[Bug 2037137] Re: Enable NX support for ARM VMs

dann frazier 2037137 at bugs.launchpad.net
Mon Sep 25 17:53:56 UTC 2023 

** Description changed:

- shim 15.7-0ubuntu1
+ EDK2 2023.05-1 introduced the EFI Memory Attribute Protocol, which shim
+ 15.7-0ubuntu1 detects and consumes to implement NX support.
+ Unfortunately, due to bugs in shim's usage of this feature, this caused
+ shim to sometimes crash when handing off execution to the next stage
+ bootloader. We worked around this for mantic by disabling the EFI Memory
+ Attribute Protocol. This bug is to track the tasks required to re-enable
+ it.
  
- qemu-efi-aarch64 now implements EFI Memory Attribute Protocol. When shim
- detects this, it uses it to set memory attributes appropriately for the
- sections of the bootloader image it loads before passing control to it.
- After this change, fresh Ubuntu VMs began crashing on startup (bug
- 2036604):
- 
-   --------------------------------------
-   BdsDxe: loading Boot0001 "UEFI Misc Device" from PciRoot(0x0)/Pci(0x1,0x3)/Pci(0x0,0x0)
-   BdsDxe: starting Boot0001 "UEFI Misc Device" from PciRoot(0x0)/Pci(0x1,0x3)/Pci(0x0,0x0)
- 
-   Synchronous Exception at 0x00000000BC300000
- 
-   Synchronous Exception at 0x00000000BC300000
- 
-   --------------------------------------
- 
-  I narrowed this down to only happening when shim executes fbaa64.efi
- (thus the fresh VM). I found upstream shim is unaffected, so I used
- bisection to identify the relevant change:
+ shim needs to adopt this patch from upstream (not yet in a release):
  
    From c7b305152802c8db688605654f75e1195def9fd6 Mon Sep 17 00:00:00 2001
    From: Nicholas Bishop <REDACTED>
    Date: Mon, 19 Dec 2022 18:56:13 -0500
    Subject: [PATCH] pe: Align section size up to page size for mem attrs
  
    Setting memory attributes is generally done at page granularity, and
    this is enforced by checks in `get_mem_attrs` and
    `update_mem_attrs`. But unlike the section address, the section size
    isn't necessarily aligned to 4KiB. Round up the section size to fix
    this.
  
-   Signed-off-by: Nicholas Bishop <nicholasbishop at google.com>
+   Signed-off-by: Nicholas Bishop <REDACTED>
  
- Please add this patch to shim.
+ shim should also handle the 64KiB attribute requirements described in
+ Comment #1  which is not yet addressed upstream (see the shim upstream
+ task on this bug).
+ 
+ qemu-efi-{aarch64,arm} should also document this change in NEWS.Debian,
+ as it will break VMs that have not yet updated to the latest version of
+ shim. And we should also cover this in the Ubuntu release notes.

** No longer affects: edk2

** Also affects: shim via
   https://github.com/rhboot/shim/issues/614
   Importance: Unknown
       Status: Unknown

** Changed in: edk2 (Ubuntu)
     Assignee: (unassigned) => dann frazier (dannf)

** Changed in: edk2 (Ubuntu)
       Status: New => Triaged

** Also affects: ubuntu-release-notes
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim in Ubuntu.
https://bugs.launchpad.net/bugs/2037137

Title:
  Enable NX support for ARM VMs

Status in shim:
  Unknown
Status in Release Notes for Ubuntu:
  New
Status in edk2 package in Ubuntu:
  Triaged
Status in shim package in Ubuntu:
  New

Bug description:
  EDK2 2023.05-1 introduced the EFI Memory Attribute Protocol, which
  shim 15.7-0ubuntu1 detects and consumes to implement NX support.
  Unfortunately, due to bugs in shim's usage of this feature, this
  caused shim to sometimes crash when handing off execution to the next
  stage bootloader. We worked around this for mantic by disabling the
  EFI Memory Attribute Protocol. This bug is to track the tasks required
  to re-enable it.

  shim needs to adopt this patch from upstream (not yet in a release):

    From c7b305152802c8db688605654f75e1195def9fd6 Mon Sep 17 00:00:00 2001
    From: Nicholas Bishop <REDACTED>
    Date: Mon, 19 Dec 2022 18:56:13 -0500
    Subject: [PATCH] pe: Align section size up to page size for mem attrs

    Setting memory attributes is generally done at page granularity, and
    this is enforced by checks in `get_mem_attrs` and
    `update_mem_attrs`. But unlike the section address, the section size
    isn't necessarily aligned to 4KiB. Round up the section size to fix
    this.

    Signed-off-by: Nicholas Bishop <REDACTED>

  shim should also handle the 64KiB attribute requirements described in
  Comment #1  which is not yet addressed upstream (see the shim upstream
  task on this bug).

  qemu-efi-{aarch64,arm} should also document this change in
  NEWS.Debian, as it will break VMs that have not yet updated to the
  latest version of shim. And we should also cover this in the Ubuntu
  release notes.

To manage notifications about this bug go to:
https://bugs.launchpad.net/shim/+bug/2037137/+subscriptions

More information about the foundations-bugs mailing list