Bug#1033569: systemd-boot-efi: Secure Boot via shim broken on arm64 due to missing SBAT section

2023-03-31 Thread Michael Biebl

Control: tags -1 + fixed-upstream

On 28.03.23 at 20:46, Emanuele Rocca wrote:
> Hi,
>
> On Mon, Mar 27, 2023 at 06:23:57PM +0200, Michael Biebl wrote:
>> Please consider raising this issue upstream
>
> There's no need, the bug is fixed in main (currently at 3a051522).

Ah nice, good to know.
Marking accordingly.

> It is however reproducible checking out tag v253, so presumably upstream
> version v254 will be the first release fixing this.
>
> I see that there's been quite some work in the area, eg. commit 2afeaf16.

Yeah, the way systemd-boot is built has been reworked completely.

Regards,
Michael





Bug#1033569: systemd-boot-efi: Secure Boot via shim broken on arm64 due to missing SBAT section

2023-03-28 Thread Emanuele Rocca
Hi,

On Mon, Mar 27, 2023 at 06:23:57PM +0200, Michael Biebl wrote:
> Please consider raising this issue upstream

There's no need, the bug is fixed in main (currently at 3a051522).

It is however reproducible checking out tag v253, so presumably upstream
version v254 will be the first release fixing this.

I see that there's been quite some work in the area, eg. commit 2afeaf16.

Thanks,
  Emanuele



Bug#1033569: systemd-boot-efi: Secure Boot via shim broken on arm64 due to missing SBAT section

2023-03-27 Thread Michael Biebl

Control: tags -1 + upstream

Thanks for the bug report.

Please consider raising this issue upstream at
https://github.com/systemd/systemd/issues


Bug#1033569: systemd-boot-efi: Secure Boot via shim broken on arm64 due to missing SBAT section

2023-03-27 Thread Emanuele Rocca
Package: systemd-boot-efi
Version: 252.6-1

Hi,

booting in Secure Boot mode with a self-signed systemd-bootaa64.efi
works well on arm64. However, trying to boot via shimaa64.efi fails with
the following error:

  shim.c:866:load_image() attempting to load \EFI\BOOT\grubaa64.efi
  pe.c:844:verify_sbat_section() No .sbat section data
  Verification failed: Security Policy Violation

Looking for the SBAT section in systemd-bootaa64.efi confirms that
indeed it is missing:

  $ objdump -x /usr/lib/systemd/boot/efi/systemd-bootaa64.efi | grep .sbat   # <- no output

Instead, on amd64:

 $ objdump -x /usr/lib/systemd/boot/efi/systemd-bootx64.efi | grep .sbat
   7 .sbat 00d9  00028040  00028040  0001dc00 2**2
 [136](sec  8)(fl 0x00)(ty0)(scl   3) (nx 0) 0x sbat

Note that .sbat is not the only section missing. On arm64 there's only
.text and .data:

  Sections:
  Idx Name      Size      VMA       LMA       File off  Algn
    0 .text     0001a000  1000      1000      1000      2**2
                CONTENTS, ALLOC, LOAD, READONLY, CODE
    1 .data     2000      0001b000  0001b000  0001b000  2**2
                CONTENTS, ALLOC, LOAD, DATA

While amd64 has:

  Sections:
  Idx Name      Size      VMA       LMA       File off  Algn
    0 .text     00015710  5000      5000      0400      2**4
                CONTENTS, ALLOC, LOAD, READONLY, CODE
    1 .reloc    000c      0001b000  0001b000  00015c00  2**2
                CONTENTS, ALLOC, LOAD, READONLY, DATA
    2 .data     64b8      0001c000  0001c000  00015e00  2**4
                CONTENTS, ALLOC, LOAD, DATA
    3 .dynamic  0100      00023000  00023000  0001c400  2**2
                CONTENTS, ALLOC, LOAD, DATA
    4 .rela     1038      00024000  00024000  0001c600  2**2
                CONTENTS, ALLOC, LOAD, READONLY, DATA
    5 .dynsym   0018      00026000  00026000  0001d800  2**2
                CONTENTS, ALLOC, LOAD, READONLY, DATA
    6 .sdmagic  002b      00028000  00028000  0001da00  2**2
                CONTENTS, ALLOC, LOAD, READONLY, DATA
    7 .sbat     00d9      00028040  00028040  0001dc00  2**2
                CONTENTS, ALLOC, LOAD, READONLY, DATA
    8 .osrel    003f      00028120  00028120  0001de00  2**2
                CONTENTS, ALLOC, LOAD, READONLY, DATA
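The check shim performs in verify_sbat_section() boils down to "is there a .sbat section, and does it carry data?". The following Python script is an added example, not part of this bug report nor of systemd or shim: it walks the PE header and section table (the same list objdump -x prints under "Sections:"), locates .sbat, and parses its CSV using the field names from shim's SBAT.md. So that it runs without the real EFI binaries, it builds two constructed in-memory PE32+ images, one mirroring the arm64 layout above (.text and .data only) and one with a .sbat section; the SBAT lines, the "254" version string and the .text filler bytes are constructed sample values, and the images are header-only, not bootable.

```python
import struct
import sys

# COFF machine types for the two architectures discussed in the report.
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_MACHINE_ARM64 = 0xAA64

# Field names of one SBAT CSV record, as documented in shim's SBAT.md.
SBAT_FIELDS = ("component_name", "component_generation", "vendor_name",
               "vendor_package_name", "vendor_version", "vendor_url")


def parse_pe(data):
    """Walk the DOS stub, PE signature, COFF header and section table.
    Returns (machine, [section dicts])."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = \
        struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size      # section headers follow the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "rawptr": rawptr})
    return machine, sections


def section_names(data):
    """The section list objdump -x prints under 'Sections:'."""
    return [s["name"] for s in parse_pe(data)[1]]


def sbat_records(data):
    """Parsed .sbat CSV as a list of dicts, or None when the section is absent
    or empty (the case shim rejects with 'No .sbat section data')."""
    for sec in parse_pe(data)[1]:
        if sec["name"] == ".sbat":
            size = sec["vsize"] or sec["rawsize"]
            raw = data[sec["rawptr"]:sec["rawptr"] + size].rstrip(b"\0")
            if not raw:
                return None
            return [dict(zip(SBAT_FIELDS, line.split(",")))
                    for line in raw.decode("ascii").splitlines() if line]
    return None


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(machine, sections):
    """Constructed minimal PE32+ image (headers plus raw section data only),
    sufficient for header parsers; it is not a loadable EFI binary."""
    opt_size, file_align, sect_align = 240, 0x200, 0x1000
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)  # PE32+ magic, rest zero
    raw_ptr = _align(64 + 4 + 20 + opt_size + 40 * len(sections), file_align)
    vaddr, table, blobs = sect_align, b"", []
    for name, payload in sections:
        raw_size = _align(len(payload), file_align)
        table += struct.pack("<8sIIII", name.encode(), len(payload), vaddr, raw_size, raw_ptr)
        table += struct.pack("<IIHHI", 0, 0, 0, 0, 0x40000040)  # INITIALIZED_DATA | MEM_READ
        blobs.append((raw_ptr, payload.ljust(raw_size, b"\0")))
        raw_ptr += raw_size
        vaddr += _align(len(payload), sect_align)
    image = bytearray(raw_ptr)
    head = dos + b"PE\0\0" + coff + opt + table
    image[:len(head)] = head
    for ptr, blob in blobs:
        image[ptr:ptr + len(blob)] = blob
    return bytes(image)


# Constructed sample payloads (not taken from any real systemd-boot build).
SAMPLE_SBAT = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
               b"systemd,1,The systemd Developers,systemd,254,https://systemd.io/\n")
SAMPLE_CODE = b"\x1f\x20\x03\xd5" * 4   # four AArch64 NOPs as .text filler


def sample_arm64():
    """Mimics the arm64 layout from the report: .text and .data only."""
    return build_pe(IMAGE_FILE_MACHINE_ARM64,
                    [(".text", SAMPLE_CODE), (".data", b"\0" * 16)])


def sample_amd64():
    """Mimics the amd64 layout from the report: .sbat is present."""
    return build_pe(IMAGE_FILE_MACHINE_AMD64,
                    [(".text", SAMPLE_CODE), (".data", b"\0" * 16), (".sbat", SAMPLE_SBAT)])


if __name__ == "__main__":
    # With a path argument, inspect a real EFI binary; otherwise use the samples.
    images = ([(sys.argv[1], open(sys.argv[1], "rb").read())] if len(sys.argv) > 1
              else [("arm64 sample", sample_arm64()), ("amd64 sample", sample_amd64())])
    for label, img in images:
        machine, _ = parse_pe(img)
        recs = sbat_records(img)
        print(f"{label}: machine=0x{machine:04x} sections={section_names(img)}")
        print("  SBAT:", "No .sbat section data" if recs is None
              else ", ".join(f"{r['component_name']}={r['vendor_version']}" for r in recs))
```

Pointing the script at /usr/lib/systemd/boot/efi/systemd-bootaa64.efi reproduces the objdump finding without binutils: a binary carrying only .text and .data yields "No .sbat section data", which is exactly the state shim refuses to boot under Secure Boot. The .sbat content is treated as data and is never executed, and an empty section is reported the same way as a missing one because shim rejects both.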