Fix broken CRC32 checks for signed bzimage files.#2547
Conversation
Codecov ReportBase: 73.66% // Head: 73.67% // Increases project coverage by
Additional details and impacted files@@ Coverage Diff @@
## main #2547 +/- ##
=======================================
Coverage 73.66% 73.67%
=======================================
Files 405 405
Lines 41231 41281 +50
=======================================
+ Hits 30374 30414 +40
- Misses 10857 10867 +10
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report at Codecov. |
…signed images. Fixes #2513. CRC32 checks are broken for signed images because the image signing process changes the bootcode data, therefore the CRC32 in the original image is invalid. This PR adds basic support for parsing PE files (https://learn.microsoft.com/en-us/windows/win32/debug/pe-format) and resets the PE checksum and Certificate Table which restores the bootcode contents back to their pre-signing state and the CRC32 checksums pass. This code does not add PE checksum verification or kernel signature verification. 2x signed test kernels are added: * bzImage-debian-signed-linux5.10.0-6-amd64_5.10.28-1_amd64 which is signed using sbsigntools (changes PE checksum & Certificate Table) * bzImage-rockylinux9 (https://download.rockylinux.org/pub/rocky/9/BaseOS/x86_64/os/images/pxeboot/vmlinuz) (changes Certificate Table only) Signed-off-by: Avi <avibrender@gmail.com>
rminnich
left a comment
rminnich
left a comment
There was a problem hiding this comment.
The data files add a lot ... is there some way to shrink them? Just commit only the header? If not, no problem.
rminnich
added
the
Awaiting author
Unfortunately they can't be shrunk because the kernel image is already compressed. I tried to gzip bzImage-rockylinux9 but it's basically the same size before and after. I think it's valuable to keep the entire file because the actual signature is appended to the end of the file... and one day we will want to add signature verification, so we'll need that data. WDYT? |
2 participants
Fixes #2513.
CRC32 checks are broken for signed images because the image signing process changes the bootcode data, therefore the CRC32 in the original image is invalid.
This PR adds basic support for parsing PE files (https://learn.microsoft.com/en-us/windows/win32/debug/pe-format) and resets the PE checksum and Certificate Table which restores the bootcode contents back to their pre-signing state and the CRC32 checksums pass.
This code does not add PE checksum verification or kernel signature verification.
2x signed test kernels are added:
Signed-off-by: Avi avibrender@gmail.com