On Mon, Dec 11, 2023 at 10:06 AM Gerd Hoffmann <kra...@redhat.com> wrote: > > On Thu, Dec 07, 2023 at 11:06:03AM +0100, Ard Biesheuvel wrote: > > From: Ard Biesheuvel <a...@kernel.org> > > > > Shim's PE loader uses the EFI memory attributes protocol in a way that > > results in an immediate crash when invoking the loaded image, unless the > > base and size of its executable segment are both aligned to 4k. > > > > If this is not the case, it will strip the memory allocation of its > > executable permissions, but fail to add them back for the executable > > region, resulting in non-executable code. Unfortunately, the PE loader > > does not even bother invoking the protocol in this case (as it notices > > the misalignment), making it very hard for system firmware to work > > around this by attempting to infer the intent of the caller. > > > > So let's introduce a QEMU command line option to indicate that the > > protocol should not be exposed at all on the first boot, which is when > > the issue is triggered. (fbaa64.efi is broken but grubaa64.efi boots > > fine) > > > > -fw_cfg opt/org.tianocore/UninstallMemAttrProtocolOnFirstBoot,string=y > > > > Also introduce a fixed boolean PCD that sets the default. > > Did some more testing meanwhile with latest shim. Noticed things can > explode in other ways as well in case the memory attribute protocol is > present. > > Specifically rhel-9.3 grub on aa64 crashes with latest shim. Which I > suspect is that grub version not being NX-clean, and shim setting page > permissions via memory attribute protocol triggers that bug. Didn't > analyze it yet though. > > So, while I'd love to see some automatic way here I suspect trying to be > too clever does more harm than good. >
OK, so not worth the trouble of trying to detect the first boot, I guess. For my info, is rhel-9.3 an old GRUB? -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#112277): https://edk2.groups.io/g/devel/message/112277 Mute This Topic: https://groups.io/mt/103031504/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-