help-grub
From: Randy Goldenberg
Subject: Re: grub2's binary is detecting as 'Malformed security header' by efitools
Date: Tue, 23 Apr 2024 11:20:29 -0700

The edit does indeed cause secure booting with the image to fail, as the
checksum is not updated.

Restoring the original value for SizeOfImage restores secure boot
capability.

On Mon, Apr 22, 2024 at 12:35 PM Randy Goldenberg <randy.goldenberg@gmail.com> wrote:

> My guess is that the problem is caused by the tool used for signing the
> image, presumably sbtool, which doesn't seem to have updated SizeOfImage.
>
> If you do a hexdump of the grub image and jump to the offset at the value
> given for SizeOfImage by objdump, it's apparent that that's where the data
> added by sbtool begins.
>
> The last line of the hexdump will give you the size of the image.  If you
> edit the image, replacing the value of SizeOfImage (offset 000000d0) with
> the true size of the image (note: image is little
> endian), hash-to-efi-sig-list will then succeed.
>
> That's as far as my poking around has taken me.  It's possible that the
> edit may break other things.
>
> On Fri, Apr 19, 2024 at 12:06 AM Haruki TSURUMOTO <tsu.root@gmail.com>
> wrote:
>
>> On 2024/04/19 6:54, Randy Goldenberg wrote:
>> > What version of grub2 are you using, and where did it come from?
>> >
>>
>> grub2-2.06-70.el9_3.2; it comes from AlmaLinux.
>>
>>
>> > On Thu, Apr 18, 2024 at 6:01 AM Haruki TSURUMOTO <tsu.root@gmail.com> wrote:
>> >
>> >     Hi, I am an engineer trying Secure Boot reviews.
>> >
>> >     I have a question about grub2's binary.
>> >
>> >     We need to add the previous grub2's PE hash value to "vendor_dbx.esl"
>> >     (it will be embedded in our shim) to pass the Secure Boot review clauses.
>> >
>> >     We tried to generate the dbx file with efitools'
>> >     (https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git)
>> >     hash-to-efi-sig-list(1); however, we encountered the error below.
>> >
>> >     "Failed to get hash of grubx64.efi: 2"
>> >
>> >     We researched the details of the error reason: the grub2 binary is
>> >     detected as 'Malformed security header' by efitools.
>> >
>> >     https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git/tree/lib/pecoff.c#n120
>> >
>> >     This is objdump's output.
>> >     --
>> >     $ objdump -x ./grubx64.efi | grep -E '(SizeOfImage|Security Directory)'
>> >     SizeOfImage        0026b000
>> >     Entry 4 000000000026b000 00000640 Security Directory
>> >     --
>> >
>> >     Also, this error is reproducible in very famous distributions
>> >     (e.g. Debian, Ubuntu, and Fedora).
>> >
>> >     Does anyone know if this is an efitools bug, or are we using the wrong
>> >     tools?
>> >
>> >     --
>> >     Haruki TSURUMOTO
>> >
>>
>
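The PE header fields and the header check discussed in this thread, as an added example that is not part of the original posts. This is a Python script of my own, not efitools or grub code: it reads SizeOfImage and data directory entry 4 (the Security Directory) from a constructed minimal PE32+ image laid out like the grub image in the thread (e_lfanew of 0x80, so SizeOfImage sits at file offset 0xd0, and signature data starting at the SizeOfImage offset), applies the rejection condition the posts imply for efitools (assumption: the Security Directory offset must be below SizeOfImage), and computes the Authenticode PE hash, the value hash-to-efi-sig-list would place in the ESL, before and after the SizeOfImage edit, so the reason the edited image no longer matches its existing signature is visible. The image bytes, section layout and 0xAA signature blob are constructed; the hash routine assumes the signature blob is at the end of the file.

```python
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

PE32PLUS_MAGIC, PE32_MAGIC = 0x20B, 0x10B
SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY, the "Entry 4" in objdump's output


def parse_pe(image: bytes) -> Dict:
    """Read the header fields the checks below need, using PE/COFF spec offsets."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    nsections, = struct.unpack_from("<H", image, coff + 2)
    opt_size, = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20  # optional header follows the 20-byte COFF header
    magic, = struct.unpack_from("<H", image, opt)
    if magic == PE32PLUS_MAGIC:
        datadir = opt + 112
    elif magic == PE32_MAGIC:
        datadir = opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    size_of_image, size_of_headers = struct.unpack_from("<II", image, opt + 56)
    sec_va, sec_size = struct.unpack_from("<II", image, datadir + 8 * SECURITY_DIR)
    sections: List[Tuple[int, int]] = []  # (PointerToRawData, SizeOfRawData)
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", image, opt + opt_size + 40 * i + 16)
        sections.append((raw_ptr, raw_size))
    return {
        "size_of_image_offset": opt + 56,  # 0xd0 for the layout in the thread
        "checksum_offset": opt + 64,
        "secdir_offset": datadir + 8 * SECURITY_DIR,
        "size_of_image": size_of_image,
        "size_of_headers": size_of_headers,
        "security_va": sec_va,
        "security_size": sec_size,
        "sections": sections,
    }


def security_header_check(info: Dict, file_size: int) -> Optional[str]:
    """Return a diagnostic if the Security Directory looks wrong, else None.
    Assumption drawn from the thread: efitools rejects an image whose signature
    offset is not below SizeOfImage. The bounds test is a basic sanity check."""
    va, size = info["security_va"], info["security_size"]
    if size == 0:
        return "image is unsigned (empty Security Directory)"
    if va >= info["size_of_image"]:
        return (f"Malformed security header: Security Directory at {va:#x} "
                f"is not below SizeOfImage {info['size_of_image']:#x}")
    if va + size > file_size:
        return "Security Directory extends past end of file"
    return None


def authenticode_hash(image: bytes, algo: str = "sha256") -> str:
    """Authenticode PE digest (what a dbx hash entry holds): every byte except the
    CheckSum field, the Security Directory entry and the signature blob itself.
    Assumes the signature blob is the last thing in the file (the usual layout)."""
    info = parse_pe(image)
    h = hashlib.new(algo)
    h.update(image[:info["checksum_offset"]])
    h.update(image[info["checksum_offset"] + 4:info["secdir_offset"]])
    h.update(image[info["secdir_offset"] + 8:info["size_of_headers"]])
    hashed = info["size_of_headers"]
    for raw_ptr, raw_size in sorted(info["sections"]):  # PointerToRawData order
        h.update(image[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    trailer = len(image) - hashed - info["security_size"]  # bytes after sections, minus signature
    if trailer > 0:
        h.update(image[hashed:hashed + trailer])
    return h.hexdigest()


def build_image(size_of_image: int, sig_size: int = 0x640) -> bytes:
    """Constructed minimal PE32+ (one section, no real code) whose dummy 0xAA
    signature blob starts exactly at SizeOfImage, the layout the thread describes."""
    e_lfanew, size_of_headers = 0x80, 0x200
    dos = (b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)  # x86-64, one section
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<II", opt, 56, size_of_image, size_of_headers)
    struct.pack_into("<I", opt, 108, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, size_of_image, sig_size)
    section = b".text".ljust(8, b"\0") + struct.pack("<IIII", 0x1000, 0x1000, 0x1000, size_of_headers) + bytes(16)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + section).ljust(size_of_headers, b"\0")
    body = bytes(range(256)) * 16  # 0x1000 bytes of section content
    return (headers + body).ljust(size_of_image, b"\0") + b"\xAA" * sig_size


def demo(size_of_image: int = 0x3000) -> Dict:
    """Reproduce the failure, apply the SizeOfImage edit from the thread, and show
    that the edit changes the image's Authenticode hash."""
    image = build_image(size_of_image)
    info = parse_pe(image)
    patched = bytearray(image)
    struct.pack_into("<I", patched, info["size_of_image_offset"], len(image))  # true file size
    patched = bytes(patched)
    return {
        "check_before": security_header_check(info, len(image)),
        "check_after": security_header_check(parse_pe(patched), len(patched)),
        "hash_before": authenticode_hash(image),
        "hash_after": authenticode_hash(patched),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run directly, the script prints the check result and digest for both the original and the edited image: the edited one passes the header check, but SizeOfImage lies inside the hashed header region, so its Authenticode digest no longer matches the digest the existing signature covers, which is consistent with the boot failure reported above until the image is re-signed. Point `parse_pe` and `security_header_check` at the bytes of a real grubx64.efi to see the same SizeOfImage / Security Directory values objdump reports.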

