ap_ro_integrity_check: skip verify based on RLZ

Some factories programmed hashes into devices that don't support reading
from AP flash while EC_RST_L is asserted. Skip AP RO verification on
these devices if the RLZ is blocked.

BUG=b:185783841
TEST=manual
	Set board id to YVRQ:0x10
	Verify AP RO verification can be triggered

	Set board id to VYRC:0x10
	Verify AP RO verification is skipped even if the hash is stored.

Change-Id: I7ef5ceafd55ae5e90b4a754d1e92317a9a745ef9
Signed-off-by: Mary Ruthven <mruthven@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2950313
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>

2 files changed, 7 insertions, 0 deletions

diff --git a/include/ap_ro_integrity_check.h b/include/ap_ro_integrity_check.h
index 0edc477c88..30181289e6 100644
--- a/include/ap_ro_integrity_check.h
+++ b/include/ap_ro_integrity_check.h
@@ -27,4 +27,10 @@ int validate_ap_ro(void);
  */
 void ap_ro_add_flash_event(enum ap_ro_verification_ev event);
 
+/*
+ * ap_ro_board_id_blocked: Returns True if AP RO verification is disabled for
+ *       the board's RLZ.
+ */
+int ap_ro_board_id_blocked(void);
+
 #endif /* ! __CR50_INCLUDE_AP_RO_INTEGRITY_CHECK_H */
diff --git a/include/tpm_vendor_cmds.h b/include/tpm_vendor_cmds.h
index b919b3e922..40c1849e86 100644
--- a/include/tpm_vendor_cmds.h
+++ b/include/tpm_vendor_cmds.h
@@ -262,6 +262,7 @@ enum ap_ro_check_vc_errors {
 	ARCVE_TOO_MANY_RANGES = 9,
 	ARCVE_NOT_PROGRAMMED = 10,
 	ARCVE_FLASH_READ_FAILED = 11,
+	ARCVE_BOARD_ID_BLOCKED = 12,
 };
 
 /* Structure for VENDOR_CC_SPI_HASH request which follows tpm_header */