Package: systemd-boot-efi
Version: 252.6-1
Hi,
booting in Secure Boot mode with a self-signed systemd-bootaa64.efi
works well on arm64. However, trying to boot via shimaa64.efi fails with
the following error:
shim.c:866:load_image() attempting to load \EFI\BOOT\grubaa64.efi
pe.c:844:verify_sbat_section() No .sbat section data
Verification failed: Security Policy Violation
Looking for the SBAT section in systemd-bootaa64.efi confirms that
indeed it is missing:
objdump -x /usr/lib/systemd/boot/efi/systemd-bootaa64.efi | grep .sbat # <- no output
Instead, on amd64:
$ objdump -x /usr/lib/systemd/boot/efi/systemd-bootx64.efi | grep .sbat
7 .sbat 00d9 00028040 00028040 0001dc00 2**2
[136](sec 8)(fl 0x00)(ty0)(scl 3) (nx 0) 0x sbat
Note that .sbat is not the only section missing. On arm64 there's only
.text and .data:
Sections:
Idx Name Size VMA LMA File off Algn
0 .text 0001a000 1000 1000 1000 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
1 .data 2000 0001b000 0001b000 0001b000 2**2
CONTENTS, ALLOC, LOAD, DATA
While amd64 has:
Sections:
Idx Name Size VMA LMA File off Algn
0 .text 00015710 5000 5000 0400 2**4
CONTENTS, ALLOC, LOAD, READONLY, CODE
1 .reloc 000c 0001b000 0001b000 00015c00 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
2 .data 64b8 0001c000 0001c000 00015e00 2**4
CONTENTS, ALLOC, LOAD, DATA
3 .dynamic 0100 00023000 00023000 0001c400 2**2
CONTENTS, ALLOC, LOAD, DATA
4 .rela 1038 00024000 00024000 0001c600 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
5 .dynsym 0018 00026000 00026000 0001d800 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
6 .sdmagic 002b 00028000 00028000 0001da00 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
7 .sbat 00d9 00028040 00028040 0001dc00 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
8 .osrel 003f 00028120 00028120 0001de00 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
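
The objdump check above can also be done without binutils, for example as a packaging or pre-signing gate. The following is an added example, not part of the original report and not shim's or systemd's code: it reads the PE section table directly and returns the SBAT rows, or None when there is no .sbat data. The function names, the sample payload and the synthetic image builder are assumptions made for the illustration.

```python
import struct
import sys

# Constructed SBAT payload for the demo; the component line is a placeholder.
SAMPLE_SBAT = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
               b"example-loader,1,Example Vendor,example-loader,0.0,https://example.invalid/\n")

def pe_sections(data):
    """Map section name -> (file offset, raw size) from a PE/COFF section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: machine, section count, 3 unused dwords, optional header size, flags
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    table = pe_off + 24 + opt_size
    out = {}
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_off = struct.unpack_from("<8sIIII", data, table + 40 * i)
        out[name.rstrip(b"\0").decode("ascii", "replace")] = (raw_off, raw_size)
    return out

def sbat_entries(data):
    """Return the SBAT CSV rows, or None when .sbat is absent or empty."""
    sec = pe_sections(data).get(".sbat")
    if sec is None:
        return None
    blob = data[sec[0]:sec[0] + sec[1]].rstrip(b"\0")
    if not blob:
        return None
    return [ln.split(",") for ln in blob.decode("utf-8", "replace").splitlines() if ln]

def build_sample(sections):
    """Constructed image: headers and section table only (machine 0xAA64 = arm64)."""
    hdr = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40))
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0xAA64, len(sections), 0, 0, 0, 0, 0)
    raw_off, body = len(hdr) + 40 * len(sections), b""
    for name, content in sections:
        hdr += struct.pack("<8sIIIIIIHHI", name.encode(), len(content), 0,
                           len(content), raw_off + len(body), 0, 0, 0, 0, 0)
        body += content
    return bytes(hdr + body)

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. the two systemd-boot binaries named in the report
        with open(path, "rb") as fh:
            rows = sbat_entries(fh.read())
        print(path, "no .sbat data" if rows is None else [r[0] for r in rows])
```

Run against real binaries by passing their paths as arguments; the check only confirms that SBAT data exists and does not evaluate it against any revocation list.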