From patchwork Tue Feb 4 13:54:55 2025
X-Patchwork-Submitter: Mikko Rapeli
X-Patchwork-Id: 56641
From: Mikko Rapeli
To: openembedded-core@lists.openembedded.org
Cc: Mikko Rapeli
Subject: [PATCH v2 1/3] systemd-boot-native: undelete but disable configure and compile tasks
Date: Tue, 4 Feb 2025 15:54:55 +0200
Message-ID: <20250204135457.1219477-1-mikko.rapeli@linaro.org>
X-Mailer: git-send-email 2.47.1
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 04 Feb 2025 13:55:18 -0000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/210797

The tasks were deleted and do_patch() was run after do_install() which means that patches applied in SRC_URI were not in the ukify.py binary installed. Mark the tasks as noexec since they don't need to do anything.

Signed-off-by: Mikko Rapeli
---
 meta/recipes-core/systemd/systemd-boot-native_257.1.bb | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-core/systemd/systemd-boot-native_257.1.bb b/meta/recipes-core/systemd/systemd-boot-native_257.1.bb
index 58db408dcf..5b4b63c294 100644
--- a/meta/recipes-core/systemd/systemd-boot-native_257.1.bb
+++ b/meta/recipes-core/systemd/systemd-boot-native_257.1.bb
@@ -2,13 +2,12 @@ require systemd.inc inherit native -deltask do_configure -deltask do_compile +do_configure[noexec] = "1" +do_compile[noexec] = "1" do_install () { install -Dm 0755 ${S}/src/ukify/ukify.py ${D}${bindir}/ukify } -addtask install after do_unpack PACKAGES = "${PN}" From patchwork Tue Feb 4 13:54:56 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mikko Rapeli X-Patchwork-Id: 56643 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1A53DC02194 for ; Tue, 4 Feb 2025 13:55:18 +0000 (UTC) Received: from mail-lf1-f47.google.com (mail-lf1-f47.google.com [209.85.167.47]) by mx.groups.io with SMTP id smtpd.web10.116791.1738677312589833946 for ; Tue, 04 Feb 2025 05:55:12 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=SxouLSkk; spf=pass (domain: linaro.org, ip: 209.85.167.47, mailfrom: mikko.rapeli@linaro.org) Received: by mail-lf1-f47.google.com with SMTP id 2adb3069b0e04-5401bd6ccadso5826503e87.2 for ; Tue, 04 Feb 2025 05:55:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1738677311; x=1739282111; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=E86CcozagmLsYaKrTI35C23FsWAcVJRx2zN2PM6uAWY=; b=SxouLSkkQpEniJZrUb8Y0dnbtDy3fLMFxSZC6mafMUNM57z2D3D6vU1DPt2+aDWI4t 4dSR8KXFoI2ceZUwAjkyouh9DbS7z19XPwXsnvsI0gS1Xi4JCJerCOEC04dyYTM9V2k4 nIGUNJ4sAZHc4qd1aaAp0cUOcTrR4MxhBmUQ6AfWjoYr9s5Lrc8WYPRexIG0sjUgn/sc VrKk6uYd0SXK4PbnbXa9uqJNYW24oVfyHIOllATsYLn46JxMRUeqdr16+n4MsWpuIxt0 NeYWo97Odi0l6106uuQZCVo1YUhXW12Ob0VOjOG4gcjvvmFyAaiK3l69o5R4fg6XhRSX deUw== 
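Review bot: the commit message names the symptom (do_patch() ran after do_install()) but not the cause, and the hunk shows it: the removed `addtask install after do_unpack` line is what chained do_install straight onto do_unpack, ahead of do_patch. Dropping that line and bringing do_configure/do_compile back as `[noexec] = "1"` tasks lets do_install fall back to the default ordering behind do_patch, so the SRC_URI patches are applied before ukify.py is installed. Stating that in the message would make the fix easier to follow; the noexec form is the right replacement for `deltask` here because it keeps the task dependency chain intact while doing no work.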
From: Mikko Rapeli
To: openembedded-core@lists.openembedded.org
Cc: Mikko Rapeli
Subject: [PATCH v2 2/3] uki.bbclass: capture ukify command stdout and stderr
Date: Tue, 4 Feb 2025 15:54:56 +0200
Message-ID: <20250204135457.1219477-2-mikko.rapeli@linaro.org>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250204135457.1219477-1-mikko.rapeli@linaro.org>
References: <20250204135457.1219477-1-mikko.rapeli@linaro.org>
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 04 Feb 2025 13:55:18 -0000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/210798

ukify tool can show important warnings and even errors if it fails so capture the logs.

Signed-off-by: Mikko Rapeli
---
 meta/classes-recipe/uki.bbclass | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/classes-recipe/uki.bbclass b/meta/classes-recipe/uki.bbclass
index 92f690526d..ccda042ab4 100644
--- a/meta/classes-recipe/uki.bbclass
+++ b/meta/classes-recipe/uki.bbclass
@@ -190,6 +190,7 @@ python do_uki() { # Run the ukify command bb.debug(2, "uki: running command: %s" % (ukify_cmd)) - bb.process.run(ukify_cmd, shell=True) + out, err = bb.process.run(ukify_cmd, shell=True) + bb.debug(2, "%s\n%s" % (out, err)) } addtask uki after do_rootfs before do_deploy do_image_complete do_image_wic From patchwork Tue Feb 4 13:54:57 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mikko Rapeli X-Patchwork-Id: 56642 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2AE65C02197 for ; Tue, 4 Feb 2025 13:55:18 +0000 (UTC) Received: from mail-lf1-f45.google.com (mail-lf1-f45.google.com [209.85.167.45]) by mx.groups.io with SMTP id smtpd.web10.116794.1738677316829132356 for ; Tue, 04 Feb 2025 05:55:17 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@linaro.org header.s=google header.b=jGv6SYLC; spf=pass (domain: linaro.org, ip: 209.85.167.45, mailfrom: mikko.rapeli@linaro.org) Received: by mail-lf1-f45.google.com with SMTP id 2adb3069b0e04-5401bd6ccadso5826560e87.2 for ; Tue, 04 Feb 2025 05:55:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1738677315; x=1739282115; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=VIqmf4Vh/vUjx4bkq5bh7BF3FJk6rv3fTJ0xDTtNUSM=; b=jGv6SYLCq6K85Ji9ESEkh0zV4vNGzhGluDnTYv72RsbzxOLWgBOIyRdx+sz/aG2t+3 VQCVK/rzG6KigRbXOih+lLgtpZZ3hnoHWcNuPRBGDS5YLFD/YekhafUNyVzsWsJdcMKp rjl0Eivwi/7LVRR2TF6nEf7AyH93zl32/zk8i8FJO+kvhNgh4DA4OfIXlGo3vUwq5gwR 3IMpKT99GxHQWes0VwYgZrnTyQU/ncWkkviH4XMgznhd4WIoMAKls1eutj0drt9UIqjF 
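Review bot: logging the captured output with `bb.debug(2, ...)` keeps it hidden in a normal build, since level-2 debug messages only show up when bitbake is run with extra verbosity, so the warnings the commit message wants surfaced will still go unseen. bb.process.run() already raises with the output attached when ukify exits non-zero, so this change only matters on the success path; consider `bb.note(out)` for stdout and `bb.warn(err)` when err is non-empty, and label the two streams in the format string (`"ukify stdout:\n%s\nukify stderr:\n%s"`) so the log shows which is which.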
From: Mikko Rapeli
To: openembedded-core@lists.openembedded.org
Cc: Mikko Rapeli , Jon Mason , meta-arm@lists.yoctoproject.org
Subject: [PATCH v2 3/3] systemd-boot-native: fix kernel signature for secureboot
Date: Tue, 4 Feb 2025 15:54:57 +0200
Message-ID: <20250204135457.1219477-3-mikko.rapeli@linaro.org>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20250204135457.1219477-1-mikko.rapeli@linaro.org>
References: <20250204135457.1219477-1-mikko.rapeli@linaro.org>
MIME-Version: 1.0
List-Id:
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 04 Feb 2025 13:55:18 -0000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/210799

systemd update from 256 to 257 broke kernel secureboot signatures inside signed UKI files with u-boot based UEFI firmware, e.g. meta-arm and qemuarm64-secureboot machine config and secureboot:

$ cd meta-arm
$ kas build ci/poky.yml:ci/qemuarm64-secureboot.yml:ci/uefi-secureboot.yml:ci/testimage.yml

systemd-boot itself is secureboot signed and verified by firmware. Same for the UKI file which combines kernel, initramfs etc. Then kernel from UKI is additionally executed using UEFI firmware calls which check signatures so the kernel binary inside signed UKI needs to be signed with same keys too.

PE file padding added to systemd ukify in 257 release broke kernel signature validation for u-boot and sbsign/sbverify tools. EDK2 based firmware like OVMF may not be affected because systemd-boot is able to disable signature checking after a signed UKI has been loaded. This feature is not supported by u-boot.

Upstream systemd bug report: https://github.com/systemd/systemd/issues/35851

Backport of: https://github.com/systemd/systemd/commit/38801c91292fde004bec0974ed5602984701e03b

Cc: Jon Mason
Cc: meta-arm@lists.yoctoproject.org
Signed-off-by: Mikko Rapeli --- .../systemd/systemd-boot-native_257.1.bb | 3 + ...vert-changes-to-use-SizeOfImage-from.patch | 120 ++++++++++++++++++ 2 files changed, 123 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/0001-ukify-measure-Revert-changes-to-use-SizeOfImage-from.patch diff --git a/meta/recipes-core/systemd/systemd-boot-native_257.1.bb b/meta/recipes-core/systemd/systemd-boot-native_257.1.bb index 5b4b63c294..967ac57fc5 100644 --- a/meta/recipes-core/systemd/systemd-boot-native_257.1.bb +++ b/meta/recipes-core/systemd/systemd-boot-native_257.1.bb @@ -1,4 +1,7 @@ require systemd.inc +FILESEXTRAPATHS =. "${FILE_DIRNAME}/systemd:" + +SRC_URI += "file://0001-ukify-measure-Revert-changes-to-use-SizeOfImage-from.patch" inherit native diff --git a/meta/recipes-core/systemd/systemd/0001-ukify-measure-Revert-changes-to-use-SizeOfImage-from.patch b/meta/recipes-core/systemd/systemd/0001-ukify-measure-Revert-changes-to-use-SizeOfImage-from.patch new file mode 100644 index 0000000000..3db8be2288 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0001-ukify-measure-Revert-changes-to-use-SizeOfImage-from.patch 
@@ -0,0 +1,120 @@ +From 60d76dce7b013406412bc9720dbf05fb558ea099 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Tue, 4 Feb 2025 09:24:26 +0100 +Subject: [PATCH] ukify/measure: Revert changes to use SizeOfImage from Linux + PE binary + +With 19812661f1f65ebe777d1626b5abf6475faababc, we make sure at runtime +in the stub itself that SizeOfImage from the Linux EFISTUB PE binary is +taken into account, so there's no need to take this into account in ukify +itself. By reverting the ukify change, we again ensure that Misc_VirtualSize +reflects the actual size of the Linux EFISTUB PE binary in the .linux section +which lots of tooling depends on. It also makes sure we don't measure a bunch +of extra zeroes in the stub which should fix systemd-pcrlock measurements as +well. + +This effectively reverts 2188c759f97e40b97ebe3e94e82239f36b525b10 and +0005411352f9bda0d9887c37b9e75a2bce6c1133. + +Fixes #35851 +--- + src/measure/measure.c | 32 -------------------------------- + src/ukify/ukify.py | 16 ++-------------- + 2 files changed, 2 insertions(+), 46 deletions(-) + +Upstream-Status: Backport [https://github.com/systemd/systemd/commit/38801c91292fde004bec0974ed5602984701e03b] + +diff --git a/src/measure/measure.c b/src/measure/measure.c +index e583444e0bf..2057ce2a0e6 100644 +--- a/src/measure/measure.c ++++ b/src/measure/measure.c +@@ -544,38 +544,6 @@ static int measure_kernel(PcrState *pcr_states, size_t n) { + m += sz; + } + +- if (c == UNIFIED_SECTION_LINUX) { +- _cleanup_free_ PeHeader *pe_header = NULL; +- +- r = pe_load_headers(fd, /*ret_dos_header=*/ NULL, &pe_header); +- if (r < 0) +- log_warning_errno(r, "Failed to parse kernel image file '%s', ignoring: %m", arg_sections[c]); +- else if (m < pe_header->optional.SizeOfImage) { +- memzero(buffer, BUFFER_SIZE); +- +- /* Our EFI stub measures VirtualSize bytes of the .linux section into PCR 11. +- * Notably, VirtualSize can be larger than the section's size on disk. 
In +- * that case the extra space is initialized with zeros, so the stub ends up +- * measuring a bunch of zeros. To accommodate this, we have to measure the +- * same number of zeros here. We opt to measure extra zeros here instead of +- * modifying the stub to only measure the number of bytes on disk as we want +- * newer ukify + systemd-measure to work with older versions of the stub and +- * as of 6.12 the kernel image's VirtualSize won't be larger than its size on +- * disk anymore (see https://github.com/systemd/systemd/issues/34578#issuecomment-2382459515). +- */ +- +- while (m < pe_header->optional.SizeOfImage) { +- uint64_t sz = MIN(BUFFER_SIZE, pe_header->optional.SizeOfImage - m); +- +- for (size_t i = 0; i < n; i++) +- if (EVP_DigestUpdate(mdctx[i], buffer, sz) != 1) +- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to run digest."); +- +- m += sz; +- } +- } +- } +- + fd = safe_close(fd); + + if (m == 0) /* We skip over empty files, the stub does so too */ +diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py +index 3f36aa7af6b..08e7622c499 100755 +--- a/src/ukify/ukify.py ++++ b/src/ukify/ukify.py +@@ -388,7 +388,6 @@ class Section: + tmpfile: Optional[IO[Any]] = None + measure: bool = False + output_mode: Optional[str] = None +- virtual_size: Optional[int] = None + + @classmethod + def create(cls, name: str, contents: Union[str, bytes, Path, None], **kwargs: Any) -> 'Section': +@@ -918,10 +917,7 @@ def pe_add_sections(uki: UKI, output: str) -> None: + + new_section.set_file_offset(offset) + new_section.Name = section.name.encode() +- if section.virtual_size is not None: +- new_section.Misc_VirtualSize = section.virtual_size +- else: +- new_section.Misc_VirtualSize = len(data) ++ new_section.Misc_VirtualSize = len(data) + # Non-stripped stubs might still have an unaligned symbol table at the end, making their size + # unaligned, so we make sure to explicitly pad the pointer to new sections to an aligned offset. 
+ new_section.PointerToRawData = round_up(len(pe.__data__), pe.OPTIONAL_HEADER.FileAlignment) +@@ -1166,6 +1162,7 @@ def make_uki(opts: UkifyConfig) -> None: + ('.uname', opts.uname, True), + ('.splash', opts.splash, True), + ('.pcrpkey', pcrpkey, True), ++ ('.linux', linux, True), + ('.initrd', initrd, True), + ('.ucode', opts.microcode, True), + ] # fmt: skip +@@ -1182,15 +1179,6 @@ def make_uki(opts: UkifyConfig) -> None: + for section in opts.sections: + uki.add_section(section) + +- if linux is not None: +- try: +- virtual_size = pefile.PE(linux, fast_load=True).OPTIONAL_HEADER.SizeOfImage +- except pefile.PEFormatError: +- print(f'{linux} is not a valid PE file, not using SizeOfImage.') +- virtual_size = None +- +- uki.add_section(Section.create('.linux', linux, measure=True, virtual_size=virtual_size)) +- + # Don't add a sbat section to profile PE binaries. + if opts.join_profiles or not opts.profile: + if linux is not None: +-- +2.43.0 +
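Review bot: in the systemd-boot-native_257.1.bb hunk, `FILESEXTRAPATHS =. "${FILE_DIRNAME}/systemd:"` is a lazy prepend, whereas the form used across the core layer is `FILESEXTRAPATHS:prepend := "${THISDIR}/systemd:"` with immediate expansion. The lazy form works here because FILE_DIRNAME is fixed for the recipe, but the `:prepend :=` idiom is what reviewers and tooling expect and does not depend on when the variable is expanded; worth aligning for consistency.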
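Review bot: the backported patch in the new-file hunk changes both src/ukify/ukify.py and src/measure/measure.c (its own message says the measure.c part is what fixes systemd-pcrlock measurements), but SRC_URI is extended only for systemd-boot-native. The systemd recipe that shares systemd.inc will therefore still build a systemd-measure that pads the .linux measurement up to SizeOfImage while the patched native ukify no longer does, so PCR 11 predictions computed with systemd-measure or systemd-pcrlock on the target would diverge from what the stub measures for UKIs built with this ukify. Either carry the same patch in the systemd recipe or note in the commit message why only the ukify side is needed for this fix. The `Upstream-Status: Backport [...]` tag with the upstream commit URL is present, which is good.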
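The commit message of patch 3/3 describes the failure in prose: ukify 257 set Misc_VirtualSize of the .linux section to the kernel's own SizeOfImage instead of the section's real byte count, so anything that locates the embedded kernel by VirtualSize (the upstream revert says "lots of tooling depends on" it) reads the kernel plus padding, and the kernel's Authenticode signature no longer verifies. The following is an added example, not code from the patch series or from systemd: it parses PE section headers with only the standard library (no pefile dependency), builds two small constructed PE32+ images by hand, one with the inflated VirtualSize that the pre-revert ukify produced and one with VirtualSize equal to the data length, and flags the bad one. The fake kernel and initrd bytes, the section list and the 0x2000 "SizeOfImage" value are all constructed; `padded_sections()` can be pointed at the bytes of a real UKI to audit a build.

```python
import struct

# Layout constants from the PE/COFF format, not from the patch.
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = struct.Struct("<HHIIIHH")           # IMAGE_FILE_HEADER, 20 bytes
PE32PLUS_OPT_SIZE = 240                        # PE32+ optional header incl. 16 data directories
UKI_PAYLOAD_SECTIONS = (".linux", ".initrd", ".cmdline", ".osrel", ".uname",
                        ".splash", ".pcrpkey", ".ucode")


def round_up(value, align):
    return (value + align - 1) // align * align


def parse_sections(pe):
    """Return [(name, VirtualSize, SizeOfRawData, PointerToRawData)] for every section."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    _, nsections, _, _, _, opt_size, _ = COFF_HDR.unpack_from(pe, e_lfanew + 4)
    sec_off = e_lfanew + 4 + COFF_HDR.size + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, _, rawsize, rawptr, *_ = SECTION_HDR.unpack_from(
            pe, sec_off + i * SECTION_HDR.size)
        sections.append((name.rstrip(b"\0").decode(), vsize, rawsize, rawptr))
    return sections


def padded_sections(pe):
    """UKI payload sections whose VirtualSize claims more bytes than exist on disk."""
    return [name for name, vsize, rawsize, _ in parse_sections(pe)
            if name in UKI_PAYLOAD_SECTIONS and vsize > rawsize]


def section_payload(pe, wanted):
    """Read a section the way a VirtualSize-trusting tool does: VirtualSize bytes from PointerToRawData."""
    for name, vsize, _, rawptr in parse_sections(pe):
        if name == wanted:
            return pe[rawptr:rawptr + vsize]
    raise KeyError(wanted)


def build_uki(sections, file_align=0x200, section_align=0x1000):
    """Constructed minimal PE32+ image; sections is [(name, payload, virtual_size_or_None)].

    virtual_size=None mirrors the post-revert ukify (Misc_VirtualSize = len(data));
    a larger value mirrors the 257 behaviour of copying the kernel's SizeOfImage.
    """
    nsec = len(sections)
    headers_len = round_up(64 + 4 + COFF_HDR.size + PE32PLUS_OPT_SIZE
                           + nsec * SECTION_HDR.size, file_align)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                # e_lfanew
    coff = COFF_HDR.pack(0xAA64, nsec, 0, 0, 0, PE32PLUS_OPT_SIZE, 0x0022)  # AArch64, EXECUTABLE|LARGE_ADDRESS_AWARE
    opt = bytearray(PE32PLUS_OPT_SIZE)
    struct.pack_into("<H", opt, 0, 0x20B)                                # PE32+ magic
    struct.pack_into("<II", opt, 32, section_align, file_align)          # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 60, headers_len)                         # SizeOfHeaders
    hdrs, data = b"", b""
    rawptr, vaddr = headers_len, section_align
    for name, payload, vsize in sections:
        vsize = len(payload) if vsize is None else vsize
        rawsize = round_up(len(payload), file_align)                     # ukify pads raw size to FileAlignment
        hdrs += SECTION_HDR.pack(name.encode(), vsize, vaddr, rawsize, rawptr,
                                 0, 0, 0, 0, 0x40000040)                 # INITIALIZED_DATA | MEM_READ
        data += payload.ljust(rawsize, b"\0")
        rawptr += rawsize
        vaddr = round_up(vaddr + max(vsize, rawsize), section_align)
    struct.pack_into("<I", opt, 56, vaddr)                               # SizeOfImage
    image = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(headers_len, b"\0")
    return image + data


# Constructed stand-ins, not real images.
KERNEL = b"MZ" + bytes(range(256)) * 12      # 3074 bytes playing the signed EFISTUB kernel
INITRD = b"\x1f\x8b" + b"I" * 8000            # 8002 bytes playing the initrd
KERNEL_SIZE_OF_IMAGE = 0x2000                 # what the fake kernel's own PE header would claim


def demo():
    """Compare a 257-style UKI (inflated .linux VirtualSize) with a post-revert one."""
    before = build_uki([(".linux", KERNEL, KERNEL_SIZE_OF_IMAGE), (".initrd", INITRD, None)])
    after = build_uki([(".linux", KERNEL, None), (".initrd", INITRD, None)])
    return (padded_sections(before), padded_sections(after),
            section_payload(before, ".linux") == KERNEL,
            section_payload(after, ".linux") == KERNEL)


if __name__ == "__main__":
    print(demo())  # ([".linux"], [], False, True)
```

In the "before" image the kernel read back by VirtualSize is the signed payload followed by alignment zeros and the start of the initrd, which is exactly why a signature check over the extracted .linux section fails under u-boot or sbverify; in the "after" image it is byte-identical to the kernel that was signed.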