Wim Vervoorn has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/36544 )
Change subject: security/vboot: Add rw_region_only support to vboot
Patch Set 7:
(1 comment)
I explained a bit more how this feature works. I hope this addresses your concern about the possibility of doing bad things (like removing the bootblock, romstage or verstage) using this option.
This simply isn't possible. For what remains you can do equally bad things using the RO region only support.
https://review.coreboot.org/c/coreboot/+/36544/7/src/security/vboot/Kconfig
File src/security/vboot/Kconfig:

https://review.coreboot.org/c/coreboot/+/36544/7/src/security/vboot/Kconfig@...
PS7, Line 224: "Files that should ONLY be copied to RW"
I don't like this. You can insert bad stuff here like bootblock. […]
I don't have any problem with guarding this feature with an enabling config to be added in the board Kconfig. I agree with you that you should know what you are doing when you use it.
I don't think this is as bad as you think it is. If you add the bootblock to the list, nothing will happen. This option only works for files that would normally end up in all regions, so the critical ones won't be affected anyhow.