If one enrolls the Linux kernel by hash into db (for example using virt-fw-vars), Secure Boot fails with a security violation, as EDK2's computation of the Authenticode hash for the Linux binary doesn't match the enrolled hash.
This is reproducible in AWS VMs, as well as locally with EDK2 builds with Secure Boot.
Not affected: v6.17
Not affected: v6.17.3
Affected: v6.17.4
Affected: v6.18-rc1
Affected: v6.18-rc2
Suspected patches are:
$ git log --oneline v6.17.3..v6.17.4 -- scripts/
8e5e13c8df9e6 kbuild: Add '.rel.*' strip pattern for vmlinux
7b80f81ae3190 kbuild: Restore pattern to avoid stripping .rela.dyn from vmlinux
5b5cdb1fe434e kbuild: keep .modinfo section in vmlinux.unstripped
86f364ee58420 kbuild: always create intermediate vmlinux.unstripped
Reverting all of the above makes Secure Boot with the hash enrolled into db work again.
I will try to bisect this further to determine the culprit. It feels like the strip potentially didn't update section offsets or their numbers or something like that.
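Added illustration, not code from the report or from the kernel tree: the value a by-hash db entry is compared against is the PE Authenticode digest (the CheckSum field, the certificate-table directory entry and any attached certificate table are skipped, and sections are hashed in file-offset order), not the SHA-256 of the whole file, so `sha256sum bzImage` cannot be compared with the db entry. The Python below recomputes that digest; `build_pe` constructs a toy PE32+ image only so the example runs offline (a real check would read the bzImage from disk).

```python
import hashlib
import struct

def authenticode_sha256(pe: bytes) -> str:
    """SHA-256 Authenticode digest of a PE image (the value enrolled in db):
    skips the CheckSum field, the certificate-table directory entry and the
    attached certificate table; sections are hashed in PointerToRawData order."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    opt = e_lfanew + 24                                         # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]                # 0x10b PE32, 0x20b PE32+
    hdr_size = struct.unpack_from("<I", pe, opt + 60)[0]        # SizeOfHeaders
    csum = opt + 64                                             # CheckSum field offset
    certdir = opt + (96 if magic == 0x10B else 112) + 4 * 8     # security directory entry
    cert_size = struct.unpack_from("<I", pe, certdir + 4)[0]    # attached cert table size
    h = hashlib.sha256()
    h.update(pe[:csum] + pe[csum + 4:certdir] + pe[certdir + 8:hdr_size])
    hashed = hdr_size
    sects = opt + opt_size                                      # section table start
    raw = [struct.unpack_from("<II", pe, sects + i * 40 + 16) for i in range(nsect)]
    for size, ptr in sorted(raw, key=lambda s: s[1]):           # (SizeOfRawData, PointerToRawData)
        if size:
            h.update(pe[ptr:ptr + size])
            hashed += size
    if len(pe) > hashed:                                        # trailing data, minus certificates
        h.update(pe[hashed:len(pe) - cert_size])
    return h.hexdigest()

def build_pe(sections, checksum=0):
    """Constructed minimal PE32+ image for demonstration only (not a real kernel).
    `sections` is a list of (name, raw_bytes); headers occupy 0x200 bytes."""
    opt = bytearray(240)                                        # PE32+: 112 bytes + 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)                       # Magic
    struct.pack_into("<II", opt, 60, 0x200, checksum)           # SizeOfHeaders, CheckSum
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    hdr = bytearray(64)                                         # DOS header
    struct.pack_into("<I", hdr, 0x3C, 64)                       # e_lfanew
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22) + opt
    body, ptr = b"", 0x200
    for name, data in sections:
        size = -(-len(data) // 512) * 512                       # FileAlignment 512
        hdr += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(data), ptr, size, ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(size, b"\0")
        ptr += size
    return bytes(hdr.ljust(0x200, b"\0")) + body
```

Two images that differ only in the CheckSum field hash identically, while any change to section headers, offsets or contents changes the digest, which is the class of difference a strip step can introduce.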
On Tue, Oct 21, 2025 at 03:00:56PM +0100, Dimitri John Ledkov wrote:
> If one enrolls the Linux kernel by hash into db (for example using virt-fw-vars), Secure Boot fails with a security violation, as EDK2's computation of the Authenticode hash for the Linux binary doesn't match the enrolled hash.
> This is reproducible in AWS VMs, as well as locally with EDK2 builds with Secure Boot.
> Not affected: v6.17
> Not affected: v6.17.3
> Affected: v6.17.4
> Affected: v6.18-rc1
> Affected: v6.18-rc2
great, we are bug compatible :)
Once this is fixed in Linus's tree, we will be glad to take the fix into the stable branch.
thanks,
greg k-h
+ Nicolas and Alexey just for visibility
On Tue, Oct 21, 2025 at 03:00:56PM +0100, Dimitri John Ledkov wrote:
> If one enrolls the Linux kernel by hash into db (for example using virt-fw-vars), Secure Boot fails with a security violation, as EDK2's computation of the Authenticode hash for the Linux binary doesn't match the enrolled hash.
> This is reproducible in AWS VMs, as well as locally with EDK2 builds with Secure Boot.
> Not affected: v6.17
> Not affected: v6.17.3
> Affected: v6.17.4
> Affected: v6.18-rc1
> Affected: v6.18-rc2
> Suspected patches are:
> $ git log --oneline v6.17.3..v6.17.4 -- scripts/
> 8e5e13c8df9e6 kbuild: Add '.rel.*' strip pattern for vmlinux
> 7b80f81ae3190 kbuild: Restore pattern to avoid stripping .rela.dyn from vmlinux
> 5b5cdb1fe434e kbuild: keep .modinfo section in vmlinux.unstripped
> 86f364ee58420 kbuild: always create intermediate vmlinux.unstripped
> Reverting all of the above makes Secure Boot with the hash enrolled into db work again.
> I will try to bisect this further to determine the culprit. It feels like the strip potentially didn't update section offsets or their numbers or something like that.
A bisect would definitely help since the first sentence of this message is almost complete gibberish to me :) Is this a part of the build process somewhere or does this happen after vmlinux is produced?
Cheers, Nathan
linux-stable-mirror@lists.linaro.org