Currently, vboot will roll the firmware version in the TPM if:
* The firmware is marked successful (not trying a new one)
* The key version and/or firmware version in the firmware vblock is newer than that stored in the TPM

Enterprises would like to be able to retain the ability to roll back to an older version.  To let them do this on a per-device basis without opening everyone up to rollback attacks, add a NvStorage variable which will set an upper bound for roll-forward.  

NvStorage is full, so this will require increasing the NvStorage record size from 16 bytes to 64 byte.  That work will be tracked separately.

Unenrolled devices will use 0xFFFFFFFF, so will keep the same policy as now.

This is a RO firmware change.

See go/vboot-roll-forward