[PATCH] efi_loader: Allow overlapped extra data for PE hashing

Heinrich Schuchardt xypron.glpk at gmx.de
Fri Jun 24 10:53:38 CEST 2022


On 6/24/22 07:32, Su, Bao Cheng wrote:
> During PE hashing, when holes exists between sections, the extra data
> calculated could be a dupulicated region of the last section.
>
> Such PE image with holes existing between sections may contain the
> symbol table for the kernel, for example.
>
> The Authenticode_PE spec does not rule how to deal with such scenario,
> however, other tools such as pesign and sbsign both have the overlapped

Thanks for analyzing differences in hashing.

Above you mention holes between sections. Here you talk about
overlapping sections. These two cases are obviously distinct.

Please, provide an accurate description.

Examples (in text form) would be helpful.

Best regards

Heinrich

> regions hashed. And EDK2 hash the overlapped area as well.
>
> Signed-off-by: Baocheng Su <baocheng.su at siemens.com>
> ---
>   lib/efi_loader/efi_image_loader.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/efi_loader/efi_image_loader.c
> b/lib/efi_loader/efi_image_loader.c
> index 9611398885..d85fb6ba08 100644
> --- a/lib/efi_loader/efi_image_loader.c
> +++ b/lib/efi_loader/efi_image_loader.c
> @@ -481,7 +481,7 @@ bool efi_image_parse(void *efi, size_t len, struct
> efi_image_regions **regp,
>   		EFI_PRINT("extra data for hash: %zu\n",
>   			  len - (bytes_hashed + authsz));
>   		efi_image_region_add(regs, efi + bytes_hashed,
> -				     efi + len - authsz, 0);
> +				     efi + len - authsz, 1);
>   	}
>
>   	/* Return Certificates Table */



More information about the U-Boot mailing list