Bug 1005884 - Signing grub using sbsigntools prints warnings
Signing grub using sbsigntools prints warnings
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: grub (Show other bugs)
x86_64 Linux
unspecified Severity medium
: rc
: ---
Assigned To: Jan Grulich
Release Test Team
Depends On:
  Show dependency treegraph
Reported: 2013-09-09 11:10 EDT by Ralf Spenneberg
Modified: 2014-11-20 16:27 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2014-11-20 16:26:43 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Ralf Spenneberg 2013-09-09 11:10:12 EDT
Description of problem:
To use RHEL 6 in an UEFI Secure Boot environment I need to sign the grub binary.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install the sbsigntools from source
2. Generate keys for signing
3. Sign the grub binary using 

sbsign --key signing.key --cert signing.pem.crt grub.efi

Actual results:
warning: gap in section table:
    .text   : 0x00000400 - 0x0001e200,
    .reloc  : 0x0001e209 - 0x0001e609,
warning: gap in section table:
    .reloc  : 0x0001e209 - 0x0001e609,
    .data   : 0x0001e600 - 0x00032c00,
gaps in the section table may result in different checksums
warning: data remaining[228864 vs 251274]: gaps between PE/COFF sections?

Expected results:
No warnings. 

Additional info:
Hashing the grub via the mokmanager of shim does not work. Maybe because of the gaps in the section tables.
Comment 2 RHEL Product and Program Management 2013-10-13 22:19:20 EDT
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 3 Peter Jones 2014-11-20 16:26:43 EST
We don't support Secure Boot in any way in RHEL 6.  On releases where we do support Secure Boot, we don't provide sbsign or support using it for anything.

In any event, the problem you're seeing is with sbsign, not in grub.

Note You need to log in before you can comment on or make changes to this bug.