Aaron Durbin has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/36544 )
Change subject: security/vboot: Add rw_region_only support to vboot
Patch Set 10:
(1 comment)
Patch Set 10: Code-Review+1
(1 comment)
If RW and RO need different objects inside them I think it would make sense to generate them separately or even as separate files, but that's part of a larger redesign. I guess this is good enough as a stopgap measure for now to support your use case.
Agreed, I am definitely interested when a better solution is considered. Perhaps adding a "region" option to the cbfs file properties instead of the current regions_for_file mechanism could be used. By doing that you could use the current regions_for_file assignment by default and allow it to be overridden by specifying the regions.
I personally think we need a tool for managing the complexities of building up an image w/ multiple CBFSes in it. Some history: this was talked about a few years back. The consensus, though not 100%, then was that people wanted to keep it in Makefiles. I think it's harder to build up complex policies in a Makefile system. It may be time to rethink that conclusion.