From: Nathan Chancellor <nathan@kernel.org>
To: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
Cc: stable@vger.kernel.org, regressions@lists.linux.dev,
masahiroy@kernel.org, Alexey Gladkov <legion@kernel.org>,
Nicolas Schier <nsc@kernel.org>
Subject: Re: [REGRESSION] Secureboot violation for linux enrolled by-hash into db v6.17.4 and v6.18-rc1
Date: Wed, 22 Oct 2025 01:02:22 +0200 [thread overview]
Message-ID: <20251021230222.GA2339441@ax162> (raw)
In-Reply-To: <CANBHLUjPbXYghPx5zDwLDcGKXb7v7+1u-bpZ=L9r=qW7vDZ=cg@mail.gmail.com>
+ Nicolas and Alexey just for visibility
On Tue, Oct 21, 2025 at 03:00:56PM +0100, Dimitri John Ledkov wrote:
> If one enrolls linux kernel by-hash into db (for example using
> virt-fw-vars), the secureboot fails with security violation as EDK2
> computation of authenticode for the linux binary doesn't match the
> enrolled hash.
>
> This is reproducible in AWS VMs, as well as locally with EDK2 builds
> with secureboot.
>
> Not affected v6.17
> Not affected v6.17.3
> Affected v6.17.4
> Affected v6.18-rc1
> Affected v6.18-rc2
>
> Suspected patches are:
>
> $ git log --oneline v6.17.3..v6.17.4 -- scripts/
> 8e5e13c8df9e6 kbuild: Add '.rel.*' strip pattern for vmlinux
> 7b80f81ae3190 kbuild: Restore pattern to avoid stripping .rela.dyn from vmlinux
> 5b5cdb1fe434e kbuild: keep .modinfo section in vmlinux.unstripped
> 86f364ee58420 kbuild: always create intermediate vmlinux.unstripped
>
> Reverting all of the above, makes secureboot with by-hash enrolled
> into db work again.
>
> I will try to bisect this further to determine the culprit. It feels
> like the strip potentially didn't update section offsets or their
> numbers or something like that.
A bisect would definitely help since the first sentence of this message
is almost complete gibberish to me :) Is this a part of the build
process somewhere or does this happen after vmlinux is produced?
Cheers,
Nathan
prev parent reply other threads:[~2025-10-21 23:02 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-21 14:00 [REGRESSION] Secureboot violation for linux enrolled by-hash into db v6.17.4 and v6.18-rc1 Dimitri John Ledkov
2025-10-21 16:07 ` Greg KH
2025-10-21 23:02 ` Nathan Chancellor [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251021230222.GA2339441@ax162 \
--to=nathan@kernel.org \
--cc=dimitri.ledkov@surgut.co.uk \
--cc=legion@kernel.org \
--cc=masahiroy@kernel.org \
--cc=nsc@kernel.org \
--cc=regressions@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox