CONFIG_VBOOT enables vboot, the verified boot scheme. The issue here is the submodule, which is drawn in through CONFIG_VBOOT_LIB. Besides vboot, other users of it are: the TPM drivers, Eltan's mboot, AMD PSP verstage, Intel CSE lite, and CBFS hashing (which has nothing to do with verified boot right now, although that could change).

And even if "just ifdef stuff in CBFS with CONFIG_VBOOT_LIB" creates a working image, that doesn't solve the problem that cbfstool has its own CBFS implementation (so it also needs to be ifguarded that way, which is a bit annoying because util/* doesn't use Kconfig at this time), and with just "ifguarding things", there's some work left to do to handle "cbfstool coreboot.rom add -A sha256 ..." properly: should it error out generically (as if -A is unknown)? provide a useful error message? just ignore the flag?

It's not quite that straightforward.