v811_spc009/external/vboot_reference/tests/vboot_api_init_tests.c

/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 *
 * Tests for vboot_api_init
 */

#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#include "gbb_header.h"
#include "host_common.h"
#include "rollback_index.h"
#include "test_common.h"
#include "vboot_common.h"
#include "vboot_nvstorage.h"
#include "vboot_struct.h"

/* Mock data */
static VbCommonParams cparams;
static VbInitParams iparams;
static VbNvContext vnc;
static uint8_t shared_data[VB_SHARED_DATA_MIN_SIZE];
static VbSharedDataHeader *shared = (VbSharedDataHeader *)shared_data;
static uint64_t mock_timer;
static int rollback_s3_retval;
static int nv_write_called;
static GoogleBinaryBlockHeader gbb;
static int mock_virt_dev_sw;
static uint32_t mock_tpm_version;
static uint32_t mock_rfs_retval;
static int rfs_clear_tpm_request;
static int rfs_disable_dev_request;
static uint8_t backup_space[BACKUP_NV_SIZE];
static int backup_write_called;
static int backup_read_called;

/* Reset mock data (for use before each test) */
static void ResetMocks(void)
{
	Memset(&cparams, 0, sizeof(cparams));
	cparams.shared_data_size = sizeof(shared_data);
	cparams.shared_data_blob = shared_data;
	cparams.gbb_data = &gbb;
	cparams.gbb_size = sizeof(gbb);

	Memset(&gbb, 0, sizeof(gbb));
	gbb.major_version = GBB_MAJOR_VER;
	gbb.minor_version = GBB_MINOR_VER;
	gbb.flags = 0;

	Memset(&iparams, 0, sizeof(iparams));

	Memset(&vnc, 0, sizeof(vnc));
	VbNvSetup(&vnc);
	VbNvTeardown(&vnc);                   /* So CRC gets generated */

	Memset(backup_space, 0, sizeof(backup_space));
	backup_write_called = 0;
	backup_read_called = 0;

	Memset(&shared_data, 0, sizeof(shared_data));
	VbSharedDataInit(shared, sizeof(shared_data));

	mock_timer = 10;
	rollback_s3_retval = TPM_SUCCESS;
	nv_write_called = 0;

	mock_virt_dev_sw = 0;
	mock_tpm_version = 0x10001;
	mock_rfs_retval = 0;

	rfs_clear_tpm_request = 0;
	rfs_disable_dev_request = 0;
}

/****************************************************************************/
/* Mocked verification functions */

VbError_t VbExNvStorageRead(uint8_t *buf)
{
	Memcpy(buf, vnc.raw, sizeof(vnc.raw));
	return VBERROR_SUCCESS;
}

VbError_t VbExNvStorageWrite(const uint8_t *buf)
{
	nv_write_called++;
	Memcpy(vnc.raw, buf, sizeof(vnc.raw));
	return VBERROR_SUCCESS;
}

uint32_t RollbackBackupRead(uint8_t *raw)
{
	backup_read_called++;
	Memcpy(raw, backup_space, sizeof(backup_space));
	return TPM_SUCCESS;
}

uint32_t RollbackBackupWrite(uint8_t *raw)
{
	backup_write_called++;
	Memcpy(backup_space, raw, sizeof(backup_space));
	return TPM_SUCCESS;
}

uint64_t VbExGetTimer(void)
{
	/*
	 * Exponential-ish rather than linear time, so that subtracting any
	 * two mock values will yield a unique result.
	 */
	uint64_t new_timer = mock_timer * 2 + 1;
	VbAssert(new_timer > mock_timer);  /* Make sure we don't overflow */
	mock_timer = new_timer;
	return mock_timer;
}

uint32_t RollbackS3Resume(void)
{
	return rollback_s3_retval;
}

uint32_t RollbackFirmwareSetup(int is_hw_dev,
                               int disable_dev_request,
                               int clear_tpm_owner_request,
                               /* two outputs on success */
                               int *is_virt_dev, uint32_t *version)
{
	rfs_clear_tpm_request = clear_tpm_owner_request;
	rfs_disable_dev_request = disable_dev_request;

	*is_virt_dev = mock_virt_dev_sw;
	*version = mock_tpm_version;
	return mock_rfs_retval;
}

/****************************************************************************/
/* Test VbInit() and check expected return value and recovery reason */

static void TestVbInit(VbError_t expected_retval,
                       uint8_t expected_recovery, const char *desc)
{
	uint32_t rr = 256;

	TEST_EQ(VbInit(&cparams, &iparams), expected_retval, desc);
	VbNvGet(&vnc, VBNV_RECOVERY_REQUEST, &rr);
	TEST_EQ(rr, expected_recovery, "  (recovery request)");
}

/****************************************************************************/

static void VbInitTest(void)
{
	uint32_t u;

	/* Test passing in too small a shared data area */
	ResetMocks();
	cparams.shared_data_size = VB_SHARED_DATA_MIN_SIZE - 1;
	TestVbInit(VBERROR_INIT_SHARED_DATA, 0, "Shared data too small");

