rwsig: protect all flash before jumping to RW

On "normal" EC, we do protect RW as part of software sync, which would
call flash_command_protect (which indirectly calls flash_protect_at_boot).

Here, we don't want to (and can't) rely on the host to tell us to protect
the RW, so we need to protect it ourselves before jumping to RW.

This does feel a little redundant with rollback_lock though, since ALL
will protect both RW and ROLLBACK: a later CL will fix that up.

BRANCH=none
BUG=b:35587171
TEST=flashwp true; reboot; RO protects all flash before booting to RW

Change-Id: I820cabb01d1ca4aa47b81fc013a1670134a6be09
Reviewed-on: https://chromium-review.googlesource.com/476453
Commit-Ready: Nicolas Boichat <drinkcat@chromium.org>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>

common/rwsig.c

@@ -9,6 +9,7 @@
 
 #include "console.h"
 #include "ec_commands.h"
+#include "flash.h"
 #include "rollback.h"
 #include "rsa.h"
 #include "rwsig.h"
@@ -32,10 +33,28 @@ static uint32_t * const rw_rst =
 
 void rwsig_jump_now(void)
 {
+	/* Protect all flash before jumping to RW. */
+
 	/*
-	 * TODO(b/35587171): This should also check RW flash is protected.
+	 * This may do nothing if WP is not enabled, RO is not
+	 * protected, or if ALL_AT_BOOT is already set.
 	 */
-	system_run_image_copy(SYSTEM_IMAGE_RW);
+	flash_set_protect(EC_FLASH_PROTECT_ALL_AT_BOOT, -1);
+
+	if (!(flash_get_protect() & EC_FLASH_PROTECT_ALL_NOW) &&
+	      flash_get_protect() & EC_FLASH_PROTECT_ALL_AT_BOOT) {
+		/*
+		 * If flash protection is still not enabled (some chips may
+		 * be able to enable it immediately), reboot.
+		 */
+		cflush();
+		system_reset(SYSTEM_RESET_HARD | SYSTEM_RESET_PRESERVE_FLAGS);
+	}
+
+	/* When system is locked, only boot to RW is all flash is protected. */
+	if (!system_is_locked() ||
+	    flash_get_protect() & EC_FLASH_PROTECT_ALL_NOW)
+		system_run_image_copy(SYSTEM_IMAGE_RW);
 }
 
 /*