[Bug 1574372] Re: sbsign crashes randomly
Anatoly Velizhanin
1574372 at bugs.launchpad.net
Fri Aug 13 02:32:01 UTC 2021
Hi.
I've tried to sign my EFI unified kernel stub, and UEFI didn't load it,
saying 'signature verification failed'. I've signed the image with a
different tool (osslsigncode) and it works now. It seems to be a bug in
sbsign. Also, verification using sbverify doesn't work for the properly
signed image which can be loaded by UEFI. The difference is in the hashes
the utilities calculate for such files (the screenshot is attached). To
reproduce the issue, you can take any manually created unified kernel
image (tutorial I used to create it:
https://wiki.archlinux.org/title/Systemd-boot#Preparing_a_unified_kernel_image)
and try signing it with both tools.
Maybe the problem is because there are some gaps in the image between
sections since it's been created like this:
$ objcopy \
--add-section .osrel="/usr/lib/os-release" --change-section-vma .osrel=0x20000 \
--add-section .cmdline="/etc/kernel/cmdline" --change-section-vma .cmdline=0x30000 \
--add-section .splash="/usr/share/systemd/bootctl/splash-arch.bmp" --change-section-vma .splash=0x40000 \
--add-section .linux="vmlinuz-file" --change-section-vma .linux=0x2000000 \
--add-section .initrd="initrd-file" --change-section-vma .initrd=0x3000000 \
"/usr/lib/systemd/boot/efi/linuxx64.efi.stub" "linux.efi"
However, anyway, the tool should work properly for any file...
Regards,
Anatoliy
** Attachment added: "pestudio_ZzHyi19A3x.png"
https://bugs.launchpad.net/ubuntu/+source/sbsigntool/+bug/1574372/+attachment/5517653/+files/pestudio_ZzHyi19A3x.png
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sbsigntool in Ubuntu.
https://bugs.launchpad.net/bugs/1574372
Title:
sbsign crashes randomly
Status in sbsigntool package in Ubuntu:
Fix Released
Bug description:
The sbsign program in Ubuntu 16.04 is segfaulting randomly:
root@gil:/home/ubuntu# /usr/bin/sbsign --key //etc/refind.d/keys/refind_local.key --cert //etc/refind.d/keys/refind_local.crt --output /tmp/refind_local/refind_x64.efi /usr/share/refind/refind/refind_x64.efi
warning: data remaining[204288 vs 227742]: gaps between PE/COFF sections?
warning: data remaining[204288 vs 227744]: gaps between PE/COFF sections?
warning: overwriting existing signature
Segmentation fault (core dumped)
root@gil:/home/ubuntu# /usr/bin/sbsign --key //etc/refind.d/keys/refind_local.key --cert //etc/refind.d/keys/refind_local.crt --output /tmp/refind_local/refind_x64.efi /usr/share/refind/refind/refind_x64.efi
warning: data remaining[204288 vs 227742]: gaps between PE/COFF sections?
warning: data remaining[204288 vs 227744]: gaps between PE/COFF sections?
root@gil:/home/ubuntu# /usr/bin/sbsign --key //etc/refind.d/keys/refind_local.key --cert //etc/refind.d/keys/refind_local.crt --output /tmp/refind_local/refind_x64.efi /usr/share/refind/refind/refind_x64.efi
warning: data remaining[204288 vs 227742]: gaps between PE/COFF sections?
warning: data remaining[204288 vs 227744]: gaps between PE/COFF sections?
root@gil:/home/ubuntu# /usr/bin/sbsign --key //etc/refind.d/keys/refind_local.key --cert //etc/refind.d/keys/refind_local.crt --output /tmp/refind_local/refind_x64.efi /usr/share/refind/refind/refind_x64.efi
warning: data remaining[204288 vs 227742]: gaps between PE/COFF sections?
warning: data remaining[204288 vs 227744]: gaps between PE/COFF sections?
root@gil:/home/ubuntu# /usr/bin/sbsign --key //etc/refind.d/keys/refind_local.key --cert //etc/refind.d/keys/refind_local.crt --output /tmp/refind_local/refind_x64.efi /usr/share/refind/refind/refind_x64.efi
warning: data remaining[204288 vs 227742]: gaps between PE/COFF sections?
warning: data remaining[204288 vs 227744]: gaps between PE/COFF sections?
warning: overwriting existing signature
Segmentation fault (core dumped)
Note that on two of those five runs, the program segfaulted. This
problem is new with Ubuntu 16.04; it did not occur with Ubuntu 16.04
or 15.10.
Here's my version information:
$ lsb_release -rd
Description: Ubuntu 16.04 LTS
Release: 16.04
$ apt-cache policy sbsigntool
sbsigntool:
  Installed: 0.6-0ubuntu10
  Candidate: 0.6-0ubuntu10
  Version table:
 *** 0.6-0ubuntu10 500
        500 http://nessus.rodsbooks.com/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status
I'm attaching a crash dump from /var/crash.
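
Added example (not from the bug report or from sbsigntool): both the comment about gaps between sections and sbsign's "gaps between PE/COFF sections?" warning concern bytes that lie outside the headers and the sections' raw data. This Python script lists such ranges in an image before it is signed; the function names and the constructed sample image are assumptions made for illustration, as is reading the warning as referring to this layout.

```python
import struct, sys

def pe_layout(data):
    """Return (SizeOfHeaders, sections sorted by file offset, certificate table size)."""
    pe, = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE/COFF image")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                         # optional header follows COFF header
    magic, size_of_headers = struct.unpack_from("<H58xI", data, opt)
    # Data directories start at +112 in PE32+ and +96 in PE32; entry 4 is the certificate table.
    dirs = opt + (112 if magic == 0x20B else 96)
    ndirs, cert_size = struct.unpack_from("<I36xI", data, dirs - 4)
    sections = []
    for i in range(nsec):
        ent = opt + opt_size + 40 * i                     # 40-byte section table entry
        name = data[ent:ent + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, ent + 16)
        if raw_size:                                      # skip sections with no file data
            sections.append((raw_ptr, raw_size, name))
    return size_of_headers, sorted(sections), cert_size if ndirs > 4 else 0

def uncovered_ranges(data):
    """List (offset, length, note) byte ranges outside headers and section raw data."""
    end, sections, cert_size = pe_layout(data)
    found = []
    for raw_ptr, raw_size, name in sections:
        if raw_ptr > end:
            found.append((end, raw_ptr - end, "gap before " + name))
        end = max(end, raw_ptr + raw_size)
    # Assumes the signature (certificate table), if any, sits at the end of the file.
    trailing = len(data) - cert_size - end
    if trailing > 0:
        found.append((end, trailing, "trailing data"))
    return found

def build_sample(gap):
    """Constructed PE32+ image: headers, .text, `gap` stray bytes, then .data."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I4sHH", hdr, 0x3C, 0x40, b"PE\0\0", 0x8664, 2)
    struct.pack_into("<HxxH58xI44xI", hdr, 0x54, 240, 0x20B, 0x200, 16)
    for i, (name, ptr) in enumerate([(b".text", 0x200), (b".data", 0x400 + gap)]):
        struct.pack_into("<8s8xII", hdr, 0x148 + 40 * i, name, 0x200, ptr)
    return bytes(hdr) + b"\x90" * 0x200 + b"\0" * gap + b"\x01" * 0x200

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(24)
    for off, length, note in uncovered_ranges(data):
        print(f"{off:#x}: {length} bytes, {note}")
```

Run it with the path of the image to be signed as the only argument; with no argument it reports on the constructed sample.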