Arthur Heymans has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/36544 )
Change subject: security/vboot: Add rw_region_only support to vboot
Patch Set 4:
(1 comment)
The idea behind this is that the update image needs to be created more often than the "factory image" containing the correct RO partition. So this should be as easy as possible so it would even be acceptable to have an update-image without the payload (as the RO part won't be used anyway). During development of the initial image we can simply start out by adding the small payload to both the RO and RW regions. So the number of manual actions required will be limited.
I think with ChromeOS new 'factory' images are always created regardless of whether the RO partition is already locked.
For my understanding, why do you think it is easier to add the larger payload later? Now I can build the large payload with the coreboot tree and generate the image with the correct payload in one go. How would that work in your case?
I just think that handling payloads outside of the coreboot build system makes more sense when shipping images, especially if you want different things in RO vs RW.