This repository has been archived by the owner on Aug 11, 2023. It is now read-only.

EXTRA_SIGN does not work when sbupdate is called by hook #29

Closed
bumblebeers opened this issue Mar 31, 2020 · 6 comments
@bumblebeers

When the sbupdate hook is called during an update, it does not sign systemd-boot images. Here is the console output:

(10/13) Updating UEFI kernel images...
Generating and signing linux-signed.efi
warning: data remaining[24715264 vs 24724876]: gaps between PE/COFF sections?
warning: data remaining[24715264 vs 24724880]: gaps between PE/COFF sections?
Signing Unsigned original image
warning: data remaining[80384 vs 91584]: gaps between PE/COFF sections?
No signature table present
warning: failed to verify /efi/EFI/BOOT/BOOTX64.EFI
warning: data remaining[80384 vs 91584]: gaps between PE/COFF sections?
No signature table present
warning: failed to verify /efi/EFI/systemd/systemd-bootx64.efi

However, when run with `# sbupdate` from a console after an update, it works fine, with the output:

Generating and signing linux-signed.efi
warning: data remaining[24715264 vs 24724876]: gaps between PE/COFF sections?
warning: data remaining[24715264 vs 24724880]: gaps between PE/COFF sections?
Signing Unsigned original image
Generating and signing linux-hardened-signed.efi
warning: data remaining[25086464 vs 25096076]: gaps between PE/COFF sections?
warning: data remaining[25086464 vs 25096080]: gaps between PE/COFF sections?
Signing Unsigned original image
warning: data remaining[80384 vs 91584]: gaps between PE/COFF sections?
No signature table present
Signing /efi/EFI/BOOT/BOOTX64.EFI
warning: data remaining[80384 vs 91584]: gaps between PE/COFF sections?
Signing Unsigned original image
warning: data remaining[80384 vs 91584]: gaps between PE/COFF sections?
No signature table present
Signing /efi/EFI/systemd/systemd-bootx64.efi
warning: data remaining[80384 vs 91584]: gaps between PE/COFF sections?
Signing Unsigned original image
@bumblebeers (Author)

Nevermind, I just saw:

    elif (( HOOK )); then
        # Signing extra files from the hook is prohibited for security reasons
        echo "warning: failed to verify $1" >&2

@julianfairfax

> Nevermind, I just saw:
>
>     elif (( HOOK )); then
>         # Signing extra files from the hook is prohibited for security reasons
>         echo "warning: failed to verify $1" >&2

Why is this the case? Does it present any issues? Should I always manually call it then?

@andreyv (Owner) commented Jul 16, 2022

See the README and #36. If the tool automatically signed files on the EFI partition, then an attacker could replace one of them offline and get it signed on the next run.

You should only call sbupdate manually immediately after updating the extra files on the EFI partition. Note that there is automatic signing support for fwupd and systemd-boot.
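A defender-side illustration of the point above, added here and not sbupdate's own code: in hook mode the extra EFI files are never signed; instead their SHA-256 hashes, pinned at the last manual run, are checked so an offline replacement is reported instead of signed. The manifest, key and certificate paths are assumptions.

```shell
#!/bin/sh
# Assumed paths (not from sbupdate); override via the environment.
MANIFEST=${MANIFEST:-/etc/efi-keys/extra-files.sha256}
KEY=${KEY:-/etc/efi-keys/db.key}
CERT=${CERT:-/etc/efi-keys/db.crt}
HOOK=${HOOK:-0}   # 1 when invoked from the package-manager hook

# record_extra FILE...: only from a manual run, right after the files were
# intentionally updated and signed; pins their current hashes.
record_extra() {
  sha256sum "$@" > "$MANIFEST"
}

# check_extra: 0 when every pinned file still has its recorded hash,
# 1 when a file changed, vanished, or no manifest exists yet.
check_extra() {
  [ -s "$MANIFEST" ] || {
    echo "warning: no manifest; run sbupdate manually first" >&2; return 1; }
  sha256sum --check --quiet --strict "$MANIFEST" 2>/dev/null || {
    echo "warning: extra EFI file changed since last manual signing" >&2
    return 1; }
}

# process_extra FILE...: the policy. A manual run signs and pins the files;
# a hook run never signs, it only verifies the pins and warns.
process_extra() {
  if [ "$HOOK" -eq 1 ]; then
    check_extra
  else
    for f in "$@"; do
      sbsign --key "$KEY" --cert "$CERT" --output "$f" "$f"
    done
    record_extra "$@"
  fi
}
```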

@julianfairfax

> See the README and #36. If the tool automatically signed files on the EFI partition, then an attacker could replace one of them offline and get it signed on the next run.
>
> You should only call sbupdate manually immediately after updating the extra files on the EFI partition. Note that there is automatic signing support for fwupd and systemd-boot.

In what scenario would a user such as myself actually update those files? I have never intentionally done it, so should I then never have to manually run sbupdate? I'm not sure fwupd works on my computer but that's good to know!

@andreyv (Owner) commented Jul 16, 2022

You only need to run sbupdate manually when you use a bootloader other than systemd-boot or additional EFI programs, see the README about bootloaders. You don't need to do anything manually if you use direct booting or systemd-boot.

@julianfairfax

Can I and should I somehow unsign the BOOTX86.efi and systemd-bootx64.efi files then?
