Arthur Heymans has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/36544 )
Change subject: security/vboot: Add rw_region_only support to vboot ......................................................................
Patch Set 9:
(1 comment)
Patch Set 9:
Patch Set 7:
(1 comment)
Patch Set 7:
(1 comment)
I explained a bit more how this feature works. I hope this addresses your concern about the possibility to do bad things (like removing the bootblock, romstage or verstage) using this option.
This simply isn't possible. For what remains you can do equally bad things using the RO region only support.
No RO only leaves you with a broken RW, which isn't as bad in general.
Can you address my idea of generating only the RW region? That along with flashrom being able to flash fmap regions should cover your use case better. It's also a quite useful feature in general.
I overlooked responding to your idea to generate on the RW region. The issue is that I haven't found anything in the documentation to do this in an easy way. The coreboot build systen doesn't really let me do this. I know it's possible by using the tools and creating components seperately but not in an easy to use "make" type of way. If I am missing something please let me know.
It's not perfect but if COREBOOT is not in VBOOT_PARTITIONS, you get a pretty empty stub. Might be possible to improve that further to not populate it at all?
https://review.coreboot.org/c/coreboot/+/36544/9//COMMIT_MSG Commit Message:
https://review.coreboot.org/c/coreboot/+/36544/9//COMMIT_MSG@10 PS9, Line 10: it is required to make sure some components : are only added to the RW_REGION. 'required to make sure' begs more questions. Please try to sketch a use case where this might be useful here.