[Bug 2044606] [NEW] Reset Checksum upon removing all signatures
Dimitri John Ledkov
2044606 at bugs.launchpad.net
Sat Nov 25 15:20:40 UTC 2023
Public bug reported:
When compiling grub, shim, kernels the unsigned binaries are typically
produced with a checksum set to zero in PE header.
The checksum is updated upon signing.
To ensure signing a binary, and removing signatures from it, is round
trip safe - one needs to zero out the checksum.
Otherwise it is difficult to prove that signing/unsigned/kernel.efi
builds of the kernel are the same, which leads to different hmacs of it,
as has been highlighted during FIPS certification.
Upstream shim was notified about this at
https://github.com/rhboot/shim/issues/612
** Affects: sbsigntool (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sbsigntool in Ubuntu.
https://bugs.launchpad.net/bugs/2044606
Title:
Reset Checksum upon removing all signatures
Status in sbsigntool package in Ubuntu:
New
Bug description:
When compiling grub, shim, kernels the unsigned binaries are typically
produced with a checksum set to zero in PE header.
The checksum is updated upon signing.
To ensure signing a binary, and removing signatures from it, is round
trip safe - one needs to zero out the checksum.
Otherwise it is difficult to prove that signing/unsigned/kernel.efi
builds of the kernel are the same, which leads to different hmacs of
it, as has been highlighted during FIPS certification.
Upstream shim was notified about this at
https://github.com/rhboot/shim/issues/612
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sbsigntool/+bug/2044606/+subscriptions
More information about the foundations-bugs
mailing list