authorWei-Ning Huang <wnhuang@google.com>2017-04-22 01:42:56 +0800
committerchrome-bot <chrome-bot@chromium.org>2017-04-27 06:38:14 -0700
commitba105838f582793716d02eebee09a6f283ef73b3 (patch)
tree5458463f5d283e241c00bd705de91155f196caae
parent4bc509b0608ef8ce41356415bc1bb1d1ec619a37 (diff)
rwsig: do not jump if reset source is hard pin reset
According to the new MCU secure update model, EC should wait for host if reset source is reset-pin. BRANCH=none BUG=b:37584134 TEST=on rose, toggle reset pin from host. EC should stay in RO, showing [0.426089 Hard pin-reset detected, disable RW jump] in console. Change-Id: Ie1908cb0744773e2e3ca8b3d8c627b8a9ef4567f Reviewed-on: https://chromium-review.googlesource.com/485199 Commit-Ready: Wei-Ning Huang <wnhuang@chromium.org> Tested-by: Wei-Ning Huang <wnhuang@chromium.org> Reviewed-by: Nicolas Boichat <drinkcat@chromium.org>
-rw-r--r--common/main.c18
-rw-r--r--include/config.h6
2 files changed, 21 insertions, 3 deletions
diff --git a/common/main.c b/common/main.c
index d517636f0e..c1f4bbdce6 100644
--- a/common/main.c
+++ b/common/main.c
@@ -168,9 +168,21 @@ test_mockable __keep int main(void)
*
* Only the Read-Only firmware needs to do the signature check.
*/
- if (system_get_image_copy() == SYSTEM_IMAGE_RO &&
- rwsig_check_signature())
- rwsig_jump_now();
+ if (system_get_image_copy() == SYSTEM_IMAGE_RO) {
+#if defined(CONFIG_RWSIG_DONT_CHECK_ON_PIN_RESET)
+ /*
+ * If system was reset by reset-pin, do not jump and wait for
+ * command from host
+ */
+ if (system_get_reset_flags() == RESET_FLAG_RESET_PIN) {
+ CPRINTS("Hard pin-reset detected, disable RW jump");
+ } else
+#endif
+ {
+ if (rwsig_check_signature())
+ rwsig_jump_now();
+ }
+ }
#endif
/*
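Review bot: The pin-reset test `system_get_reset_flags() == RESET_FLAG_RESET_PIN` is an exact match on what appears to be a flag bitmask, so a pin reset reported together with any other flag would fall through to `rwsig_check_signature()` and `rwsig_jump_now()` instead of holding the EC in RO. If the exact match is intended (for instance to exclude resets that also latch the pin flag, which is not visible in this hunk), the comment should say so, e.g. `/* Exact match on purpose: RESET_PIN combined with any other reset flag still jumps to RW. */`; if it is not, test the bit with `system_get_reset_flags() & RESET_FLAG_RESET_PIN`. Since the update model in the description relies on the host being able to keep the EC in RO through the reset pin, this choice should be explicit rather than implied by the operator. The body of main() starts and ends outside this hunk.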
diff --git a/include/config.h b/include/config.h
index 3a989294ee..00e1f50e4b 100644
--- a/include/config.h
+++ b/include/config.h
@@ -1819,6 +1819,12 @@
#undef CONFIG_RWSIG
/*
+ * Disable rwsig jump when the reset source is hard pin-reset. This only work
+ * for the case where rwsig task is not used.
+ */
+#undef CONFIG_RWSIG_DONT_CHECK_ON_PIN_RESET
+
+/*
* When RWSIG verification is performed as a task, time to wait from signature
* verification to an automatic jump to RW (if AP does not request the wait to
* be interrupted).
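Review bot: The restriction in the new comment, that the option only works when the rwsig task is not used, is not enforced by anything in this change, so a board that enables both would presumably build cleanly and still jump to RW after a pin reset. A build-time guard would turn that silent misconfiguration into an error, e.g. `#if defined(CONFIG_RWSIG_DONT_CHECK_ON_PIN_RESET) && defined(HAS_TASK_RWSIG)` followed by an `#error` line, placed wherever the project keeps its config sanity checks. The comment could also state that both the signature check and the jump are skipped and that the EC then stays in RO waiting for the host, and "only work" should read "only works".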