In the most general case, the flash layout looks something like this:

  +---------------------+
  | Reserved for EC use |
  +---------------------+

  +---------------------+
  |     Vblock B        |
  +---------------------+
  |  RW firmware B      |
  +---------------------+

  +---------------------+
  |     Vblock A        |
  +---------------------+
  |  RW firmware A      |
  +---------------------+

  +---------------------+
  |       FMAP          |
  +---------------------+
  |   Public root key   |
  +---------------------+
  |  Read-only firmware |
  +---------------------+


BIOS firmware (and kernel) put the vblock info at the start of each image
where it's easy to find. The Blizzard EC expects the firmware vector table
to come first, so we have to put the vblock at the end. This means we have
to know where to look for it, but that's built into the FMAP and the RO
firmware anyway, so that's not an issue.

The RO firmware doesn't need a vblock of course, but it does need some
reserved space for vboot-related things.

Using SHA256/RSA4096, the vblock is 2468 bytes (0x9a4), while the public
root key is 1064 bytes (0x428) and the current FMAP is 644 bytes (0x284). If
we reserve 4K at the top of each FW image, that should give us plenty of
room for vboot-related stuff.