From 7ecd1d6d3c23b6acb13f90062d062647ddb4fed3 Mon Sep 17 00:00:00 2001 From: Randall Spangler Date: Fri, 25 May 2012 14:57:09 -0700 Subject: Add system_is_locked() to prevent sysjump on consumer systems This returns true when both HW and SW write protect are enabled. Once WP is enabled, sysjump will be locked out. system_is_locked() can be used to gate other dangerous-ish commands too. Signed-off-by: Randall Spangler BUG=chrome-os-partner:7468 TEST=manual sysinfo -> unlocked, copy A sysjump B -> works flashwp lock reboot (make sure flashinfo shows WP asserted and flash locked; note there is a HW bug on proto1 which makes this flaky) sysinfo -> locked, copy A sysjump B -> fails (remove WP screw) reboot hard flashwp unlock Change-Id: I849b573675c2c1cb4c44b9a05d6973e38247ca23 --- common/main.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'common/main.c') diff --git a/common/main.c b/common/main.c index 6b4dfb704c..74a698460e 100644 --- a/common/main.c +++ b/common/main.c @@ -110,6 +110,11 @@ int main(void) * Note that steps above here may be done TWICE per boot, once in the * RO image and once in the RW image. */ vboot_init(); + + /* If system is locked, disable system jumps now that vboot has had its + * chance to jump to a RW image. */ + if (system_is_locked()) + system_disable_jump(); #endif /* Initialize other driver modules. These can occur in any order. -- cgit v1.2.1
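Review bot: the new `if (system_is_locked()) system_disable_jump();` in `main()` sits above the `#endif` that closes the conditional block containing `vboot_init()`. A build that compiles that block out therefore never disables sysjump, even when both HW and SW write protect are enabled. If the lockout is meant to hold whether or not vboot is built in, move the check below the `#endif`. If it is deliberately tied to vboot, say so in the new comment so that the dependency is visible to anyone who later uses `system_is_locked()` to gate other commands.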