From 5466f381ddf04f407fcf1996a9c26642abd9f2fa Mon Sep 17 00:00:00 2001 From: Jeremy Kerr Date: Mon, 13 Aug 2012 13:49:40 +0800 Subject: [PATCH] image: Use size of image data when writing images When detaching a signature, we need to know the size of the non-signature data. So, add a data_size member to struct image, and populate it when we iterate through the section table. When writing the image, use data_size rather than size, so we don't unnecessarily add the (now unused) signature data. Signed-off-by: Jeremy Kerr --- image.c | 9 ++++++--- image.h | 3 +++ tests/Makefile.am | 3 ++- tests/detach-remove.sh | 15 +++++++++++++++ 4 files changed, 26 insertions(+), 4 deletions(-) create mode 100755 tests/detach-remove.sh diff --git a/image.c b/image.c index 298d37e..99d7962 100644 --- a/image.c +++ b/image.c @@ -251,7 +251,7 @@ static void set_region_from_range(struct region *region, void *start, void *end) static int image_find_regions(struct image *image) { - struct region *regions; + struct region *regions, *r; void *buf = image->buf; int i, gap_warn; size_t bytes; @@ -360,9 +360,12 @@ static int image_find_regions(struct image *image) fprintf(stderr, "warning: data remaining[%zd vs %zd]: gaps " "between PE/COFF sections?\n", bytes + image->cert_table_size, image->size); - } + /* record the size of non-signature data */ + r = &image->checksum_regions[image->n_checksum_regions - 1]; + image->data_size = (r->data - (void *)image->buf) + r->size; + return 0; } @@ -482,7 +485,7 @@ int image_write(struct image *image, const char *filename) return -1; } - rc = write_all(fd, image->buf, image->size); + rc = write_all(fd, image->buf, image->data_size); if (!rc) goto out; if (!is_signed) diff --git a/image.h b/image.h index 3efc96a..a355f53 100644 --- a/image.h +++ b/image.h @@ -50,6 +50,9 @@ struct image { uint8_t *buf; size_t size; + /* size of the image, without signature */ + size_t data_size; + /* Pointers to interesting parts of the image */ uint32_t *checksum; struct external_PEI_DOS_hdr *doshdr; diff --git a/tests/Makefile.am b/tests/Makefile.am index 9a1c8a1..8085d5c 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -54,7 +54,8 @@ TESTS = sign-verify.sh \ sign-invalidattach-verify.sh \ cert-table-header.sh \ resign-warning.sh \ - reattach-warning.sh + reattach-warning.sh \ + detach-remove.sh TEST_EXTENSIONS = .sh SH_LOG_COMPILER = TEST_ARCHES="$(test_arches)" $(srcdir)/test-wrapper.sh diff --git a/tests/detach-remove.sh b/tests/detach-remove.sh new file mode 100755 index 0000000..858944d --- /dev/null +++ b/tests/detach-remove.sh @@ -0,0 +1,15 @@ +#!/bin/bash -ex + +signed="test.signed" +unsigned="test.unsigned" + +"$sbsign" --cert "$cert" --key "$key" --output "$signed" "$image" +cp "$signed" "$unsigned" +"$sbattach" --remove "$unsigned" + +# ensure that there is no security directory +objdump -p $unsigned | grep -q '0\+ 0\+ Security Directory' + +# ensure that the unsigned file is the same size as our original binary +[ $(stat --format=%s "$image") -eq $(stat --format=%s "$unsigned") ] +