Re: [PATCH] efi_loader: Fix section alignment on EFI binaries

Fri, 03 Jan 2025 12:21:10 -0800 

On 10.12.24 17:01, Ilias Apalodimas wrote:

When creating EFI binaries, the alignment of the text section isn't
correctly factored in. As a result trying to load signed EFI binaries
throws an error with:

efi_image_region_add() efi_image_region_add: new region already part of another
Image not authenticated


You are reporting here two different problems here:

* We create EFI binaries that sbsign does not want to sign and U-Boot
does not accept for secure boot.
* efi_image_region_add() creates a message that does not match the
situation.

Will you prepare a second patch for the latter?



Running the binary through sbverify has a similar warning
sbverify ./lib/efi_loader/helloworld.efi
warning: gap in section table:
     .text   : 0x00001000 - 0x00001c00,
     .data   : 0x00002000 - 0x00002200,
gaps in the section table may result in different checksums
warning: data remaining[7680 vs 12720]: gaps between PE/COFF sections?
.....

If we include the alignment in the text section, the signed binary boots
fine, and the relevant sbverify warning goes away
sbverify ./lib/efi_loader/helloworld.efi
warning: data remaining[8704 vs 12720]: gaps between PE/COFF sections?
.....


Does EDK II complain?



We should look into the remaining warning at some point as well
regarding the gaps between PE/COFF sections.

Signed-off-by: Ilias Apalodimas <ilias.apalodi...@linaro.org>
---
  arch/arm/lib/elf_aarch64_efi.lds | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/lib/elf_aarch64_efi.lds b/arch/arm/lib/elf_aarch64_efi.lds
index 5dd98091698c..e382254a6cf5 100644
--- a/arch/arm/lib/elf_aarch64_efi.lds
+++ b/arch/arm/lib/elf_aarch64_efi.lds
@@ -32,9 +32,9 @@ SECTIONS
        .rela.plt : { *(.rela.plt) }
        .rela.got : { *(.rela.got) }
        .rela.data : { *(.rela.data) *(.rela.data*) }
+       . = ALIGN(4096);


If we make this change, we should do so for all UEFI architectures!

Only OUTPUT_FORMAT and OUTPUT_ARCH need to be architecture specific in
the linker scripts. Can't we use an INCLUDE statement (cf.
https://sourceware.org/binutils/docs/ld/File-Commands.html)?

Of aarch64, arm, riscv32, riscv64 only the arm script differs heavily
for no good reason. We should get rid of this exception.

Best regards

Heinrich


        _etext = .;
        _text_size = . - _text;
-       . = ALIGN(4096);
        .data : {
                _data = .;
                *(.sdata)

Reply via email to