[PATCH v2] efi_loader: PE hashing for image with gap between sections

Su, Bao Cheng baocheng.su at siemens.com
Thu Jul 7 08:40:42 CEST 2022 

Some PE image has gap between sections. These gaps could be kernel
symbol table that does not belong to any sections.

For such kind of image, after the last section is added into the
hashing, the bytes_hashed is less than the (PE file size - Size of
AttributeCertificateTable). According to Step 14 of `Calculating the PE
Image Hash` in the `Windows Authenticode Portable Executable Signature
Format` Version 1.0 — March 21, 2008:

"
Create a value called FILE_SIZE, which is not part of the signature.
Set
this value to the image's file size, acquired from the underlying file
system. If FILE_SIZE is greater than SUM_OF_BYTES_HASHED, the file
contains extra data that must be added to the hash. This data begins at
the SUM_OF_BYTES_HASHED file offset, and its length is: (File Size) -
((Size of AttributeCertificateTable) + SUM_OF_BYTES_HASHED)
"

Some overlapped data could be added into the hashing again. Some other
tools such as sbgisn/pesign/EDK2 behave just as the Step 14 when
dealing
with such kind of PE image. However currently u-boot just ignores this
overlapped data and refuses to hash them again.

By toggling the `nocheck` of the efi_image_region_add to 1, the
overlapping checking could be avoided.

Signed-off-by: Baocheng Su <baocheng.su at siemens.com>
---

Changes in v2:
- Reword the commit message for better understanding.

 lib/efi_loader/efi_image_loader.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/efi_loader/efi_image_loader.c
b/lib/efi_loader/efi_image_loader.c
index 9611398885..d85fb6ba08 100644
--- a/lib/efi_loader/efi_image_loader.c
+++ b/lib/efi_loader/efi_image_loader.c
@@ -481,7 +481,7 @@ bool efi_image_parse(void *efi, size_t len, struct
efi_image_regions **regp,
 		EFI_PRINT("extra data for hash: %zu\n",
 			  len - (bytes_hashed + authsz));
 		efi_image_region_add(regs, efi + bytes_hashed,
-				     efi + len - authsz, 0);
+				     efi + len - authsz, 1);
 	}
 
 	/* Return Certificates Table */
-- 
2.30.2

More information about the U-Boot mailing list