Bug#1042438: root caused to shim

Sat, 23 Sep 2023 03:18:13 -0700 

Thanks for looking into this!
I was hoping we could revert the offending edk2 commit in debian rather than getting every guest os vendor to update their shim - which would mean only fresh installs would work. 

Red Hat seem to have merged the fix this year:

https://github.com/rhboot/shim/commit/c7b305152802c8db688605654f75e1195def9fd6

But there's not be a new rhel/fedora rpm in well over a year, still 15.6



On 23/09/2023 00:35, dann frazier wrote:

OK, I finally found some time to debug this. I debugged it with an
Ubuntu VM that used shim 15.7, but I suspect it is the same issue with
Fedora 38 and AlmaLinux 9.2.

shim 15.6 introduced the following commit:

commit 226fee25ffcbd29988399ba080c7706eb1d52251
Author: Peter Jones <REDACTED>
Date:   Thu Dec 2 18:29:50 2021 -0500

     PE Loader: support and require NX

     
     This adds support in our PE loader for NX support utilizing the

     EFI_MEMORY_ATTRIBUTE protocol.  Specifically, it changes the loader such
     that:

     
     - binaries without the EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT flag set

       in the Optional Header are rejected as EFI_UNSUPPORTED
     - binaries with non-discardable sections that have both the
       EFI_SCN_MEM_WRITE and EFI_SCN_MEM_EXECUTE flags set are rejected as
       EFI_UNSUPPORTED
     - if the EFI_MEMORY_ATTRIBUTE protocol is installed, then:
       - sections without the EFI_SCN_MEM_READ flag set will be marked with
         EFI_MEMORY_RP
       - sections without the EFI_SCN_MEM_WRITE flag set will be marked with
         EFI_MEMORY_RO
       - sections without the EFI_SCN_MEM_EXECUTE flag set will be marked
         with EFI_MEMORY_XP

     
     Signed-off-by: Peter Jones <pjo...@redhat.com>



EDK2 didn't expose the EFI_MEMORY_ATTRIBUTE protocol for ARM until
2023.05-1, so at that point this shim code was activated. Unfortunately,
this shim code had a bug that causes this problem. Luckily it has
since been fixed in upstream git:

   From c7b305152802c8db688605654f75e1195def9fd6 Mon Sep 17 00:00:00 2001
   From: Nicholas Bishop <REDACTED>
   Date: Mon, 19 Dec 2022 18:56:13 -0500
   Subject: [PATCH] pe: Align section size up to page size for mem attrs

   Setting memory attributes is generally done at page granularity, and
   this is enforced by checks in `get_mem_attrs` and
   `update_mem_attrs`. But unlike the section address, the section size
   isn't necessarily aligned to 4KiB. Round up the section size to fix
   this.

   Signed-off-by: Nicholas Bishop <nicholasbis...@google.com>


I've asked Ubuntu to pick this up (LP: #2036604). Please ask your
favorite guest OS distributions to pick it up as well.



--
Simon John























					Reply via email to