Ubuntu
sbsigntool package

sbsign - gaps in the section table may result in different checksums

Bug #1575971 reported by mat troi
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
sbsigntool (Ubuntu)
Invalid
Undecided
Unassigned

Bug Description

sbsign -est/test-key.rsa --cert openssl_test/test-cert.pem --output shim_delete_please build/amd64/shim.efi
warning: gap in section table:
    .dynsym : 0x000e4a00 - 0x000f1600,
    /14 : 0x000f1752 - 0x000f1f52,
gaps in the section table may result in different checksums
warning: data remaining[990720 vs 1092659]: gaps between PE/COFF sections?

When signing my shim.efi binary with sbsigntool I received the above warnings. I did a little bit of googling and found if the shim is compiled with gnu-efi 3.0q or earlier, this could be an issue; but my shim.efi is compiled with gnu-efi 3.0u.

The end result from the error cause my shim not bootable. I tried to sign with pesign and everything works, so I think the error is in sbsigntool.

Revision history for this message
mat troi (mattroisang) wrote :

I realized because my linker script is incorrect, the section was not aligned correctly, and this is why when I fed it to sbsigntool it has the
warning: gap in section table:
    .dynsym : 0x000e4a00 - 0x000f1600,
    /14 : 0x000f1752 - 0x000f1f52,
gaps in the section table may result in different checksums

Output from objdump with wrong linker script (note the last section):
Sections:
Idx Name Size VMA LMA File off Algn
  0 .eh_frame 00013ab0 0000000000005000 0000000000005000 00000400 2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  1 .text 000872f9 0000000000019000 0000000000019000 00014000 2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  2 .reloc 0000000a 00000000000a1000 00000000000a1000 0009b400 2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  3 .data 000240f8 00000000000a2000 00000000000a2000 0009b600 2**5
                  CONTENTS, ALLOC, LOAD, DATA
  4 .dynamic 000000f0 00000000000c7000 00000000000c7000 000bf800 2**3
                  CONTENTS, ALLOC, LOAD, DATA
  5 .rela 00024ed0 00000000000c8000 00000000000c8000 000bfa00 2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .dynsym 0000cbe8 00000000000ed000 00000000000ed000 000e4a00 2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  7 .vendor_cert 00000611 0000000000103352 0000000000103352 000f1752 2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA

With updated linker script, I only get this line now:
warning: data remaining[990720 vs 1092659]: gaps between PE/COFF sections?

However the shim binary is still not bootable.

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

shim upstream had lots of improvements in this area.

Changed in sbsigntool (Ubuntu):
status: New → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.