sbsigntool fix (was Re: [PATCH] Fix PE/COFF checksum calculation)

James Bottomley James.Bottomley at HansenPartnership.com
Fri Jul 26 23:23:57 BST 2019


On Thu, 2019-06-13 at 16:57 +0100, Steve McIntyre wrote:
> On Thu, Jun 13, 2019 at 08:54:21AM -0700, James Bottomley wrote:
> > On Thu, 2019-06-13 at 13:53 +0100, Steve McIntyre wrote:
> > > Sharing with others too. No idea if James is having mail problems
> > > or something...
> > 
> > Sorry, no, sbsigntool has been somewhat low on my list of things to
> > look after for a while (I was hoping after engine support it would
> > just be complete).
> > 
> > Let me actually dust off the git tree and have a look at the
> > problem.
> 
> ACK, thanks!

OK, I looked at this but there's no way of checking or validating the
change: the PECOFF checksum value is defined helpfully as 'whatever
comes out of IMAGEHLP.DLL'.  For EFI binaries this means it could be
any random number and we never check it, so originally we did just that
(or more accurately assigned it to zero).  Steve Langasek later patched
the tools to an algorithm he claimed he'd verified with IMAGEHLP.DLL,
in this commit:

commit be1f3d8350c6d86fa5fd36bd22c94bf86e106dbb
Author: Steve Langasek <steve.langasek at canonical.com>
Date:   Wed Jan 27 11:06:02 2016 -0800

    Update the PE checksum field using the somewhat-underdocumented
    algorithm, so that we match the Microsoft implementation in our
    signature generation.
 
You're saying what he did was wrong and thus shouldn't have matched the
Microsoft tools.  How have you verified this?

James
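
The question in this message is how a value for the optional header's CheckSum field can be checked. As an added example (not sbsigntool's code and not part of the original message), the C below locates the field, recomputes it, and compares it with the stored value. The algorithm (16-bit sum with end-around carry, the field itself read as zero, file length added) is the commonly described one and is an assumption here, not validated against the Microsoft DLL; all function names and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* File offset of OptionalHeader.CheckSum, or 0 if buf is not a usable PE image. */
size_t pe_checksum_offset(const uint8_t *buf, size_t len) {
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z')
        return 0;
    size_t pe = rd32(buf + 0x3c);            /* e_lfanew */
    if ((pe & 1) || pe > len || len - pe < 92 || memcmp(buf + pe, "PE\0\0", 4))
        return 0;                            /* this example only handles even offsets */
    return pe + 4 + 20 + 64;                 /* signature + COFF header + 64 (PE32 and PE32+) */
}

/* 16-bit sum with end-around carry, CheckSum field read as zero, plus file length. */
uint32_t pe_checksum(const uint8_t *buf, size_t len, size_t csum_off) {
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i += 2) {
        if (i == csum_off || i == csum_off + 2)
            continue;                        /* skip both halves of the field */
        sum += buf[i] | (i + 1 < len ? (uint32_t)buf[i + 1] << 8 : 0u); /* zero-pad odd tail */
        sum = (sum & 0xffff) + (sum >> 16);  /* fold the carry back in */
    }
    return sum + (uint32_t)len;
}

/* 1 = stored value matches, 0 = mismatch, -1 = not a PE image. */
int pe_checksum_verify(const uint8_t *buf, size_t len) {
    size_t off = pe_checksum_offset(buf, len);
    return off ? rd32(buf + off) == pe_checksum(buf, len, off) : -1;
}

/* Constructed 161-byte header stub (not a loadable binary); b must hold 161 bytes. */
size_t make_sample(uint8_t *b) {
    memset(b, 0, 161);
    memcpy(b, "MZ", 2);
    b[0x3c] = 0x40;                          /* e_lfanew */
    memcpy(b + 0x40, "PE\0\0\x64\x86", 6);   /* signature, Machine */
    memcpy(b + 0x58, "\x0b\x02", 2);         /* optional header magic (PE32+) */
    b[160] = 0xff;                           /* odd trailing byte */
    return 161;
}

int main(void) {
    uint8_t img[161];
    printf("stored field matches: %d\n", pe_checksum_verify(img, make_sample(img)));
    return 0;
}
```

Agreement between this routine and a signing tool shows only that both implement the same description; it does not show that either matches the reference DLL.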



