[PATCH 0/2] kexec-tools: Truncate PE file if it is signed
Pingfan Liu
piliu at redhat.com
Thu Dec 5 18:44:41 PST 2024
Note: This series is compatible with the ongoing kernel patches '[PATCH
0/2] Kexec: Sign Image before packing into EFI STUB' [1]. It ensures
functionality when kexec_file_load enforces signature verification on
arm64, LoongArch, and RISC-V.
*** Issue ***
In the linux kernel drivers/firmware/efi/libstub/Makefile.zboot, the
original Image is padded with zero, using the following instruction:
truncate -s $$(hexdump -s16 -n4 -e '"%u"' $<) $@
Hence pe-zboot.c decomopresses and gets Image plus trailing zeroes.
These trailing zeroes don't affect loading the original PE file. But
they do raise an issue during the signature verfication. The root cause is
that the kernel function:
static int pefile_digest_pe_contents(const void *pebuf, unsigned int pelen,
struct pefile_context *ctx,
struct shash_desc *desc)
treats [pebuf, pebuf+pelen] as valid payload, which includes the
trailing zeroes. But that is not the truth.
*** Solution ***
In pratice, the table of attribute certificates come at the end of a
PE file. This patch utilizes that fact and truncates at the boundary of the
certificate table to get the original Image.
[1]: https://lore.kernel.org/linux-efi/20241206021000.8953-1-piliu@redhat.com/T/#t
Cc: Simon Horman <horms at kernel.org>
To: kexec at lists.infradead.org
Pingfan Liu (2):
PE: Extract get_pehdr_offset() for reuse
pe-zboot: Truncate the trailing zero if Image is signed
include/pe.h | 47 ++++++++++++++++++++++++++++++++++++++++++
kexec/kexec-pe-zboot.c | 25 +++++++++++++++++++---
kexec/kexec-uki.c | 17 ---------------
3 files changed, 69 insertions(+), 20 deletions(-)
--
2.41.0
More information about the kexec
mailing list