	/* Normal call; dev=0 rec=0 */
	ResetMocks();
	TestVbInit(0, 0, "Normal call");
	TEST_EQ(shared->timer_vb_init_enter, 21, "  time enter");
	TEST_EQ(shared->timer_vb_init_exit, 43, "  time exit");
	TEST_EQ(shared->flags, 0, "  shared flags");
	TEST_EQ(iparams.out_flags, 0, "  out flags");
	TEST_EQ(nv_write_called, 0,
		"  NV write not called since nothing changed");

	/* If NV data is trashed, we initialize it */
	ResetMocks();
	VbNvSet(&vnc, VBNV_RECOVERY_REQUEST, 123);
	/*
	 * Note that we're not doing a VbNvTeardown(), so the CRC hasn't been
	 * regenerated yet.  So VbInit() should ignore the corrupted recovery
	 * value and boot normally.
	 */
	TestVbInit(0, 0, "NV data trashed");
	TEST_EQ(nv_write_called, 1, "  NV write called");

	/*
	 * Test boot switch flags which are just passed through to shared
	 * flags, and don't have an effect on VbInit().
	 */
	ResetMocks();
	iparams.flags = VB_INIT_FLAG_WP_ENABLED;
	TestVbInit(0, 0, "Flags test WP");
	TEST_EQ(shared->flags, VBSD_BOOT_FIRMWARE_WP_ENABLED,
		"  shared flags");

	ResetMocks();
	iparams.flags = VB_INIT_FLAG_SW_WP_ENABLED;
	TestVbInit(0, 0, "Flags test SW WP");
	TEST_EQ(shared->flags, VBSD_BOOT_FIRMWARE_SW_WP_ENABLED,
		"  shared flags");

	ResetMocks();
	iparams.flags = VB_INIT_FLAG_RO_NORMAL_SUPPORT;
	TestVbInit(0, 0, "  flags test RO normal");
	TEST_EQ(shared->flags, VBSD_BOOT_RO_NORMAL_SUPPORT,
		"  shared flags");

	ResetMocks();
	iparams.flags = VB_INIT_FLAG_EC_SOFTWARE_SYNC;
	TestVbInit(0, 0, "  flags test EC software sync");
	TEST_EQ(shared->flags, VBSD_EC_SOFTWARE_SYNC, "  shared flags");

	ResetMocks();
	iparams.flags = VB_INIT_FLAG_EC_SLOW_UPDATE;
	TestVbInit(0, 0, "  flags test EC slow update");
	TEST_EQ(shared->flags, VBSD_EC_SLOW_UPDATE, "  shared flags");

	/* S3 resume */
	ResetMocks();
	iparams.flags = VB_INIT_FLAG_S3_RESUME;
	VbNvSet(&vnc, VBNV_RECOVERY_REQUEST, 123);
	VbNvTeardown(&vnc);
	/* S3 resume doesn't clear the recovery request (or act on it) */
	TestVbInit(0, 123, "S3 resume");
	TEST_EQ(shared->flags, VBSD_BOOT_S3_RESUME, "  shared flags S3");
	TEST_EQ(iparams.out_flags, 0, "  out flags");
	TEST_EQ(shared->recovery_reason, 0,
		"  S3 doesn't look at recovery request");

	/* S3 resume with TPM resume error */
	ResetMocks();
	iparams.flags = VB_INIT_FLAG_S3_RESUME;
	rollback_s3_retval = 1;
	/* S3 resume doesn't clear the recovery request (or act on it) */
	TestVbInit(VBERROR_TPM_S3_RESUME, 0, "S3 resume rollback error");

	/*
	 * Normal boot doesn't care about TPM resume error because it doesn't
	 * call RollbackS3Resume().
	 */
	ResetMocks();
	rollback_s3_retval = 1;
	TestVbInit(0, 0, "Normal doesn't S3 resume");

	/* S3 resume with debug reset */
	ResetMocks();
	iparams.flags = VB_INIT_FLAG_S3_RESUME;
	VbNvSet(&vnc, VBNV_DEBUG_RESET_MODE, 1);
	VbNvTeardown(&vnc);
	TestVbInit(0, 0, "S3 debug reset");
	TEST_EQ(iparams.out_flags, VB_INIT_OUT_S3_DEBUG_BOOT, "  out flags");
	VbNvGet(&vnc, VBNV_DEBUG_RESET_MODE, &u);
	TEST_EQ(u, 0, "  S3 clears nv debug reset mode");

	/* Normal boot clears S3 debug reset mode; doesn't set output flag */
	ResetMocks();
	VbNvSet(&vnc, VBNV_DEBUG_RESET_MODE, 1);
	VbNvTeardown(&vnc);
	TestVbInit(0, 0, "Normal with debug reset mode");
	TEST_EQ(iparams.out_flags, 0, "  out flags");
	VbNvGet(&vnc, VBNV_DEBUG_RESET_MODE, &u);
	TEST_EQ(u, 0, "  normal clears nv debug reset mode");

	/*
	 * S3 resume with debug reset is a normal boot, so doesn't resume the
	 * TPM.
	 */
	ResetMocks();
	iparams.flags = VB_INIT_FLAG_S3_RESUME;
	rollback_s3_retval = 1;
	VbNvSet(&vnc, VBNV_DEBUG_RESET_MODE, 1);
	VbNvTeardown(&vnc);
	TestVbInit(0, 0, "S3 debug reset rollback error");

	/* Developer mode */
	ResetMocks();
	iparams.flags = VB_INIT_FLAG_DEV_SWITCH_ON;
	TestVbInit(0, 0, "Dev mode on");
	TEST_EQ(shared->recovery_reason, 0, "  recovery reason");
	TEST_EQ(iparams.out_flags,
		VB_INIT_OUT_CLEAR_RAM |
		VB_INIT_OUT_ENABLE_DISPLAY |
		VB_INIT_OUT_ENABLE_USB_STORAGE |
		VB_INIT_OUT_ENABLE_DEVELOPER |
		VB_INIT_OUT_ENABLE_ALTERNATE_OS, "  out flags");
	TEST_EQ(shared->flags, VBSD_BOOT_DEV_SWITCH_ON, "  shared flags");

	/* Developer mode forced by GBB flag */
	ResetMocks();
	iparams.flags = 0;
	gbb.flags = GBB_FLAG_FORCE_DEV_SWITCH_ON;
	TestVbInit(0, 0, "Dev mode via GBB");
	TEST_EQ(shared->recovery_reason, 0, "  recovery reason");
	TEST_EQ(iparams.out_flags,
		VB_INIT_OUT_CLEAR_RAM |
		VB_INIT_OUT_ENABLE_DISPLAY |
		VB_INIT_OUT_ENABLE_USB_STORAGE |
		VB_INIT_OUT_ENABLE_DEVELOPER |
		VB_INIT_OUT_ENABLE_ALTERNATE_OS, "  out flags");
	TEST_EQ(shared->flags, VBSD_BOOT_DEV_SWITCH_ON, "  shared flags");

	/* Developer mode when option ROM matters and isn't loaded */
	ResetMocks();
	iparams.flags = VB_INIT_FLAG_DEV_SWITCH_ON |
		VB_INIT_FLAG_OPROM_MATTERS;
	TestVbInit(VBERROR_VGA_OPROM_MISMATCH, 0, "Dev mode need oprom");
	VbNvGet(&vnc, VBNV_OPROM_NEEDED, &u);
	TEST_EQ(u, 1, "  oprom requested");

	/* Developer mode when option ROM matters and is already loaded */
	ResetMocks();
	iparams.flags = VB_INIT_FLAG_DEV_SWITCH_ON |
		VB_INIT_FLAG_OPROM_MATTERS | VB_INIT_FLAG_OPROM_LOADED;
	TestVbInit(0, 0, "Dev mode has oprom");

	/* Normal mode when option ROM matters and is loaded */
	ResetMocks();
	VbNvSet(&vnc, VBNV_OPROM_NEEDED, 1);
	VbNvTeardown(&vnc);
	iparams.flags = VB_INIT_FLAG_OPROM_MATTERS | VB_INIT_FLAG_OPROM_LOADED;
	TestVbInit(VBERROR_VGA_OPROM_MISMATCH, 0, "Normal mode with oprom");
	VbNvGet(&vnc, VBNV_OPROM_NEEDED, &u);
	TEST_EQ(u, 0, "  oprom not requested");

	/* Option ROMs can be forced by GBB flag */
	ResetMocks();
	gbb.flags = GBB_FLAG_LOAD_OPTION_ROMS;
	TestVbInit(0, 0, "GBB load option ROMs");
	TEST_EQ(iparams.out_flags, VB_INIT_OUT_ENABLE_OPROM, "  out flags");

	/* If requiring signed only, don't enable alternate OS by default */
	ResetMocks();
	VbNvSet(&vnc, VBNV_DEV_BOOT_SIGNED_ONLY, 1);
	VbNvTeardown(&vnc);
	iparams.flags = VB_INIT_FLAG_DEV_SWITCH_ON;
	TestVbInit(0, 0, "Dev signed only");
	TEST_EQ(iparams.out_flags,
		VB_INIT_OUT_CLEAR_RAM |
		VB_INIT_OUT_ENABLE_DISPLAY |
		VB_INIT_OUT_ENABLE_USB_STORAGE |
		VB_INIT_OUT_ENABLE_DEVELOPER, "  out flags");

	/* But that can be overridden by the GBB */
	ResetMocks();
	VbNvSet(&vnc, VBNV_DEV_BOOT_SIGNED_ONLY, 1);
	VbNvTeardown(&vnc);
	iparams.flags = VB_INIT_FLAG_DEV_SWITCH_ON;
	gbb.flags = GBB_FLAG_ENABLE_ALTERNATE_OS;
	TestVbInit(0, 0, "Force option ROMs via GBB");
	TEST_EQ(iparams.out_flags,
		VB_INIT_OUT_CLEAR_RAM |
		VB_INIT_OUT_ENABLE_DISPLAY |
		VB_INIT_OUT_ENABLE_USB_STORAGE |
		VB_INIT_OUT_ENABLE_DEVELOPER |
		VB_INIT_OUT_ENABLE_ALTERNATE_OS, "  out flags");

