[File] [PATCH] Detect ZBOOT wrapped linux kernel's
Jeremy Linton
jeremy.linton at arm.com
Fri Jul 11 17:29:57 UTC 2025
The linux kernel has an optional decompressor in its EFI stub. This
decompressor basically wraps the normal PE images but is currently being
detected as a generic PE image rather than as a linux kernel.
Detect these files and identify them as linux boot images.
Signed-off-by: Jeremy Linton <jeremy.linton at arm.com>
---
magic/Magdir/linux | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/magic/Magdir/linux b/magic/Magdir/linux
index 6bdc784d..84e15cb0 100644
--- a/magic/Magdir/linux
+++ b/magic/Magdir/linux
@@ -529,6 +529,17 @@
>0x18 lelong &4 \b, 16K pages
>0x18 lelong &6 \b, 32K pages
+############################################################################
+# Linux kernel (arm64/riscv/loongarch) EFI executable (zstd/gzip) compressed zboot Image
+# from: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/firmware/efi/libstub/zboot-header.S
++0 string MZ\0\0zimg
+>0x40 string PE\0\0 Linux kernel
+>>&0 leshort 0xAA64 ARM64 EFI executable
+>>&0 leshort 0x5032 RISC-V32 EFI executable
+>>&0 leshort 0x5064 RISC-V64 EFI executable
+>>&0 leshort 0x6264 LoongArch64 EFI executable
+>>0x18 string >0 %s compressed zboot Image
+
############################################################################
# Linux RISC-V kernel image
0x38 string RSC\05 Linux kernel RISC-V boot executable Image
--
2.50.1
More information about the File
mailing list