Attention is currently required from: Raul Rangel, Julius Werner, Patrick Rudolph. Tim Wawrzynczak has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/59679 )
Change subject: intel: cse_lite: Use cbfs_unverified_area API ......................................................................
Patch Set 2: Code-Review+2
(2 comments)
Patchset:
PS2: FYI there is more incoming..... https://review.coreboot.org/c/coreboot/+/59685/9
File src/soc/intel/common/block/cse/cse_lite.c:
https://review.coreboot.org/c/coreboot/+/59679/comment/7e2de894_3160442b PS2, Line 676: cbfs_unverified_area_map
Ah, I think you wanted to avoid the vboot penalty on always hashing the firmware? It looks like the […]
Yes, the vboot loading/hashing time penalty was too much to bear on every boot, so as you noticed, the hash is stored in FW_MAIN_A or _B and thus the root of trust is extended to the new region by verifying the hash matches the region (only when it is required to be accessed). Once verification is moved to access-time only, then yes we can move the file back into FW_MAIN_X and drop the extra hash file.