3 files changed, 15 insertions, 7 deletions

diff --git a/common/rwsig.c b/common/rwsig.c
index a4ba19e937..600c3eeaad 100644
--- a/common/rwsig.c
+++ b/common/rwsig.c
@@ -185,8 +185,13 @@ int rwsig_check_signature(void)
 	/*
 	 * Signature verified: we know that rw_rollback_version is valid, check
 	 * if rollback information should be updated.
+	 *
+	 * When system is locked, we only increment the rollback if RW is
+	 * currently protected.
 	 */
-	if (rw_rollback_version != min_rollback_version) {
+	if (rw_rollback_version != min_rollback_version &&
+			((!system_is_locked() ||
+			flash_get_protect() & EC_FLASH_PROTECT_RW_NOW))) {
 		/*
 		 * This will fail if the rollback block is protected (RW image
 		 * will unprotect that block later on).
@@ -201,12 +206,6 @@ int rwsig_check_signature(void)
 			good = 0;
 		}
 	}
-
-	/*
-	 * Lock the ROLLBACK region, this will cause the board to reboot if the
-	 * region is not already protected.
-	 */
-	rollback_lock();
 #endif
 out:
 	CPRINTS("RW verify %s", good ? "OK" : "FAILED");
diff --git a/common/update_fw.c b/common/update_fw.c
index 7a51e6977f..c08e8322b5 100644
--- a/common/update_fw.c
+++ b/common/update_fw.c
@@ -145,6 +145,14 @@ void fw_update_start(struct first_response_pdu *rpdu)
 	vb21_key = (const struct vb21_packed_key *)CONFIG_RO_PUBKEY_ADDR;
 	rpdu->common.key_version = htobe32(vb21_key->key_version);
 #endif
+
+#ifdef HAS_TASK_RWSIG
+	/* Do not allow the update to start if RWSIG is still running. */
+	if (rwsig_get_status() == RWSIG_IN_PROGRESS) {
+		CPRINTF("RWSIG in progress\n");
+		rpdu->return_value = htobe32(UPDATE_RWSIG_BUSY);
+	}
+#endif
 }
 
 void fw_update_command_handler(void *body,
diff --git a/include/update_fw.h b/include/update_fw.h
index e575500b19..5788779cb2 100644
--- a/include/update_fw.h
+++ b/include/update_fw.h
@@ -185,6 +185,7 @@ enum {
 	UPDATE_MALLOC_ERROR = 7,
 	UPDATE_ROLLBACK_ERROR = 8,
 	UPDATE_RATE_LIMIT_ERROR = 9,
+	UPDATE_RWSIG_BUSY = 10,
 };
 
 #endif  /* ! __CROS_EC_UPDATE_FW_H */