What version of grub2 are you using, and where did it come from?

On Thu, Apr 18, 2024 at 6:01 AM Haruki TSURUMOTO <tsu.r...@gmail.com> wrote:
> Hi, I am an engineer trying Secure Boot reviews.
>
> I have a question about grub2's binary.
>
> We need to add the previous grub2's PE hash value to "vendor_dbx.esl" (it
> will be embedded in our shim) to pass the Secure Boot review clauses.
>
> We tried to generate the dbx file with efitools
> (https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git)
> hash-to-efi-sig-list(1);
> however, we encountered the error below.
>
> "Failed to get hash of grubx64.efi: 2"
>
> We researched the reason for the error: the grub2 binary is detected as
> 'Malformed security header' by efitools.
>
> https://git.kernel.org/pub/scm/linux/kernel/git/jejb/efitools.git/tree/lib/pecoff.c#n120
>
> This is objdump's output.
> --
> $ objdump -x ./grubx64.efi | grep -E '(SizeOfImage|Security Directory)'
> SizeOfImage 0026b000
> Entry 4 000000000026b000 00000640 Security Directory
> --
>
> Also, this error is reproducible in very famous distributions
> (e.g. Debian, Ubuntu, and Fedora).
>
> Does anyone know whether this is an efitools bug, or are we using the wrong tools?
>
> --
> Haruki TSURUMOTO
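
Added example, not part of the original thread and not efitools or grub2 code: a small Python reader for the two fields shown in the objdump output above, so that SizeOfImage and the Security Directory entry can be compared with the file length. `security_directory`, `build_sample` and the zero-filled sample image are constructed for illustration; the sample reuses the values quoted in the message and assumes the signature table ends the file.

```python
import struct

SECURITY_DIR_INDEX = 4  # "Entry 4 ... Security Directory" in the objdump output

def security_directory(image: bytes) -> dict:
    """Report SizeOfImage and the Security Directory entry of a PE/COFF image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)         # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24                     # PE signature (4) + COFF header (20)
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = 96 if magic == 0x10B else 112  # data directory offset: PE32 / PE32+
    (size_of_image,) = struct.unpack_from("<I", image, opt + 56)
    (count,) = struct.unpack_from("<I", image, opt + dirs - 4)  # NumberOfRvaAndSizes
    offset = size = 0
    if count > SECURITY_DIR_INDEX:
        # For this entry the address field is a file offset, not an RVA.
        offset, size = struct.unpack_from(
            "<II", image, opt + dirs + 8 * SECURITY_DIR_INDEX)
    return {
        "size_of_image": size_of_image,
        "sec_offset": offset,
        "sec_size": size,
        "file_size": len(image),
        "within_file": offset + size <= len(image),
        "offset_ge_size_of_image": size > 0 and offset >= size_of_image,
    }

def build_sample(size_of_image=0x26B000, sec_off=0x26B000, sec_size=0x640) -> bytes:
    """Constructed PE32+ skeleton: headers only, zero-filled body, not a real grub binary."""
    img = bytearray(sec_off + sec_size)   # assumption: signature table ends the file
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", img, opt, 0x20B)
    struct.pack_into("<I", img, opt + 56, size_of_image)
    struct.pack_into("<I", img, opt + 108, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 112 + 8 * SECURITY_DIR_INDEX, sec_off, sec_size)
    return bytes(img)

if __name__ == "__main__":
    for key, value in security_directory(build_sample()).items():
        print(f"{key:24} {value if isinstance(value, bool) else hex(value)}")
```

Running it on a real binary only needs `security_directory(open(path, "rb").read())`; it reports the fields and their relation to the file length and does not reproduce the efitools check itself.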