Improve the HW_RANDOM_TPM check

RANDOM_TRUST_BOOTLOADER and RANDOM_TRUST_CPU should be disabled if
HW_RANDOM_TPM is enabled.

The Clip OS description:
Do not credit entropy included in Linux’s entropy pool when generated
by the CPU manufacturer’s HWRNG, the bootloader or the UEFI firmware.
Fast and robust initialization of Linux’s CSPRNG is instead achieved
thanks to the TPM’s HWRNG.

kconfig_hardened_check/__init__.py

@@ -482,9 +482,12 @@ def add_kconfig_checks(l, arch):
     l += [OR(KconfigCheck('self_protection', 'clipos', 'EFI_DISABLE_PCI_DMA', 'y'),
              efi_not_set)]
     l += [KconfigCheck('self_protection', 'clipos', 'SLAB_MERGE_DEFAULT', 'is not set')]
-    l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_BOOTLOADER', 'is not set')]
-    l += [KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_CPU', 'is not set')]
-    l += [KconfigCheck('self_protection', 'clipos', 'CONFIG_HW_RANDOM_TPM', 'y')]
+    hw_random_tpm_is_set = KconfigCheck('self_protection', 'clipos', 'HW_RANDOM_TPM', 'y')
+    l += [hw_random_tpm_is_set]
+    l += [AND(KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_BOOTLOADER', 'is not set'),
+              hw_random_tpm_is_set)]
+    l += [AND(KconfigCheck('self_protection', 'clipos', 'RANDOM_TRUST_CPU', 'is not set'),
+              hw_random_tpm_is_set)]
     l += [AND(KconfigCheck('self_protection', 'clipos', 'RANDSTRUCT_PERFORMANCE', 'is not set'),
               KconfigCheck('self_protection', 'clipos', 'GCC_PLUGIN_RANDSTRUCT_PERFORMANCE', 'is not set'),
               randstruct_is_set)]