On Wed, 2023-02-01 at 12:51 -0500, Jason A. Donenfeld wrote: > It's not a secret, but I have so little internet right now that I > can't even load a webpage, and I'm on my phone, hence the short > HTMLified emails. > > In brief, though, it gets rid of all modifications to the kernel > image all together, so it should fix your issue.
We've already tested it and established it doesn't because you simply added your rng data to the end of a different integrity protected file which now fails the integrity check instead of the kernel. I checked the kernel source as well; I thought you'd have done the usual thing and bumped the boot protocol version to steal space in __pad9, but you didn't apparently. To fix this up after the fact, I recommend that we still steal space in _pad9[] but we make it have enough space for a setup_data header as well as the 32 random bytes, so we've officially reserved the space, but in earlier kernels than this change gets to you can still use the setup_data_offset method, except that it now uses the empty space in _pad9 via the setup_data mechanism. That should find you space and get you out of having to expand any integrity protected files. The SEV direct boot will still work because there's a check further down that doesn't copy the modified header back over the kernel because it is ignored on efi stub boot anyway. James
