vboot2: tpm2 factory initialization.

This patch adds a TPM2 specific path in the vboot2 initialization
sequence when the device is turned on in the factory for the first
time, namely two secure NVRAM spaces are created, with different
access privileges.

The higher privilege space can be modified only be the RO firmware,
and the lower privilege space can be modified by both RO and RW
firmware.

The API is being modified to hide the TPM implementation details from
the caller.

Some functions previously exported as global are in fact not used
anywhere else, they are being defined static.

BRANCH=none
BUG=chrome-os-partner:50645
TEST=when this code is enabled the two secure spaces are successfully
     created during factory initialization.

Change-Id: I917b2f74dfdbd214d7f651ce3d4b80f4a18def20
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/353916
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-by: Darren Krahn <dkrahn@chromium.org>

src/include/antirollback.h

@@ -62,22 +62,6 @@ uint32_t tpm_extend_pcr(struct vb2_context *ctx, int pcr,
  */
 uint32_t tpm_clear_and_reenable(void);
 
-/**
- * Like tlcl_write(), but checks for write errors due to hitting the 64-write
- * limit and clears the TPM when that happens.  This can only happen when the
- * TPM is unowned, so it is OK to clear it (and we really have no choice).
- * This is not expected to happen frequently, but it could happen.
- */
-uint32_t safe_write(uint32_t index, const void *data, uint32_t length);
-
-/**
- * Similarly to safe_write(), this ensures we don't fail a DefineSpace because
- * we hit the TPM write limit.  This is even less likely to happen than with
- * writes because we only define spaces once at initialization, but we'd rather
- * be paranoid about this.
- */
-uint32_t safe_define_space(uint32_t index, uint32_t perm, uint32_t size);
-
 /**
  * Perform one-time initializations.
  *