Issue #607 has been updated by Maximilian Brune.

Status changed from Response Needed to Resolved
Priority changed from High to Low

Not an issue after all, since Makefile's lazy evaluation of variables is used.

----------------------------------------
Bug #607: vboot-vscvd-ranges are never populated correctly
https://ticket.coreboot.org/issues/607#change-2129

* Author: Maximilian Brune
* Status: Resolved
* Priority: Low
* Category: chipset configuration
* Target version: none
* Start date: 2025-08-20
* Affected hardware: all hardware that uses VBOOT_GSCVD
----------------------------------------
I worked on the amdfwread tool and I noticed that it is used by AMD common Makefiles for VBOOT:
https://github.com/coreboot/coreboot/blob/ee347d88120bca22d64a1581cd91eee786e2d7db/src/soc/amd/common/Makefile.mk#L65

It apparently creates a file called "ro-amdfw-list" which contains address ranges for the regions that are needed by VBOOT tooling so that it knows which regions to protect with a signature?

The problem is that I noticed that the file is read before it even exists:
https://github.com/coreboot/coreboot/blob/ee347d88120bca22d64a1581cd91eee786e2d7db/src/soc/amd/phoenix/Makefile.mk#L375

The file is created during "build_complete", but it is queried at the beginning of the build process, which causes the "vboot-gscvd-ranges" variable to contain "error" entries instead of actual regions.

Looking at the code, it seems this has never worked from the beginning. Since this is potentially security relevant (although I don't know to which degree since I am unfamiliar with the GSCVD implementation), it should be addressed.
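
The GNU Make behaviour the resolution refers to, as an added illustration that is not taken from coreboot's Makefiles: a variable assigned with `=` is expanded on each use, so a `$(shell ...)` inside it runs only when a recipe needs it, while `:=` runs it once at parse time, before any generated file exists. The file name `ranges.txt`, the variable names, the `error` fallback and the sample range are constructed for this example.

```makefile
# Added illustration, not coreboot code. All names are constructed:
# ranges.txt stands in for a list file that is generated late in the build.
# Requires GNU Make 3.82+ (.RECIPEPREFIX avoids literal tab characters).
.RECIPEPREFIX = >
LIST := ranges.txt

# Read the list, or yield "error" when the file does not exist yet.
read-list = $(shell cat $(LIST) 2>/dev/null || echo error)

# ':=' expands immediately, while the Makefile is still being parsed.
eager-ranges := $(read-list)

# '=' stores the text unexpanded; $(shell ...) runs at each later use.
lazy-ranges = $(read-list)

.PHONY: all show clean
all: show

# Generate the list file (constructed sample range).
$(LIST):
> printf '0x1000-0x2000\n' > $@

# Recipe text is expanded just before the recipe runs, that is, after
# the prerequisite $(LIST) has been built.
show: $(LIST)
> @echo "eager: $(eager-ranges)"
> @echo "lazy:  $(lazy-ranges)"

clean:
> rm -f $(LIST)
```

On a clean tree, `make` prints `eager: error` and `lazy:  0x1000-0x2000`. Run it again without `make clean` and both lines show the range, because the file left over from the previous build is already present at parse time, so an eager read of a generated file can go unnoticed in an incremental build.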

