Re: grub2's binary is detecting as 'Malformed security header' by efitoo
From: Randy Goldenberg
Subject: Re: grub2's binary is detecting as 'Malformed security header' by efitools
Date: Mon, 22 Apr 2024 12:35:38 -0700

My guess is that the problem is caused by the tool used for signing the
image, presumably sbtool, which doesn't seem to have updated SizeOfImage.
If you do a hexdump of the grub image and jump to the offset at the value
given for SizeOfImage by objdump, it's apparent that that's where the data
added by sbtool begins.

The last line of the hexdump will give you the size of the image. If you
edit the image, replacing the value of SizeOfImage (offset 000000d0) with
the true size of the image (note: image is little endian),
hash-to-efi-sig-list will then succeed.

That's as far as my poking around has taken me. It's possible that the
edit may break other things.

On Fri, Apr 19, 2024 at 12:06 AM Haruki TSURUMOTO <tsu.root@gmail.com>
wrote:
> On 2024/04/19 6:54, Randy Goldenberg wrote:
> > What version of grub2 are you using, and where did it come from?
> >
>
> grub2-2.06-70.el9_3.2, which comes from AlmaLinux.
>
>
> > On Thu, Apr 18, 2024 at 6:01 AM Haruki TSURUMOTO <tsu.root@gmail.com> wrote:
> >
> > Hi, I am an engineer trying Secure Boot reviews.
> >
> > I have a question for grub2's binary.
> >
> > We need to add the previous grub2's PE hash value to "vendor_dbx.esl" (it
> > will be embedded in our shim) to pass the Secure Boot review clauses.
> >
> > We had tried to generate the dbx file with efitools
> > (https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git)
> > hash-to-efi-sig-list(1);
> > however, we encountered the error below.
> >
> > "Failed to get hash of grubx64.efi: 2"
> >
> > We researched the details of the error reason: the grub2 binary is
> > detected as 'Malformed security header' by efitools.
> >
> > https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git/tree/lib/pecoff.c#n120
> >
> > This is objdump's output.
> > --
> > $ objdump -x ./grubx64.efi | grep -E '(SizeOfImage|Security Directory)'
> > SizeOfImage 0026b000
> > Entry 4 000000000026b000 00000640 Security Directory
> > --
> >
> > Also, this error is reproducible in very famous distributions.
> > (e.g. Debian, Ubuntu, and Fedora)
> >
> > Does anyone know whether this is an efitools bug, or are we using the
> > wrong tools?
> >
> > --
> > Haruki TSURUMOTO
> >
>