Kyösti Mälkki has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/41694 )
Change subject: [NOTFORMERGE] mb/facebook/fbg1701: Remove C_ENV_BOOTBLOCK_SIZE
Patch Set 1:
Thanks for sharing your arguments. I had a look and I think you are right. We can use VERIFY_FILE instead of VERIFY_BLOCK. In fact the verify block was a legacy from our original implementation in Braswell where we treated the actual boot block and the public key as one block. We will have a look and do some testing on this to make sure the coreboot implementation matches the signing scripts.
Changing to file verification for the boot block should solve all of the issues you mention. The issue with a locked boot block can be solved in another way and is anyhow board specific.
Wim, thanks. I need to coordinate some amd/picasso changes for top-aligned bootblock too, so it's likely early July before I would need a solution here. But sounds now like you could drop VERIFY_BLOCK implementation as independent work.