From: Simon Horman <horms@kernel.org>
To: Pingfan Liu <piliu@redhat.com>
Cc: kexec@lists.infradead.org
Subject: Re: [PATCH 2/2] pe-zboot: Truncate the trailing zero if Image is signed
Date: Fri, 13 Dec 2024 12:43:13 +0000 [thread overview]
Message-ID: <20241213124313.GV2110@kernel.org> (raw)
In-Reply-To: <20241206024445.10442-3-piliu@redhat.com>
On Fri, Dec 06, 2024 at 10:44:43AM +0800, Pingfan Liu wrote:
> *** Issue ***
> In the linux kernel drivers/firmware/efi/libstub/Makefile.zboot, the
> original Image is padded with zero, using the following instruction:
> truncate -s $$(hexdump -s16 -n4 -e '"%u"' $<) $@
>
> Hence pe-zboot.c decomopresses and gets Image plus trailing zeroes.
>
> These trailing zeroes don't affect loading the original PE file. But
> they do raise an issue during the signature verfication. The root cause is
> that the kernel function:
> static int pefile_digest_pe_contents(const void *pebuf, unsigned int pelen,
> struct pefile_context *ctx,
> struct shash_desc *desc)
> treats [pebuf, pebuf+pelen] as valid payload, which includes the
> trailing zeroes. But that is not the truth.
>
> *** Solution ***
> In pratice, the table of attribute certificates come at the end of a
> PE file. This patch utilizes that fact and truncates at the boundary of the
> certificate table to get the original Image.
>
> Signed-off-by: Pingfan Liu <piliu@redhat.com>
> Cc: Simon Horman <horms@kernel.org>
> To: kexec@lists.infradead.org
Thanks, applied after addressing some minor spelling issues
in the patch description.
prev parent reply other threads:[~2024-12-13 12:43 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-06 2:44 [PATCH 0/2] kexec-tools: Truncate PE file if it is signed Pingfan Liu
2024-12-06 2:44 ` [PATCH 1/2] PE: Extract get_pehdr_offset() for reuse Pingfan Liu
2024-12-13 12:43 ` Simon Horman
2024-12-06 2:44 ` [PATCH 2/2] pe-zboot: Truncate the trailing zero if Image is signed Pingfan Liu
2024-12-13 12:43 ` Simon Horman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241213124313.GV2110@kernel.org \
--to=horms@kernel.org \
--cc=kexec@lists.infradead.org \
--cc=piliu@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.