tpm2: implement locking firmware rollback counter

TPM1.2 is using the somewhat misnamed tlcl_set_global_lock() command
function to lock the hardware rollback counter. For TPM2 let's
implement and use the TPM2 command to lock an NV Ram location
(TPM2_NV_WriteLock).

BRANCH=none
BUG=chrome-os-partner:50645
TEST=verified that TPM2_NV_WriteLock command is invoked before RO
     firmware starts RW, and succeeds.

Change-Id: I52aa8db95b908488ec4cf0843afeb6310dc7f38b
Signed-off-by: Martin Roth <martinroth@chromium.org>
Original-Commit-Id: 2f859335dfccfeea900f15bbb8c6cb3fd5ec8c77
Original-Change-Id: I62f22b9991522d4309cccc44180a5ebd4dca488d
Original-Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Original-Reviewed-on: https://chromium-review.googlesource.com/358097
Original-Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Original-Reviewed-by: Darren Krahn <dkrahn@chromium.org>
Reviewed-on: https://review.coreboot.org/15638
Tested-by: build bot (Jenkins)
Reviewed-by: Patrick Georgi <pgeorgi@google.com>

src/vendorcode/google/chromeos/vboot2/antirollback.c

@@ -157,6 +157,11 @@ uint32_t tpm_clear_and_reenable(void)
 	return TPM_SUCCESS;
 }
 
+uint32_t antirollback_lock_space_firmware(void)
+{
+	return tlcl_lock_nv_write(FIRMWARE_NV_INDEX);
+}
+
 #else
 
 uint32_t tpm_clear_and_reenable(void)
@@ -263,6 +268,11 @@ static uint32_t _factory_initialize_tpm(struct vb2_context *ctx)
 					VB2_SECDATA_SIZE));
 	return TPM_SUCCESS;
 }
+
+uint32_t antirollback_lock_space_firmware(void)
+{
+	return tlcl_set_global_lock();
+}
 #endif
 
 uint32_t factory_initialize_tpm(struct vb2_context *ctx)
@@ -424,8 +434,3 @@ uint32_t antirollback_write_space_firmware(struct vb2_context *ctx)
 {
 	return write_secdata(FIRMWARE_NV_INDEX, ctx->secdata, VB2_SECDATA_SIZE);
 }
-
-uint32_t antirollback_lock_space_firmware()
-{
-	return tlcl_set_global_lock();
-}