Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/64547 )
Change subject: Makefile.inc: Add bootblock to CBFS before others
Patch Set 4:
(1 comment)
Commit Message:
https://review.coreboot.org/c/coreboot/+/64547/comment/4a6cfb9b_7ea6d549 PS2, Line 9: cbfstool
The problem is that it still needs to be updated again every time a new CBFS file is added. […]
Yes, I think that's exactly what it will need to have.
The way this works on Arm is that coreboot generates bootblock.raw.bin, then usually a platform-specific utility (this would roughly be the equivalent to your ifwitool, I think) transforms that into a bootblock.bin that wraps the code in the required platform-specific encoding including headers, checksums, etc. Finally the Makefiles copy that bootblock.bin into the BOOTBLOCK FMAP section.
cbfstool scans the whole FMAP section for the metadata hash magic number, so no matter how it is packaged, as long as it's not compressed or encrypted or anything it will find it. Then it can update the hash as needed. For cases where that area is covered by a checksum or something, there's a mechanism in cbfstool/platform_fixups.c to detect which kind of platform image it is and then update the necessary hashes.
This framework worked pretty well for the platforms we've tried for now (Qualcomm and MediaTek), since cbfstool doesn't need to know how to generate the whole platform-specific data structure from scratch, it just needs to know how to find and update any checksums in it. I hope this will transfer to the x86 cases as well. So you would still have your ifwitool or whatever to initially create the IFWI, but cbfstool would need to know how to recompute any checksums in it after it has updated it in-place. It would be nice if we could standardize on all these platforms using the name "BOOTBLOCK" for the FMAP section that contains the bootblock (even if it's technically an "IFWI" or whatever), but we can make cbfstool look for other sections too if necessary.
I think +Karthik has been looking into implementing this for AMD -- that one is definitely on our roadmap. For IFWI I was told that this only worked that way on APL/GLK, and starting with JSL the mechanism changed again to something more in line with the big core Intel chips (with bootblock in CBFS). Is that true? If so, I think we (Google) are currently not really planning to work on supporting CBFS verification for APL/GLK and expect the issue to just obsolete itself eventually. But if anyone else wants to implement support for it, they're of course welcome to do so.
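An added illustration of the scan-and-fixup approach described in this comment (example code, not coreboot's or cbfstool's own): a bootblock is wrapped in a hypothetical platform header with a checksum, the metadata hash anchor is located by scanning for its magic, the hash is patched in place, and the wrapper is re-sealed. The magic value "MHSH", the wrapper layout and the checksum function are constructed assumptions for the sketch.

```c
#include <stdint.h>
#include <string.h>
#define ANCHOR_MAGIC "MHSH"   /* constructed stand-in, not cbfstool's real anchor magic */
#define MAGIC_LEN 4
#define HASH_LEN 32
/* Hypothetical platform wrapper (not a real format): bytes 0..3 hold a checksum over the rest. */
static uint32_t wrapper_sum(const uint8_t *img, size_t len)
{
	uint32_t s = 0;
	for (size_t i = 4; i < len; i++) s = s * 31 + img[i];
	return s;
}
/* The platform-specific fixup: recompute the wrapper checksum after an in-place edit. */
static void platform_fixup(uint8_t *img, size_t len)
{
	uint32_t s = wrapper_sum(img, len);
	memcpy(img, &s, 4);
}
static int wrapper_checksum_ok(const uint8_t *img, size_t len)
{
	uint32_t s = wrapper_sum(img, len);
	return memcmp(img, &s, 4) == 0;
}
/* Build a constructed bootblock.bin: [sum][code][MAGIC][hash][code]; returns its length. */
static size_t build_image(uint8_t *img)
{
	size_t off = 4;
	memset(img + off, 0x90, 40); off += 40;             /* code before the anchor */
	memcpy(img + off, ANCHOR_MAGIC, MAGIC_LEN); off += MAGIC_LEN;
	memset(img + off, 0, HASH_LEN); off += HASH_LEN;    /* hash slot, filled later */
	memset(img + off, 0x90, 40); off += 40;             /* code after the anchor */
	platform_fixup(img, off);                           /* platform tool seals it */
	return off;
}
/* Scan the whole section for the magic, as cbfstool does; -1 if it is not there. */
static long find_anchor(const uint8_t *img, size_t len)
{
	for (size_t i = 0; i + MAGIC_LEN + HASH_LEN <= len; i++)
		if (memcmp(img + i, ANCHOR_MAGIC, MAGIC_LEN) == 0) return (long)i;
	return -1;
}
/* What cbfstool must do after adding a file: patch the hash in place, then re-seal. */
static int update_metadata_hash(uint8_t *img, size_t len, const uint8_t *hash)
{
	long at = find_anchor(img, len);
	if (at < 0) return -1;
	memcpy(img + at + MAGIC_LEN, hash, HASH_LEN);
	platform_fixup(img, len);
	return 0;
}
```

Without the fixup step the wrapper checksum no longer matches after the hash is rewritten, which is exactly the case platform_fixups.c exists to handle.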