2 files changed, 125 insertions, 0 deletions
diff --git a/meta/recipes-core/systemd/systemd-boot-native_257.1.bb b/meta/recipes-core/systemd/systemd-boot-native_257.1.bb
index 7b60d6b583..15db156d4f 100644
--- a/meta/recipes-core/systemd/systemd-boot-native_257.1.bb
+++ b/meta/recipes-core/systemd/systemd-boot-native_257.1.bb
@@ -1,4 +1,7 @@
 require systemd.inc
+FILESEXTRAPATHS =. "${FILE_DIRNAME}/systemd:"
+SRC_URI += "file://0001-ukify-measure-Revert-changes-to-use-SizeOfImage-from.patch"
 inherit native
diff --git a/meta/recipes-core/systemd/systemd/0001-ukify-measure-Revert-changes-to-use-SizeOfImage-from.patch b/meta/recipes-core/systemd/systemd/0001-ukify-measure-Revert-changes-to-use-SizeOfImage-from.patch
new file mode 100644
index 0000000000..3be56cb9c0
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-ukify-measure-Revert-changes-to-use-SizeOfImage-from.patch
@@ -0,0 +1,122 @@
+From 60d76dce7b013406412bc9720dbf05fb558ea099 Mon Sep 17 00:00:00 2001
+From: Daan De Meyer <daan.j.demeyer@gmail.com>
+Date: Tue, 4 Feb 2025 09:24:26 +0100
+Subject: [PATCH] ukify/measure: Revert changes to use SizeOfImage from Linux
+ PE binary
+With 19812661f1f65ebe777d1626b5abf6475faababc, we make sure at runtime
+in the stub itself that SizeOfImage from the Linux EFISTUB PE binary is
+taken into account, so there's no need to take this into account in ukify
+itself. By reverting the ukify change, we again ensure that Misc_VirtualSize
+reflects the actual size of the Linux EFISTUB PE binary in the .linux section
+which lots of tooling depends on. It also makes sure we don't measure a bunch
+of extra zeroes in the stub which should fix systemd-pcrlock measurements as
+well.
+This effectively reverts 2188c759f97e40b97ebe3e94e82239f36b525b10 and
+0005411352f9bda0d9887c37b9e75a2bce6c1133.
+Fixes #35851
+---
+ src/measure/measure.c | 32 --------------------------------
+ src/ukify/ukify.py    | 16 ++--------------
+ 2 files changed, 2 insertions(+), 46 deletions(-)
+Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
+Upstream-Status: Backport [https://github.com/systemd/systemd/commit/38801c91292fde004bec0974ed5602984701e03b]
+diff --git a/src/measure/measure.c b/src/measure/measure.c
+index e583444e0bf..2057ce2a0e6 100644
+--- a/src/measure/measure.c
+++ b/src/measure/measure.c
+@@ -544,38 +544,6 @@ static int measure_kernel(PcrState *pcr_states, size_t n) {
+                         m += sz;
+                 }
+ 
+-                if (c == UNIFIED_SECTION_LINUX) {
+-                        _cleanup_free_ PeHeader *pe_header = NULL;
+-
+-                        r = pe_load_headers(fd, /*ret_dos_header=*/ NULL, &pe_header);
+-                        if (r < 0)
+-                                log_warning_errno(r, "Failed to parse kernel image file '%s', ignoring: %m", arg_sections[c]);
+-                        else if (m < pe_header->optional.SizeOfImage) {
+-                                memzero(buffer, BUFFER_SIZE);
+-
+-                                /* Our EFI stub measures VirtualSize bytes of the .linux section into PCR 11.
+-                                 * Notably, VirtualSize can be larger than the section's size on disk. In
+-                                 * that case the extra space is initialized with zeros, so the stub ends up
+-                                 * measuring a bunch of zeros. To accommodate this, we have to measure the
+-                                 * same number of zeros here. We opt to measure extra zeros here instead of
+-                                 * modifying the stub to only measure the number of bytes on disk as we want
+-                                 * newer ukify + systemd-measure to work with older versions of the stub and
+-                                 * as of 6.12 the kernel image's VirtualSize won't be larger than its size on
+-                                 * disk anymore (see https://github.com/systemd/systemd/issues/34578#issuecomment-2382459515).
