If easy sign-in is set up, allow TPMTokenLoader to start before login

As part of easy sign-in protocol, a nonce has to be signed by TPM
private key. To be able to do this, we need to allow system token to be
loaded before a user is logged in. This cl starts system token
initialization (which is done by TPMTokenLoader) before LoginState is
LOGGED_IN if there is a user with easy sign-in enabled.

BUG=409027

Review URL: https://codereview.chromium.org/741593002

Cr-Commit-Position: refs/heads/master@{#308321}

chrome/browser/signin/easy_unlock_service_signin_chromeos.cc

@@ -16,6 +16,7 @@
 #include "chrome/browser/chromeos/login/easy_unlock/easy_unlock_metrics.h"
 #include "chrome/browser/chromeos/login/session/user_session_manager.h"
 #include "chromeos/login/auth/user_context.h"
+#include "chromeos/tpm/tpm_token_loader.h"
 
 namespace {
 
@@ -318,6 +319,15 @@ void EasyUnlockServiceSignin::OnFocusedUserChanged(const std::string& user_id) {
   }
 
   LoadCurrentUserDataIfNeeded();
+
+  // Start loading TPM system token.
+  // The system token will be needed to sign a nonce using TPM private key
+  // during the sign-in protocol.
+  EasyUnlockScreenlockStateHandler::HardlockState hardlock_state;
+  if (GetPersistedHardlockState(&hardlock_state) &&
+      hardlock_state != EasyUnlockScreenlockStateHandler::NO_PAIRING) {
+    chromeos::TPMTokenLoader::Get()->EnsureStarted();
+  }
 }
 
 void EasyUnlockServiceSignin::LoggedInStateChanged() {

chromeos/tpm/tpm_token_loader.cc

@@ -70,6 +70,7 @@ TPMTokenLoader::TPMTokenLoader(bool for_test)
               DBusThreadManager::Get()->GetCryptohomeClient(),
               base::ThreadTaskRunnerHandle::Get())),
       tpm_token_slot_id_(-1),
+      can_start_before_login_(false),
       weak_factory_(this) {
   if (!initialized_for_test_ && LoginState::IsInitialized())
     LoginState::Get()->AddObserver(this);
@@ -86,6 +87,13 @@ void TPMTokenLoader::SetCryptoTaskRunner(
   MaybeStartTokenInitialization();
 }
 
+void TPMTokenLoader::EnsureStarted() {
+  if (can_start_before_login_)
+    return;
+  can_start_before_login_ = true;
+  MaybeStartTokenInitialization();
+}
+
 TPMTokenLoader::~TPMTokenLoader() {
   if (!initialized_for_test_ && LoginState::IsInitialized())
     LoginState::Get()->RemoveObserver(this);
@@ -119,10 +127,9 @@ void TPMTokenLoader::MaybeStartTokenInitialization() {
   if (tpm_token_state_ != TPM_STATE_UNKNOWN || !crypto_task_runner_.get())
     return;
 
-  if (!LoginState::IsInitialized())
-    return;
-
-  bool start_initialization = LoginState::Get()->IsUserLoggedIn();
+  bool start_initialization =
+      (LoginState::IsInitialized() && LoginState::Get()->IsUserLoggedIn()) ||
+      can_start_before_login_;
 
   VLOG(1) << "StartTokenInitialization: " << start_initialization;
   if (!start_initialization)

chromeos/tpm/tpm_token_loader.h

@@ -66,6 +66,12 @@ class CHROMEOS_EXPORT TPMTokenLoader : public LoginState::Observer {
   void SetCryptoTaskRunner(
       const scoped_refptr<base::SequencedTaskRunner>& crypto_task_runner);
 
+  // Starts loading TPM system token, if not yet started. It should be called
+  // if the system token has to be loaded before a user logs in. By default (if
+  // |EnsureStarted| is not called) system token loading will start when the
+  // login state changes to LOGGED_IN_ACTIVE.
+  void EnsureStarted();
+
   // Checks if the TPM token is enabled. If the state is unknown, |callback|
   // will be called back once the TPM state is known.
   TPMTokenStatus IsTPMTokenEnabled(const TPMReadyCallback& callback);
@@ -116,6 +122,10 @@ class CHROMEOS_EXPORT TPMTokenLoader : public LoginState::Observer {
   int tpm_token_slot_id_;
   std::string tpm_user_pin_;
 
+  // Whether TPM system token loading may be started before user log in.
+  // This will be true iff |EnsureStarted| was called.
+  bool can_start_before_login_;
+
   base::ThreadChecker thread_checker_;
 
   // TaskRunner for crypto calls.