Correction: s/sbtool/sbsign/

On Mon, Apr 22, 2024 at 12:35 PM Randy Goldenberg <[email protected]> wrote:

> My guess is that the problem is caused by the tool used for signing the
> image, presumably sbtool, which doesn't seem to have updated SizeOfImage.
>
> If you do a hexdump of the grub image and jump to the offset at the value
> given for SizeOfImage by objdump, it's apparent that that's where the data
> added by sbtool begins.
>
> The last line of the hexdump will give you the size of the image. If you
> edit the image, replacing the value of SizeOfImage (offset 000000d0) with
> the true size of the image (note: image is little endian),
> hash-to-efi-sig-list will then succeed.
>
> That's as far as my poking around has taken me. It's possible that the
> edit may break other things.
>
> On Fri, Apr 19, 2024 at 12:06 AM Haruki TSURUMOTO <[email protected]> wrote:
>
>> On 2024/04/19 6:54, Randy Goldenberg wrote:
>> > What version of grub2 are you using, and where did it come from?
>>
>> grub2-2.06-70.el9_3.2, which comes from AlmaLinux.
>>
>> > On Thu, Apr 18, 2024 at 6:01 AM Haruki TSURUMOTO <[email protected]> wrote:
>> >
>> >     Hi, I am an engineer trying Secure Boot reviews.
>> >
>> >     I have a question about grub2's binary.
>> >
>> >     We need to add the previous grub2's PE hash value to "vendor_dbx.esl"
>> >     (it will be embedded in our shim) to pass the Secure Boot review clauses.
>> >
>> >     We tried to generate the dbx file with efitools
>> >     (https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git)
>> >     hash-to-efi-sig-list(1);
>> >     however, we encountered the error below.
>> >
>> >     "Failed to get hash of grubx64.efi: 2"
>> >
>> >     We researched the reason for the error: the grub2 binary is detected as
>> >     'Malformed security header' by efitools.
>> >
>> >     https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git/tree/lib/pecoff.c#n120
>> >
>> >     This is objdump's output.
>> >     --
>> >     $ objdump -x ./grubx64.efi | grep -E '(SizeOfImage|Security Directory)'
>> >     SizeOfImage 0026b000
>> >     Entry 4 000000000026b000 00000640 Security Directory
>> >     --
>> >
>> >     Also, this error is reproducible in very famous distributions
>> >     (e.g. Debian, Ubuntu, and Fedora).
>> >
>> >     Does anyone know whether this is an efitools bug, or are we using the
>> >     wrong tools?
>> >
>> >     --
>> >     Haruki TSURUMOTO
