Certain AMI firmwares have problems with PE binaries with too many sections, like the ones multi-profile UKIs might result in

[cvlc12]

Hi,

I'm trying to reuse my existing enrolled SB keys to sign the generated particleos image, but that does not seem to work;

My current arch setup:

[UKI]
SecureBootSigningTool=systemd-sbsign
SignKernel=true
SecureBootPrivateKey=/etc/kernel/secure-boot-private-key.pem
SecureBootCertificate=/etc/kernel/secure-boot-certificate.pem
Splash=/usr/share/systemd/bootctl/splash-arch.bmp

[PCRSignature:initrd]
#Phases=enter-initrd
PCRPrivateKey=/etc/systemd/tpm2-pcr-private-key.pem
PCRPublicKey=/etc/systemd/tpm2-pcr-public-key.pem

I temporarily copied over the secureboot keys to my mkosi folder and made them world readable to be able to build the image without root (need to find a better long term solution for the keys).

$ cat mkosi.local.conf 
[Distribution]
Distribution=arch

[Config]
Profiles=desktop,gnome,obs

[Validation]
SecureBootKey=secure-boot-private-key.pem
SecureBootCertificate=secure-boot-certificate.pem
SignExpectedPcrKey=secure-boot-private-key.pem
SignExpectedPcrCertificate=secure-boot-certificate.pem
VerityKey=secure-boot-private-key.pem
VerityCertificate=secure-boot-certificate.pem

The signature looks ok:

$ run0 sbverify --cert /etc/kernel/secure-boot-certificate.pem mkosi.output/ParticleOS_20250611135303_x86-64.efi 
Signature verification OK

But I'm getting

...boot.c:2617@call_image_start: Error loading EFI binary \EFI\Linux\ParticleOS_20250611135303_x86-64.efi : Access denied

Anything obviously stupid I'm doing? Thanks!!

[cvlc12]

Might be worth noting that I do get to the UKI profile selection screen. Only when selecting the installer profile do I get the security violation.

Booting with Secure Boot disabled works.

[daandemeyer]

Please figure out your uefi firmware model and version. Pretty sure you're running into a PE section limit.

[bluca]

Might be worth noting that I do get to the UKI profile selection screen. Only when selecting the installer profile do I get the security violation.

What happens if you select another profile from the same UKI?

[cvlc12]

Please figure out your uefi firmware model and version. Pretty sure you're running into a PE section

Latest available firmware version from MSI (MSI Modern 15)

├─System Firmware:
│ │   Device ID:          de6e201ff21332f882c2555fb0cf48bda78b12b2
│ │   Summary:            UEFI System Resource Table device (Updated via capsule-on-disk)
│ │   Current version:    289
│ │   Minimum Version:    289
│ │   Vendor:             Micro-Star International Co., Ltd. (DMI:American Megatrends International, LLC.)
│ │   Update State:       Success
│ │   GUID:               cba506ad-f26a-46a8-8ed1-4a6bd036d1c4
│ │   Device Flags:       • Internal device
│ │                       • Updatable
│ │                       • System requires external power source
│ │                       • Needs a reboot after installation
│ │                       • Cryptographic hash verification is available
│ │                       • Device is usable for the duration of the update
│ │   Device Requests:    • Message
├─UEFI Device Firmware:
│     Device ID:          cc997b76c83152570335880a682ff0b6d34b837e
│     Summary:            UEFI System Resource Table device (Updated via capsule-on-disk)
│     Current version:    2633
│     Vendor:             DMI:American Megatrends International, LLC.
│     Update State:       Success
│     GUID:               0eab05c1-766a-4805-a039-3081de0210c7
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│     Device Requests:    • Message
│   
└─UEFI Device Firmware:
      Device ID:          dcc7b15da2e0e467afd0e37b4754d54cde65a2e6
      Summary:            UEFI System Resource Table device (Updated via capsule-on-disk)
      Current version:    1
      Vendor:             DMI:American Megatrends International, LLC.
      Update State:       Success
      GUID:               eed54281-1c11-4358-bf5a-f64995fbf11b
      Device Flags:       • Internal device
                          • Updatable
                          • System requires external power source
                          • Needs a reboot after installation
                          • Device is usable for the duration of the update
      Device Requests:    • Message

What happens if you select another profile from the same UKI?

I only also tried the first one (Arch Linux) which failed as well. I'll try another one and report back

[bluca]

What's the exact laptop model?

[cvlc12]

What happens if you select another profile from the same UKI?

Same same

What's the exact laptop model?

MSI Modern 15 A1M
Firmware version E1552IMS.121

[bluca]

MSI Modern 15 A1M

can't find this on google, is it A10M by any chance?

[cvlc12]

can't find this on google, is it A10M by any chance?

https://www.msi.com/Business-Productivity/Modern-15-A11X/support?sub_product=Modern-15-A11M#bios

[cvlc12]

Pretty sure you're running into a PE section limit.

Rightly so ! I've tried #44 however but it's not enough, it still fails.

So I deleted everything except for 'live' 'factory-reset' and 'debug' and that boots.

[daandemeyer]

Pretty sure you're running into a PE section limit.

Rightly so ! I've tried #44 however but it's not enough, it still fails.

So I deleted everything except for 'live' 'factory-reset' and 'debug' and that boots.

Yeah so its buggy AMI firmware, only thing I can suggest is removing UKI profiles that you won't need until it boots.

[cvlc12]

Sure thanks. It could be a good idea to limit the number of uki profiles by default because there probably are a lot of faulty implementations out there.

[poettering]

Do we have any idea where precisely the cut-off point is? i.e. at what precise number of PE sections the limit on those AMI firmwares is reached?

My current thinking is that maybe we should add an ".nested" or so PE section type, that contains another PE object which will be read just like the outer one, as an extension of it. Benefit would be that we can mostly reuse the same parsers, and put things together with objcopy still. No new format would be added, but we could avoid the PE section limit.

[bluca]

Do we have any idea where precisely the cut-off point is? i.e. at what precise number of PE sections the limit on those AMI firmwares is reached?

28

My current thinking is that maybe we should add an ".nested"

Ugh no, let's not make everything worse for everyone, because of a specific firmware bug in a single specific vendor fork of EDK2.

The bug is fixed upstream by the vendor now, so future versions of AMI firmwares will work fine. We can just add a "reduced" profile or so recipe here, that can be used for older machines, until they go EOL/ewaste.