It appears that the CheckSum header is set to zeros in the initial unsigned vmlinuz binary build, computed to some value in the signed binary by sbsign, and later computed and updated again by the sbattach --detach tool.
My question is who is wrong, and what is best to update?
Should sbattach --remove reset CheckSum field to zero?
Should upstream linux kernel build produce vmlinuz with a correct CheckSum instead of zeros? (or is it binutils?)
Should Ubuntu itself roundtrip upstream linux kernel through sbsign/sbattach --remove to get valid CheckSum field in our unsigned kernels to make them roundtrip safe?
What do other build systems do? And what do other signing tools do?
Looking at Ubuntu unsigned grub builds they have CheckSum zero.
Using pesign to strip signature it seems to calculate the updated CheckSum as well.
Note that pesign seems to calculate the checksum differently from the one that sbattach calculates after removing the signature.
Is this yet another spec ambiguity, meaning the CheckSum of unsigned binaries is underdefined, and calculated differently by different things, and thus should be ignored?
I feel like proposing for sbattach --remove and pesign --remove-signature to reset CheckSum to zero if no signatures are present, such that one can get back the same binaries as the ones submitted for signing at the end of the build. What does everyone else think?
I will change Ubuntu sbattach --remove to reset checksum to zero after removing all signatures, to ensure that sbsign & sbattach --remove are round-trip safe.
Currently in Ubuntu we use sbsigntool sbsign & sbattach --attach / --detach to sign EFI binaries, add/remove signatures.
Unfortunately, currently sbsign, sbattach --detach is not roundtrip safe.