Update FWMP in TPM

chrome/browser/chromeos/policy/enrollment_handler_chromeos.h

Index: chrome/browser/chromeos/policy/enrollment_handler_chromeos.h
diff --git a/chrome/browser/chromeos/policy/enrollment_handler_chromeos.h b/chrome/browser/chromeos/policy/enrollment_handler_chromeos.h
index a216297529f180b2b935b0004627442215ff1dd9..db281ca92e2476f153a6778ca9069b7413b3fb42 100644
--- a/chrome/browser/chromeos/policy/enrollment_handler_chromeos.h
+++ b/chrome/browser/chromeos/policy/enrollment_handler_chromeos.h
@@ -115,13 +115,14 @@ class EnrollmentHandlerChromeOS : public CloudPolicyClient::Observer,
     STEP_VALIDATION = 5,          // Policy validation.
     STEP_ROBOT_AUTH_FETCH = 6,    // Fetching device API auth code.
     STEP_ROBOT_AUTH_REFRESH = 7,  // Fetching device API refresh token.
-    STEP_AD_DOMAIN_JOIN = 8,      // Joining Active Directory domain.
-    STEP_LOCK_DEVICE = 9,         // Writing installation-time attributes.
-    STEP_STORE_TOKEN = 10,        // Encrypting and storing DM token.
-    STEP_STORE_ROBOT_AUTH = 11,   // Encrypting & writing robot refresh token.
-    STEP_STORE_POLICY = 12,       // Storing policy and API refresh token. For
+    STEP_SET_FWMP_DATA = 8,       // Setting the firmware management parameters.

[Thiemo Nagel, 2017/03/23 17:23:52]

Why not immediately before LOCK_DEVICE?  It would seem more logical to have the
TMP-related steps next to each other...

[igorcov, 2017/03/24 13:29:15]

Done.

+    STEP_AD_DOMAIN_JOIN = 9,      // Joining Active Directory domain.
+    STEP_LOCK_DEVICE = 10,        // Writing installation-time attributes.
+    STEP_STORE_TOKEN = 11,        // Encrypting and storing DM token.
+    STEP_STORE_ROBOT_AUTH = 12,   // Encrypting & writing robot refresh token.
+    STEP_STORE_POLICY = 13,       // Storing policy and API refresh token. For
                                   // AD, includes policy fetch via authpolicyd.
-    STEP_FINISHED = 13,           // Enrollment process done, no further action.
+    STEP_FINISHED = 14,           // Enrollment process done, no further action.
   };
 
   // Handles the response to a request for server-backed state keys.
@@ -142,6 +143,20 @@ class EnrollmentHandlerChromeOS : public CloudPolicyClient::Observer,
   // successful.
   void HandlePolicyValidationResult(DeviceCloudPolicyValidator* validator);
 
+  // Updates the firmware management partition from TPM, setting the data
+  // according to devmode.

[Thiemo Nagel, 2017/03/23 17:23:52]

"according to devmode" seems unclear to me.  Please clarify.

[igorcov, 2017/03/24 13:29:15]

Done.

+  void SetFirmwareManagementParametersData();
+
+  // Invoked after the firmware management partition in TPM is updated.
+  void OnFirmwareManagementParametersDataSet(
+      chromeos::DBusMethodCallStatus call_status,
+      bool result,
+      const cryptohome::BaseReply& reply);
+
+  // Returns whether block_devmode is set. Can be invoked after the policy is

[Thiemo Nagel, 2017/03/23 17:23:52]

s/Can be/Must only be/
s/is retrieved/has been retrieved/

[igorcov, 2017/03/24 13:29:15]

Done.

+  // retrieved.
+  bool GetBlockDevmode();

[Thiemo Nagel, 2017/03/23 17:23:52]

Nit: I'd suggest to make clearer that this is based on the policy.  Either by
renaming to something like GetBlockDevmodeFromPolicy() or maybe even better by
making it a free function (anonymous namespace) and passing in the
PolicyFetchResponse as a parameter.

[igorcov, 2017/03/24 13:29:15]

Done.

+
   // Start joining the Active Directory domain in case the device is enrolling
   // into Active Directory management mode.
   void StartJoinAdDomain();