On Fri, Dec 06, 2024 at 10:44:43AM +0800, Pingfan Liu wrote:
> *** Issue ***
> In the linux kernel drivers/firmware/efi/libstub/Makefile.zboot, the
> original Image is padded with zero, using the following instruction:
>   truncate -s $$(hexdump -s16 -n4 -e '"%u"' $<) $@
>
> Hence pe-zboot.c decompresses and gets Image plus trailing zeroes.
>
> These trailing zeroes don't affect loading the original PE file. But
> they do raise an issue during the signature verification. The root cause is
> that the kernel function:
>   static int pefile_digest_pe_contents(const void *pebuf, unsigned int pelen,
>                                        struct pefile_context *ctx,
>                                        struct shash_desc *desc)
> treats [pebuf, pebuf+pelen] as valid payload, which includes the
> trailing zeroes. But that is not the truth.
>
> *** Solution ***
> In practice, the table of attribute certificates comes at the end of a
> PE file. This patch utilizes that fact and truncates at the boundary of the
> certificate table to get the original Image.
>
> Signed-off-by: Pingfan Liu <piliu@xxxxxxxxxx>
> Cc: Simon Horman <horms@xxxxxxxxxx>
> To: kexec@xxxxxxxxxxxxxxxxxxx

Thanks, applied after addressing some minor spelling issues in the patch description.
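
The truncation outlined in the quoted patch description, sketched as an added example; it is not the kexec-tools patch or kernel code. `pe_signed_len`, `make_sample` and the sample layout are hypothetical names and constructed input, and the sketch assumes, as the description does, that the attribute certificate table is the last thing in the PE file.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Little-endian accessors that do not assume alignment. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Hypothetical helper: length of the PE file in buf[0..len) up to the end of its
 * certificate table. Returns len if there is no table, 0 on malformed input. */
size_t pe_signed_len(const uint8_t *buf, size_t len)
{
	if (len < 0x40 || memcmp(buf, "MZ", 2) != 0)
		return 0;
	size_t pe = rd32(buf + 0x3c);                     /* e_lfanew */
	if (pe > len || len - pe < 26 || memcmp(buf + pe, "PE\0\0", 4) != 0)
		return 0;
	size_t opt = pe + 24;                             /* past signature + COFF header */
	size_t opt_size = rd16(buf + pe + 20);            /* SizeOfOptionalHeader */
	uint16_t magic = rd16(buf + opt);
	size_t dirs = magic == 0x10b ? 96 : magic == 0x20b ? 112 : 0; /* PE32 / PE32+ */
	if (dirs == 0 || opt_size < dirs || len - opt < opt_size)
		return 0;
	if (rd32(buf + opt + dirs - 4) <= 4)              /* NumberOfRvaAndSizes */
		return len;
	if (opt_size < dirs + 5 * 8)                      /* entry 4 must fit */
		return 0;
	const uint8_t *ent = buf + opt + dirs + 4 * 8;    /* directory entry 4 */
	uint64_t off = rd32(ent), size = rd32(ent + 4);   /* file offset, not an RVA */
	if (off == 0 || size == 0)
		return len;                               /* unsigned: nothing to trim */
	return off + size <= len ? (size_t)(off + size) : 0;
}

/* Constructed sample: minimal PE32+ headers, certificate table at
 * [cert_off, cert_off + cert_size), every other byte zero like the padding. */
void make_sample(uint8_t *buf, size_t len, uint32_t cert_off, uint32_t cert_size)
{
	memset(buf, 0, len);
	memcpy(buf, "MZ", 2);
	wr32(buf + 0x3c, 0x40);               /* e_lfanew */
	memcpy(buf + 0x40, "PE\0\0", 4);
	buf[0x40 + 20] = 240;                 /* SizeOfOptionalHeader: 112 + 16 * 8 */
	buf[0x58] = 0x0b; buf[0x59] = 0x02;   /* PE32+ magic at optional header start */
	wr32(buf + 0x58 + 108, 16);           /* NumberOfRvaAndSizes */
	wr32(buf + 0x58 + 112 + 32, cert_off);
	wr32(buf + 0x58 + 112 + 36, cert_size);
}
```

The value returned for a padded buffer is the length to hand to signature verification in place of the padded size.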