	/* The GBB override is ignored in normal mode */
	ResetMocks();
	gbb.flags = GBB_FLAG_ENABLE_ALTERNATE_OS;
	TestVbInit(0, 0, "Normal mode ignores forcing option ROMs via GBB");
	TEST_EQ(iparams.out_flags, 0, "  out flags");

	/* Recovery mode from NV storage */
	ResetMocks();
	VbNvSet(&vnc, VBNV_RECOVERY_REQUEST, 123);
	VbNvTeardown(&vnc);
	TestVbInit(0, 0, "Recovery mode - from nv");
	TEST_EQ(shared->recovery_reason, 123, "  recovery reason");
	TEST_EQ(iparams.out_flags,
		VB_INIT_OUT_ENABLE_RECOVERY |
		VB_INIT_OUT_CLEAR_RAM |
		VB_INIT_OUT_ENABLE_DISPLAY |
		VB_INIT_OUT_ENABLE_USB_STORAGE, "  out flags");
	TEST_EQ(shared->flags, 0, "  shared flags");

	/* Recovery mode from recovery button */
	ResetMocks();
	iparams.flags = VB_INIT_FLAG_REC_BUTTON_PRESSED;
	TestVbInit(0, 0, "Recovery mode - button");
	TEST_EQ(shared->recovery_reason, VBNV_RECOVERY_RO_MANUAL,
		"  recovery reason");
	TEST_EQ(iparams.out_flags,
		VB_INIT_OUT_ENABLE_RECOVERY |
		VB_INIT_OUT_CLEAR_RAM |
		VB_INIT_OUT_ENABLE_DISPLAY |
		VB_INIT_OUT_ENABLE_USB_STORAGE, "  out flags");
	TEST_EQ(shared->flags, VBSD_BOOT_REC_SWITCH_ON, "  shared flags");

	/* Recovery button reason supersedes NV reason */
	ResetMocks();
	iparams.flags = VB_INIT_FLAG_REC_BUTTON_PRESSED;
	VbNvSet(&vnc, VBNV_RECOVERY_REQUEST, 123);
	VbNvTeardown(&vnc);
	TestVbInit(0, 0, "Recovery mode - button AND nv");
	TEST_EQ(shared->recovery_reason, VBNV_RECOVERY_RO_MANUAL,
		"  recovery reason");

	/* Recovery mode from previous boot fail */
	ResetMocks();
	iparams.flags = VB_INIT_FLAG_PREVIOUS_BOOT_FAIL;
	TestVbInit(0, 0, "Recovery mode - previous boot fail");
	TEST_EQ(shared->recovery_reason, VBNV_RECOVERY_RO_FIRMWARE,
		"  recovery reason");
	TEST_EQ(iparams.out_flags,
		VB_INIT_OUT_ENABLE_RECOVERY |
		VB_INIT_OUT_CLEAR_RAM |
		VB_INIT_OUT_ENABLE_DISPLAY |
		VB_INIT_OUT_ENABLE_USB_STORAGE, "  out flags");
	TEST_EQ(shared->flags, 0, "  shared flags");

	/* Recovery mode from NV supersedes previous boot fail */
	ResetMocks();
	iparams.flags = VB_INIT_FLAG_PREVIOUS_BOOT_FAIL;
	VbNvSet(&vnc, VBNV_RECOVERY_REQUEST, 123);
	VbNvTeardown(&vnc);
	TestVbInit(0, 0, "Recovery mode - previous boot fail AND nv");
	TEST_EQ(shared->recovery_reason, 123, "  recovery reason");

	/* Dev + recovery = recovery */
	ResetMocks();
	iparams.flags = VB_INIT_FLAG_REC_BUTTON_PRESSED |
		VB_INIT_FLAG_DEV_SWITCH_ON;
	TestVbInit(0, 0, "Recovery mode - button");
	TEST_EQ(shared->recovery_reason, VBNV_RECOVERY_RO_MANUAL,
		"  recovery reason");
	TEST_EQ(iparams.out_flags,
		VB_INIT_OUT_ENABLE_RECOVERY |
		VB_INIT_OUT_CLEAR_RAM |
		VB_INIT_OUT_ENABLE_DISPLAY |
		VB_INIT_OUT_ENABLE_USB_STORAGE, "  out flags");
	TEST_EQ(shared->flags,
		VBSD_BOOT_REC_SWITCH_ON | VBSD_BOOT_DEV_SWITCH_ON,
		"  shared flags");
}

static void VbInitTestTPM(void)
{
	uint32_t u;

