pe-zboot: Truncate the trailing zero if Image is signed
*** Issue ***
In the linux kernel drivers/firmware/efi/libstub/Makefile.zboot, the
original Image is padded with zero, using the following instruction:
truncate -s $$(hexdump -s16 -n4 -e '"%u"' $<) $@
Hence pe-zboot.c decompress and gets Image plus trailing zeroes.
These trailing zeroes don't affect loading the original PE file. But
they do raise an issue during the signature verification. The root cause is
that the kernel function:
static int pefile_digest_pe_contents(const void *pebuf, unsigned int pelen,
struct pefile_context *ctx,
struct shash_desc *desc)
treats [pebuf, pebuf+pelen] as valid payload, which includes the
trailing zeroes. But that is not the truth.
*** Solution ***
In practice, the table of attribute certificates come at the end of a
PE file. This patch utilizes that fact and truncates at the boundary of the
certificate table to get the original Image.
Signed-off-by: Pingfan Liu <piliu@redhat.com>
To: kexec@lists.infradead.org
2 files changed