
uefisign: handle empty sections
ClosedPublic

Authored by vangyzen on Apr 6 2021, 2:58 PM.

Details

Summary

loader.efi has an empty set_Xfic section. Handle it correctly.

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
[...]
3 set_Xcom      00000168  00000000000d4000  00000000000d4000  000d0e00  2**2
	      CONTENTS, ALLOC, LOAD, DATA
4 set_Xfic      00000000  00000000000d4168  00000000000d4168  00000000  2**2
	      ALLOC, LOAD, DATA
5 .sdata        00000448  00000000000d5000  00000000000d5000  000d1000  2**2
	      CONTENTS, ALLOC, LOAD, DATA
[...]

MFC after: 1 week
Sponsored by: Dell EMC Isilon

Test Plan

uefisign signs loader.efi, and uefisign -V says it's signed:

$ uefisign -Vv loader.efi.signed
file contains signature
computed SHA256 digest a2fad11ba39e04c55ec6480f06f45e467388eab1fea6fb59e8e7e39b602aaf00; digest len 32
to dump PKCS7:
    dd if='loader.efi.signed' bs=1 skip=898568 | openssl pkcs7 -inform DER -print
to dump raw ASN.1:
    openssl asn1parse -i -inform DER -offset 898568 -in 'loader.efi.signed'

@andy.y.liu_dell.com tested on a physical machine with Secure Boot enabled. It booted successfully. (Thanks!)
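The edge case from the summary, as an added example that is not uefisign's code: a Python model of the Authenticode section walk over PE section headers, run on a constructed image that mirrors the objdump layout above (set_Xfic with Size 0 and File off 0; all offsets and contents here are made up). Only the section stage of the digest is modelled, not the header or trailing-data stages.

```python
import hashlib
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics.
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")

def parse_sections(image, table_offset, count):
    """Return (name, SizeOfRawData, PointerToRawData) for each header."""
    secs = []
    for i in range(count):
        f = SECTION_HDR.unpack_from(image, table_offset + i * SECTION_HDR.size)
        secs.append((f[0].rstrip(b"\0").decode("ascii", "replace"), f[3], f[4]))
    return secs

def hash_sections(image, sections):
    """Feed section bodies to SHA-256 in Authenticode order (ascending
    PointerToRawData). A section with SizeOfRawData == 0 has no bytes in the
    file and typically PointerToRawData == 0 too, so it is skipped before any
    range check rather than treated as data at file offset 0."""
    h, hashed = hashlib.sha256(), []
    for name, size, off in sorted(sections, key=lambda s: s[2]):
        if size == 0:
            continue                                   # empty section
        if off + size > len(image):
            raise ValueError(f"section {name} runs past end of file")
        h.update(image[off:off + size])
        hashed.append(name)
    return h.hexdigest(), hashed

def build_sample_image():
    """Constructed toy image: section table at offset 0, then the raw data of
    the two non-empty sections. Mirrors the objdump layout in the summary,
    where set_Xfic has Size 0 and File off 0 (offsets here are made up)."""
    hdrs = [(b"set_Xcom", 8, 0x1000, 8, 0x80),
            (b"set_Xfic", 0, 0x1008, 0, 0x00),        # the empty section
            (b".sdata",   8, 0x2000, 8, 0x88)]
    image = bytearray(0x90)
    for i, (n, vs, va, sz, off) in enumerate(hdrs):
        SECTION_HDR.pack_into(image, i * SECTION_HDR.size, n, vs, va, sz, off,
                              0, 0, 0, 0, 0)
    image[0x80:0x88], image[0x88:0x90] = b"XCOMDATA", b"SDATA..."
    return bytes(image), len(hdrs)

def digest_sample():
    image, count = build_sample_image()
    return hash_sections(image, parse_sections(image, 0, count))
```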

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

No objections, but please note that 'uefisign -V' doesn't actually verify the signature. It would be useful to try to actually boot the signed binary.

This revision is now accepted and ready to land. Apr 6 2021, 3:13 PM


Yes, I'm chasing that right now.

Thanks for the review.

This revision was automatically updated to reflect the committed changes.