https://sourceware.org/bugzilla/show_bug.cgi?id=30830
Bug ID: 30830
Summary: stripping PE binary fails to delete security directory
entry
Product: binutils
Version: 2.41
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: binutils
Assignee: unassigned at sourceware dot org
Reporter: medhefgo at web dot de
Target Milestone: ---
Given a signed PE/EFI binary, running `strip` on it will remove the signatures
contained in it, but leave the security data directory entry inside the PE
optional header as-is. This renders the binary unbootable as it gets rejected
by firmware/EDK2.
Using signed grub2 from debian as example:
$ qemu-system-x86_64 -bios /usr/share/edk2/x64/OVMF.fd -kernel
grubx64.efi.signed
(This boots to grub cmdline.)
$ strip grubx64.efi.signed
$ sbverify --list grubx64.efi.signed
warning: checksum areas are greater than image size. Invalid section table?
No signature table present
$ qemu-system-x86_64 -bios /usr/share/edk2/x64/OVMF.fd -kernel
grubx64.efi.signed
(Fails to boot grub.)
Manually changing the security directory pointer and size to 0 will allow
booting again and also make sbverify happy again.
--
You are receiving this mail because:
You are on the CC list for the bug.