+-                                 */
+-
+-                                while (m < pe_header->optional.SizeOfImage) {
+-                                        uint64_t sz = MIN(BUFFER_SIZE, pe_header->optional.SizeOfImage - m);
+-
+-                                        for (size_t i = 0; i < n; i++)
+-                                                if (EVP_DigestUpdate(mdctx[i], buffer, sz) != 1)
+-                                                        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to run digest.");
+-
+-                                        m += sz;
+-                                }
+-                        }
+-                }
+-
+                 fd = safe_close(fd);
+ 
+                 if (m == 0) /* We skip over empty files, the stub does so too */
+diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
+index 3f36aa7af6b..08e7622c499 100755
+--- a/src/ukify/ukify.py
+++ b/src/ukify/ukify.py
+@@ -388,7 +388,6 @@ class Section:
+     tmpfile: Optional[IO[Any]] = None
+     measure: bool = False
+     output_mode: Optional[str] = None
+-    virtual_size: Optional[int] = None
+ 
+     @classmethod
+     def create(cls, name: str, contents: Union[str, bytes, Path, None], **kwargs: Any) -> 'Section':
+@@ -918,10 +917,7 @@ def pe_add_sections(uki: UKI, output: str) -> None:
+ 
+         new_section.set_file_offset(offset)
+         new_section.Name = section.name.encode()
+-        if section.virtual_size is not None:
+-            new_section.Misc_VirtualSize = section.virtual_size
+-        else:
+-            new_section.Misc_VirtualSize = len(data)
+        new_section.Misc_VirtualSize = len(data)
+         # Non-stripped stubs might still have an unaligned symbol table at the end, making their size
+         # unaligned, so we make sure to explicitly pad the pointer to new sections to an aligned offset.
+         new_section.PointerToRawData = round_up(len(pe.__data__), pe.OPTIONAL_HEADER.FileAlignment)
+@@ -1166,6 +1162,7 @@ def make_uki(opts: UkifyConfig) -> None:
+         ('.uname',   opts.uname,      True),
+         ('.splash',  opts.splash,     True),
+         ('.pcrpkey', pcrpkey,         True),
+        ('.linux',   linux,           True),
+         ('.initrd',  initrd,          True),
+         ('.ucode',   opts.microcode,  True),
+     ]  # fmt: skip
+@@ -1182,15 +1179,6 @@ def make_uki(opts: UkifyConfig) -> None:
+     for section in opts.sections:
+         uki.add_section(section)
+ 
+-    if linux is not None:
+-        try:
+-            virtual_size = pefile.PE(linux, fast_load=True).OPTIONAL_HEADER.SizeOfImage
+-        except pefile.PEFormatError:
+-            print(f'{linux} is not a valid PE file, not using SizeOfImage.')
+-            virtual_size = None
+-
+-        uki.add_section(Section.create('.linux', linux, measure=True, virtual_size=virtual_size))
+-
+     # Don't add a sbat section to profile PE binaries.
+     if opts.join_profiles or not opts.profile:
+         if linux is not None:
+-- 
+2.43.0

diff --git a/meta/recipes-core/systemd/systemd-boot-native_257.1.bb b/meta/recipes-core/systemd/systemd-boot-native_257.1.bb index 7b60d6b583..15db156d4f 100644 --- a/meta/recipes-core/systemd/systemd-boot-native_257.1.bb +++ b/meta/recipes-core/systemd/systemd-boot-native_257.1.bb
@@ -1,4 +1,7 @@
1	require systemd.inc	1	require systemd.inc
		2	FILESEXTRAPATHS =. "${FILE_DIRNAME}/systemd:"
		3
		4	SRC_URI += "file://0001-ukify-measure-Revert-changes-to-use-SizeOfImage-from.patch"
2		5
3	inherit native	6	inherit native
4		7


diff --git a/meta/recipes-core/systemd/systemd/0001-ukify-measure-Revert-changes-to-use-SizeOfImage-from.patch b/meta/recipes-core/systemd/systemd/0001-ukify-measure-Revert-changes-to-use-SizeOfImage-from.patch new file mode 100644 index 0000000000..3be56cb9c0 --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0001-ukify-measure-Revert-changes-to-use-SizeOfImage-from.patch
@@ -0,0 +1,122 @@
		1	From 60d76dce7b013406412bc9720dbf05fb558ea099 Mon Sep 17 00:00:00 2001
		2	From: Daan De Meyer <daan.j.demeyer@gmail.com>
		3	Date: Tue, 4 Feb 2025 09:24:26 +0100
		4	Subject: [PATCH] ukify/measure: Revert changes to use SizeOfImage from Linux
		5	PE binary
		6
		7	With 19812661f1f65ebe777d1626b5abf6475faababc, we make sure at runtime
		8	in the stub itself that SizeOfImage from the Linux EFISTUB PE binary is
		9	taken into account, so there's no need to take this into account in ukify
		10	itself. By reverting the ukify change, we again ensure that Misc_VirtualSize
		11	reflects the actual size of the Linux EFISTUB PE binary in the .linux section
		12	which lots of tooling depends on. It also makes sure we don't measure a bunch
		13	of extra zeroes in the stub which should fix systemd-pcrlock measurements as
		14	well.
		15
		16	This effectively reverts 2188c759f97e40b97ebe3e94e82239f36b525b10 and
		17	0005411352f9bda0d9887c37b9e75a2bce6c1133.
