Bug#1033569: systemd-boot-efi: Secure Boot via shim broken on arm64 due to missing SBAT section

Emanuele Rocca, Mar 27, 2023, 11:00:05 AM

Package: systemd-boot-efi
Version: 252.6-1

Hi,

booting in Secure Boot mode with a self-signed systemd-bootaa64.efi
works well on arm64. However, trying to boot via shimaa64.efi fails with
the following error:

shim.c:866:load_image() attempting to load \EFI\BOOT\grubaa64.efi
pe.c:844:verify_sbat_section() No .sbat section data
Verification failed: Security Policy Violation

Looking for the SBAT section in systemd-bootaa64.efi confirms that
indeed it is missing:

$ objdump -x /usr/lib/systemd/boot/efi/systemd-bootaa64.efi | grep .sbat # <- no output

Instead, on amd64:

$ objdump -x /usr/lib/systemd/boot/efi/systemd-bootx64.efi | grep .sbat
7 .sbat 000000d9 0000000000028040 0000000000028040 0001dc00 2**2
[136](sec 8)(fl 0x00)(ty 0)(scl 3) (nx 0) 0x0000000000000000 sbat

Note that .sbat is not the only section missing. On arm64 there's only
.text and .data:

Sections:
Idx Name      Size      VMA               LMA               File off  Algn
  0 .text     0001a000  0000000000001000  0000000000001000  00001000  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .data     00002000  000000000001b000  000000000001b000  0001b000  2**2
                  CONTENTS, ALLOC, LOAD, DATA

While amd64 has:

Sections:
Idx Name      Size      VMA               LMA               File off  Algn
  0 .text     00015710  0000000000005000  0000000000005000  00000400  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .reloc    0000000c  000000000001b000  000000000001b000  00015c00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data     000064b8  000000000001c000  000000000001c000  00015e00  2**4
                  CONTENTS, ALLOC, LOAD, DATA
  3 .dynamic  00000100  0000000000023000  0000000000023000  0001c400  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  4 .rela     00001038  0000000000024000  0000000000024000  0001c600  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  5 .dynsym   00000018  0000000000026000  0000000000026000  0001d800  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .sdmagic  0000002b  0000000000028000  0000000000028000  0001da00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  7 .sbat     000000d9  0000000000028040  0000000000028040  0001dc00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  8 .osrel    0000003f  0000000000028120  0000000000028120  0001de00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA

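As an added example (not code from the thread or from systemd/shim), the check below walks a PE image's section table and returns the SBAT CSV rows from its .sbat section, or None for a binary like the arm64 build above that carries no such section, which is the condition shim's verify_sbat_section() rejects. The minimal PE builder and the SBAT_SAMPLE rows are constructed test data, not real firmware images.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")

def pe_sections(data):
    """Map section name -> raw file bytes for every entry in a PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    off = coff + 20 + opt_size  # section table follows the optional header
    sections = {}
    for _ in range(nsect):
        name, _vsize, _vaddr, rawsize, rawptr, *_ = SECTION_HEADER.unpack_from(data, off)
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = data[rawptr:rawptr + rawsize]
        off += SECTION_HEADER.size
    return sections

def sbat_entries(data):
    """SBAT CSV rows of an EFI binary, or None when .sbat is absent
    (the case shim reports as 'No .sbat section data')."""
    sec = pe_sections(data).get(".sbat")
    if sec is None:
        return None
    text = sec.rstrip(b"\0").decode("utf-8")
    return [row.split(",") for row in text.splitlines() if row.strip()]

def build_pe(sections):
    """Constructed minimal PE image for testing only: no optional header,
    raw section data appended right after the headers. Not bootable."""
    hdr_len = 0x40 + 4 + 20 + SECTION_HEADER.size * len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0xAA64, len(sections), 0, 0, 0, 0, 0)  # ARM64
    headers, body, ptr = b"", b"", hdr_len
    for name, content in sections.items():
        headers += SECTION_HEADER.pack(name.encode().ljust(8, b"\0"), len(content),
                                       ptr, len(content), ptr, 0, 0, 0, 0, 0x40000040)
        body += content
        ptr += len(content)
    return dos + b"PE\0\0" + coff + headers + body

# Constructed sample of the two rows an SBAT section starts with (hypothetical values).
SBAT_SAMPLE = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
               b"systemd,1,The systemd Developers,systemd,252,https://systemd.io/\n")
```

Run against a real image with sbat_entries(open(path, "rb").read()); a None result is exactly what shim refuses to load under Secure Boot.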
Michael Biebl, Mar 27, 2023, 12:30:04 PM

Control: tags -1 + upstream

Thanks for the bug report.

Please consider raising this issue upstream at
https://github.com/systemd/systemd/issues


Emanuele Rocca, Mar 28, 2023, 2:50:03 PM

Hi,

On Mon, Mar 27, 2023 at 06:23:57PM +0200, Michael Biebl wrote:
> Please consider raising this issue upstream

There's no need, the bug is fixed in main (currently at 3a051522).

It is however reproducible checking out tag v253, so presumably upstream
version v254 will be the first release fixing this.

I see that there's been quite some work in the area, e.g. commit 2afeaf16.

Thanks,
Emanuele

Michael Biebl, Mar 31, 2023, 3:20:05 AM

Control: tags -1 + fixed-upstream

On 28.03.23 at 20:46, Emanuele Rocca wrote:
> Hi,
>
> On Mon, Mar 27, 2023 at 06:23:57PM +0200, Michael Biebl wrote:
>> Please consider raising this issue upstream
>
> There's no need, the bug is fixed in main (currently at 3a051522).

Ah nice, good to know.
Marking accordingly.

> It is however reproducible checking out tag v253, so presumably upstream
> version v254 will be the first release fixing this.
>
> I see that there's been quite some work in the area, eg. commit 2afeaf16.

Yeah, the way systemd-boot is built has been reworked completely.

Regards,
Michael
