Issue #607 has been reported by Maximilian Brune.

----------------------------------------
Bug #607: vboot-vscvd-ranges are never populated correctly
https://ticket.coreboot.org/issues/607

* Author: Maximilian Brune
* Status: Response Needed
* Priority: High
* Category: chipset configuration
* Target version: none
* Start date: 2025-08-20
* Affected hardware: all hardware that uses VBOOT_GSCVD
----------------------------------------
I worked on the amdfwread tool and I noticed that it is used by AMD common Makefiles for VBOOT:
https://github.com/coreboot/coreboot/blob/ee347d88120bca22d64a1581cd91eee786e2d7db/src/soc/amd/common/Makefile.mk#L65

It apparently creates a file called "ro-amdfw-list" which contains address ranges for the regions that are needed by VBOOT tooling so that it knows which regions to protect with a signature?

The problem is that I noticed that the file is read before it even exists:
https://github.com/coreboot/coreboot/blob/ee347d88120bca22d64a1581cd91eee786e2d7db/src/soc/amd/phoenix/Makefile.mk#L375

The file is created during "build_complete", but it is queried at the beginning of the build process, which causes the "vboot-gscvd-ranges" variable to contain "error" entries instead of actual regions.

Looking at the code, it seems this has never worked from the beginning. Since this is potentially security relevant (although I don't know to which degree since I am unfamiliar with the GSCVD implementation), it should be addressed.
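
The ordering problem described in the report, reduced to a constructed Makefile (an added example, not coreboot's build code). It shows a variable that reads a generated file at parse time receiving the fallback value on a clean build, plus a guard that rejects such a value. The file name `ro-list`, the variable names, the range value and the `ranges_ok` helper are made up for illustration, and GNU make is assumed to be installed.

```shell
#!/bin/sh
# Constructed demo, not coreboot's Makefile: the file name, variable names
# and the "0x1000:0x200" range value are made up for illustration.

# Write a Makefile whose EARLY variable reads the list while make is still
# parsing, although the list is only produced later by a rule.
write_demo() {
    cat > "$1/Makefile" <<'EOF'
LIST := ro-list
# ':=' expands immediately, at parse time; a missing file yields "error".
EARLY := $(shell cat $(LIST) 2>/dev/null || echo error)
all: $(LIST) ; @echo "early=$(EARLY) late=$$(cat $(LIST))"
$(LIST): ; @echo 0x1000:0x200 > $@
EOF
}

# Build in directory $1 and print one line: "early=... late=...".
run_demo() {
    (cd "$1" && make -s all)
}

# Guard a signing step could apply before trusting the ranges:
# refuse an empty list or any "error" entry.
ranges_ok() {
    [ -n "$1" ] || return 1
    case " $1 " in
        *" error "*) return 1 ;;
    esac
    return 0
}

# Run the build twice in a fresh directory and print both result lines.
demo() {
    dir=$(mktemp -d) || return 1
    write_demo "$dir"
    first=$(run_demo "$dir")    # clean tree: list is missing at parse time
    second=$(run_demo "$dir")   # list left over from the first run is read
    rm -rf "$dir"
    printf '%s\n%s\n' "$first" "$second"
}

demo
```

In this demo the second run reads the list left behind by the first, so an incremental build can hide the problem that a clean build exposes.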

