Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/76209?usp=email )

Change subject: vboot: Fix S3 resume with stage_cache ......................................................................

Patch Set 3:

(1 comment)

Patchset:

PS2:

This only applie to EC_GOOGLE_CHROMEEC=y case, Chromebooks that is. […]

Yeah, I guess there's no protection for that without CHROMEEC. It wouldn't be hard to implement a second back-end for this storage if we had one, I guess a TPM NVRAM space could work (although it would change on every firmware update which might cause flash wear, not sure for how many cycles those spaces were designed).

I'm also not sure this protection is super important, though, I think it was mostly implemented as paranoid defense-in-depth. Even if we don't store the hash we are still verifying the slot, so it's still original signed code, it might just be a different version. Mismatching versions like this may cause errors and weird behavior in some cases, but it seems very unlikely that it just happens to work out in such an odd way that an attacker manages to gain code execution from that.