[Bug 2084104] Re: UEFI GRUB2 enforces NX even with a non-NX shim
Ryan Hurley
2084104 at bugs.launchpad.net
Tue Oct 15 22:07:33 UTC 2024
Hey folks,
I installed the same sets of packages as Tobias, and the bug also
appears to be fixed for me. Test plan steps 1-8 ran as expected and
passed.
Package details:

Package: grub-efi-amd64
Architecture: amd64
Version: 2.12-5ubuntu5.1

Package: grub-efi-amd64-bin
Architecture: amd64
Version: 2.12-5ubuntu5.1

Package: grub-efi-amd64-signed
Architecture: amd64
Version: 1.209+2.12-5ubuntu5.1

Package: grub-efi-amd64-unsigned
Architecture: amd64
Version: 2.12-5ubuntu5.1

Used for testing: Lenovo Thinkpad X1C (6th Gen)
OS Type: Windows 10 UEFI Mode
Secure Boot Mode: Enabled
Thanks!
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/2084104
Title:
UEFI GRUB2 enforces NX even with a non-NX shim
Status in grub2 package in Ubuntu:
Fix Committed
Status in grub2-signed package in Ubuntu:
Fix Committed
Status in grub2-unsigned package in Ubuntu:
Fix Committed
Status in grub2 source package in Oracular:
Fix Committed
Status in grub2-signed source package in Oracular:
Fix Committed
Status in grub2-unsigned source package in Oracular:
Fix Committed
Bug description:
[ Impact ]
UEFI GRUB2 in Oracular Oriole enforces NX_COMPAT even when used with a
non-NX shim.
Kernels in Oracular Oriole support NX_COMPAT.
The impact is limited to failing to chainload other non-NX compatible
operating systems from GRUB2.
The most common such operating system is Windows 10, most
installations of which do not have a NX compatible bootloader
according to Microsoft.
[ Test Plan ]
1. Set up (or take an existing) machine with Ubuntu Oracular Oriole and Windows 10 in a dual boot configuration.
2. Verify that `objdump -x /boot/efi/efi/microsoft/boot/bootmgfw.efi` does not show NX_COMPAT under DllCharacteristics.
3. Verify that Windows 10 fails to boot via the os-prober created GRUB menu entry.
4. Update grub-efi-amd64-signed to the version from oracular-proposed.
5. Verify that Windows 10 successfully boots via the os-prober created GRUB menu entry.
6. Switch to the NX shim using `update-alternatives --set shimx64.efi.signed /usr/lib/shim/shimx64.nx.efi.signed.latest && dpkg-reconfigure shim-signed`
7. Verify that Windows 10 fails to boot via the os-prober created GRUB menu entry again.
(8. If intending to use this machine, switch back to the non-NX shim using: `update-alternatives --auto shimx64.efi.signed && dpkg-reconfigure shim-signed`)
[ Where problems could occur ]
The patch for this only removes checks, deferring to the policy enforced
by shim protocol verification that is already in place; thus it should
only make more things bootable, not less.
When used without shim, existing and this new GRUB2 will only function
with Secure Boot disabled, thus no new security problems can arise.
When used with the non-NX shim, the policy will let both non-NX and NX
executables through as expected.
When used with the NX shim, the policy will only let NX executables
through as expected. The only possible problem here is that if we have
ever signed a pre-LF2 kernel with NX_COMPAT set in DllCharacteristics,
such a kernel would be let through, then use the non-NX compatible
legacy loader, which will lead to an inevitable page fault.
The existence of such a kernel is exceedingly unlikely due to the
upstream timeline of LF2 and NX support, but it is a theoretical
possibility and hence worth mentioning.
[ Other Info ]
n/a
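As an added example (not code from the bug report, GRUB or shim), the following Python script reads the DllCharacteristics field that the test plan's `objdump -x` check inspects, directly from the PE/COFF headers of an EFI image, and reports whether IMAGE_DLLCHARACTERISTICS_NX_COMPAT (bit 0x0100) is set. Header offsets follow the Microsoft PE/COFF specification; the `build_minimal_pe` helper constructs a synthetic, non-bootable header for offline testing and is a stand-in for a real bootmgfw.efi, not a copy of one.

```python
"""Check whether a PE/COFF image, such as an EFI bootloader, sets NX_COMPAT.

Added example; not code from the bug report or from GRUB/shim. It reads the
same DllCharacteristics field that `objdump -x` prints, by walking the PE
headers directly (offsets per the Microsoft PE/COFF specification).
"""
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_NX_COMPAT bit of the optional header's
# DllCharacteristics field (the flag the NX shim policy keys on).
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
PE32_MAGIC = 0x10B       # 32-bit optional header
PE32PLUS_MAGIC = 0x20B   # 64-bit optional header (x86_64 EFI binaries)
# DllCharacteristics sits at the same offset in both optional header layouts.
DLL_CHARACTERISTICS_OFFSET = 70


def pe_dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field; raise ValueError if not a PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing DOS/MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    # PE signature (4 bytes) + COFF file header (20 bytes) must fit.
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    if size_of_optional < DLL_CHARACTERISTICS_OFFSET + 2 or opt + size_of_optional > len(image):
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (dll_chars,) = struct.unpack_from("<H", image, opt + DLL_CHARACTERISTICS_OFFSET)
    return dll_chars


def has_nx_compat(image: bytes) -> bool:
    """True when the image declares NX compatibility."""
    return bool(pe_dll_characteristics(image) & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)


def describe(image: bytes) -> str:
    """One-line verdict suitable for a test-plan check."""
    try:
        return "NX_COMPAT set" if has_nx_compat(image) else "NX_COMPAT not set"
    except ValueError as exc:
        return f"not a PE image ({exc})"


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Construct a minimal, non-bootable PE header for offline testing.

    Synthetic stand-in for a real bootmgfw.efi: it carries only the headers
    needed to locate DllCharacteristics, no sections and no code.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header follows DOS header
    opt_size = 240 if pe32plus else 224             # standard sizes with 16 data directories
    machine = 0x8664 if pe32plus else 0x14C         # x86-64 / i386
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 68, 10)             # Subsystem: EFI application
    struct.pack_into("<H", opt, DLL_CHARACTERISTICS_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python3 nx_check.py /boot/efi/EFI/Microsoft/Boot/bootmgfw.efi
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{path}: {describe(fh.read())}")
```

Run against the Windows boot manager and the installed shim/GRUB images to see which side of the NX policy each falls on; an image reported as "NX_COMPAT not set" is exactly the kind the NX shim refuses and the non-NX shim accepts.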