Re: grub2's binary is detecting as 'Malformed security header' by efitools
From: Randy Goldenberg
Subject: Re: grub2's binary is detecting as 'Malformed security header' by efitools
Date: Mon, 22 Apr 2024 13:18:09 -0700
Correction:
s/sbtool/sbsign/
On Mon, Apr 22, 2024 at 12:35 PM Randy Goldenberg <randy.goldenberg@gmail.com> wrote:
> My guess is that the problem is caused by the tool used for signing the
> image, presumably sbtool, which doesn't seem to have updated SizeOfImage.
>
> If you do a hexdump of the grub image and jump to the offset at the value
> given for SizeOfImage by objdump, it's apparent that that's where the data
> added by sbtool begins.
>
> The last line of the hexdump will give you the size of the image. If you
> edit the image, replacing the value of SizeOfImage (offset 000000d0) with
> the true size of the image (note: image is little endian),
> hash-to-efi-sig-list will then succeed.
>
> That's as far as my poking around has taken me. It's possible that the
> edit may break other things.
>
> On Fri, Apr 19, 2024 at 12:06 AM Haruki TSURUMOTO <tsu.root@gmail.com> wrote:
>
>> On 2024/04/19 6:54, Randy Goldenberg wrote:
>> > What version of grub2 are you using, and where did it come from?
>> >
>>
>> grub2-2.06-70.el9_3.2, come from AlmaLinux.
>>
>>
>> > On Thu, Apr 18, 2024 at 6:01 AM Haruki TSURUMOTO <tsu.root@gmail.com> wrote:
>> >
>> > Hi, I am an engineer trying Secure Boot reviews.
>> >
>> > I have a question about grub2's binary.
>> >
>> > We need to add the previous grub2's PE hash value to "vendor_dbx.esl" (it
>> > will be embedded in our shim) to pass the Secure Boot review clauses.
>> >
>> > We tried to generate the dbx file with efitools'
>> > (https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git)
>> > hash-to-efi-sig-list(1); however, we encountered the error below.
>> >
>> > "Failed to get hash of grubx64.efi: 2"
>> >
>> > We researched the details of the error: the grub2 binary is detected as
>> > 'Malformed security header' by efitools.
>> > https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git/tree/lib/pecoff.c#n120
>> >
>> > This is objdump's output.
>> > --
>> > $ objdump -x ./grubx64.efi | grep -E '(SizeOfImage|Security Directory)'
>> > SizeOfImage 0026b000
>> > Entry 4 000000000026b000 00000640 Security Directory
>> > --
>> >
>> > Also, this error is reproducible in very famous distributions
>> > (e.g. Debian, Ubuntu, and Fedora).
>> >
>> > Does anyone know whether this is an efitools bug, or are we using the wrong tools?
>> >
>> > --
>> > Haruki TSURUMOTO
>> >
>>
>
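As an added example (not code from the thread, efitools, or grub), here is a small Python PE32+ header reader that reproduces the comparison the objdump output in the thread points at: the Security Directory offset (data directory entry 4) is compared against SizeOfImage, and a signed image whose signature starts at or past SizeOfImage is flagged, which is the state grubx64.efi is in above. It also applies Randy's workaround of writing the true file size into SizeOfImage and re-checks the result. The sample image is constructed inline (headers only, e_lfanew chosen so SizeOfImage lands at 0xd0 like the thread's binary), and the "beyond-SizeOfImage" condition is my reading of the thread rather than efitools' own code.

```python
import struct

PE32PLUS_MAGIC = 0x20B
SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode signature blob

def parse_pe(data: bytes) -> dict:
    """Read SizeOfImage and the Security Directory entry of a PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("only PE32+ (x86-64 EFI) is handled here")
    soi_at = opt + 56  # file offset of SizeOfImage; 0xd0 when e_lfanew is 0x80, as in the thread
    n_dirs = struct.unpack_from("<I", data, opt + 108)[0]
    sec = struct.unpack_from("<II", data, opt + 112 + 8 * SECURITY_DIR) if n_dirs > SECURITY_DIR else (0, 0)
    return {"size_of_image": struct.unpack_from("<I", data, soi_at)[0], "soi_at": soi_at,
            "sec_off": sec[0], "sec_size": sec[1], "file_size": len(data)}

def security_header_status(data: bytes) -> str:
    """'beyond-SizeOfImage' is the condition the thread's objdump output shows (assumed check)."""
    i = parse_pe(data)
    if i["sec_size"] == 0:
        return "unsigned"
    if i["sec_off"] >= i["size_of_image"]:
        return "beyond-SizeOfImage"
    return "ok"

def patch_size_of_image(data: bytes) -> bytes:
    """Randy's workaround: write the true file size into SizeOfImage, little endian."""
    i = parse_pe(data)
    out = bytearray(data)
    struct.pack_into("<I", out, i["soi_at"], len(data))
    return bytes(out)

def build_sample(size_of_image: int, sec_off: int, sec_size: int) -> bytes:
    """Constructed minimal PE32+ image (headers only, no sections), not a real grub binary."""
    img = bytearray(sec_off + sec_size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)  # e_lfanew, so SizeOfImage lands at 0xd0
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x8664, 0, 0, 0, 0, 240, 0x0022)  # COFF header
    opt = 0x98
    struct.pack_into("<H", img, opt, PE32PLUS_MAGIC)
    struct.pack_into("<I", img, opt + 56, size_of_image)
    struct.pack_into("<I", img, opt + 108, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 112 + 8 * SECURITY_DIR, sec_off, sec_size)
    return bytes(img)
```

Run `security_header_status(open("grubx64.efi", "rb").read())` on a real image to see which case it falls into before deciding whether a SizeOfImage patch is even relevant.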