If one enrolls the Linux kernel by hash into db (for example using virt-fw-vars), Secure Boot fails with a security violation because EDK2's Authenticode hash computation for the Linux binary doesn't match the enrolled hash.
This is reproducible in AWS VMs, as well as locally with EDK2 builds with Secure Boot enabled.
Not affected: v6.17
Not affected: v6.17.3
Affected:     v6.17.4
Affected:     v6.18-rc1
Affected:     v6.18-rc2
Suspected patches are:
$ git log --oneline v6.17.3..v6.17.4 -- scripts/
8e5e13c8df9e6 kbuild: Add '.rel.*' strip pattern for vmlinux
7b80f81ae3190 kbuild: Restore pattern to avoid stripping .rela.dyn from vmlinux
5b5cdb1fe434e kbuild: keep .modinfo section in vmlinux.unstripped
86f364ee58420 kbuild: always create intermediate vmlinux.unstripped

Reverting all of the above makes Secure Boot with a by-hash entry enrolled into db work again.
I will try to bisect this further to determine the culprit. It feels like the strip potentially didn't update section offsets or their numbers, or something like that.
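A by-hash db entry is compared against the Authenticode image hash of the PE, not against a plain hash of the file, and the PE section table decides which bytes go into that hash. The Python below is an added example (not part of this report or of any of the tools named in it) that computes the hash following the Authenticode PE specification: headers minus the CheckSum field and the certificate-table directory entry, each section's raw data in PointerToRawData order, then any bytes outside every section; sample_pe builds a constructed PE32+ stand-in so it can be checked offline.

```python
import hashlib
import struct

def authenticode_hash(data: bytes, algo: str = "sha256") -> bytes:
    """Authenticode image hash, as UEFI firmware computes it for a by-hash db
    entry: headers minus the CheckSum field and the certificate-table directory
    entry, each section's raw data in file-offset order, then any trailing bytes
    that are not the signature table."""
    h = hashlib.new(algo)
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)  # COFF header
    opt = pe_off + 24                                          # optional header start
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    checksum_off = opt + 64
    certdir_off = opt + (144 if pe32plus else 128)             # data directory [4]
    cert_len = struct.unpack_from("<II", data, certdir_off)[1]
    h.update(data[:checksum_off])                              # skip CheckSum ...
    h.update(data[checksum_off + 4:certdir_off])               # ... and cert entry
    h.update(data[certdir_off + 8:size_of_headers])
    hashed = size_of_headers
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i + 16      # SizeOfRawData, PointerToRawData
        raw_size, raw_ptr = struct.unpack_from("<II", data, off)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):                 # by file offset
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    if len(data) > hashed:                       # bytes no section covers
        h.update(data[hashed:len(data) - cert_len])
    return h.digest()

def sample_pe(checksum=0, cert=b"", text=b"T" * 64, tail=b"x" * 16) -> bytes:
    """Constructed two-section PE32+ image (not a kernel) for offline checks."""
    dos = bytearray(64)
    dos[:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 64)    # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<II", opt, 60, 512, checksum)            # SizeOfHeaders, CheckSum
    struct.pack_into("<II", opt, 144, 640 + len(tail) if cert else 0, len(cert))
    def sec(name, rva, ptr):                                   # 40-byte section header
        return struct.pack("<8sIIIIIIHHI", name, 64, rva, 64, ptr, 0, 0, 0, 0, 0)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    hdr += sec(b".data", 0x2000, 576) + sec(b".text", 0x1000, 512)  # listed out of order
    return hdr.ljust(512, b"\0") + text + b"D" * 64 + tail + cert
```

Running authenticode_hash over the kernel image and comparing with the enrolled value (and with what the enrollment tool computed) shows whether the two sides even agree on the hash input; since the section headers alone decide which bytes are covered, a header that is inconsistent with the file layout changes the result without changing any section contents.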