cbfs/vboot: Adapt to new vb2_digest API

CL:3825558 changes all vb2_digest and vb2_hash functions to take a new
hwcrypto_allowed argument, to potentially let them try to call the
vb2ex_hwcrypto API for hash calculation. This change will open hardware
crypto acceleration up to all hash calculations in coreboot (most
notably CBFS verification). As part of this change, the
vb2_digest_buffer() function has been removed, so replace existing
instances in coreboot with the newer vb2_hash_calculate() API.

Due to the circular dependency of these changes with vboot, this patch
also needs to update the vboot submodule:

Updating from commit id 18cb85b5:
    2load_kernel.c: Expose load kernel as vb2_api

to commit id b827ddb9:
    tests: Ensure auxfw sync runs after EC sync

This brings in 15 new commits.

Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: I287d8dac3c49ad7ea3e18a015874ce8d610ec67e
Reviewed-on: https://review.coreboot.org/c/coreboot/+/66561
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Jakub Czapiga <jacz@semihalf.com>

payloads/libpayload/libcbfs/cbfs.c

@@ -89,7 +89,7 @@ static bool cbfs_file_hash_mismatch(const void *buffer, size_t size,
 		ERROR("'%s' does not have a file hash!\n", mdata->h.filename);
 		return true;
 	}
-	if (vb2_hash_verify(buffer, size, hash) != VB2_SUCCESS) {
+	if (vb2_hash_verify(cbfs_hwcrypto_allowed(), buffer, size, hash) != VB2_SUCCESS) {
 		ERROR("'%s' file hash mismatch!\n", mdata->h.filename);
 		return true;
 	}
@@ -223,3 +223,10 @@ void *_cbfs_unverified_area_load(const char *area, const char *name, void *buf,
 
 	return do_load(&mdata, dev.offset + data_offset, buf, size_inout, true);
 }
+
+/* This should be overridden by payloads that want to enforce more explicit
+   policy on using HW crypto. */
+__weak bool cbfs_hwcrypto_allowed(void)
+{
+	return true;
+}