		18
		19	Fixes #35851
		20	---
		21	src/measure/measure.c \| 32 --------------------------------
		22	src/ukify/ukify.py \| 16 ++--------------
		23	2 files changed, 2 insertions(+), 46 deletions(-)
		24
		25	Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
		26
		27	Upstream-Status: Backport [https://github.com/systemd/systemd/commit/38801c91292fde004bec0974ed5602984701e03b]
		28
		29	diff --git a/src/measure/measure.c b/src/measure/measure.c
		30	index e583444e0bf..2057ce2a0e6 100644
		31	--- a/src/measure/measure.c
		32	+++ b/src/measure/measure.c
		33	@@ -544,38 +544,6 @@ static int measure_kernel(PcrState *pcr_states, size_t n) {
		34	m += sz;
		35	}
		36
		37	- if (c == UNIFIED_SECTION_LINUX) {
		38	- _cleanup_free_ PeHeader *pe_header = NULL;
		39	-
		40	- r = pe_load_headers(fd, /ret_dos_header=/ NULL, &pe_header);
		41	- if (r < 0)
		42	- log_warning_errno(r, "Failed to parse kernel image file '%s', ignoring: %m", arg_sections[c]);
		43	- else if (m < pe_header->optional.SizeOfImage) {
		44	- memzero(buffer, BUFFER_SIZE);
		45	-
		46	- /* Our EFI stub measures VirtualSize bytes of the .linux section into PCR 11.
		47	- * Notably, VirtualSize can be larger than the section's size on disk. In
		48	- * that case the extra space is initialized with zeros, so the stub ends up
		49	- * measuring a bunch of zeros. To accommodate this, we have to measure the
		50	- * same number of zeros here. We opt to measure extra zeros here instead of
		51	- * modifying the stub to only measure the number of bytes on disk as we want
		52	- * newer ukify + systemd-measure to work with older versions of the stub and
		53	- * as of 6.12 the kernel image's VirtualSize won't be larger than its size on
		54	- * disk anymore (see https://github.com/systemd/systemd/issues/34578#issuecomment-2382459515).
		55	- */
		56	-
		57	- while (m < pe_header->optional.SizeOfImage) {
		58	- uint64_t sz = MIN(BUFFER_SIZE, pe_header->optional.SizeOfImage - m);
		59	-
		60	- for (size_t i = 0; i < n; i++)
		61	- if (EVP_DigestUpdate(mdctx[i], buffer, sz) != 1)
		62	- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to run digest.");
		63	-
		64	- m += sz;
		65	- }
		66	- }
		67	- }
		68	-
		69	fd = safe_close(fd);
		70
		71	if (m == 0) /* We skip over empty files, the stub does so too */
		72	diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
		73	index 3f36aa7af6b..08e7622c499 100755
		74	--- a/src/ukify/ukify.py
		75	+++ b/src/ukify/ukify.py
		76	@@ -388,7 +388,6 @@ class Section:
		77	tmpfile: Optional[IO[Any]] = None
		78	measure: bool = False
		79	output_mode: Optional[str] = None
		80	- virtual_size: Optional[int] = None
		81
		82	@classmethod
		83	def create(cls, name: str, contents: Union[str, bytes, Path, None], **kwargs: Any) -> 'Section':
		84	@@ -918,10 +917,7 @@ def pe_add_sections(uki: UKI, output: str) -> None:
		85
		86	new_section.set_file_offset(offset)
		87	new_section.Name = section.name.encode()
		88	- if section.virtual_size is not None:
		89	- new_section.Misc_VirtualSize = section.virtual_size
		90	- else:
		91	- new_section.Misc_VirtualSize = len(data)
		92	+ new_section.Misc_VirtualSize = len(data)
		93	# Non-stripped stubs might still have an unaligned symbol table at the end, making their size
		94	# unaligned, so we make sure to explicitly pad the pointer to new sections to an aligned offset.
		95	new_section.PointerToRawData = round_up(len(pe.__data__), pe.OPTIONAL_HEADER.FileAlignment)
		96	@@ -1166,6 +1162,7 @@ def make_uki(opts: UkifyConfig) -> None:
		97	('.uname', opts.uname, True),
		98	('.splash', opts.splash, True),
		99	('.pcrpkey', pcrpkey, True),
		100	+ ('.linux', linux, True),
		101	('.initrd', initrd, True),
		102	('.ucode', opts.microcode, True),
		103	] # fmt: skip
		104	@@ -1182,15 +1179,6 @@ def make_uki(opts: UkifyConfig) -> None:
		105	for section in opts.sections:
		106	uki.add_section(section)
		107
		108	- if linux is not None:
		109	- try:
		110	- virtual_size = pefile.PE(linux, fast_load=True).OPTIONAL_HEADER.SizeOfImage
		111	- except pefile.PEFormatError:
		112	- print(f'{linux} is not a valid PE file, not using SizeOfImage.')
		113	- virtual_size = None
		114	-
		115	- uki.add_section(Section.create('.linux', linux, measure=True, virtual_size=virtual_size))
		116	-
		117	# Don't add a sbat section to profile PE binaries.
		118	if opts.join_profiles or not opts.profile:
		119	if linux is not None:
		120	--
		121	2.43.0
		122