	/* Rollback setup needs to reboot */
	ResetMocks();
	mock_rfs_retval = TPM_E_MUST_REBOOT;
	TestVbInit(VBERROR_TPM_REBOOT_REQUIRED, 0,
		   "Rollback TPM reboot (rec=0)");
	ResetMocks();
	mock_rfs_retval = TPM_E_MUST_REBOOT;
	iparams.flags = VB_INIT_FLAG_REC_BUTTON_PRESSED;
	TestVbInit(VBERROR_TPM_REBOOT_REQUIRED, VBNV_RECOVERY_RO_TPM_REBOOT,
		   "Rollback TPM reboot, in recovery, first time");
	/* Ignore if we already tried rebooting */
	ResetMocks();
	mock_rfs_retval = TPM_E_MUST_REBOOT;
	VbNvSet(&vnc, VBNV_RECOVERY_REQUEST, VBNV_RECOVERY_RO_TPM_REBOOT);
	VbNvTeardown(&vnc);
	TestVbInit(0, 0, "Rollback TPM reboot, in recovery, already retried");
	TEST_EQ(shared->fw_version_tpm, 0x10001, "  shared fw_version_tpm");

	/* Other rollback setup errors */
	ResetMocks();
	mock_rfs_retval = TPM_E_IOERROR;
	mock_tpm_version = 0x20002;
	TestVbInit(VBERROR_TPM_FIRMWARE_SETUP, VBNV_RECOVERY_RO_TPM_S_ERROR,
		   "Rollback TPM setup error - not in recovery");
	TEST_EQ(shared->fw_version_tpm, 0, "  shared fw_version_tpm not set");
	ResetMocks();
	mock_rfs_retval = TPM_E_IOERROR;
	VbNvSet(&vnc, VBNV_RECOVERY_REQUEST, VBNV_RECOVERY_US_TEST);
	VbNvTeardown(&vnc);
	TestVbInit(0, 0, "Rollback TPM setup error ignored in recovery");
	TEST_EQ(shared->fw_version_tpm, 0x10001, "  shared fw_version_tpm");

	/* Virtual developer switch, but not enabled. */
	ResetMocks();
	VbNvSet(&vnc, VBNV_DISABLE_DEV_REQUEST, 1);
	VbNvTeardown(&vnc);
	iparams.flags = VB_INIT_FLAG_VIRTUAL_DEV_SWITCH;
	TestVbInit(0, 0, "TPM Dev mode off");
	TEST_EQ(shared->recovery_reason, 0, "  recovery reason");
	TEST_EQ(iparams.out_flags, 0, "  out flags");
	TEST_EQ(shared->flags, VBSD_HONOR_VIRT_DEV_SWITCH, "  shared flags");
	VbNvGet(&vnc, VBNV_DISABLE_DEV_REQUEST, &u);
	TEST_EQ(u, 0, "  disable dev request");

	/* Virtual developer switch, enabled. */
	ResetMocks();
	VbNvSet(&vnc, VBNV_DISABLE_DEV_REQUEST, 1);
	VbNvTeardown(&vnc);
	iparams.flags = VB_INIT_FLAG_VIRTUAL_DEV_SWITCH;
	mock_virt_dev_sw = 1;
	TestVbInit(0, 0, "TPM Dev mode on");
	TEST_EQ(shared->recovery_reason, 0, "  recovery reason");
	TEST_EQ(iparams.out_flags,
		VB_INIT_OUT_CLEAR_RAM |
		VB_INIT_OUT_ENABLE_DISPLAY |
		VB_INIT_OUT_ENABLE_USB_STORAGE |
		VB_INIT_OUT_ENABLE_DEVELOPER |
		VB_INIT_OUT_ENABLE_ALTERNATE_OS, "  out flags");
	TEST_EQ(shared->flags,
		VBSD_BOOT_DEV_SWITCH_ON | VBSD_HONOR_VIRT_DEV_SWITCH,
		"  shared flags");
	/* Disable-request doesn't get cleared because dev mode is still on */
	VbNvGet(&vnc, VBNV_DISABLE_DEV_REQUEST, &u);
	TEST_EQ(u, 1, "  disable dev request");
	/* Disable request was passed on to RollbackFirmwareSetup() */
	TEST_EQ(rfs_disable_dev_request, 1, "  rfs disable dev");

	/* Ignore virtual developer switch, even though enabled. */
	ResetMocks();
	mock_virt_dev_sw = 1;
	TestVbInit(0, 0, "TPM Dev mode on but ignored");
	TEST_EQ(shared->recovery_reason, 0, "  recovery reason");
	TEST_EQ(iparams.out_flags, 0, "  out flags");
	TEST_EQ(shared->flags, 0, "  shared flags");

	/* HW dev switch on, no virtual developer switch */
	ResetMocks();
	iparams.flags = VB_INIT_FLAG_DEV_SWITCH_ON;
	TestVbInit(0, 0, "HW Dev mode on");
	TEST_EQ(shared->recovery_reason, 0, "  recovery reason");
	TEST_EQ(iparams.out_flags,
		VB_INIT_OUT_CLEAR_RAM |
		VB_INIT_OUT_ENABLE_DISPLAY |
		VB_INIT_OUT_ENABLE_USB_STORAGE |
		VB_INIT_OUT_ENABLE_DEVELOPER |
		VB_INIT_OUT_ENABLE_ALTERNATE_OS, "  out flags");
	TEST_EQ(shared->flags, VBSD_BOOT_DEV_SWITCH_ON, "  shared flags");

