vathpela
commented
1 year ago Yikes! Thanks for the heads up, I'll check it out in the morning.
Closed iokomin closed 1 year ago
vathpela
commented
1 year ago Yikes! Thanks for the heads up, I'll check it out in the morning.
vathpela
commented
1 year ago This should be remedied by #535 .
iokomin
commented
1 year ago @vathpela the fix is a straightforward and indeed addresses older binutils issue, thanks for it! Built shim with the patch using ol7 binutils version - confirm that .sbatlevel section looks fine now, sanity testing for revocation scenarios also passed.
Commit https://github.com/rhboot/shim/commit/0eb07e11b20680200d3ce9c5bc59299121a75388 introduced compatibility issue with binutils versions prior to 2.36. Shim built with older versions might not handle sbat policy properly.
Evaluation: .sbatlevel section data composed from strings using .asciz asm directive:
https://github.com/rhboot/shim/blob/11491619f4336fef41c3519877ba242161763580/sbat_var.S#L16-L20
Strings provided as macro and as a result treated as a list of string literals. binutils versions <= 2.35 adds zero byte after each string literal from the macro. For binutils-2.30-117.0.3.el8.x86_64 on Oracle Linux 8, observed section output for cmd
$ objdump -s -j .sbatlevel shimx64.efi:Expected output:
Intended behavior for these .asciz directives - for multiple string arguments not separated by commas to be concatenated together and only one final zero byte to be stored. This feature/fix apparently introduced in binutils v2.36, see commit https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=3d955acb36f483c05724181da5ffba46b1303c43
@vathpela it may affect rhel7 submission https://github.com/rhboot/shim-review/issues/293 please check.