authorVadim Bendebury <vbendeb@chromium.org>2019-11-13 18:11:53 -0800
committerCommit Bot <commit-bot@chromium.org>2019-12-06 23:48:31 +0000
commitd2ffa5f72aae0fcbc5aea7c985d09680f201a08f (patch)
tree9afd7efeb14743e42f34482da9007e7e58258fbe /board/cr50/tpm2
parente10b6b3c836ac8e0c2cc86e7ea05e15fa39e8526 (diff)
cr50: use new conventions to determine key ladder mode
The new RW dev key does not follow the existing convention of bit 0x4 being set in the prod key ID and clear in the dev key ID. The suggested approach is instead to check the values of some key manager registers to determine whether the device is running in fully configured prod mode. BRANCH=cr50, cr50-mp BUG=b:144455990 TEST=tried running this patch on a node locked image: > sysinfo ... RO keyid: 0xaa66150f RW keyid: 0x334f70df ... Key Ladder: dev Change-Id: I73088ce44a8b8bf8e11a0d240d07152b49a3225b Signed-off-by: Vadim Bendebury <vbendeb@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/1915504 Reviewed-by: Andrey Pronin <apronin@chromium.org> (cherry picked from commit 74237689eb277bf1fe0e682cb256825508fa511f) Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/1954338
Diffstat (limited to 'board/cr50/tpm2')
-rw-r--r--board/cr50/tpm2/endorsement.c6
1 files changed, 1 insertions, 5 deletions
diff --git a/board/cr50/tpm2/endorsement.c b/board/cr50/tpm2/endorsement.c
index 4167fe0745..e85d3dfd0e 100644
--- a/board/cr50/tpm2/endorsement.c
+++ b/board/cr50/tpm2/endorsement.c
@@ -599,7 +599,6 @@ enum manufacturing_status tpm_endorse(void)
HASH_update(&hmac.hash, p, RO_CERTS_REGION_SIZE - 32);
if (!DCRYPTO_equals(p + RO_CERTS_REGION_SIZE - 32,
DCRYPTO_HMAC_final(&hmac), 32)) {
- const struct SignedHeader *h;
CPRINTF("%s: bad cert region hmac;", __func__);
#ifdef CR50_INCLUDE_FALLBACK_CERT
@@ -620,10 +619,7 @@ enum manufacturing_status tpm_endorse(void)
break;
}
#else
- h = (const struct SignedHeader *)
- get_program_memory_addr
- (system_get_image_copy());
- if (G_SIGNED_FOR_PROD(h)) {
+ if (board_in_prod_mode()) {
/* TODO(ngm): is this state considered
* endorsement failure?