[coreboot-gerrit] [S] Change in coreboot[master]: soc/amd/common: Add a config to keep signed AMD/PSP FW separately

Attention is currently required from: Jason Glenesk, Raul Rangel, Marshall Dawson, Kangheui Won, Matt DeVillier, Paul Menzel, Fred Reitberger, Karthik Ramasubramanian, Felix Held.

Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/59867 )

Change subject: soc/amd/common: Add a config to keep signed AMD/PSP FW separately ......................................................................

Patch Set 13:

(1 comment)

Commit Message:

https://review.coreboot.org/c/coreboot/+/59867/comment/3d48850d_a2cc57d5 PS13, Line 10: SIGNED_AMDFW_

am not sure if all the AMD boards are going to enable CBFS verification.

The long-term plan is definitely to move all Chrome OS platforms to RW CBFS verification, and then maybe eventually deprecate and remove the old "verify whole FW_MAIN section at once" code path. But this is still a ways out -- it will not be in for Skyrim and possible but I don't want to make promises for the generation after that.

2. With CBFS verification enabled, every time a file is accessed the header for all the files in the CBFS are accessed to ensure they are not corrupted. With this approach, we went from 1 file to atleast 20 files to my knowledge. That will lead to more SPI ROM reads and potentially a slow down.

This concern should be mitigated by the metadata cache, so you shouldn't need to worry.

In general I agree with Karthik that this seems to make most sense for now (and if you want something in time for Skyrim this seems to be the only option). Later once we got all the RW CBFS verification in place we can come back and reevaluate if we want to make any changes, but at first glance this approach doesn't necessarily seem worse.