From: Nathan Chancellor <nathan@kernel.org>
To: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
Cc: stable@vger.kernel.org, regressions@lists.linux.dev,
masahiroy@kernel.org, Alexey Gladkov <legion@kernel.org>,
Nicolas Schier <nsc@kernel.org>
Subject: Re: [REGRESSION] Secureboot violation for linux enrolled by-hash into db v6.17.4 and v6.18-rc1
Date: Wed, 22 Oct 2025 01:02:22 +0200 [thread overview]
Message-ID: <20251021230222.GA2339441@ax162> (raw)
In-Reply-To: <CANBHLUjPbXYghPx5zDwLDcGKXb7v7+1u-bpZ=L9r=qW7vDZ=cg@mail.gmail.com>
+ Nicolas and Alexey just for visibility
On Tue, Oct 21, 2025 at 03:00:56PM +0100, Dimitri John Ledkov wrote:
> If one enrolls linux kernel by-hash into db (for example using
> virt-fw-vars), the secureboot fails with security violation as EDK2
> computation of authenticode for the linux binary doesn't match the
> enrolled hash.
>
> This is reproducible in AWS VMs, as well as locally with EDK2 builds
> with secureboot.
>
> Not affected v6.17
> Not affected v6.17.3
> Affected v6.17.4
> Affected v6.18-rc1
> Affected v6.18-rc2
>
> Suspected patches are:
>
> $ git log --oneline v6.17.3..v6.17.4 -- scripts/
> 8e5e13c8df9e6 kbuild: Add '.rel.*' strip pattern for vmlinux
> 7b80f81ae3190 kbuild: Restore pattern to avoid stripping .rela.dyn from vmlinux
> 5b5cdb1fe434e kbuild: keep .modinfo section in vmlinux.unstripped
> 86f364ee58420 kbuild: always create intermediate vmlinux.unstripped
>
> Reverting all of the above, makes secureboot with by-hash enrolled
> into db work again.
>
> I will try to bisect this further to determine the culprit. It feels
> like the strip potentially didn't update section offsets or their
> numbers or something like that.
A bisect would definitely help since the first sentence of this message
is almost complete gibberish to me :) Is this a part of the build
process somewhere or does this happen after vmlinux is produced?
Cheers,
Nathan
prev parent reply other threads:[~2025-10-21 23:02 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-21 14:00 [REGRESSION] Secureboot violation for linux enrolled by-hash into db v6.17.4 and v6.18-rc1 Dimitri John Ledkov
2025-10-21 16:07 ` Greg KH
2025-10-21 23:02 ` Nathan Chancellor [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251021230222.GA2339441@ax162 \
--to=nathan@kernel.org \
--cc=dimitri.ledkov@surgut.co.uk \
--cc=legion@kernel.org \
--cc=masahiroy@kernel.org \
--cc=nsc@kernel.org \
--cc=regressions@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.