ap_ro_integrity_check: Add vendor command to check status

AP RO verification has four outcomes. Shimless RMA needs to be able to
check the status. This change adds a vendor command to check the AP RO
verification status

NOT_TRIGGERED: The last AP reboot was not triggered by RO verification
               key combination.
PASS: The last AP reboot was triggered by RO verification key
      combination, and the verification passes
FAIL: The last AP reboot was triggered by RO verification key
      combination, and it fails. In reality, the device should brick and
      the system will not see this response.
UNSUPPORTED: The last AP reboot was triggered by RO verification key
             combination, but there is no data to perform it or the
	     board doesn't support it.

BUG=b:182594555
TEST=manual
	# Erase board id

	# Erase AP RO hash
	cr50 > ap_ro_info erase

	# Check status
	AP RO status = 3: unsupported

	# Set gbb flags
	/usr/share/vboot/bin/set_gbb_flags.sh 0x140

	# Set AP RO hash
	./util/ap_ro_hash.py -v True GBB

	# Check status
	AP RO status = 0: not run

	# Trigger verification
	# Check status
	AP RO status = 1: pass

	# Change gbb flags
	/usr/share/vboot/bin/set_gbb_flags.sh 0xa39

	# Trigger verification
	# Check status
	AP RO status = 2: FAIL

	# Set board id to DUKI:0x10
	# Check status
	AP RO status = 3: unsupported

Change-Id: I354ccd6317cd36008a66ffd93afb3ee95f3c3561
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2950314
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>

1 files changed, 2 insertions, 0 deletions

diff --git a/include/tpm_vendor_cmds.h b/include/tpm_vendor_cmds.h
index 40c1849e86..83a0f700f5 100644
--- a/include/tpm_vendor_cmds.h
+++ b/include/tpm_vendor_cmds.h
@@ -153,6 +153,8 @@ enum vendor_cmd_cc {
 
 	VENDOR_CC_GET_AP_RO_HASH = 56,
 
+	VENDOR_CC_GET_AP_RO_STATUS = 57,
+
 	LAST_VENDOR_COMMAND = 65535,
 };