	/* Check TPM owner clear request */
	ResetMocks();
	VbNvSet(&vnc, VBNV_CLEAR_TPM_OWNER_REQUEST, 1);
	VbNvTeardown(&vnc);
	TestVbInit(0, 0, "TPM clear owner");
	VbNvGet(&vnc, VBNV_CLEAR_TPM_OWNER_REQUEST, &u);
	TEST_EQ(u, 0, "  tpm clear request");
	VbNvGet(&vnc, VBNV_CLEAR_TPM_OWNER_DONE, &u);
	TEST_EQ(u, 1, "  tpm clear request");
	TEST_EQ(rfs_clear_tpm_request, 1, "rfs tpm clear request");
}

static void VbInitTestBackup(void)
{
	VbNvContext tmp_vnc;
	uint32_t u, nv_w, bu_r;

	ResetMocks();
	/* Normal mode call */
	TestVbInit(0, 0, "normal mode, no backup");
	TEST_EQ(shared->flags, 0, "  shared flags");
	TEST_EQ(iparams.out_flags, 0, "  out flags");
	TEST_EQ(nv_write_called, 0,
		"  NV write not called since nothing changed");

	ResetMocks();
	/* Now set some params that should be backed up. */
	VbNvSet(&vnc, VBNV_KERNEL_FIELD, 0xaabbccdd);
	VbNvSet(&vnc, VBNV_LOCALIZATION_INDEX, 0xa5);
	VbNvSet(&vnc, VBNV_DEV_BOOT_USB, 1);
	VbNvSet(&vnc, VBNV_DEV_BOOT_LEGACY, 1);
	VbNvSet(&vnc, VBNV_DEV_BOOT_SIGNED_ONLY, 1);
	/* and some that don't */
	VbNvSet(&vnc, VBNV_OPROM_NEEDED, 1);
	VbNvSet(&vnc, VBNV_TRY_B_COUNT, 3);
	/* Make sure they're clean */
	VbNvTeardown(&vnc);
	/* Normal mode call */
	TestVbInit(0, 0, "normal mode, some backup");
	TEST_EQ(shared->flags, 0, "  shared flags");
	TEST_EQ(iparams.out_flags, 0, "  out flags");
	TEST_EQ(nv_write_called, 1,
		"  Write NV because things have changed");
	/* Some fields should be unchanged */
	VbNvGet(&vnc, VBNV_KERNEL_FIELD, &u);
	TEST_EQ(u, 0xaabbccdd, "  NV kernel field");
	VbNvGet(&vnc, VBNV_LOCALIZATION_INDEX, &u);
	TEST_EQ(u, 0xa5, "  NV localization index");
	VbNvGet(&vnc, VBNV_OPROM_NEEDED, &u);
	TEST_EQ(u, 1, "  NV oprom_needed");
	VbNvGet(&vnc, VBNV_TRY_B_COUNT, &u);
	TEST_EQ(u, 3, "  NV try_b_count");
	/* But normal mode should have cleared the DEV_BOOT flags */
	VbNvGet(&vnc, VBNV_DEV_BOOT_USB, &u);
	TEST_EQ(u, 0, "  NV dev_boot_usb");
	VbNvGet(&vnc, VBNV_DEV_BOOT_LEGACY, &u);
	TEST_EQ(u, 0, "  NV dev_boot_legacy");
	VbNvGet(&vnc, VBNV_DEV_BOOT_SIGNED_ONLY, &u);
	TEST_EQ(u, 0, "  NV dev_boot_signed_only");
	/* So we should have written the backup */
	TEST_EQ(backup_write_called, 1, "  Backup written once");
	/* And the backup should reflect the persisent flags. */
	Memset(&tmp_vnc, 0, sizeof(tmp_vnc));
	TEST_EQ(0, RestoreNvFromBackup(&tmp_vnc), "read from backup");
	VbNvGet(&tmp_vnc, VBNV_KERNEL_FIELD, &u);
	TEST_EQ(u, 0xaabbccdd, "  BU kernel field");
	VbNvGet(&tmp_vnc, VBNV_LOCALIZATION_INDEX, &u);
	TEST_EQ(u, 0xa5, "  BU localization index");
	VbNvGet(&tmp_vnc, VBNV_DEV_BOOT_USB, &u);
	TEST_EQ(u, 0, "  BU dev_boot_usb");
	VbNvGet(&tmp_vnc, VBNV_DEV_BOOT_LEGACY, &u);
	TEST_EQ(u, 0, "  BU dev_boot_legacy");
	VbNvGet(&tmp_vnc, VBNV_DEV_BOOT_SIGNED_ONLY, &u);
	TEST_EQ(u, 0, "  BU dev_boot_signed_only");
	/* but not the others */
	VbNvGet(&tmp_vnc, VBNV_OPROM_NEEDED, &u);
	TEST_EQ(u, 0, "  BU oprom_needed");
	VbNvGet(&tmp_vnc, VBNV_TRY_B_COUNT, &u);
	TEST_EQ(u, 0, "  BU try_b_count");

