests try to test the TPM initialization process. If we
- // have a test DB open, pretend that it is the TPM slot.
- tpm_slot_.reset(PK11_ReferenceSlot(test_system_slot_.get()));
+ // have a test DB open, pretend that it is the system slot.
+ system_slot_ = ScopedPK11Slot(
+ PK11_ReferenceSlot(ChromeOSTokenManagerDataForTesting::GetInstance()
+ .test_system_slot.get()));
+ } else {
+ system_slot_ = std::move(tpm_args->tpm_slot);
}
- initializing_tpm_token_ = false;
- if (tpm_slot_)
- RunAndClearTPMReadyCallbackList();
+ if (system_slot_) {
+ state_ = State::kTpmTokenInitialized;
+ }
- std::move(callback).Run(!!tpm_slot_);
+ std::move(callback).Run(!!system_slot_);
}
- void RunAndClearTPMReadyCallbackList() { tpm_ready_callback_list_.Notify(); }
-
- bool IsTPMTokenReady(base::OnceClosure callback) {
+ void IsTPMTokenEnabled(base::OnceCallback<void(bool)> callback) {
DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
- if (tpm_slot_)
- return true;
-
- if (!callback.is_null())
- tpm_ready_callback_list_.AddUnsafe(std::move(callback));
+ DCHECK(!callback.is_null());
+
+ if (!IsInitializationFinished()) {
+ // Call back to this method when initialization is finished.
+ tpm_ready_callback_list_.AddUnsafe(
+ base::BindOnce(&ChromeOSTokenManager::IsTPMTokenEnabled,
+ base::Unretained(this) /* singleton is leaky */,
+ std::move(callback)));
+ return;
+ }
- return false;
+ DCHECK(base::SequencedTaskRunnerHandle::IsSet());
+ base::SequencedTaskRunnerHandle::Get()->PostTask(
+ FROM_HERE,
+ base::BindOnce(std::move(callback),
+ /*is_tpm_enabled=*/(state_ == State::kTpmTokenEnabled)));
}
// Note that CK_SLOT_ID is an unsigned long, but cryptohome gives us the slot
// id as an int. This should be safe since this is only used with chaps, which
// we also control.
- static crypto::ScopedPK11Slot GetTPMSlotForIdInThreadPool(
- SECMODModule* chaps_module,
- CK_SLOT_ID slot_id) {
+ static ScopedPK11Slot GetTPMSlotForIdInThreadPool(SECMODModule* chaps_module,
+ CK_SLOT_ID slot_id) {
DCHECK(chaps_module);
DVLOG(3) << "Poking chaps module.";
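Review bot: `OnInitializedTPMTokenAndSystemSlot` sets `state_ = State::kTpmTokenInitialized` whenever `system_slot_` is non-null, without checking that the state is still `kInitializationStarted`. If `FinishInitializingTPMTokenAndSystemSlot()` runs while the thread-pool task is still in flight (nothing in the visible hunks prevents that ordering), this assignment moves the manager out of a final state. `IsInitializationFinished()` then becomes false again, and callbacks queued afterwards wait for a notification that may not come. Guarding the transition avoids that: `if (system_slot_ && state_ == State::kInitializationStarted) state_ = State::kTpmTokenInitialized;`. The function starts before this hunk, and the hunk ends inside `GetTPMSlotForIdInThreadPool`.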
@@ -258,7 +292,7 @@ class ChromeOSTokenManager {
PK11SlotInfo* slot = SECMOD_LookupSlot(chaps_module->moduleID, slot_id);
if (!slot)
LOG(ERROR) << "TPM slot " << slot_id << " not found.";
- return crypto::ScopedPK11Slot(slot);
+ return ScopedPK11Slot(slot);
}
bool InitializeNSSForChromeOSUser(const std::string& username_hash,
@@ -392,34 +426,28 @@ class ChromeOSTokenManager {
chromeos_user_map_.erase(i);
}
- void SetSystemKeySlotForTesting(ScopedPK11Slot slot) {
+ void GetSystemNSSKeySlot(base::OnceCallback<void(ScopedPK11Slot)> callback) {
DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
- // Ensure that a previous value of test_system_slot_ is not overwritten.
- // Unsetting, i.e. setting a nullptr, however is allowed.
- DCHECK(!slot || !test_system_slot_);
- test_system_slot_ = std::move(slot);
- if (test_system_slot_) {
- tpm_slot_.reset(PK11_ReferenceSlot(test_system_slot_.get()));
- RunAndClearTPMReadyCallbackList();
- } else {
- tpm_slot_.reset();
+ if (!IsInitializationFinished()) {
+ // Call back to this method when initialization is finished.
+ tpm_ready_callback_list_.AddUnsafe(
+ base::BindOnce(&ChromeOSTokenManager::GetSystemNSSKeySlot,
+ base::Unretained(this) /* singleton is leaky */,
+ std::move(callback)));
+ return;
}
- }
-
- void SetSystemKeySlotWithoutInitializingTPMForTesting(ScopedPK11Slot slot) {
- DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
- // Ensure that a previous value of test_system_slot_ is not overwritten.
- // Unsetting, i.e. setting a nullptr, however is allowed.
- DCHECK(!slot || !test_system_slot_);
- if (tpm_slot_ && tpm_slot_ == test_system_slot_) {
- // Unset |tpm_slot_| if it was initialized from |test_system_slot_|.
- tpm_slot_.reset();
- }
- test_system_slot_ = std::move(slot);
+ base::SequencedTaskRunnerHandle::Get()->PostTask(
+ FROM_HERE,
+ base::BindOnce(std::move(callback),
+ /*system_slot=*/ScopedPK11Slot(
+ system_slot_ ? PK11_ReferenceSlot(system_slot_.get())
+ : nullptr)));
}
+ void ResetSystemSlotForTesting() { system_slot_.reset(); }
+
void SetPrivateSoftwareSlotForChromeOSUserForTesting(ScopedPK11Slot slot) {
DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
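Review bot: `GetSystemNSSKeySlot` has no `DCHECK(!callback.is_null());`, while `IsTPMTokenEnabled` in the previous hunk has one. The removed version accepted a null callback and returned the slot synchronously. The new one always binds or posts `callback`, so a caller that still passes a null callback would have it run from the posted task (presumably a crash when it is run; confirm). Adding the same DCHECK after the thread check catches such callers during migration.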
@@ -429,29 +457,8 @@ class ChromeOSTokenManager {
prepared_test_private_slot_ = std::move(slot);
}
- void GetSystemNSSKeySlotCallback(
- base::OnceCallback<void(ScopedPK11Slot)> callback) {
- std::move(callback).Run(
- ScopedPK11Slot(PK11_ReferenceSlot(tpm_slot_.get())));
- }
-
- ScopedPK11Slot GetSystemNSSKeySlot(
- base::OnceCallback<void(ScopedPK11Slot)> callback) {
- DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
- // TODO(mattm): chromeos::TPMTokenloader always calls
- // InitializeTPMTokenAndSystemSlot with slot 0. If the system slot is
- // disabled, tpm_slot_ will be the first user's slot instead. Can that be
- // detected and return nullptr instead?
-
- base::OnceClosure wrapped_callback;
- if (!callback.is_null()) {
- wrapped_callback = base::BindOnce(
- &ChromeOSTokenManager::GetSystemNSSKeySlotCallback,
- base::Unretained(this) /* singleton is leaky */, std::move(callback));
- }
- if (IsTPMTokenReady(std::move(wrapped_callback)))
- return ScopedPK11Slot(PK11_ReferenceSlot(tpm_slot_.get()));
- return ScopedPK11Slot();
+ bool IsInitializationStarted() {
+ return (state_ != State::kInitializationNotStarted);
}
private:
@@ -464,14 +471,24 @@ class ChromeOSTokenManager {
// shut down.
~ChromeOSTokenManager() = delete;
- bool tpm_token_enabled_for_nss_ = false;
- bool initializing_tpm_token_ = false;
- using TPMReadyCallbackList = base::OnceClosureList;
- TPMReadyCallbackList tpm_ready_callback_list_;
+ bool IsInitializationFinished() {
+ switch (state_) {
+ case State::kTpmTokenEnabled:
+ case State::kTpmTokenDisabled:
+ return true;
+ case State::kInitializationNotStarted:
+ case State::kInitializationStarted:
+ case State::kTpmTokenInitialized:
+ return false;
+ }
+ }
+
+ State state_ = State::kInitializationNotStarted;
+ base::OnceClosureList tpm_ready_callback_list_;
+
SECMODModule* chaps_module_ = nullptr;
- crypto::ScopedPK11Slot tpm_slot_;
+ ScopedPK11Slot system_slot_;
std::map<std::string, std::unique_ptr<ChromeOSUserData>> chromeos_user_map_;
- ScopedPK11Slot test_system_slot_;
ScopedPK11Slot prepared_test_private_slot_;
THREAD_CHECKER(thread_checker_);
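Review bot: `IsInitializationFinished` has no return statement after the `switch`, so control falls off the end of a non-void function if `state_` ever holds a value outside the listed enumerators. Compilers that do not treat a fully covered enum switch as exhaustive will also warn here. A `NOTREACHED();` followed by an explicit `return false;` after the switch closes that path, provided the NOTREACHED header is reachable from this file. Both this method and `IsInitializationStarted` only read `state_` and could be declared `const`.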
@@ -486,30 +503,29 @@ base::FilePath GetSoftwareNSSDBPath(
return profile_directory_path.AppendASCII(".pki").AppendASCII("nssdb");
}
-ScopedPK11Slot GetSystemNSSKeySlot(
- base::OnceCallback<void(ScopedPK11Slot)> callback) {
- return g_token_manager.Get().GetSystemNSSKeySlot(std::move(callback));
+void GetSystemNSSKeySlot(base::OnceCallback<void(ScopedPK11Slot)> callback) {
+ g_token_manager.Get().GetSystemNSSKeySlot(std::move(callback));
}
-void SetSystemKeySlotForTesting(ScopedPK11Slot slot) {
- g_token_manager.Get().SetSystemKeySlotForTesting(std::move(slot));
-}
-
-void SetSystemKeySlotWithoutInitializingTPMForTesting(ScopedPK11Slot slot) {
- g_token_manager.Get().SetSystemKeySlotWithoutInitializingTPMForTesting(
- std::move(slot));
-}
+void PrepareSystemSlotForTesting(ScopedPK11Slot slot) {
+ DCHECK(!ChromeOSTokenManagerDataForTesting::GetInstance().test_system_slot);
+ DCHECK(!g_token_manager.IsCreated() ||
+ !g_token_manager.Get().IsInitializationStarted())
+ << "PrepareSystemSlotForTesting is called after initialization started";
-void EnableTPMTokenForNSS() {
- g_token_manager.Get().EnableTPMTokenForNSS();
+ ChromeOSTokenManagerDataForTesting::GetInstance().test_system_slot =
+ std::move(slot);
}
-bool IsTPMTokenEnabledForNSS() {
- return g_token_manager.Get().IsTPMTokenEnabledForNSS();
+void ResetSystemSlotForTesting() {
+ if (g_token_manager.IsCreated()) {
+ g_token_manager.Get().ResetSystemSlotForTesting(); // IN-TEST
+ }
+ ChromeOSTokenManagerDataForTesting::GetInstance().test_system_slot.reset();
}
-bool IsTPMTokenReady(base::OnceClosure callback) {
- return g_token_manager.Get().IsTPMTokenReady(std::move(callback));
+void IsTPMTokenEnabled(base::OnceCallback<void(bool)> callback) {
+ g_token_manager.Get().IsTPMTokenEnabled(std::move(callback));
}
void InitializeTPMTokenAndSystemSlot(int token_slot_id,
@@ -518,6 +534,10 @@ void InitializeTPMTokenAndSystemSlot(int token_slot_id,
std::move(callback));
}
+void FinishInitializingTPMTokenAndSystemSlot() {
+ g_token_manager.Get().FinishInitializingTPMTokenAndSystemSlot();
+}
+
bool InitializeNSSForChromeOSUser(const std::string& username_hash,
const base::FilePath& path) {
return g_token_manager.Get().InitializeNSSForChromeOSUser(username_hash,
diff --git a/chromium/crypto/nss_util_internal.h b/chromium/crypto/nss_util_internal.h
index 99fbb10c7e2..9e11efcd1a2 100644
--- a/chromium/crypto/nss_util_internal.h
+++ b/chromium/crypto/nss_util_internal.h
@@ -36,11 +36,14 @@ CRYPTO_EXPORT ScopedPK11Slot OpenSoftwareNSSDB(const base::FilePath& path,
class CRYPTO_EXPORT AutoSECMODListReadLock {
public:
AutoSECMODListReadLock();
+
+ AutoSECMODListReadLock(const AutoSECMODListReadLock&) = delete;
+ AutoSECMODListReadLock& operator=(const AutoSECMODListReadLock&) = delete;
+
~AutoSECMODListReadLock();
private:
SECMODListLock* lock_;
- DISALLOW_COPY_AND_ASSIGN(AutoSECMODListReadLock);
};
#if BUILDFLAG(IS_CHROMEOS_ASH)
@@ -49,27 +52,23 @@ class CRYPTO_EXPORT AutoSECMODListReadLock {
CRYPTO_EXPORT base::FilePath GetSoftwareNSSDBPath(
const base::FilePath& profile_directory_path);
-// Returns a reference to the system-wide TPM slot if it is loaded. If it is not
-// loaded and |callback| is non-null, the |callback| will be run once the slot
-// is loaded.
-CRYPTO_EXPORT ScopedPK11Slot GetSystemNSSKeySlot(
- base::OnceCallback<void(ScopedPK11Slot)> callback) WARN_UNUSED_RESULT;
-
-// Sets the test system slot to |slot|, which means that |slot| will be exposed
-// through |GetSystemNSSKeySlot| and |IsTPMTokenReady| will return true.
-// |InitializeTPMTokenAndSystemSlot|, which triggers the TPM initialization,
-// does not have to be called if the test system slot is set.
-// This must must not be called consecutively with a |slot| != nullptr. If
-// |slot| is nullptr, the test system slot is unset.
-CRYPTO_EXPORT void SetSystemKeySlotForTesting(ScopedPK11Slot slot);
+// Returns a reference to the system-wide TPM slot (or nullptr if it will never
+// be loaded).
+CRYPTO_EXPORT void GetSystemNSSKeySlot(
+ base::OnceCallback<void(ScopedPK11Slot)> callback);
// Injects the given |slot| as a system slot set by the future
// |InitializeTPMTokenAndSystemSlot| call.
-// This must must not be called consecutively with a |slot| != nullptr. If
-// |slot| is nullptr and the system slot is already initialized to the
-// previously passed test value, the system slot is unset.
-CRYPTO_EXPORT void SetSystemKeySlotWithoutInitializingTPMForTesting(
- ScopedPK11Slot slot);
+CRYPTO_EXPORT void PrepareSystemSlotForTesting(ScopedPK11Slot slot);
+
+// Attempt to unset the testing system slot.
+// Note: After this method is called, the system is in an undefined state; it is
+// NOT possible to call `PrepareSystemSlotForTesting()` and have it return to a
+// known-good state. The primary purpose is to attempt to release system
+// resources, such as file handles, to allow the cleanup of files on disk, but
+// because of the process-wide effect, it's not possible to unwind any/all
+// initialization that depended on this previously-configured system slot.
+CRYPTO_EXPORT void ResetSystemSlotForTesting();
// Prepare per-user NSS slot mapping. It is safe to call this function multiple
// times. Returns true if the user was added, or false if it already existed.
diff --git a/chromium/crypto/openssl_util.h b/chromium/crypto/openssl_util.h
index db6537eef07..91cb596147c 100644
--- a/chromium/crypto/openssl_util.h
+++ b/chromium/crypto/openssl_util.h
@@ -29,6 +29,10 @@ class ScopedOpenSSLSafeSizeBuffer {
output_len_(output_len) {
}
+ ScopedOpenSSLSafeSizeBuffer(const ScopedOpenSSLSafeSizeBuffer&) = delete;
+ ScopedOpenSSLSafeSizeBuffer& operator=(const ScopedOpenSSLSafeSizeBuffer&) =
+ delete;
+
~ScopedOpenSSLSafeSizeBuffer() {
if (output_len_ < MIN_SIZE) {
// Copy the temporary buffer out, truncating as needed.
@@ -50,8 +54,6 @@ class ScopedOpenSSLSafeSizeBuffer {
// Temporary buffer writen into in the case where the caller's
// buffer is not of sufficient size.
unsigned char min_sized_buffer_[MIN_SIZE];
-
- DISALLOW_COPY_AND_ASSIGN(ScopedOpenSSLSafeSizeBuffer);
};
// Initialize OpenSSL if it isn't already initialized. This must be called
diff --git a/chromium/crypto/rsa_private_key.h b/chromium/crypto/rsa_private_key.h
index 707994922ed..b747b896558 100644
--- a/chromium/crypto/rsa_private_key.h
+++ b/chromium/crypto/rsa_private_key.h
@@ -24,6 +24,9 @@ namespace crypto {
// TODO(hclam): This class should be ref-counted so it can be reused easily.
class CRYPTO_EXPORT RSAPrivateKey {
public:
+ RSAPrivateKey(const RSAPrivateKey&) = delete;
+ RSAPrivateKey& operator=(const RSAPrivateKey&) = delete;
+
~RSAPrivateKey();
// Create a new random instance. Can return NULL if initialization fails.
@@ -56,8 +59,6 @@ class CRYPTO_EXPORT RSAPrivateKey {
RSAPrivateKey();
bssl::UniquePtr<EVP_PKEY> key_;
-
- DISALLOW_COPY_AND_ASSIGN(RSAPrivateKey);
};
} // namespace crypto
diff --git a/chromium/crypto/scoped_capi_types.h b/chromium/crypto/scoped_capi_types.h
index 19bca16992d..a54dfc926eb 100644
--- a/chromium/crypto/scoped_capi_types.h
+++ b/chromium/crypto/scoped_capi_types.h
@@ -88,6 +88,16 @@ struct FreeCertChainContextFunctor {
using ScopedPCCERT_CHAIN_CONTEXT =
std::unique_ptr<const CERT_CHAIN_CONTEXT, FreeCertChainContextFunctor>;
+struct FreeCtlContextFunctor {
+ void operator()(PCCTL_CONTEXT ctl_context) const {
+ if (ctl_context)
+ CertFreeCTLContext(ctl_context);
+ }
+};
+
+using ScopedPCCTL_CONTEXT =
+ std::unique_ptr<const CTL_CONTEXT, FreeCtlContextFunctor>;
+
} // namespace crypto
#endif // CRYPTO_SCOPED_CAPI_TYPES_H_
diff --git a/chromium/crypto/scoped_test_nss_chromeos_user.h b/chromium/crypto/scoped_test_nss_chromeos_user.h
index 9202b0f0207..ad5a770a412 100644
--- a/chromium/crypto/scoped_test_nss_chromeos_user.h
+++ b/chromium/crypto/scoped_test_nss_chromeos_user.h
@@ -21,6 +21,11 @@ class CRYPTO_EXPORT ScopedTestNSSChromeOSUser {
// Opens the software database and sets the public slot for the user. The
// private slot will not be initialized until FinishInit() is called.
explicit ScopedTestNSSChromeOSUser(const std::string& username_hash);
+
+ ScopedTestNSSChromeOSUser(const ScopedTestNSSChromeOSUser&) = delete;
+ ScopedTestNSSChromeOSUser& operator=(const ScopedTestNSSChromeOSUser&) =
+ delete;
+
~ScopedTestNSSChromeOSUser();
std::string username_hash() const { return username_hash_; }
@@ -34,8 +39,6 @@ class CRYPTO_EXPORT ScopedTestNSSChromeOSUser {
const std::string username_hash_;
base::ScopedTempDir temp_dir_;
bool constructed_successfully_;
-
- DISALLOW_COPY_AND_ASSIGN(ScopedTestNSSChromeOSUser);
};
} // namespace crypto
diff --git a/chromium/crypto/scoped_test_nss_db.h b/chromium/crypto/scoped_test_nss_db.h
index 1505b4d395f..f0da44d43d4 100644
--- a/chromium/crypto/scoped_test_nss_db.h
+++ b/chromium/crypto/scoped_test_nss_db.h
@@ -18,6 +18,10 @@ namespace crypto {
class CRYPTO_EXPORT ScopedTestNSSDB {
public:
ScopedTestNSSDB();
+
+ ScopedTestNSSDB(const ScopedTestNSSDB&) = delete;
+ ScopedTestNSSDB& operator=(const ScopedTestNSSDB&) = delete;
+
~ScopedTestNSSDB();
bool is_open() const { return !!slot_; }
@@ -29,8 +33,6 @@ class CRYPTO_EXPORT ScopedTestNSSDB {
base::ScopedTempDir temp_dir_;
ScopedPK11Slot slot_;
-
- DISALLOW_COPY_AND_ASSIGN(ScopedTestNSSDB);
};
} // namespace crypto
diff --git a/chromium/crypto/scoped_test_system_nss_key_slot.cc b/chromium/crypto/scoped_test_system_nss_key_slot.cc
index 53fbbffc1a9..4bc52bb8c2c 100644
--- a/chromium/crypto/scoped_test_system_nss_key_slot.cc
+++ b/chromium/crypto/scoped_test_system_nss_key_slot.cc
@@ -4,21 +4,27 @@
#include "crypto/scoped_test_system_nss_key_slot.h"
+#include "crypto/nss_util.h"
#include "crypto/nss_util_internal.h"
#include "crypto/scoped_test_nss_db.h"
namespace crypto {
-ScopedTestSystemNSSKeySlot::ScopedTestSystemNSSKeySlot()
+ScopedTestSystemNSSKeySlot::ScopedTestSystemNSSKeySlot(
+ bool simulate_token_loader)
: test_db_(new ScopedTestNSSDB) {
if (!test_db_->is_open())
return;
- SetSystemKeySlotForTesting(
+
+ PrepareSystemSlotForTesting( // IN-TEST
ScopedPK11Slot(PK11_ReferenceSlot(test_db_->slot())));
+
+ if (simulate_token_loader)
+ FinishInitializingTPMTokenAndSystemSlot();
}
ScopedTestSystemNSSKeySlot::~ScopedTestSystemNSSKeySlot() {
- SetSystemKeySlotForTesting(ScopedPK11Slot());
+ ResetSystemSlotForTesting(); // IN-TEST
}
bool ScopedTestSystemNSSKeySlot::ConstructedSuccessfully() const {
diff --git a/chromium/crypto/scoped_test_system_nss_key_slot.h b/chromium/crypto/scoped_test_system_nss_key_slot.h
index ae9b2cd8a5b..d01d4da8e80 100644
--- a/chromium/crypto/scoped_test_system_nss_key_slot.h
+++ b/chromium/crypto/scoped_test_system_nss_key_slot.h
@@ -17,17 +17,27 @@ namespace crypto {
class ScopedTestNSSDB;
-// Opens a persistent NSS software database in a temporary directory and sets
-// the test system slot to the opened database. This helper should be created in
-// tests to fake the system token that is usually provided by the Chaps module.
-// |slot| is exposed through |GetSystemNSSKeySlot| and |IsTPMTokenReady| will
-// return true.
-// |InitializeTPMTokenAndSystemSlot|, which triggers the TPM initialization,
-// does not have to be called if this helper is used.
-// At most one instance of this helper must be used at a time.
+// Helper object to override the behavior of `crypto::GetSystemNSSKeySlot()`
+// to return a slot from a temporary directory (i.e. bypassing the TPM).
+// This object MUST be created before any call to
+// `crypto::InitializeTPMTokenAndSystemSlot()`. Note: As noted in
+// `crypto::ResetSystemSlotForTesting()`, once a fake slot has been configured
+// for a process, it cannot be undone. As such, only one instance of this object
+// must be created for a process.
class CRYPTO_EXPORT ScopedTestSystemNSSKeySlot {
public:
- ScopedTestSystemNSSKeySlot();
+ // If `simulate_token_loader` is false, this class only prepares a software
+ // system slot, which will be made available through `GetSystemNSSKeySlot`
+ // when something else (presumably the TpmTokenLoader) calls
+ // `crypto::FinishInitializingTPMTokenAndSystemSlot`. Setting
+ // `simulate_token_loader` to true emulates the "initialization finished"
+ // signal immediately (e.g. in unit tests).
+ ScopedTestSystemNSSKeySlot(bool simulate_token_loader);
+
+ ScopedTestSystemNSSKeySlot(const ScopedTestSystemNSSKeySlot&) = delete;
+ ScopedTestSystemNSSKeySlot& operator=(const ScopedTestSystemNSSKeySlot&) =
+ delete;
+
~ScopedTestSystemNSSKeySlot();
bool ConstructedSuccessfully() const;
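Review bot: The new constructor `ScopedTestSystemNSSKeySlot(bool simulate_token_loader);` takes a single argument and is not marked `explicit`, so a `bool` converts implicitly to this helper. Declare it `explicit ScopedTestSystemNSSKeySlot(bool simulate_token_loader);`, as `ScopedTestNSSChromeOSUser` does for its one-argument constructor elsewhere in this commit. The class body continues past this hunk.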
@@ -35,8 +45,6 @@ class CRYPTO_EXPORT ScopedTestSystemNSSKeySlot {
private:
std::unique_ptr<ScopedTestNSSDB> test_db_;
-
- DISALLOW_COPY_AND_ASSIGN(ScopedTestSystemNSSKeySlot);
};
} // namespace crypto
diff --git a/chromium/crypto/secure_hash.h b/chromium/crypto/secure_hash.h
index b97487b5ca7..907c6a85e9b 100644
--- a/chromium/crypto/secure_hash.h
+++ b/chromium/crypto/secure_hash.h
@@ -22,6 +22,10 @@ class CRYPTO_EXPORT SecureHash {
enum Algorithm {
SHA256,
};
+
+ SecureHash(const SecureHash&) = delete;
+ SecureHash& operator=(const SecureHash&) = delete;
+
virtual ~SecureHash() {}
static std::unique_ptr<SecureHash> Create(Algorithm type);
@@ -37,9 +41,6 @@ class CRYPTO_EXPORT SecureHash {
protected:
SecureHash() {}
-
- private:
- DISALLOW_COPY_AND_ASSIGN(SecureHash);
};
} // namespace crypto
diff --git a/chromium/crypto/signature_creator.h b/chromium/crypto/signature_creator.h
index 3a50bacd7ae..35e4c776358 100644
--- a/chromium/crypto/signature_creator.h
+++ b/chromium/crypto/signature_creator.h
@@ -29,6 +29,9 @@ class CRYPTO_EXPORT SignatureCreator {
SHA256,
};
+ SignatureCreator(const SignatureCreator&) = delete;
+ SignatureCreator& operator=(const SignatureCreator&) = delete;
+
~SignatureCreator();
// Create an instance. The caller must ensure that the provided PrivateKey
@@ -56,8 +59,6 @@ class CRYPTO_EXPORT SignatureCreator {
SignatureCreator();
EVP_MD_CTX* sign_context_;
-
- DISALLOW_COPY_AND_ASSIGN(SignatureCreator);
};
} // namespace crypto
diff --git a/chromium/crypto/symmetric_key.h b/chromium/crypto/symmetric_key.h
index d802241a0a0..da79fba44aa 100644
--- a/chromium/crypto/symmetric_key.h
+++ b/chromium/crypto/symmetric_key.h
@@ -27,6 +27,9 @@ class CRYPTO_EXPORT SymmetricKey {
HMAC_SHA1,
};
+ SymmetricKey(const SymmetricKey&) = delete;
+ SymmetricKey& operator=(const SymmetricKey&) = delete;
+
virtual ~SymmetricKey();
// Generates a random key suitable to be used with |algorithm| and of
@@ -79,8 +82,6 @@ class CRYPTO_EXPORT SymmetricKey {
SymmetricKey();
std::string key_;
-
- DISALLOW_COPY_AND_ASSIGN(SymmetricKey);
};
} // namespace crypto