Clarify rollback index protection in README.md file. am: 1614f552a5 am: 459fde11d5 am: 30a7217a17 am: 7ba1b00785 Change-Id: Id77dff055890b0dd0f11e51e7b4d74ab64e42c58

commit: bea31836bd08f86d7f928ab953c79f7e6746e3a1 [log] [tgz]
author: David Zeuthen <zeuthen@google.com> Tue May 16 19:33:04 2017 +0000
committer: android-build-merger <android-build-merger@google.com> Tue May 16 19:33:04 2017 +0000
tree: b3dbfd58e8f511650df883ff1cca5082ed91eba4
parent: d3201be54d7e6a81e39fbdd4ef55b18289cc7c1c [diff]
parent: 7ba1b00785e2fc9a7913f8e0f5f71fca49b6fe83 [diff]
diff --git a/README.md b/README.md
index 8421383..31d579b 100644
--- a/README.md
+++ b/README.md

@@ -628,10 +628,11 @@
 
 * If the device is LOCKED, only an OS signed by an embedded
   verification key (see the previous section) shall be
-  accepted. Additionally, the rollback indexes in the verified image
-  must not exceed those stored on the device and
-  `stored_rollback_index[n]` on the device are expected to be updated
-  as specified in the previous section.
+  accepted. Additionally, `rollback_index[n]` as stored in the
+  verified image must be greater or equal than what's in
+  `stored_rollback_index[n]` on the device (for all `n`) and the
+  `stored_rollback_index[n]` array is expected to be updated as
+  specified in the previous section.
     + If the key used for verification was set by the end user, and
       the device has a screen, it must show a warning with the key
       fingerprint to convey that the device is booting a custom
commit	bea31836bd08f86d7f928ab953c79f7e6746e3a1	[log] [tgz]
author	David Zeuthen <zeuthen@google.com>	Tue May 16 19:33:04 2017 +0000
committer	android-build-merger <android-build-merger@google.com>	Tue May 16 19:33:04 2017 +0000
tree	b3dbfd58e8f511650df883ff1cca5082ed91eba4
parent	d3201be54d7e6a81e39fbdd4ef55b18289cc7c1c [diff]
parent	7ba1b00785e2fc9a7913f8e0f5f71fca49b6fe83 [diff]