From: Jan Kiszka <jan.kis...@siemens.com>

Someone decided to sign the kernel stub. The generator does not expect that and delivers an inconsistent UKI as output. We could address that by removing the stub signature, but it is simply not worth it, given that signing the stub never makes sense. Instead, detect the unexpected input and simply reject it.

Signed-off-by: Jan Kiszka <jan.kis...@siemens.com> --- tools/bg_gen_unified_kernel | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tools/bg_gen_unified_kernel b/tools/bg_gen_unified_kernel index 8fc9b05..0051bf4 100755 --- a/tools/bg_gen_unified_kernel +++ b/tools/bg_gen_unified_kernel @@ -55,6 +55,7 @@ class PEHeaders: OPT_OFFS_FILE_ALIGNMENT = [0x24, 0x24] OPT_OFFS_SIZE_OF_IMAGE = [0x38, 0x38] OPT_OFFS_SIZE_OF_HEADERS = [0x3C, 0x3C] + OPT_OFFS_CERT_TABLE_SIZE = [0x84, 0x94] def __init__(self, name, blob): # Parse headers: DOS, COFF, optional header @@ -255,6 +256,12 @@ def main(): stub = args.stub.read() pe_headers = PEHeaders('stub image', stub) + + if pe_headers.get_opt_header_field(PEHeaders.OPT_OFFS_CERT_TABLE_SIZE) > 0: + print("Signed stub image detected which is neither supported nor " + "makes any sense", file=sys.stderr) + exit(1) + stub_first_data = pe_headers.first_data stub_end_of_sections = pe_headers.end_of_sections file_align = pe_headers.get_file_alignment() -- 2.43.0
To view this discussion visit https://groups.google.com/d/msgid/efibootguard-dev/f59f6f4ace1819c8ee886f521ceca4c448d2deb9.1730627538.git.jan.kiszka%40siemens.com.
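
Review bot: the new OPT_OFFS_CERT_TABLE_SIZE constant in class PEHeaders is read at a fixed offset, and nothing in the visible lines confirms that the optional header actually carries that data directory entry. 0x84 and 0x94 are the size fields of data directory entry 4 (Certificate Table) for PE32 and PE32+ respectively, so the read is only meaningful when NumberOfRvaAndSizes is at least 5. For a stub with a shorter directory array, the field would be taken from whatever follows the optional header, which could trigger a false rejection or let a signed image through. Consider checking NumberOfRvaAndSizes before the read. A short comment would also help here: this is the first constant in the visible group whose two values differ, so the [PE32, PE32+] pairing and the fact that it is the size half of the directory entry deserve a note.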
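
Review bot: the bare exit(1) in the new check in main() depends on the builtin that the site module installs for interactive use. The same hunk already uses sys.stderr, so sys.exit(1) is available and is the more robust call for a script. The message "neither supported nor makes any sense" also leaves the user without a next step. Saying that the stub image carries a signature (non-zero certificate table size) and that an unsigned stub must be supplied would make the rejection actionable.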