Despite all the changes here as well as in gnu-efi upstream, we still had issues with wholes in the arm 32-bit EFI binaries we built when using gnu-efi 3.0.19 or newer. These wholes did not prevent to sign the binaries, and also sbverify was validating them successfully but it already warned that the result could lead to different checksums. And that was actually the case for U-Boot as EFI provider.
There were multiple reasons for the wholes such as empty sections that still used space or the wdfuncs section that could not be known to the linker script of gnu-efi but required in the final EFI image. This series resolves the wholes while keeping things fine for older gnu-efi versions. Successfully tested with buster (3.0.9) through trixie (3.0.19 + [1]) on all supported archs (riscv64 only on trixie). Jan [1] https://github.com/ncroxon/gnu-efi/commit/24a4cd0e5653fd84b004c00c808c45cc3fb7a7e2 Jan Kiszka (3): Align EFI linking options with recent gnu-efi Do exploit constructors for registering drivers Makefile: Drop no longer needed assembly rule Makefile.am | 24 +++++++++++++--------- configure.ac | 8 +++++++- drivers/watchdog/wdfuncs_end.c | 10 ++++++--- drivers/watchdog/wdfuncs_start.c | 10 ++++++--- include/utils.h | 19 ++++++++++++----- main.c | 35 ++++++++++++++++++++++++-------- scripts/cppcheck.sh | 5 +++-- 7 files changed, 79 insertions(+), 32 deletions(-) -- 2.43.0 -- You received this message because you are subscribed to the Google Groups "EFI Boot Guard" group. To unsubscribe from this group and stop receiving emails from it, send an email to efibootguard-dev+unsubscr...@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/efibootguard-dev/cover.1755862361.git.jan.kiszka%40siemens.com.
