[PATCH 2/2] pe-zboot: Truncate the trailing zero if Image is signed

Simon Horman horms at kernel.org
Fri Dec 13 04:43:13 PST 2024


On Fri, Dec 06, 2024 at 10:44:43AM +0800, Pingfan Liu wrote:
> *** Issue ***
> In the linux kernel drivers/firmware/efi/libstub/Makefile.zboot, the
> original Image is padded with zero, using the following instruction:
> 	truncate -s $$(hexdump -s16 -n4 -e '"%u"' $<) $@
> 
> Hence pe-zboot.c decompresses and gets Image plus trailing zeroes.
> 
> These trailing zeroes don't affect loading the original PE file. But
> they do raise an issue during the signature verification. The root cause is
> that the kernel function:
> 	static int pefile_digest_pe_contents(const void *pebuf, unsigned int pelen,
> 					     struct pefile_context *ctx,
> 					     struct shash_desc *desc)
> treats [pebuf, pebuf+pelen] as valid payload, which includes the
> trailing zeroes. But that is not the truth.
> 
> *** Solution ***
> In practice, the table of attribute certificates comes at the end of a
> PE file. This patch utilizes that fact and truncates at the boundary of the
> certificate table to get the original Image.
> 
> Signed-off-by: Pingfan Liu <piliu at redhat.com>
> Cc: Simon Horman <horms at kernel.org>
> To: kexec at lists.infradead.org

Thanks, applied after addressing some minor spelling issues
in the patch description.
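
One way the truncation described in the quoted patch description could be computed, as an added example that is not the patch itself or kexec-tools code. The names `pe_signed_length` and `sample_pe` are hypothetical, the sample image is constructed, and the code relies on the description's assumption that the attribute certificate table is the last thing in the file.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian accessors; PE headers are little-endian on disk. */
static uint32_t rd16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | rd16(p + 2) << 16; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Length of the PE file once padding after the attribute certificate table is
 * dropped. Returns len unchanged when the buffer is not a PE file, is
 * unsigned, or the table does not lie inside the buffer. */
size_t pe_signed_length(const uint8_t *buf, size_t len)
{
	if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return len;
	size_t pe = rd32(buf + 0x3c);                 /* e_lfanew */
	if (pe > len || len - pe < 26 || memcmp(buf + pe, "PE\0\0", 4))
		return len;
	uint32_t magic = rd16(buf + pe + 24);         /* after signature + COFF header */
	if (magic != 0x10b && magic != 0x20b) return len; /* PE32 / PE32+ */
	size_t n = pe + 24 + (magic == 0x10b ? 92 : 108); /* NumberOfRvaAndSizes */
	if (n > len || len - n < 4 + 5 * 8 || rd32(buf + n) < 5)
		return len;
	/* Directory entry 4 is the certificate table; its "address" is a file offset. */
	uint32_t off = rd32(buf + n + 4 + 4 * 8), size = rd32(buf + n + 8 + 4 * 8);
	if (off == 0 || size == 0 || off > len || size > len - off)
		return len;
	return (size_t)off + size;
}

/* Constructed sample: minimal PE32+ headers, certificate table at [off, off + size). */
void sample_pe(uint8_t *buf, size_t total, uint32_t off, uint32_t size)
{
	memset(buf, 0, total);
	memcpy(buf, "MZ", 2);
	wr32(buf + 0x3c, 0x40);
	memcpy(buf + 0x40, "PE\0\0", 4);
	wr32(buf + 0x58, 0x20b);          /* optional header magic: PE32+ */
	wr32(buf + 0x58 + 108, 16);       /* NumberOfRvaAndSizes */
	wr32(buf + 0x58 + 112 + 32, off); /* certificate table file offset */
	wr32(buf + 0x58 + 112 + 36, size);
}

int main(void)
{
	static uint8_t img[1024];
	sample_pe(img, sizeof img, 0x200, 16);
	return printf("%zu -> %zu\n", sizeof img, pe_signed_length(img, sizeof img)) < 0;
}
```

Falling back to the full length on any malformed or out-of-range field keeps an unsigned or damaged image from being shortened at an attacker-chosen offset; the signature check then fails on its own terms.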
