From: Nathan Chancellor <nathan@kernel.org>
To: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
Cc: linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org,
masahiroy@kernel.org, arnd@arndb.de,
linux-kbuild@vger.kernel.org, legion@kernel.org, nsc@kernel.org
Subject: Re: [PATCH] kbuild: align modinfo section for Secureboot Authenticode EDK2 compat
Date: Sun, 26 Oct 2025 14:56:35 -0700
Message-ID: <20251026215635.GA2368369@ax162>
In-Reply-To: <20251026202100.679989-1-dimitri.ledkov@surgut.co.uk>

Hi Dimitri,

On Sun, Oct 26, 2025 at 08:21:00PM +0000, Dimitri John Ledkov wrote:
> Previously linker scripts would always generate vmlinuz that has sections
> aligned. And thus padded (correct Authenticode calculation) and unpadded

Was this something that was guaranteed to happen or did it just always
happen by coincidence? Is there a way to enforce this?

> calculation would be same. As in https://github.com/rhboot/pesign userspace
> tool would produce the same authenticode digest for both of the following
> commands:
>
> pesign --padding --hash --in ./arch/x86_64/boot/bzImage
> pesign --nopadding --hash --in ./arch/x86_64/boot/bzImage
>
> The commit 3e86e4d74c04 ("kbuild: keep .modinfo section in
> vmlinux.unstripped") added .modinfo section of variable length. Depending
> on kernel configuration it may or may not be aligned.
>
> All userspace signing tooling correctly pads such section to calculate
> spec compliant authenticode digest.

I might be missing something here but .modinfo should not be in the
final vmlinux since it gets stripped out via the strip_relocs rule in
scripts/Makefile.vmlinux. Does this matter because an unaligned .modinfo
section could potentially leave sections after it in the linker scripts
unaligned as well?

> However, if bzImage is not further processed and is attempted to be loaded
> directly by EDK2 firmware, it calculates unpadded Authenticode digest and

Could this affect other bootloaders as well? I noticed this report about
rEFInd and pointed them here in case it was related:

https://lore.kernel.org/CAB95QARfqSUNJCCgyPcTPu0-hk10e-sOVVMrnpKd6OdV_PHrGA@mail.gmail.com/

> fails to correctly accept/reject such kernel builds even when proper
> Authenticode values are enrolled in db/dbx. One can say EDK2 requires
> aligned/padded kernels in Secureboot.
>
> Thus add ALIGN(8) to the .modinfo section, to ensure kernels irrespective of
> modinfo contents can be loaded by all existing EDK2 firmware builds.
>
> Fixes: 3e86e4d74c04 ("kbuild: keep .modinfo section in vmlinux.unstripped")

I took this change via the Kbuild tree for 6.18-rc1 so I can pick this
up for kbuild-fixes or Arnd can take this if he has anything pending for
fixes in the asm-generic tree.

> Cc: stable@vger.kernel.org
> Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
> ---
> include/asm-generic/vmlinux.lds.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
> index 8a9a2e732a65b..e04d56a5332e6 100644
> --- a/include/asm-generic/vmlinux.lds.h
> +++ b/include/asm-generic/vmlinux.lds.h
> @@ -832,7 +832,7 @@ defined(CONFIG_AUTOFDO_CLANG) || defined(CONFIG_PROPELLER_CLANG)
>
> /* Required sections not related to debugging. */
> #define ELF_DETAILS \
> - .modinfo : { *(.modinfo) } \
> + .modinfo : { *(.modinfo) . = ALIGN(8); } \
> .comment 0 : { *(.comment) } \
> .symtab 0 : { *(.symtab) } \
> .strtab 0 : { *(.strtab) } \
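
Review bot: the `. = ALIGN(8);` added on the `.modinfo` line of ELF_DETAILS has no comment, and neither the hunk nor the commit message says why 8 is the required boundary. ELF_DETAILS lives in include/asm-generic and is shared by every architecture's linker script, so a one-line comment above the macro stating that the end of .modinfo is padded so that what follows stays aligned for the unpadded Authenticode digest EDK2 computes would keep the padding from being removed in a later cleanup. Also note that this statement advances the location counter only at the end of the section; the start of .modinfo still takes whatever offset the preceding output leaves. If the requirement covers the section start as well, `.modinfo : ALIGN(8) { *(.modinfo) . = ALIGN(8); }` would express both.
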
> --
> 2.51.0
>