Re: [Xen-devel] Booting signed xen.efi through shim

[Tamas K Lengyel <tamas@xxxxxxxxxxxxx>]

On Mon, Sep 18, 2017 at 2:58 AM, Jan Beulich <JBeulich@xxxxxxxx> wrote:
>>>> On 14.09.17 at 18:20, <tamas@xxxxxxxxxxxxx> wrote:
>> Of course, you can grab them from here:
>> https://drive.google.com/drive/folders/0B5duyI9SzNtWaXE0cjM1QzZJbVk?usp=shar
>> ing
>
> So the dumps of the two (using my own tool) are identical except for
> the expected difference due to the certificate. In particular neither
> image has any strange relocation types afaics, and both have the
> sort of unexpected, but also supposedly benign
> IMAGE_SCN_LNK_NRELOC_OVFL flag set for .bss. Hence I'm afraid ...
>
>> I've verified that xen-signed.efi boots with Secureboot enabled when
>> booted directly but doesn't boot through the shim.
>
> ... you'll need to do some debugging in order to figure out what's
> going on here. With the above the prime suspect is the shim though,
> fiddling with the image after loading it into memory. So perhaps
> dumping the .reloc section contents in order to compare it with
> what's in the image may be a suitable approach.
>
> Jan

Yeap, the shim pretty simply removed the .reloc section as it was
marked discardable and did the relocations for Xen. So with that
removed from the shim I no longer get the error and I see that the
dom0 kernel gets verified using the shim lock protocol. I still didn't
get dom0 to boot for some reason but that might be an unrelated issue
(and I have no serial console right now). Nevertheless, progress!

Tamas

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel