From: Jan Kiszka <[email protected]>

Keeping it between the last stub section data and the first section we append creates a problematic gap between section data in the file. This is not explicitly allowed by the Authenticode specification for PE files. That spec rather assumes that there is only extra data at the end of the file which it demands to be hashed as well. The formula provided in the spec to calculate the start and size of that extra data fails if there are gaps between sections. While signing tools and EDK2 seem to be fine with that, we are in a gray zone here with the generated image.
Avoid this by simply ripping out the symbol table before appending our extra sections. We do that by tracking the final end of all section data per PEHeaders, even across section additions in order to stay consistent with this new (internal) API. Signed-off-by: Jan Kiszka <[email protected]> --- Changes in v2: - typo fixes in commit message, no code changes tools/bg_gen_unified_kernel | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/tools/bg_gen_unified_kernel b/tools/bg_gen_unified_kernel index dc5328c..afda8ce 100755 --- a/tools/bg_gen_unified_kernel +++ b/tools/bg_gen_unified_kernel @@ -102,6 +102,7 @@ class PEHeaders: exit(1) self.first_data = len(blob) + self.end_of_sections = 0 self.sections = [] for n in range(num_sections): @@ -115,6 +116,10 @@ class PEHeaders: if section.data_size and section.data_offs < self.first_data: self.first_data = section.data_offs + end_of_section = section.data_offs + section.data_size + if end_of_section > self.end_of_sections: + self.end_of_sections = end_of_section + self.sections.append(section) section_offs += 0x28 @@ -200,6 +205,10 @@ class PEHeaders: if sect.data_size > 0: sect.data_offs += file_relocation + end_of_section = section.data_offs + section.data_size + if end_of_section > self.end_of_sections: + self.end_of_sections = end_of_section + def main(): parser = argparse.ArgumentParser( @@ -235,10 +244,11 @@ def main(): pe_headers = PEHeaders('stub image', stub) stub_first_data = pe_headers.first_data + stub_end_of_sections = pe_headers.end_of_sections file_align = pe_headers.get_file_alignment() # Add extra section headers - current_offs = align(len(stub), file_align) + current_offs = align(stub_end_of_sections, file_align) sect_size = align(len(cmdline), file_align) cmdline_section = Section(b'.cmdline', sect_size, 0x30000, sect_size, current_offs, 
@@ -314,7 +324,7 @@ def main(): image += bytearray(pe_headers.first_data - len(image)) # Write remaining stub - image += stub[stub_first_data:] + image += stub[stub_first_data:stub_end_of_sections] # Write data of extra sections image += bytearray(cmdline_section.data_offs - len(image)) -- 2.35.3
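
Review bot: in the parse loop (@@ -115,6 +116,10) `end_of_section` is computed for every section, while the `first_data` check directly above it is guarded by `if section.data_size and ...`. A section with a `data_size` of 0 and a nonzero `data_offs` would still raise `end_of_sections`; applying the same `data_size` guard here would keep both bounds derived from the same set of sections.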
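
Review bot: in the @@ -200,6 +205,10 hunk the added lines read `section.data_offs` while the loop just above relocates `sect.data_offs`, and `end_of_sections` is not moved when the existing sections are shifted by `file_relocation`. The tracked value is therefore only correct as long as `section` ends beyond every relocated section. Recomputing the maximum over `self.sections` after the shift would remove that assumption, and a short comment saying which object `section` is would help readers of this block.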
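
Review bot: `current_offs = align(stub_end_of_sections, file_align)` in the @@ -235,10 +244,11 hunk assumes that everything in the stub past the last section's data is the symbol table. Nothing in the visible lines verifies that, so any other trailing data in a stub would be dropped silently. Consider a check or a warning that reports `len(stub) - stub_end_of_sections` when it is nonzero, and a comment stating that the cut is intentional.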
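
Review bot: no hunk shown clears the COFF header fields that locate the symbol table, although `image += stub[stub_first_data:stub_end_of_sections]` in the @@ -314,7 +324,7 hunk stops copying the table itself. If the stub header carries a nonzero symbol table pointer and symbol count, they would now refer to offsets that hold the appended section data. Clearing both fields when the headers are written would keep the image self-consistent.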
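
The gap problem described in the commit message can be reproduced with a small check. This is an added example, not code from the patch or from EFI Boot Guard: it applies the Authenticode extra-data formula (extra data starts at SizeOfHeaders plus the sum of all SizeOfRawData values) and compares it with the real section layout. The function names and the sample image are constructed for illustration.

```python
import struct

def section_layout(pe: bytes):
    """Return (SizeOfHeaders, sorted [(raw_offset, raw_size)]) of a PE image."""
    pe_off, = struct.unpack_from('<I', pe, 0x3c)
    if pe[pe_off:pe_off + 4] != b'PE\0\0':
        raise ValueError('not a PE image')
    num_sections, = struct.unpack_from('<H', pe, pe_off + 6)
    opt_size, = struct.unpack_from('<H', pe, pe_off + 20)
    opt_off = pe_off + 24
    size_of_headers, = struct.unpack_from('<I', pe, opt_off + 60)
    table = opt_off + opt_size
    sections = []
    for n in range(num_sections):
        raw_size, raw_offs = struct.unpack_from('<II', pe, table + n * 0x28 + 16)
        if raw_size:
            sections.append((raw_offs, raw_size))
    return size_of_headers, sorted(sections)

def authenticode_extra_data(pe: bytes, cert_table_size: int = 0):
    """Compare the spec's extra-data range with the real section layout."""
    size_of_headers, sections = section_layout(pe)
    sum_hashed = size_of_headers + sum(size for _, size in sections)
    gaps, pos = [], size_of_headers
    for offs, size in sections:
        if offs > pos:
            gaps.append((pos, offs))       # bytes that no section covers
        pos = max(pos, offs + size)
    return {'spec_extra_start': sum_hashed,
            'spec_extra_size': len(pe) - cert_table_size - sum_hashed,
            'end_of_sections': pos,
            'gaps': gaps}

def build_sample(gap: int) -> bytes:
    """Constructed image: two 0x200-byte sections with `gap` bytes between."""
    hdr = bytearray(0x200)
    hdr[0:2] = b'MZ'
    struct.pack_into('<I', hdr, 0x3c, 0x40)          # e_lfanew
    hdr[0x40:0x44] = b'PE\0\0'
    struct.pack_into('<H', hdr, 0x46, 2)             # NumberOfSections
    struct.pack_into('<H', hdr, 0x54, 0xf0)          # SizeOfOptionalHeader
    struct.pack_into('<I', hdr, 0x58 + 60, 0x200)    # SizeOfHeaders
    for n, offs in enumerate((0x200, 0x400 + gap)):
        struct.pack_into('<II', hdr, 0x148 + n * 0x28 + 16, 0x200, offs)
    return bytes(hdr) + bytes(0x200) + bytes(gap) + bytes(0x200)

if __name__ == '__main__':
    for gap in (0, 0x200):
        print(hex(gap), authenticode_extra_data(build_sample(gap)))
```

With a gap of 0x200 bytes, the formula places the extra data at 0x600..0x800, which is the second section's own data, while the real gap at 0x400..0x600 is not covered by any hashed range.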
