
Re: [PATCH v3] xen: Strip xen.efi by default


  • To: Jan Beulich <jbeulich@xxxxxxxx>, Frediano Ziglio <freddy77@xxxxxxxxx>
  • From: Demi Marie Obenour <demiobenour@xxxxxxxxx>
  • Date: Thu, 6 Nov 2025 05:40:59 -0500
  • Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, Frediano Ziglio <frediano.ziglio@xxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Thu, 06 Nov 2025 10:41:13 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 11/6/25 05:28, Jan Beulich wrote:
> On 06.11.2025 10:58, Frediano Ziglio wrote:
>> On Thu, 6 Nov 2025 at 03:52, Demi Marie Obenour <demiobenour@xxxxxxxxx> wrote:
>>> Does objdump on the signed file return correct section names?
>>
>> From objdump -x
>>
>> Sections:
>> Idx Name          Size      VMA               LMA               File off  Algn
>>   0 .text         0016c9ae  ffff82d040200000  ffff82d040200000  00000320  2**4
>>                   CONTENTS, ALLOC, LOAD, READONLY, CODE
>>   1 .rodata       0006b9e8  ffff82d040400000  ffff82d040400000  0016cce0  2**2
>>                   CONTENTS, ALLOC, LOAD, DATA
>>   2 .buildid      00000035  ffff82d04046c000  ffff82d04046c000  001d86e0  2**2
>>                   CONTENTS, ALLOC, LOAD, READONLY, DATA
>>   3 .init.text    0004d123  ffff82d040600000  ffff82d040600000  001d8720  2**2
>>                   CONTENTS, ALLOC, LOAD, READONLY, CODE
>>   4 .init.data    0006c9b0  ffff82d040800000  ffff82d040800000  00225860  2**2
>>                   CONTENTS, ALLOC, LOAD, DATA
>>   5 .data.read_mostly 00028da8  ffff82d040a00000  ffff82d040a00000  00292220  2**4
>>                   CONTENTS, ALLOC, LOAD, DATA
>>   6 .data         0000feec  ffff82d040a29000  ffff82d040a29000  002bafe0  2**4
>>                   CONTENTS, ALLOC, LOAD, DATA
>>   7 .bss          00223108  ffff82d040a39000  ffff82d040a39000  00000000  2**4
>>                   ALLOC
>>   8 .reloc        000016b8  ffff82d040c5d000  ffff82d040c5d000  002caee0  2**2
>>                   CONTENTS, ALLOC, LOAD, READONLY, DATA
>>   9 .sbat         000000a6  ffff82d040c5f000  ffff82d040c5f000  002cc5a0  2**2
>>                   CONTENTS, READONLY
>>
>> Which looks correct.
>>
>> From hexdump -C I can see close to the end
>>
>> ...
>> 002cc580  30 ae 38 ae 60 ae 00 00  00 80 a3 00 10 00 00 00  |0.8.`...........|
>> 002cc590  a0 ae c0 ae e0 ae 00 00  00 00 00 00 00 00 00 00  |................|
>> 002cc5a0  73 62 61 74 2c 31 2c 53  42 41 54 20 56 65 72 73  |sbat,1,SBAT Vers|
>> 002cc5b0  69 6f 6e 2c 73 62 61 74  2c 31 2c 68 74 74 70 73  |ion,sbat,1,https|
>> 002cc5c0  3a 2f 2f 67 69 74 68 75  62 2e 63 6f 6d 2f 72 68  |://github.com/rh|
>> 002cc5d0  62 6f 6f 74 2f 73 68 69  6d 2f 62 6c 6f 62 2f 6d  |boot/shim/blob/m|
>> 002cc5e0  61 69 6e 2f 53 42 41 54  2e 6d 64 0a 78 65 6e 2e  |ain/SBAT.md.xen.|
>> 002cc5f0  78 73 2c 31 2c 43 6c 6f  75 64 20 53 6f 66 74 77  |xs,1,Cloud Softw|
>> 002cc600  61 72 65 20 47 72 6f 75  70 2c 78 65 6e 2c 34 2e  |are Group,xen,4.|
>> 002cc610  32 30 2e 31 2d 37 2e 32  32 2e 67 33 65 30 36 37  |20.1-7.22.g3e067|
>> 002cc620  32 36 62 2e 78 73 39 2c  6d 61 69 6c 74 6f 3a 73  |26b.xs9,mailto:s|
>> 002cc630  65 63 75 72 69 74 79 40  78 65 6e 73 65 72 76 65  |ecurity@xenserve|
>> 002cc640  72 2e 63 6f 6d 0a 00 00  00 00 00 00 00 00 00 00  |r.com...........|
>> 002cc650  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
>> 002cc660  2c 00 00 00 2e 69 6e 69  74 2e 74 65 78 74 00 2e  |,....init.text..|
>> 002cc670  69 6e 69 74 2e 64 61 74  61 00 2e 64 61 74 61 2e  |init.data..data.|
>> 002cc680  72 65 61 64 5f 6d 6f 73  74 6c 79 00 00 00 00 00  |read_mostly.....|
>> 002cc690  9e 05 00 00 00 02 02 00  30 82 05 92 06 09 2a 86  |........0.....*.|
>> 002cc6a0  48 86 f7 0d 01 07 02 a0  82 05 83 30 82 05 7f 02  |H..........0....|
>> 002cc6b0  01 01 31 0f 30 0d 06 09  60 86 48 01 65 03 04 02  |..1.0...`.H.e...|
>> 002cc6c0  01 05 00 30 5c 06 0a 2b  06 01 04 01 82 37 02 01  |...0\..+.....7..|
>> 002cc6d0  04 a0 4e 30 4c 30 17 06  0a 2b 06 01 04 01 82 37  |..N0L0...+.....7|
>> 002cc6e0  02 01 0f 30 09 03 01 00  a0 04 a2 02 80 00 30 31  |...0..........01|
>> 002cc6f0  30 0d 06 09 60 86 48 01  65 03 04 02 01 05 00 04  |0...`.H.e.......|
>> 002cc700  20 e2 47 64 f8 e8 7b 62  eb 17 e0 13 0a 0d 93 02  | .Gd..{b........|
>> 002cc710  7a d8 3b f0 20 a8 ee 3d  49 98 3f de c1 47 de 15  |z.;. ..=I.?..G..|
>> 002cc720  43 a0 82 03 2c 30 82 03  28 30 82 02 10 a0 03 02  |C...,0..(0......|
>> 002cc730  01 02 02 11 00 8f fc 11  bf 41 54 40 74 89 2c 53  |.........AT@t.,S|
>> 002cc740  a5 78 c1 e8 32 30 0d 06  09 2a 86 48 86 f7 0d 01  |.x..20...*.H....|
>> 002cc750  01 0b 05 00 30 1c 31 1a  30 18 06 03 55 04 03 13  |....0.1.0...U...|
>> 002cc760  11 58 65 6e 53 65 72 76  65 72 20 58 65 6e 20 64  |.XenServer Xen d|
>> 002cc770  65 76 30 1e 17 0d 32 35  30 33 32 30 31 36 35 35  |ev0...2503201655|
>> 002cc780  30 37 5a 17 0d 33 37 30  31 31 39 30 33 31 34 30  |07Z..37011903140|
>> 002cc790  37 5a 30 1c 31 1a 30 18  06 03 55 04 03 13 11 58  |7Z0.1.0...U....X|
>> 002cc7a0  65 6e 53 65 72 76 65 72  20 58 65 6e 20 64 65 76  |enServer Xen dev|
>> ...
>>
>> So, this confirms that the string table is there to support larger
>> section names and the signature is there and it's working.
> 
> But is it going to work on all EFI implementations, or merely the one you tried?
> Of course it would help if Demi could give more concrete pointers to (possible)
> implementations where there might be (known? suspected?) issues.
> 
> Jan

I misread the PE hashing code in EDK2.  I assumed it mishandled the case where
there is data *between* the sections and the signature, but it actually mishandles
the case where there is data *after* the signature.  I'll file an EDK2 PR to
reject such images on the grounds that they could never have worked.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
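The two mechanisms the thread turns on can both be checked with a short parser: the COFF string table that carries section names longer than 8 bytes (the run `,....init.text..init.data..data.read_mostly` in the hexdump above is exactly that table: a 4-byte length of 0x2c followed by NUL-terminated names, referenced from section headers whose name field reads `/offset`), and the Authenticode rule for which bytes of the file a verifier hashes before comparing against the signature. The script below is an added example written for this page; it is not Xen, EDK2 or XenServer code. It builds a constructed PE32+ image in memory (toy FileAlignment of 32, zeroed fields the digest does not depend on, and a WIN_CERTIFICATE whose payload is only the PKCS#7 ContentInfo prefix seen in the hexdump, not a real signature), resolves `/NNN` section names through the string table, and computes the Authenticode digest by the steps I understand the Microsoft Authenticode PE specification to prescribe: CheckSum, the Security data-directory entry and the certificate table itself are skipped, sections are hashed in file-offset order, and any bytes between the last section and the certificate table are appended. Refusing an image that has bytes *after* the certificate table is this example's choice, mirroring the proposal in the reply above, not a rule quoted from the specification; the field offsets and constants are from the PE/COFF and Authenticode documents as I recall them and should be checked against them before the values are relied on.

```python
# Added example, not Xen, EDK2 or XenServer code; offsets follow the PE/COFF and Authenticode specs.
import hashlib
import struct

SECURITY_DIR = 4                           # IMAGE_DIRECTORY_ENTRY_SECURITY
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def section_name(raw: bytes, data: bytes, strtab: int) -> str:
    """8-byte name, or "/NNN" = decimal offset into the COFF string table."""
    name = raw.rstrip(b"\0")
    if not name.startswith(b"/"):
        return name.decode()
    if not strtab:
        raise ValueError("long section name but no string table")
    start = strtab + int(name[1:])
    return data[start:data.index(b"\0", start)].decode()


def parse_pe(data: bytes) -> dict:
    """Offsets a verifier needs: optional header, directories, sections, cert table."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsect, _, symtab, nsyms, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24                                       # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + {PE32_MAGIC: 96, PE32PLUS_MAGIC: 112}[magic]   # directories; KeyError if unknown
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    # The Security entry holds a file offset (not an RVA) and a byte size.
    cert_off, cert_size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    if cert_off + cert_size > len(data):
        raise ValueError("certificate table runs past end of file")
    strtab = symtab + 18 * nsyms if symtab else 0          # string table follows the symbols
    sections = []
    for hdr in range(opt + opt_size, opt + opt_size + 40 * nsect, 40):
        _, _, raw_size, raw_off = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append({"name": section_name(data[hdr:hdr + 8], data, strtab),
                         "raw_off": raw_off, "raw_size": raw_size})
    return {"opt": opt, "dirs": dirs, "size_of_headers": size_of_headers,
            "sections": sections, "cert": (cert_off, cert_size)}


def authenticode_digest(data: bytes, algo: str = "sha256"):
    """Hash all but CheckSum, the Security entry and the certificate table, sections in
    file order, then bytes between the last section and the table (spec rule); bytes
    after the table are refused, this example's choice.  Returns (hexdigest, extra)."""
    pe = parse_pe(data)
    h = hashlib.new(algo)
    checksum_off, secdir_off = pe["opt"] + 64, pe["dirs"] + 8 * SECURITY_DIR
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:secdir_off])
    h.update(data[secdir_off + 8:pe["size_of_headers"]])
    hashed = pe["size_of_headers"]                          # SUM_OF_BYTES_HASHED
    for s in sorted(pe["sections"], key=lambda s: s["raw_off"]):
        h.update(data[s["raw_off"]:s["raw_off"] + s["raw_size"]])
        hashed += s["raw_size"]
    cert_off, cert_size = pe["cert"]
    if cert_size and cert_off < hashed:
        raise ValueError("certificate table overlaps the hashed region")
    if cert_size and cert_off + cert_size < len(data):
        raise ValueError("data after the certificate table")
    extra = len(data) - cert_size - hashed
    if extra > 0:
        h.update(data[hashed:hashed + extra])
    return h.hexdigest(), extra


def build_image(sections, cert: bytes, gap: bytes = b"", trailing: bytes = b"") -> bytes:
    """Constructed PE32+ (not bootable): long names via the string table, `gap` before
    the WIN_CERTIFICATE, `trailing` after it.  FileAlignment 32 and zero fields are toy values."""
    opt_size, pe_off, opt = 240, 64, 88                     # PE32+ with 16 directories
    strtab_off = opt + opt_size + 40 * len(sections)
    names, strtab = [], b""
    for name, _ in sections:                                # >8 bytes -> "/offset"
        names.append(name.encode() if len(name) <= 8 else b"/%d" % (4 + len(strtab)))
        strtab += name.encode() + b"\0" if len(name) > 8 else b""
    strtab = struct.pack("<I", 4 + len(strtab)) + strtab
    size_of_headers = -(-(strtab_off + len(strtab)) // 512) * 512
    hdrs, body, file_off, rva = b"", b"", size_of_headers, 0x1000
    for raw_name, (_, content) in zip(names, sections):
        raw_size = -(-len(content) // 32) * 32
        hdrs += raw_name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(content), rva, raw_size, file_off, 0, 0, 0, 0, 0x60000020)
        body += content.ljust(raw_size, b"\0")
        file_off, rva = file_off + raw_size, rva + 0x1000
    # WIN_CERTIFICATE: dwLength, wRevision 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA
    win_cert = struct.pack("<IHH", 8 + len(cert), 0x0200, 0x0002) + cert
    dirs = [(0, 0)] * SECURITY_DIR + [(file_off + len(gap), len(win_cert))] + [(0, 0)] * 11
    opt_hdr = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", PE32PLUS_MAGIC, 0, 0, 0, 0, 0,
                          0x1000, 0x1000, 0x140000000, 0x1000, 32, 0, 0, 0, 0, 0, 0, 0, rva,
                          size_of_headers, 0, 10, 0, 0, 0, 0, 0, 0, 16)   # Subsystem 10 = EFI app
    opt_hdr += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, strtab_off, 0, opt_size, 0x22)
    img = b"MZ" + b"\0" * 58 + struct.pack("<I", pe_off) + b"PE\0\0" + coff + opt_hdr + hdrs + strtab
    return img.ljust(size_of_headers, b"\0") + body + gap + win_cert + trailing


SAMPLE_SECTIONS = [(".text", b"\xcc" * 40), (".rodata", b"xen" * 5), (".data.read_mostly", b"\x01" * 10)]
FAKE_CERT = bytes.fromhex("30820592 0609 2a864886f70d010702").ljust(24, b"\0")  # PKCS#7 prefix, not a signature

if __name__ == "__main__":
    img = build_image(SAMPLE_SECTIONS, FAKE_CERT)
    print([s["name"] for s in parse_pe(img)["sections"]], parse_pe(img)["cert"], authenticode_digest(img))
```

Run as a script it prints the resolved section names (`.data.read_mostly` comes back through the `/4` reference), the certificate table's file offset and size, and the digest. Against a real file, `parse_pe(open("xen.efi", "rb").read())` shows whether the Security directory points at the last bytes of the file and `authenticode_digest` either returns the value a signer would have embedded as the Authenticode messageDigest or refuses the image because something follows the certificate table, which is the case the reply above says EDK2 does not handle. Flipping the CheckSum field or a byte inside the certificate payload leaves the digest unchanged; flipping a byte inside a section, or inserting padding between the last section and the certificate table, changes it.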
