
On 24.06.22 10:53, Heinrich Schuchardt wrote:
On 6/24/22 07:32, Su, Bao Cheng wrote:
During PE hashing, when holes exist between sections, the extra data calculated could be a duplicated region of the last section.
Such a PE image with holes existing between sections may contain the symbol table for the kernel, for example.
The Authenticode_PE spec does not rule how to deal with such a scenario; however, other tools such as pesign and sbsign both have the overlapped
Thanks for analyzing differences in hashing.
Above you mention holes between sections. Here you talk about overlapping sections. These two cases are obviously distinct.
Please, provide an accurate description.
Yeah, I also gave that feedback internally already as it left me a bit confused.
Examples (in text form) would be helpful.
There is apparently no good PE dump tooling available, so I try to describe our scenario verbally:
We are generating a unified kernel image, similar to what systemd does, for ARM and ARM64 [1]. The stub has .text and .data sections, and then follows the symbol table (some versions of binutils allow suppressing it, others not, sigh). When appending the actual payload to that (kernel image, command line, initrd, dtbs), those sections are added right after the symbol table, creating an unhashed gap between the last stub section and the first appended one. That unified linux.efi is then signed and should be verifiable and bootable (as it is with EDK2).
HTH, Jan
[1] https://github.com/siemens/efibootguard/blob/master/docs/UNIFIED-KERNEL.md
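
The layout described in this thread can be inspected with a short script; the following is an added example, not code from the thread, U-Boot or efibootguard. It assumes the section-by-section accounting of the Authenticode PE specification, where trailing data is taken to start at the running total of hashed bytes, and it runs on a constructed sample image (`build_sample`, `hash_layout` and `pe_sections` are hypothetical names).

```python
import struct

def pe_sections(image):
    """Return (SizeOfHeaders, [(name, raw_offset, raw_size)]) sorted by file offset."""
    pe, = struct.unpack_from("<I", image, 0x3C)            # e_lfanew
    if image[:2] != b"MZ" or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, = struct.unpack_from("<H", image, pe + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", image, pe + 20)   # SizeOfOptionalHeader
    opt = pe + 24
    size_of_headers, = struct.unpack_from("<I", image, opt + 60)
    sections = []
    for i in range(nsect):
        hdr = opt + opt_size + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_off = struct.unpack_from("<II", image, hdr + 16)
        if raw_size:
            sections.append((name, raw_off, raw_size))
    return size_of_headers, sorted(sections, key=lambda s: s[1])

def hash_layout(image):
    """Find unhashed holes and the byte range a naive trailing-data step would hash twice."""
    pos, sections = pe_sections(image)
    hashed, holes = pos, []
    for name, off, size in sections:
        if off > pos:
            holes.append((pos, off, name))       # bytes no section covers
        pos = max(pos, off + size)
        hashed += size                           # running SUM_OF_BYTES_HASHED
    rehashed = (hashed, pos) if hashed < pos else None
    return {"holes": holes, "sum_of_bytes_hashed": hashed, "rehashed": rehashed}

def build_sample():
    """Constructed image: .text, .data, a 0x100-byte hole, then an appended .linux section."""
    img = bytearray(0xA00)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0xAA64, 3)          # Machine (ARM64), NumberOfSections
    struct.pack_into("<H", img, 0x54, 0xF0)                # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x58, 0x20B)               # PE32+ magic
    struct.pack_into("<I", img, 0x58 + 60, 0x200)          # SizeOfHeaders
    layout = [(b".text", 0x200, 0x200), (b".data", 0x400, 0x200), (b".linux", 0x700, 0x300)]
    for i, (name, off, size) in enumerate(layout):
        hdr = 0x58 + 0xF0 + 40 * i
        img[hdr:hdr + len(name)] = name
        struct.pack_into("<II", img, hdr + 16, size, off)
    return bytes(img)

if __name__ == "__main__":
    print(hash_layout(build_sample()))
```

On the constructed image the hole is 0x100 bytes, so the running total ends 0x100 bytes short of the end of the last section, and that tail of `.linux` is the range that would be hashed a second time as "extra data".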