Fix KeyBlockVerify() to take an explicit param for whether to use hash only.

firmware/lib/vboot_kernel.c

Index: firmware/lib/vboot_kernel.c
diff --git a/firmware/lib/vboot_kernel.c b/firmware/lib/vboot_kernel.c
index 4b2a030be39c0467bb4a8e8270a8d4cbe847992c..2402a090eae25c1b724db43b0c4b7e3bb24e609d 100644
--- a/firmware/lib/vboot_kernel.c
+++ b/firmware/lib/vboot_kernel.c
@@ -168,10 +168,6 @@ int LoadKernel(LoadKernelParams* params) {
       return (status == TPM_E_MUST_REBOOT ?
               LOAD_KERNEL_REBOOT : LOAD_KERNEL_RECOVERY);
     }
-  } else if (is_dev && !is_rec) {
-    /* In developer mode, we ignore the kernel subkey, and just use
-     * the SHA-512 hash to verify the key block. */
-    kernel_subkey = NULL;
   }
 
   do {
@@ -215,9 +211,11 @@ int LoadKernel(LoadKernelParams* params) {
       if (0 != BootDeviceReadLBA(part_start, kbuf_sectors, kbuf))
         continue;
 
-      /* Verify the key block */
+      /* Verify the key block.  In developer mode, we ignore the key
+       * and use only the SHA-512 hash to verify the key block. */
       key_block = (VbKeyBlockHeader*)kbuf;
-      if ((0 != KeyBlockVerify(key_block, KBUF_SIZE, kernel_subkey))) {
+      if ((0 != KeyBlockVerify(key_block, KBUF_SIZE, kernel_subkey,
+                               is_dev && !is_rec))) {
         VBDEBUG(("Verifying key block failed.\n"));
         continue;
       }