[PATCH] efi_loader: Allow overlapped extra data for PE hashing

Jan Kiszka jan.kiszka at siemens.com
Fri Jun 24 11:44:15 CEST 2022


On 24.06.22 10:53, Heinrich Schuchardt wrote:
> On 6/24/22 07:32, Su, Bao Cheng wrote:
>> During PE hashing, when holes exist between sections, the extra data
>> calculated could be a duplicated region of the last section.
>>
>> Such a PE image with holes existing between sections may contain the
>> symbol table for the kernel, for example.
>>
>> The Authenticode_PE spec does not rule how to deal with such a scenario,
>> however, other tools such as pesign and sbsign both have the overlapped
> 
> Thanks for analyzing differences in hashing.
> 
> Above you mention holes between sections. Here you talk about
> overlapping sections. These two cases are obviously distinct.
> 
> Please, provide an accurate description.

Yeah, I also gave that feedback internally already as it left me a bit
confused.

> 
> Examples (in text form) would be helpful.

There is apparently no good PE dump tooling available, so I try to
describe our scenario verbally:

We are generating a unified kernel image, similar to what systemd does,
for ARM and ARM64 [1]. The stub has .text and .data sections, and then
follows the symbol table (some versions of binutils allow suppressing
it, others not, sigh). When appending the actual payload to that (kernel
image, command line, initrd, dtbs), those sections are added right after
the symbol table, creating an unhashed gap between the last stub section
and the first appended one. That unified linux.efi is then signed and
should be verifiable and bootable (as it is with EDK2).

HTH,
Jan

[1]
https://github.com/siemens/efibootguard/blob/master/docs/UNIFIED-KERNEL.md

-- 
Siemens AG, Technology
Competence Center Embedded Linux
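
The layout described in this message, as an added example that is not part of the original thread or of U-Boot: a small section-table dump that lists file ranges no section covers and compares the sum of bytes hashed with the end of the last section. The sample image, its section names and offsets are constructed, and the rule that extra data begins at the sum-of-bytes-hashed offset is an assumption about how the hashing procedure is applied.

```python
import struct

SECTION = struct.Struct("<8sIIIIIIHHI")  # 40-byte PE section header

def build_sample():
    """Constructed image: headers, .text, .data, 0x80-byte hole, appended .linux."""
    layout = [(b".text", 0x200, 0x200), (b".data", 0x400, 0x200),
              (b".linux", 0x680, 0x200)]       # (name, PointerToRawData, SizeOfRawData)
    opt = bytearray(0xF0)                      # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)      # Magic
    struct.pack_into("<I", opt, 60, 0x200)     # SizeOfHeaders
    img = bytearray(0x40)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)    # e_lfanew
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0xAA64, len(layout), 0, 0, 0, len(opt), 0)
    img += opt
    for name, ptr, size in layout:
        img += SECTION.pack(name, size, ptr, size, ptr, 0, 0, 0, 0, 0)
    return bytes(img) + bytes(0x880 - len(img))

def hashed_layout(img):
    """Return file holes between section raw data and the sum of bytes hashed."""
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    nsec = struct.unpack_from("<H", img, pe + 6)[0]
    opt_size = struct.unpack_from("<H", img, pe + 20)[0]
    size_of_headers = struct.unpack_from("<I", img, pe + 24 + 60)[0]
    table = pe + 24 + opt_size
    secs = []
    for i in range(nsec):
        f = SECTION.unpack_from(img, table + i * SECTION.size)
        if f[3]:                               # skip sections without raw data
            secs.append((f[4], f[3]))          # (PointerToRawData, SizeOfRawData)
    holes, pos, hashed = [], size_of_headers, size_of_headers
    for ptr, size in sorted(secs):
        if ptr > pos:
            holes.append((pos, ptr))           # bytes no section covers
        pos = max(pos, ptr + size)
        hashed += size
    return {"holes": holes, "sum_hashed": hashed,
            "last_section_end": pos, "file_size": len(img)}

if __name__ == "__main__":
    r = hashed_layout(build_sample())
    for start, end in r["holes"]:
        print(f"hole {start:#x}-{end:#x}")
    # Assumed rule: extra data starts at sum_hashed, so a hole makes it
    # begin inside the last section instead of after it.
    print(f"extra data {r['sum_hashed']:#x}-{r['file_size']:#x}, "
          f"last section ends {r['last_section_end']:#x}")
```

On the constructed image the hole is 0x600-0x680 and the computed extra-data range 0x800-0x880 lies inside the last section, which is how a hole between sections shows up as an overlap.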