flashupdate: Support key rotation
If the RoT-Config supports BIOS key rotation, the Cr51Validator will
use the BIOS trust bundle information fetched from the RoT config to validate
the BIOS CR51 descriptor.
The BIOS trust bundle will be:
* the trusted signature verification (public) key's fingerprint.
* the allowed cr51 descriptor hash
If the RoT-Config does not support it, the validator will fall back to using the key information
built into the gBMC firmware.
RoT-Config supporting BIOS key rotation means the RoT-Config record contains
at least one public key fingerprint chunk.
For dev-signed BIOS, the dev signature verification key will only be
built into the gBMC image. So when dev-signed BIOS is allowed, the built-in
key will be tried if the image cannot be validated by the keys within RoT-Config.
Tested:
with testing BIOS RoT configuration
Google-Bug-Id: 421797519
Change-Id: I7ee686b94c49113ee8f406f19628851de21868b6
Signed-off-by: Dan Zhang <zhdaniel@google.com>
11 files changed