Not to be fixed

LIN1023-1176 : sbsign: warning: data remaining[1150464 vs 1307573]: gaps between PE/COFF sections?

Created: Jun 30, 2023    Updated: Dec 11, 2024
Resolved Date: Dec 6, 2023
Found In Version: 10.23.30.1
Severity: Standard
Applicable for: Wind River Linux LTS 23
Component/s: Userspace

Description

root@intel-x86-64:~# sbsign --key db.key --cert db.crt --output /boot/efi/EFI/BOOT/bootx64.efi /boot/efi/EFI/BOOT/bootx64.efi
warning: data remaining[1150464 vs 1307573]: gaps between PE/COFF sections?
warning: data remaining[1150464 vs 1307576]: gaps between PE/COFF sections?
Signing Unsigned original image

Steps to Reproduce

Used a binary image that was built by the testing team:
http://pek-lpgtest7408//buildarea1/SharedImage/LTS23/LTS23_STD_BINARY/intel-x86-64/

Follow the steps from https://jira.wrs.com/secure/attachment/369358/support-customer-keys-for-secure-boot.txt


2. Create certificates/keys

For Secure Boot, we need private keys and certificates in multiple formats:

.key
    PEM format private keys for EFI binary and EFI signature list signing.
.crt
    PEM format certificates.
.cer
    DER format certificates.
.esl
    Certificates in an EFI Signature List.
.auth
    Certificates in an EFI Signature List with an authentication header.


Create a GUID for owner identification:

$ uuidgen --random > GUID.txt


Create Platform key (PK):

$ openssl req -newkey rsa:4096 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=Platform Key/" -out PK.crt
$ openssl x509 -outform DER -in PK.crt -out PK.cer
$ cert-to-efi-sig-list -g "$(< GUID.txt)" PK.crt PK.esl
$ sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt PK PK.esl PK.auth


Create Key Exchange Key (KEK):

$ openssl req -newkey rsa:4096 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=Key Exchange Key/" -out KEK.crt
$ openssl x509 -outform DER -in KEK.crt -out KEK.cer
$ cert-to-efi-sig-list -g "$(< GUID.txt)" KEK.crt KEK.esl
$ sign-efi-sig-list -g "$(< GUID.txt)" -k PK.key -c PK.crt KEK KEK.esl KEK.auth



Create Signature Database key (db):

$ openssl req -newkey rsa:4096 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj "/CN=Signature Database key/" -out db.crt
$ openssl x509 -outform DER -in db.crt -out db.cer
$ cert-to-efi-sig-list -g "$(< GUID.txt)" db.crt db.esl
$ sign-efi-sig-list -g "$(< GUID.txt)" -k KEK.key -c KEK.crt db db.esl db.auth
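The .esl files produced by cert-to-efi-sig-list above are EFI Signature Lists: a 28-byte EFI_SIGNATURE_LIST header (SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize) followed by EFI_SIGNATURE_DATA entries, each an owner GUID plus the DER certificate. The following is an added example, not efitools code and not part of this report, that builds such a list for one X.509 certificate and parses it back with length checks; the owner GUID stands in for `$(< GUID.txt)` and the certificate bytes are a constructed placeholder rather than a real DER certificate.

```python
# Build and parse EFI Signature List (.esl) blobs. Added example, not efitools code.
import struct
import uuid

# SignatureType for X.509 DER certificates (EFI_CERT_X509_GUID).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (little-endian; GUIDs in EFI byte order).
ESL_HEADER = struct.Struct("<16sIII")
OWNER_GUID_LEN = 16

# Constructed stand-ins for the contents of GUID.txt and db.cer (not real values).
SAMPLE_OWNER_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_CERT_DER = b"\x30\x82CONSTRUCTED-DER-PLACEHOLDER"


def build_x509_esl(cert_der: bytes, owner: uuid.UUID) -> bytes:
    """Same layout cert-to-efi-sig-list -g <owner> writes for a single certificate."""
    sig_size = OWNER_GUID_LEN + len(cert_der)        # one EFI_SIGNATURE_DATA entry
    list_size = ESL_HEADER.size + sig_size
    header = ESL_HEADER.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size)
    return header + owner.bytes_le + cert_der


def parse_esl(blob: bytes):
    """Parse a .esl file, which may hold several EFI_SIGNATURE_LISTs back to back.

    Returns [(signature_type, owner_guid, signature_data), ...] and rejects
    truncated or inconsistent sizes instead of reading past the buffer.
    """
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        type_raw, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        body_off = off + ESL_HEADER.size + hdr_size
        body_len = list_size - ESL_HEADER.size - hdr_size
        if body_len < 0 or off + list_size > len(blob):
            raise ValueError("SignatureListSize exceeds buffer at offset %d" % off)
        if sig_size <= OWNER_GUID_LEN or body_len % sig_size:
            raise ValueError("SignatureSize inconsistent with list at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=type_raw)
        for i in range(body_len // sig_size):
            entry = body_off + i * sig_size
            owner = uuid.UUID(bytes_le=blob[entry:entry + OWNER_GUID_LEN])
            entries.append((sig_type, owner, blob[entry + OWNER_GUID_LEN:entry + sig_size]))
        off += list_size
    return entries


if __name__ == "__main__":
    esl = build_x509_esl(SAMPLE_CERT_DER, SAMPLE_OWNER_GUID)
    for sig_type, owner, data in parse_esl(esl):
        print(sig_type, owner, len(data), "bytes")
```

The .auth files from sign-efi-sig-list are this same list wrapped in an EFI_VARIABLE_AUTHENTICATION_2 header (timestamp plus a PKCS#7 signature over it), which is what lets the firmware accept a KEK or db update signed by the parent key; the parser above reads only the bare .esl form.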



3. Sign files

Rename bootx64.efi to grubx64.efi:
$ mv /boot/efi/EFI/BOOT/bootx64.efi /boot/efi/EFI/BOOT/grubx64.efi

Rename shimx64.efi to bootx64.efi:
$ mv /boot/efi/EFI/BOOT/shimx64.efi /boot/efi/EFI/BOOT/bootx64.efi

Sign shim, grub and kernel:

$ sbsign --key db.key --cert db.crt --output /boot/efi/EFI/BOOT/bootx64.efi /boot/efi/EFI/BOOT/bootx64.efi
$ sbsign --key db.key --cert db.crt --output /boot/efi/EFI/BOOT/grubx64.efi /boot/efi/EFI/BOOT/grubx64.efi
$ sbsign --key db.key --cert db.crt --output /boot/1/vmlinuz /boot/1/vmlinuz
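The warning in this report comes from the region walk sbsign does before hashing: the Authenticode digest covers the PE headers (minus the CheckSum field and the Certificate Table directory entry) and each section's raw data, and the two numbers in the message are the bytes sbsign accounted for versus the file size. Bytes that no section header claims are therefore outside the signed digest. The following is an added example, not sbsign's or Wind River's code, that performs that walk on a constructed PE32+ image with a deliberate gap between .text and .data and lists the uncovered ranges; the digest it prints is over the headers-plus-sections regions only and is not claimed to match sbsign's internal counting byte for byte.

```python
# Report which bytes of a PE/COFF image the Authenticode digest covers. Added example.
import hashlib
import struct


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def authenticode_coverage(image: bytes):
    """Return (hashed_bytes, uncovered_ranges, sha256_of_hashed_regions).

    Hashed: headers up to CheckSum, CheckSum to the Certificate Table entry,
    that entry to SizeOfHeaders, then each section's raw data in file order.
    The skipped header fields and the certificate table are unsigned by design;
    every other byte outside a hashed region is reported as uncovered.
    """
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = _u32(image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    num_sections, opt_size = _u16(image, coff + 2), _u16(image, coff + 16)
    opt = coff + 20
    dirs_off = {0x20B: 112, 0x10B: 96}.get(_u16(image, opt))  # PE32+ / PE32
    if dirs_off is None:
        raise ValueError("unknown optional header magic")
    checksum_off = opt + 64
    cert_dir_off = opt + dirs_off + 4 * 8            # data directory index 4
    size_of_headers = _u32(image, opt + 60)
    cert_off, cert_size = _u32(image, cert_dir_off), _u32(image, cert_dir_off + 4)

    regions = [(0, checksum_off), (checksum_off + 4, cert_dir_off),
               (cert_dir_off + 8, size_of_headers)]
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        raw_size, raw_ptr = _u32(image, hdr + 16), _u32(image, hdr + 20)
        end = min(raw_ptr + raw_size, len(image))    # clip sections past EOF
        if end > raw_ptr:
            sections.append((raw_ptr, end))
    regions += sorted(sections)                       # PointerToRawData order

    digest = hashlib.sha256()
    for start, end in regions:
        digest.update(image[start:end])

    skipped = [(checksum_off, checksum_off + 4), (cert_dir_off, cert_dir_off + 8)]
    if cert_size:
        skipped.append((cert_off, cert_off + cert_size))
    uncovered, pos = [], 0
    for start, end in sorted(regions + skipped):
        if start > pos:
            uncovered.append((pos, start))
        pos = max(pos, end)
    if pos < len(image):
        uncovered.append((pos, len(image)))
    return sum(e - s for s, e in regions), uncovered, digest.hexdigest()


def build_sample_pe(gap: int = 512) -> bytes:
    """Constructed minimal PE32+ (not a real bootloader): .text, `gap` unclaimed bytes, .data."""
    pe_off, file_align, opt_size = 0x80, 512, 240
    text_ptr, text_size, data_size = file_align, 512, 512
    data_ptr = text_ptr + text_size + gap
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)             # PE32+ magic
    struct.pack_into("<II", opt, 32, 0x1000, file_align)  # Section/FileAlignment
    struct.pack_into("<I", opt, 60, file_align)       # SizeOfHeaders
    struct.pack_into("<H", opt, 68, 10)               # EFI application subsystem
    struct.pack_into("<I", opt, 108, 16)              # NumberOfRvaAndSizes

    def section(name, va, raw_ptr, raw_size, flags):
        return struct.pack("<8sIIIIIIHHI", name, raw_size, va, raw_size, raw_ptr, 0, 0, 0, 0, flags)

    image = bytearray(dos + b"PE\0\0" + coff + opt)
    image += section(b".text", 0x1000, text_ptr, text_size, 0x60000020)
    image += section(b".data", 0x2000, data_ptr, data_size, 0xC0000040)
    image += b"\0" * (file_align - len(image))        # pad headers to SizeOfHeaders
    image += b"\xC3" * text_size + b"\xAA" * gap + b"\x11" * data_size
    return bytes(image)


def report(image: bytes) -> str:
    hashed, uncovered, digest = authenticode_coverage(image)
    lines = ["%d of %d bytes covered by digest %s..." % (hashed, len(image), digest[:16])]
    for start, end in uncovered:
        lines.append("warning: %d bytes at offset %d are in no section: gap between PE/COFF sections?" % (end - start, start))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(build_sample_pe(512)))   # image with a gap: one warning line
    print(report(build_sample_pe(0)))     # contiguous sections: no warning
```

Running the check on the image with the gap reports the 512 unclaimed bytes, and changing a byte inside that gap leaves the digest unchanged while changing a byte inside .text alters it; that is the property the warning is drawing attention to, and it is what to weigh when deciding whether trailing or inter-section data in a given image is acceptable.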


4. Enroll keys

Create a directory /etc/secureboot/keys with the following directory structure:

/etc/secureboot/keys
├── db
├── dbx
├── KEK
└── PK

For example using:

$ mkdir -p /etc/secureboot/keys/{db,dbx,KEK,PK}

Then copy each of the .auth files into their respective locations (e.g. PK.auth into /etc/secureboot/keys/PK and so on). 

If you want to verify the changes sbkeysync will make to the system's UEFI keystore, use:

$ sbkeysync --pk --dry-run --verbose