firmware: Add context flag for OEM Lock

Firmware UI displays special error message when entering developer mode
with OEM Lock.

BRANCH=main
BUG=b:492057028
TEST=Enter developer mode with OEM Lock set and see the error message

Change-Id: I6b3d0ac73e8e8462af959fd4dd9580c75e257fcb
Signed-off-by: Tomasz Michalec <tmichalec@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/7764627
Reviewed-by: Jakub "Kuba" Czapiga <czapiga@google.com>
Reviewed-by: Konrad Adamczyk <konrada@google.com>
Reviewed-by: Julius Werner <jwerner@chromium.org>

firmware/2lib/2misc.c

diff --git a/firmware/2lib/2misc.c b/firmware/2lib/2misc.c
index 2c63967..96d02f1 100644
--- a/firmware/2lib/2misc.c
+++ b/firmware/2lib/2misc.c
@@ -592,9 +592,12 @@
 {
 	struct vb2_gbb_header *gbb = vb2_get_gbb(ctx);
 
+	if (vb2_nv_get(ctx, VB2_NV_OEM_LOCK))
+		ctx->flags |= VB2_CONTEXT_OEM_LOCK_ENABLED;
+
 	if ((!vb2_secdata_fwmp_get_flag(ctx,
 				       VB2_SECDATA_FWMP_DEV_DISABLE_BOOT) &&
-	     !vb2_nv_get(ctx, VB2_NV_OEM_LOCK)) ||
+	     !(ctx->flags & VB2_CONTEXT_OEM_LOCK_ENABLED)) ||
 	    (gbb->flags & VB2_GBB_FLAG_FORCE_DEV_SWITCH_ON))
 		ctx->flags |= VB2_CONTEXT_DEV_BOOT_ALLOWED;
 

firmware/2lib/include/2context.h

diff --git a/firmware/2lib/include/2context.h b/firmware/2lib/include/2context.h
index 1b2f8e3..5be53fd 100644
--- a/firmware/2lib/include/2context.h
+++ b/firmware/2lib/include/2context.h
@@ -211,6 +211,11 @@
 	 * See more: b/484260435
 	 */
 	VB2_CONTEXT_FASTBOOT_ALLOWED = (1 << 30),
+
+	/*
+	 * OEM Lock is enabled.
+	 */
+	VB2_CONTEXT_OEM_LOCK_ENABLED = (1 << 31),
 };
 
 /* Helper for aligning fields in vb2_context. */

tests/vb2_misc_tests.c

diff --git a/tests/vb2_misc_tests.c b/tests/vb2_misc_tests.c
index 0d1517d..072940b 100644
--- a/tests/vb2_misc_tests.c
+++ b/tests/vb2_misc_tests.c
@@ -1200,6 +1200,20 @@
 	vb2_fill_dev_boot_flags(ctx);
 	TEST_FALSE(ctx->flags & VB2_CONTEXT_FASTBOOT_ALLOWED,
 		   "fastboot not allowed - normal mode + OEM lock + no GBB flag");
+
+	/* OEM Lock - enabled if non-zero */
+	reset_common_data();
+	vb2_nv_set(ctx, VB2_NV_OEM_LOCK, 1);
+	vb2_fill_dev_boot_flags(ctx);
+	TEST_TRUE(ctx->flags & VB2_CONTEXT_OEM_LOCK_ENABLED,
+		   "OEM Lock enabled - OEM Lock");
+
+	/* OEM Lock - disabled if zero */
+	reset_common_data();
+	vb2_nv_set(ctx, VB2_NV_OEM_LOCK, 0);
+	vb2_fill_dev_boot_flags(ctx);
+	TEST_FALSE(ctx->flags & VB2_CONTEXT_OEM_LOCK_ENABLED,
+		   "OEM Lock disabled - OEM unlock");
 }
 
 static void use_dev_screen_short_delay_tests(void)