rwsig: protect all flash before jumping to RW
On "normal" EC, we do protect RW as part of software sync, which would
call flash_command_protect (which indirectly calls flash_protect_at_boot).
Here, we don't want to (and can't) rely on the host to tell us to protect
the RW, so we need to protect it ourselves before jumping to RW.
This does feel a little redundant with rollback_lock though, since ALL
will protect both RW and ROLLBACK: a later CL will fix that up.
BRANCH=none
BUG=b:35587171
TEST=flashwp true; reboot; RO protects all flash before booting to RW
Change-Id: I820cabb01d1ca4aa47b81fc013a1670134a6be09
Reviewed-on: https://chromium-review.googlesource.com/476453
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
diff --git a/common/rwsig.c b/common/rwsig.c
index 244e201..a4ba19e 100644
--- a/common/rwsig.c
+++ b/common/rwsig.c
@@ -9,6 +9,7 @@
#include "console.h"
#include "ec_commands.h"
+#include "flash.h"
#include "rollback.h"
#include "rsa.h"
#include "rwsig.h"
@@ -32,10 +33,28 @@
void rwsig_jump_now(void)
{
+ /* Protect all flash before jumping to RW. */
+
/*
- * TODO(b/35587171): This should also check RW flash is protected.
+ * This may do nothing if WP is not enabled, RO is not
+ * protected, or if ALL_AT_BOOT is already set.
*/
- system_run_image_copy(SYSTEM_IMAGE_RW);
+ flash_set_protect(EC_FLASH_PROTECT_ALL_AT_BOOT, -1);
+
+ if (!(flash_get_protect() & EC_FLASH_PROTECT_ALL_NOW) &&
+ flash_get_protect() & EC_FLASH_PROTECT_ALL_AT_BOOT) {
+ /*
+ * If flash protection is still not enabled (some chips may
+ * be able to enable it immediately), reboot.
+ */
+ cflush();
+ system_reset(SYSTEM_RESET_HARD | SYSTEM_RESET_PRESERVE_FLAGS);
+ }
+
+ /* When system is locked, only boot to RW is all flash is protected. */
+ if (!system_is_locked() ||
+ flash_get_protect() & EC_FLASH_PROTECT_ALL_NOW)
+ system_run_image_copy(SYSTEM_IMAGE_RW);
}
/*