rhboot / shim

UEFI shim loader

How does shim compute SHA256 hashes? #557

Open russfink opened 1 year ago

russfink commented 1 year ago

More a question than an issue. I'm trying to enroll a hash of my unified kernel EFI image (UKI) into MOK. The hash that the MOK screen computes is different from any SHA256 I can compute myself - I've tried sha256sum'ing the EFI image, pesign -h the image, appending an iconv -t UCS-2 copy of the password in a file and catting that before/after the EFI image, but I cannot get the hashes to match.

Is there some way to compute this sha256 hash without running through manual MOK hash enrollment, then using mokutil to capture what it produced?

(The bigger issue that I'm trying to work around is that shim does not seem to let my UKI boot. I've signed the internal vmlinuz and the external EFI, but it shows my splash screen then gives "Bootloader has not verified loaded image. System is compromised. halting." I am using the hash as a workaround to this issue. If you have any tips on making that work, that's probably what I need. Even if I could see some debug output, that would be grand.)

Thanks for your advice - I'm grateful to have this shim tool.

julian-klode commented 1 year ago

Read the source code for pe.c, function generate_hash().

Specifically it skips

in the header, then it hashes each section in order

and then it is done.

julian-klode commented 1 year ago

FWIW, this is the same hash as generated by pesign:

[key 2]
  [SHA-256]
  96a5f3df19d44c12dd30dbefc84f498faced9ca7e136e7261066e536f0a14d57
jak@jak-t14-g3:~/Projects/Ubuntu/shim:master$ sudo pesign --hash  -i /boot/efi/EFI/ubuntu/grubx64.efi  -o /dev/stdout
hash: 96a5f3df19d44c12dd30dbefc84f498faced9ca7e136e7261066e536f0a14d57

with the caveat IIUC (taken from https://github.com/Foxboron/sbctl/issues/85) that pesign does not hash the file correctly if it doesn't have any signatures.
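The hashing rules described in the two comments above, as an added worked example in Python (not code from shim or pesign). It implements the PE/COFF Authenticode image hash that shim's generate_hash() and pesign --hash both compute: the headers are hashed with the CheckSum field and the Certificate Table data directory entry left out, then each section's raw data in file-offset order, then any trailing data except the attribute certificate table itself. build_test_pe() and fake_cert_table() are assumptions of this example: they build a synthetic PE32+ image (not a real bootloader) so the script runs offline and shows that signing the image, or changing its CheckSum, leaves the hash unchanged while a single changed byte in a section does not. Run it with a path argument to hash a real image.

```python
"""Authenticode-style PE image hash: the value shim's generate_hash() (pe.c)
compares against MOK/db hash entries and that `pesign --hash` prints.

Added example, not code from shim or pesign. build_test_pe() and
fake_cert_table() are constructed test helpers, not real signing tooling.
"""
import hashlib
import struct
import sys

CERT_TABLE_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY


def authenticode_hash(data: bytes, algo: str = "sha256") -> str:
    """Return the hex Authenticode digest of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    size_opt = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24                      # start of the optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                     # PE32
        ndirs_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:                   # PE32+
        ndirs_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", data, ndirs_off)[0] <= CERT_TABLE_INDEX:
        raise ValueError("image has no Certificate Table directory entry")
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    checksum_off = opt + 64                # same offset for PE32 and PE32+
    certdir_off = dd_off + CERT_TABLE_INDEX * 8
    cert_size = struct.unpack_from("<II", data, certdir_off)[1]

    h = hashlib.new(algo)
    # Headers: everything except CheckSum and the Certificate Table entry.
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:certdir_off])
    h.update(data[certdir_off + 8:size_of_headers])
    hashed = size_of_headers

    # Sections: raw data of each, ordered by file offset, empty ones skipped.
    sec_tab = opt + size_opt
    sections = []
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_tab + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size

    # Trailer: anything after the last section except the certificate table.
    if len(data) > hashed:
        extra = len(data) - hashed - cert_size
        if extra < 0:
            raise ValueError("certificate table larger than trailing data")
        h.update(data[hashed:hashed + extra])
    return h.hexdigest()


def plain_sha256(data: bytes) -> str:
    """What `sha256sum` prints: the whole file, nothing skipped."""
    return hashlib.sha256(data).hexdigest()


def fake_cert_table(sig: bytes) -> bytes:
    """WIN_CERTIFICATE wrapper around constructed bytes (not a real PKCS#7
    signature); only its size matters for the hash."""
    body = struct.pack("<IHH", 8 + len(sig), 0x0200, 0x0002) + sig
    return body + b"\0" * (-len(body) % 8)


def build_test_pe(sections, checksum=0, cert_blob=b"") -> bytes:
    """Synthetic PE32+ image: 512-byte headers, one 512-aligned raw block per
    (name, payload) section, optional certificate table appended at the end."""
    file_align = 512
    pad = lambda b: b + b"\0" * (-len(b) % file_align)
    sec_hdrs, bodies, raw_ptr, rva = b"", b"", file_align, 0x1000
    for name, payload in sections:
        body = pad(payload)
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(payload), rva,
                                len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
        bodies, raw_ptr, rva = bodies + body, raw_ptr + len(body), rva + 0x1000
    opt = bytearray(240)                   # PE32+ header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<II", opt, 32, 0x1000, file_align)   # Section/FileAlignment
    struct.pack_into("<II", opt, 56, rva, file_align)      # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)
    struct.pack_into("<H", opt, 68, 10)                    # EFI application subsystem
    struct.pack_into("<I", opt, 108, 16)                   # NumberOfRvaAndSizes
    if cert_blob:                          # entry 4 points at the appended table
        struct.pack_into("<II", opt, 112 + CERT_TABLE_INDEX * 8, raw_ptr, len(cert_blob))
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    return pad(bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdrs) + bodies + cert_blob


if __name__ == "__main__":
    if len(sys.argv) == 2:                 # e.g. /boot/efi/EFI/ubuntu/grubx64.efi
        with open(sys.argv[1], "rb") as f:
            print("hash:", authenticode_hash(f.read()))
    else:
        secs = [(b".text", b"\x90" * 100), (b".data", b"constructed payload")]
        unsigned = build_test_pe(secs)
        signed = build_test_pe(secs, checksum=0x1234, cert_blob=fake_cert_table(b"\xAA" * 37))
        print("unsigned :", authenticode_hash(unsigned))
        print("signed   :", authenticode_hash(signed))
        print("sha256sum:", plain_sha256(unsigned))
```

Because the hash covers the section contents but not the signature, the same value is obtained for a signed and an unsigned copy of the same image, which is why a hash enrolled in MOK keeps working after the file is signed. A plain sha256sum of the file never matches, since it includes the CheckSum, the directory entry and any appended certificate table.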

julian-klode commented 1 year ago

For loading a UKI directly (or chainloading shims), you need to disable the ExitBootServices check - build shim with DISABLE_EBS_PROTECTION=1, otherwise you need to load your UKIs through a compliant boot loader.