Re: grub2's binary is detecting as 'Malformed security header' by efitools

[Haruki TSURUMOTO]

On 2024/04/19 6:54, Randy Goldenberg wrote:
> What version of grub2 are you using, and where did it come from?

grub2-2.06-70.el9_3.2, come from AlmaLinux.


> On Thu, Apr 18, 2024 at 6:01 AM Haruki TSURUMOTO <tsu.root@gmail.com 
> <mailto:tsu.root@gmail.com>> wrote:
>
>     Hi, I am a engineer trying Secure Boot reviews.
>
>     I have a question for grub2's binary.
>
>     We need to add previous grub2's PE hash value to "vendor_dbx.esl" (it
>     will be emmbed our shim) to passing Secure Boot review clauses.
>
>     We had tried to generate dbx file by efitools(
>     https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git
>     <https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git> )
>     hash-to-efi-sig-list(1)
>     however, we encountered such below error.
>
>     "Failed to get hash of grubx64.efi: 2"
>
>     We researched details of error reason, grub2 binary is detecting as
>     'Malformed security header' by efitools.
>     
> https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git/tree/lib/pecoff.c#n120
>  
> <https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git/tree/lib/pecoff.c#n120>
>
>     This is objdump's output.
>     --
>     $ objdump -x ./grubx64.efi | grep -E '(SizeOfImage|Security Directory)'
>     SizeOfImage        0026b000
>     Entry 4 000000000026b000 00000640 Security Directory
>     --
>
>     Also this error is reproducible in very famous distirubtion.
>     (e.g. Debian, Ubuntu, and Fedora)
>
>     Anyone knows is this a efitool's bug?, or are we using the wrong tools?
>
>     --
>     Haruki TSURUMOTO