rwsig/update_fw: Prevent race in rollback protection

There is a window where the rollback information in RW could
potentially be updated during RW signature verification. We make
sure this cannot happen by:
 - Preventing update over USB while RWSIG is running
 - When system is locked, only update rollback information if
   RW region is locked: this guarantees that RW cannot be modified
   from boot until RW is validated, and then until rollback
   information is updated.

Also, remove rollback_lock() in rwsig_check_signature:
rwsig_jump_now() protects all flash, which also protects rollback.
This reduces the number of required reboots on rollback update.

BRANCH=none
BUG=b:35586219
BUG=b:35587171
TEST=Add long delay in rwsig_check_signature, make sure EC cannot
     be updated while verification is in progress.

Change-Id: I7a51fad8a64b7e258b3a7e15d75b3dab64ce1c94
Reviewed-on: https://chromium-review.googlesource.com/479176
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>

1 files changed, 8 insertions, 0 deletions

diff --git a/common/update_fw.c b/common/update_fw.c
index 7a51e6977f..c08e8322b5 100644
--- a/common/update_fw.c
+++ b/common/update_fw.c
@@ -145,6 +145,14 @@ void fw_update_start(struct first_response_pdu *rpdu)
 	vb21_key = (const struct vb21_packed_key *)CONFIG_RO_PUBKEY_ADDR;
 	rpdu->common.key_version = htobe32(vb21_key->key_version);
 #endif
+
+#ifdef HAS_TASK_RWSIG
+	/* Do not allow the update to start if RWSIG is still running. */
+	if (rwsig_get_status() == RWSIG_IN_PROGRESS) {
+		CPRINTF("RWSIG in progress\n");
+		rpdu->return_value = htobe32(UPDATE_RWSIG_BUSY);
+	}
+#endif
 }
 
 void fw_update_command_handler(void *body,