	/*
	 * If we change one of the non-backed-up NVRAM params and try
	 * again, we shouldn't need to backup again.
	 */
	VbNvSet(&vnc, VBNV_OPROM_NEEDED, 0);
	VbNvSet(&vnc, VBNV_TRY_B_COUNT, 2);
	/* Make sure they're clean */
	VbNvTeardown(&vnc);
	/* Normal mode call */
	TestVbInit(0, 0, "normal mode, expect no backup");
	TEST_EQ(shared->flags, 0, "  shared flags");
	TEST_EQ(iparams.out_flags, 0, "  out flags");
	TEST_EQ(backup_write_called, 1, "  Backup still only written once");

	/* Now switch to dev-mode. */
	iparams.flags = VB_INIT_FLAG_DEV_SWITCH_ON;
	TestVbInit(0, 0, "Dev mode on");
	TEST_EQ(shared->recovery_reason, 0, "  recovery reason");
	TEST_EQ(iparams.out_flags,
		VB_INIT_OUT_CLEAR_RAM |
		VB_INIT_OUT_ENABLE_DISPLAY |
		VB_INIT_OUT_ENABLE_USB_STORAGE |
		VB_INIT_OUT_ENABLE_DEVELOPER |
		VB_INIT_OUT_ENABLE_ALTERNATE_OS, "  out flags");
	TEST_EQ(shared->flags, VBSD_BOOT_DEV_SWITCH_ON, "  shared flags");
	TEST_EQ(backup_write_called, 1, "  Still only one backup");

	/* Now change some params that should be backed up. */
	VbNvSet(&vnc, VBNV_KERNEL_FIELD, 0xdeadbeef);
	VbNvSet(&vnc, VBNV_LOCALIZATION_INDEX, 0x5a);
	VbNvSet(&vnc, VBNV_DEV_BOOT_USB, 1);
	VbNvSet(&vnc, VBNV_DEV_BOOT_LEGACY, 1);
	VbNvSet(&vnc, VBNV_DEV_BOOT_SIGNED_ONLY, 1);
	/* and some that don't */
	VbNvSet(&vnc, VBNV_OPROM_NEEDED, 1);
	VbNvSet(&vnc, VBNV_TRY_B_COUNT, 4);
	/* Make sure they're clean */
	VbNvTeardown(&vnc);
	TestVbInit(0, 0, "Dev mode on");
	TEST_EQ(shared->recovery_reason, 0, "  recovery reason");
	TEST_EQ(iparams.out_flags,
		VB_INIT_OUT_CLEAR_RAM |
		VB_INIT_OUT_ENABLE_DISPLAY |
		VB_INIT_OUT_ENABLE_USB_STORAGE |
		VB_INIT_OUT_ENABLE_DEVELOPER, "  out flags");
	TEST_EQ(shared->flags, VBSD_BOOT_DEV_SWITCH_ON, "  shared flags");
	TEST_EQ(backup_write_called, 1, "  Once more, one backup");

	/* But if we explictly request a backup, they'll get saved. */
	VbNvSet(&vnc, VBNV_BACKUP_NVRAM_REQUEST, 1);
	VbNvTeardown(&vnc);
	TestVbInit(0, 0, "Dev mode on");
	TEST_EQ(shared->recovery_reason, 0, "  recovery reason");
	TEST_EQ(iparams.out_flags,
		VB_INIT_OUT_CLEAR_RAM |
		VB_INIT_OUT_ENABLE_DISPLAY |
		VB_INIT_OUT_ENABLE_USB_STORAGE |
		VB_INIT_OUT_ENABLE_DEVELOPER, "  out flags");
	TEST_EQ(shared->flags, VBSD_BOOT_DEV_SWITCH_ON, "  shared flags");
	TEST_EQ(backup_write_called, 2, "  Two backups now");
	VbNvGet(&vnc, VBNV_BACKUP_NVRAM_REQUEST, &u);
	TEST_EQ(u, 0, "  backup_request cleared");
	/* Quick check that the non-backed-up stuff is still valid */
	VbNvGet(&vnc, VBNV_OPROM_NEEDED, &u);
	TEST_EQ(u, 1, "  NV oprom_needed");
	VbNvGet(&vnc, VBNV_TRY_B_COUNT, &u);
	TEST_EQ(u, 4, "  NV try_b_count");
	/* But only the stuff we care about was backed up */
	Memset(&tmp_vnc, 0, sizeof(tmp_vnc));
	TEST_EQ(0, RestoreNvFromBackup(&tmp_vnc), "read from backup");
	VbNvGet(&tmp_vnc, VBNV_KERNEL_FIELD, &u);
	TEST_EQ(u, 0xdeadbeef, "  BU kernel field");
	VbNvGet(&tmp_vnc, VBNV_LOCALIZATION_INDEX, &u);
	TEST_EQ(u, 0x5a, "  BU localization index");
	VbNvGet(&tmp_vnc, VBNV_DEV_BOOT_USB, &u);
	TEST_EQ(u, 1, "  BU dev_boot_usb");
	VbNvGet(&tmp_vnc, VBNV_DEV_BOOT_LEGACY, &u);
	TEST_EQ(u, 1, "  BU dev_boot_legacy");
	VbNvGet(&tmp_vnc, VBNV_DEV_BOOT_SIGNED_ONLY, &u);
	TEST_EQ(u, 1, "  BU dev_boot_signed_only");
	/* but not the others */
	VbNvGet(&tmp_vnc, VBNV_OPROM_NEEDED, &u);
	TEST_EQ(u, 0, "  BU oprom_needed");
	VbNvGet(&tmp_vnc, VBNV_TRY_B_COUNT, &u);
	TEST_EQ(u, 0, "  BU try_b_count");

