Your message dated Tue, 22 Aug 2023 11:53:02 +0200
with message-id <c9368c3b-3397-42ee-b17d-c19944051...@debian.org>
and subject line Re: Bug#1033569: systemd-boot-efi: Secure Boot via shim broken on arm64 due to missing SBAT section
has caused the Debian Bug report #1033569,
regarding systemd-boot-efi: Secure Boot via shim broken on arm64 due to missing SBAT section
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1033569: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033569
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: systemd-boot-efi
Version: 252.6-1
Hi,
booting in Secure Boot mode with a self-signed systemd-bootaa64.efi
works well on arm64. However, trying to boot via shimaa64.efi fails with
the following error:
shim.c:866:load_image() attempting to load \EFI\BOOT\grubaa64.efi
pe.c:844:verify_sbat_section() No .sbat section data
Verification failed: Security Policy Violation
Looking for the SBAT section in systemd-bootaa64.efi confirms that
indeed it is missing:
$ objdump -x /usr/lib/systemd/boot/efi/systemd-bootaa64.efi | grep .sbat   # <- no output
Instead, on amd64:
$ objdump -x /usr/lib/systemd/boot/efi/systemd-bootx64.efi | grep .sbat
  7 .sbat         000000d9  0000000000028040  0000000000028040  0001dc00  2**2
[136](sec  8)(fl 0x00)(ty    0)(scl   3) (nx 0) 0x0000000000000000 sbat
Note that .sbat is not the only section missing. On arm64 there's only
.text and .data:
Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .text         0001a000  0000000000001000  0000000000001000  00001000  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .data         00002000  000000000001b000  000000000001b000  0001b000  2**2
                  CONTENTS, ALLOC, LOAD, DATA
While amd64 has:
Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .text         00015710  0000000000005000  0000000000005000  00000400  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .reloc        0000000c  000000000001b000  000000000001b000  00015c00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data         000064b8  000000000001c000  000000000001c000  00015e00  2**4
                  CONTENTS, ALLOC, LOAD, DATA
  3 .dynamic      00000100  0000000000023000  0000000000023000  0001c400  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  4 .rela         00001038  0000000000024000  0000000000024000  0001c600  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  5 .dynsym       00000018  0000000000026000  0000000000026000  0001d800  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .sdmagic      0000002b  0000000000028000  0000000000028000  0001da00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  7 .sbat         000000d9  0000000000028040  0000000000028040  0001dc00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  8 .osrel        0000003f  0000000000028120  0000000000028120  0001de00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
--- End Message ---
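The report above checks for the section with objdump. As an added example (not part of the bug report, and not shim's or systemd's own code), the following stand-alone script does the same check without binutils: it parses the PE/COFF section table, refuses an image with no .sbat section the way shim's verify_sbat_section() does ("No .sbat section data"), and then applies the SBAT generation rule, rejecting any entry whose component generation is below the revoked generation for that component. The build_pe() helper, the SBAT_CSV text and the revocation list are constructed test fixtures: the images it builds are not bootable, the CSV is not the real systemd-boot .sbat contents, and the revocation list is not Debian's SbatLevel.

```python
"""Check a PE/COFF image for the .sbat section that shim requires under Secure Boot."""
from __future__ import annotations

import struct

# Field names of one SBAT CSV entry, as defined in shim's SBAT.md.
SBAT_FIELDS = ("component_name", "component_generation", "vendor_name",
               "vendor_package_name", "vendor_version", "vendor_url")

# Constructed sample .sbat payload (illustrative values, not systemd-boot's real section).
SBAT_CSV = (
    b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    b"systemd,1,The systemd Developers,systemd,254,https://systemd.io/\n"
    b"systemd.debian,1,Debian,systemd,254-1,https://bugs.debian.org/\n"
)


def pe_sections(image: bytes) -> dict[str, bytes]:
    """Parse the section table of a PE/COFF image; returns {section name: raw bytes}."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsections, = struct.unpack_from("<H", image, coff + 2)     # NumberOfSections
    opt_size, = struct.unpack_from("<H", image, coff + 16)     # SizeOfOptionalHeader
    sec_table = coff + 20 + opt_size
    sections: dict[str, bytes] = {}
    for i in range(nsections):
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, sec_table + i * 40)
        # Use VirtualSize when set so file-alignment padding is not treated as data.
        size = min(vsize, rawsize) if vsize else rawsize
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = image[rawptr:rawptr + size]
    return sections


def parse_sbat(data: bytes) -> list[dict[str, str]]:
    """Split SBAT CSV text into one dict per entry; NUL padding and blank lines are ignored."""
    entries = []
    for line in data.rstrip(b"\0").decode("utf-8").splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(",", 5)   # keep a URL with commas in one field
        if len(fields) < 2:
            raise ValueError(f"malformed SBAT line: {line!r}")
        entries.append(dict(zip(SBAT_FIELDS, fields)))
    return entries


def check_sbat(image: bytes, revocations: dict[str, int]) -> tuple[bool, str]:
    """Shim's SBAT rule: no .sbat section -> reject; any entry with
    component_generation below the revoked generation for that component -> reject."""
    sections = pe_sections(image)
    if ".sbat" not in sections:
        return False, "No .sbat section data"
    for entry in parse_sbat(sections[".sbat"]):
        name = entry["component_name"]
        try:
            gen = int(entry["component_generation"])
        except (KeyError, ValueError):
            return False, f"bad generation for {name}"
        if name in revocations and gen < revocations[name]:
            return False, f"{name} generation {gen} < revoked {revocations[name]}"
    return True, "ok"


def build_pe(sections: dict[str, bytes]) -> bytes:
    """Constructed test helper: a minimal, non-bootable PE image carrying the given sections."""
    nsec, pe_off, opt_size = len(sections), 0x40, 0
    raw_ptr = (pe_off + 4 + 20 + opt_size + 40 * nsec + 0x1FF) & ~0x1FF   # 512-byte alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0xAA64, nsec, 0, 0, 0, opt_size, 0x22)  # ARM64 machine
    table, body, vaddr = b"", b"", 0x1000
    for name, data in sections.items():
        padded = data + b"\0" * (-len(data) % 0x200)
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), vaddr, len(padded),
                             raw_ptr + len(body), 0, 0, 0, 0, 0x40000040)
        body += padded
        vaddr += 0x1000
    header = dos + b"PE\0\0" + coff + table
    return header + b"\0" * (raw_ptr - len(header)) + body


if __name__ == "__main__":
    revoked = {"shim": 2, "grub": 3}   # hypothetical SbatLevel entries
    arm64_like = build_pe({".text": b"\0" * 16, ".data": b"\0" * 16})
    amd64_like = build_pe({".text": b"\0" * 16, ".data": b"\0" * 16, ".sbat": SBAT_CSV})
    for label, img in (("arm64-like", arm64_like), ("amd64-like", amd64_like)):
        print(label, sorted(pe_sections(img)), check_sbat(img, revoked))
```

To run it against a real binary, pass the bytes of a file such as /usr/lib/systemd/boot/efi/systemd-bootaa64.efi to check_sbat(); an image with only .text and .data, as in the arm64 listing above, fails with the same "No .sbat section data" reason shim prints.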
--- Begin Message ---
Version: 254-1
On Fri, 31 Mar 2023 09:12:52 +0200 Michael Biebl <bi...@debian.org> wrote:
Control: tags -1 + fixed-upstream
Am 28.03.23 um 20:46 schrieb Emanuele Rocca:
> Hi,
>
> On Mon, Mar 27, 2023 at 06:23:57PM +0200, Michael Biebl wrote:
>> Please consider raising this issue upstream
>
> There's no need, the bug is fixed in main (currently at 3a051522).
Ah nice, good to know.
Marking accordingly
> It is however reproducible checking out tag v253, so presumably upstream
> version v254 will be the first release fixing this.
>
> I see that there's been quite some work in the area, eg. commit 2afeaf16.
Yeah, the way systemd-boot is built has been reworked completely.
Closing this issue for v254.
Regards,
Michael
--- End Message ---