Bug#1033569: systemd-boot-efi: Secure Boot via shim broken on arm64 due to missing SBAT section
Emanuele Rocca
ema at debian.org
Mon Mar 27 15:53:40 BST 2023
Package: systemd-boot-efi
Version: 252.6-1
Hi,
booting in Secure Boot mode with a self-signed systemd-bootaa64.efi
works well on arm64. However, trying to boot via shimaa64.efi fails with
the following error:
shim.c:866:load_image() attempting to load \EFI\BOOT\grubaa64.efi
pe.c:844:verify_sbat_section() No .sbat section data
Verification failed: Security Policy Violation
Looking for the SBAT section in systemd-bootaa64.efi confirms that
indeed it is missing:
$ objdump -x /usr/lib/systemd/boot/efi/systemd-bootaa64.efi | grep .sbat # <- no output
Instead, on amd64:
$ objdump -x /usr/lib/systemd/boot/efi/systemd-bootx64.efi | grep .sbat
7 .sbat 000000d9 0000000000028040 0000000000028040 0001dc00 2**2
[136](sec 8)(fl 0x00)(ty 0)(scl 3) (nx 0) 0x0000000000000000 sbat
Note that .sbat is not the only section missing. On arm64 there's only
.text and .data:
Sections:
Idx Name Size VMA LMA File off Algn
0 .text 0001a000 0000000000001000 0000000000001000 00001000 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
1 .data 00002000 000000000001b000 000000000001b000 0001b000 2**2
CONTENTS, ALLOC, LOAD, DATA
While amd64 has:
Sections:
Idx Name Size VMA LMA File off Algn
0 .text 00015710 0000000000005000 0000000000005000 00000400 2**4
CONTENTS, ALLOC, LOAD, READONLY, CODE
1 .reloc 0000000c 000000000001b000 000000000001b000 00015c00 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
2 .data 000064b8 000000000001c000 000000000001c000 00015e00 2**4
CONTENTS, ALLOC, LOAD, DATA
3 .dynamic 00000100 0000000000023000 0000000000023000 0001c400 2**2
CONTENTS, ALLOC, LOAD, DATA
4 .rela 00001038 0000000000024000 0000000000024000 0001c600 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
5 .dynsym 00000018 0000000000026000 0000000000026000 0001d800 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
6 .sdmagic 0000002b 0000000000028000 0000000000028000 0001da00 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
7 .sbat 000000d9 0000000000028040 0000000000028040 0001dc00 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
8 .osrel 0000003f 0000000000028120 0000000000028120 0001de00 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
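As an added illustration (not part of the report above, and not systemd's or shim's own code), the check shim performs can be reproduced offline: walk the PE/COFF section table, look for a .sbat section and parse its CSV rows. The build_pe helper and the SBAT_CSV rows are constructed test data whose layout mirrors the objdump listings above (.text/.data only on arm64, .sbat present on amd64); the systemd SBAT line is assumed, not copied from a real binary.

```python
from __future__ import annotations
import struct

def pe_sections(data: bytes) -> dict[str, bytes]:
    """Map section name -> raw bytes, read from the PE/COFF section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4                              # 20-byte COFF file header
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                   # section headers follow the optional header
    out = {}
    for i in range(nsect):
        hdr = data[table + 40 * i:table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", hdr, 8)
        length = min(vsize, raw_size) if vsize else raw_size   # VirtualSize excludes file padding
        out[name] = data[raw_ptr:raw_ptr + length]
    return out

def sbat_entries(data: bytes) -> list[list[str]] | None:
    """CSV rows of .sbat, or None when the section is absent (the case shim rejects)."""
    sec = pe_sections(data).get(".sbat")
    if sec is None:
        return None
    text = sec.rstrip(b"\0").decode("utf-8", "replace")
    return [line.split(",") for line in text.splitlines() if line.strip()]

def build_pe(sections: dict[str, bytes]) -> bytes:
    """Constructed minimal PE image (no optional header), only to exercise the parser offline."""
    n, pe_off = len(sections), 0x40
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0xAA64, n, 0, 0, 0, 0, 0)   # AArch64 machine, no optional header
    raw_ptr, body = len(hdr) + 40 * n, b""
    for name, content in sections.items():
        size = (len(content) + 0x1FF) & ~0x1FF                   # 512-byte file alignment
        hdr += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(content), 0, size, raw_ptr + len(body), 0, 0, 0, 0, 0)
        body += content.ljust(size, b"\0")
    return hdr + body

# Constructed sample: an SBAT CSV in the form an amd64-style build carries (systemd line assumed).
SBAT_CSV = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
            b"systemd,1,The systemd Developers,systemd,252,https://systemd.io/\n")
WITH_SBAT = build_pe({".text": b"\0" * 16, ".data": b"\1" * 8, ".sbat": SBAT_CSV})
WITHOUT_SBAT = build_pe({".text": b"\0" * 16, ".data": b"\1" * 8})   # .text/.data only, as on arm64 in the report
```

Run sbat_entries() on a real systemd-boot*.efi image to get the same answer shim's verify_sbat_section() would give: None means "No .sbat section data".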