	/* If we lose the NV storage, the backup bits will be restored */
	vnc.raw[0] = 0;
	bu_r = backup_read_called;
	nv_w = nv_write_called;
	TestVbInit(0, 0, "Dev mode on");
	TEST_EQ(shared->recovery_reason, 0, "  recovery reason");
	TEST_EQ(iparams.out_flags,
		VB_INIT_OUT_CLEAR_RAM |
		VB_INIT_OUT_ENABLE_DISPLAY |
		VB_INIT_OUT_ENABLE_USB_STORAGE |
		VB_INIT_OUT_ENABLE_DEVELOPER, "  out flags");
	TEST_EQ(shared->flags, VBSD_BOOT_DEV_SWITCH_ON, "  shared flags");
	TEST_EQ(backup_write_called, 2, "  Still just two backups now");
	TEST_EQ(backup_read_called, bu_r + 1, "  One more backup read");
	TEST_EQ(nv_write_called, nv_w + 1, "  One more NV write");
	/* The non-backed-up stuff is reset to defaults */
	VbNvGet(&vnc, VBNV_OPROM_NEEDED, &u);
	TEST_EQ(u, 0, "  NV oprom_needed");
	VbNvGet(&vnc, VBNV_TRY_B_COUNT, &u);
	TEST_EQ(u, 0, "  NV try_b_count");
	/* And the backed up stuff is restored */
	VbNvGet(&vnc, VBNV_KERNEL_FIELD, &u);
	TEST_EQ(u, 0xdeadbeef, "  BU kernel field");
	VbNvGet(&vnc, VBNV_LOCALIZATION_INDEX, &u);
	TEST_EQ(u, 0x5a, "  BU localization index");
	VbNvGet(&vnc, VBNV_DEV_BOOT_USB, &u);
	TEST_EQ(u, 1, "  BU dev_boot_usb");
	VbNvGet(&vnc, VBNV_DEV_BOOT_LEGACY, &u);
	TEST_EQ(u, 1, "  BU dev_boot_legacy");
	VbNvGet(&vnc, VBNV_DEV_BOOT_SIGNED_ONLY, &u);
	TEST_EQ(u, 1, "  BU dev_boot_signed_only");

	/*
	 * But if we lose the NV storage and go back to normal mode at the same
	 * time, then the DEV_BOOT_* flags will be cleared.
	 */
	vnc.raw[0] = 0;
	bu_r = backup_read_called;
	nv_w = nv_write_called;
	iparams.flags = 0;
	TestVbInit(0, 0, "Back to normal mode");
	TEST_EQ(shared->recovery_reason, 0, "  recovery reason");
	TEST_EQ(iparams.out_flags, 0, "  out flags");
	TEST_EQ(shared->flags, 0, "  shared flags");
	/* We read twice: once to restore, once for read-prior-to-write */
	TEST_EQ(backup_read_called, bu_r + 2, "  Two more backup reads");
	TEST_EQ(backup_write_called, 3, "  Backup write due clearing DEV_*");
	TEST_EQ(nv_write_called, nv_w + 1, "  One more NV write");
	/* The non-backed-up stuff is reset to defaults */
	VbNvGet(&vnc, VBNV_OPROM_NEEDED, &u);
	TEST_EQ(u, 0, "  NV oprom_needed");
	VbNvGet(&vnc, VBNV_TRY_B_COUNT, &u);
	TEST_EQ(u, 0, "  NV try_b_count");
	/* And the backed up stuff is restored */
	VbNvGet(&vnc, VBNV_KERNEL_FIELD, &u);
	TEST_EQ(u, 0xdeadbeef, "  BU kernel field");
	VbNvGet(&vnc, VBNV_LOCALIZATION_INDEX, &u);
	TEST_EQ(u, 0x5a, "  BU localization index");
	/* But not the DEV_BOOT_* flags */
	VbNvGet(&vnc, VBNV_DEV_BOOT_USB, &u);
	TEST_EQ(u, 0, "  BU dev_boot_usb");
	VbNvGet(&vnc, VBNV_DEV_BOOT_LEGACY, &u);
	TEST_EQ(u, 0, "  BU dev_boot_legacy");
	VbNvGet(&vnc, VBNV_DEV_BOOT_SIGNED_ONLY, &u);
	TEST_EQ(u, 0, "  BU dev_boot_signed_only");
}


int main(int argc, char *argv[])
{
	VbInitTest();
	VbInitTestTPM();
	VbInitTestBackup();

	return gTestSuccess ? 0 : 255;
}