[REGRESSION] Secureboot violation for linux enrolled by-hash into db v6.17.4 and v6.18-rc1

[REGRESSION] Secureboot violation for linux enrolled by-hash into db v6.17.4 and v6.18-rc1

[Dimitri John Ledkov]

If one enrolls linux kernel by-hash into db (for example using
virt-fw-vars), the secureboot fails with security violation as EDK2
computation of authenticode for the linux binary doesn't match the
enrolled hash.

This is reproducible in AWS VMs, as well as locally with EDK2 builds
with secureboot.

Not affected v6.17
Not affected v6.17.3
Affected v6.17.4
Affected v6.18-rc1
Affected v6.18-rc2

Suspected patches are:

$ git log --oneline  v6.17.3..v6.17.4 -- scripts/
8e5e13c8df9e6 kbuild: Add '.rel.*' strip pattern for vmlinux
7b80f81ae3190 kbuild: Restore pattern to avoid stripping .rela.dyn from vmlinux
5b5cdb1fe434e kbuild: keep .modinfo section in vmlinux.unstripped
86f364ee58420 kbuild: always create intermediate vmlinux.unstripped

Reverting all of the above, makes secureboot with by-hash enrolled
into db work again.

I will try to bisect this further to determine the culprit. It feels
like the strip potentially didn't update section offsets or their
numbers or something like that.

-- 
Regards,

Dimitri.

Re: [REGRESSION] Secureboot violation for linux enrolled by-hash into db v6.17.4 and v6.18-rc1

[Greg KH]

On Tue, Oct 21, 2025 at 03:00:56PM +0100, Dimitri John Ledkov wrote:
> If one enrolls linux kernel by-hash into db (for example using
> virt-fw-vars), the secureboot fails with security violation as EDK2
> computation of authenticode for the linux binary doesn't match the
> enrolled hash.
> 
> This is reproducible in AWS VMs, as well as locally with EDK2 builds
> with secureboot.
> 
> Not affected v6.17
> Not affected v6.17.3
> Affected v6.17.4
> Affected v6.18-rc1
> Affected v6.18-rc2

great, we are bug compatible :)

Once this is fixed in Linus's tree, we will be glad to take the fix into
the stable branch.

thanks,

greg k-h

Re: [REGRESSION] Secureboot violation for linux enrolled by-hash into db v6.17.4 and v6.18-rc1

[Nathan Chancellor]

+ Nicolas and Alexey just for visibility

On Tue, Oct 21, 2025 at 03:00:56PM +0100, Dimitri John Ledkov wrote:
> If one enrolls linux kernel by-hash into db (for example using
> virt-fw-vars), the secureboot fails with security violation as EDK2
> computation of authenticode for the linux binary doesn't match the
> enrolled hash.
> 
> This is reproducible in AWS VMs, as well as locally with EDK2 builds
> with secureboot.
> 
> Not affected v6.17
> Not affected v6.17.3
> Affected v6.17.4
> Affected v6.18-rc1
> Affected v6.18-rc2
> 
> Suspected patches are:
> 
> $ git log --oneline  v6.17.3..v6.17.4 -- scripts/
> 8e5e13c8df9e6 kbuild: Add '.rel.*' strip pattern for vmlinux
> 7b80f81ae3190 kbuild: Restore pattern to avoid stripping .rela.dyn from vmlinux
> 5b5cdb1fe434e kbuild: keep .modinfo section in vmlinux.unstripped
> 86f364ee58420 kbuild: always create intermediate vmlinux.unstripped
> 
> Reverting all of the above, makes secureboot with by-hash enrolled
> into db work again.
> 
> I will try to bisect this further to determine the culprit. It feels
> like the strip potentially didn't update section offsets or their
> numbers or something like that.

A bisect would definitely help since the first sentence of this message
is almost complete gibberish to me :) Is this a part of the build
process somewhere or does this happen after vmlinux is produced?

Cheers,
Nathan