Ubuntu
shim package

Enable NX support for ARM VMs

Bug #2037137 reported by dann frazier
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Release Notes for Ubuntu
New
Undecided
Unassigned
shim
New
Unknown
edk2 (Ubuntu)
Triaged
Undecided
dann frazier
shim (Ubuntu)
New
Undecided
Unassigned

Bug Description

EDK2 2023.05-1 introduced the EFI Memory Attribute Protocol, which shim 15.7-0ubuntu1 detects and consumes to implement NX support. Unfortunately, due to bugs in shim's usage of this feature, this caused shim to sometimes crash when handing off execution to the next stage bootloader. We worked around this for mantic by disabling the EFI Memory Attribute Protocol. This bug is to track the tasks required to re-enable it.

shim needs to adopt this patch from upstream (not yet in a release):

  From c7b305152802c8db688605654f75e1195def9fd6 Mon Sep 17 00:00:00 2001
  From: Nicholas Bishop <REDACTED>
  Date: Mon, 19 Dec 2022 18:56:13 -0500
  Subject: [PATCH] pe: Align section size up to page size for mem attrs

  Setting memory attributes is generally done at page granularity, and
  this is enforced by checks in `get_mem_attrs` and
  `update_mem_attrs`. But unlike the section address, the section size
  isn't necessarily aligned to 4KiB. Round up the section size to fix
  this.

  Signed-off-by: Nicholas Bishop <REDACTED>

shim should also handle the 64KiB attribute requirements described in Comment #1 which is not yet addressed upstream (see the shim upstream task on this bug).

qemu-efi-{aarch64,arm} should also document this change in NEWS.Debian, as it will break VMs that have not yet updated to the latest version of shim. And we should also cover this in the Ubuntu release notes.

See original description
dann frazier (dannf)
description: updated
Revision history for this message
Heinrich Schuchardt (xypron) wrote :

Hello Dann,

The UEFI specification requires that if a 64 KiB page contains either of

– EfiRuntimeServicesCode
– EfiRuntimeServicesData
– EfiReserved
– EfiACPIMemoryNVS

then all 4KiB pages in the 64KiB page must use identical attributes.

So additionally to the cited patch you must ensure that buffer allocated with AllocatePages() in handle_image() for which you set memory attributes does not contain any of the above memory types. The easiest way to fulfill the requirement is appropriate alignment and rounding of the used memory. I can't find this in upstream shim.

Best regards

Heinrich

dann frazier (dannf)
summary: - shim crashes on arm64 w/ firmware that supports EFI Memory Attribute
- Protocol
+ Enable NX support for ARM VMs
Bug Watch Updater (bug-watch-updater)
Changed in edk2:
status: Unknown → New
dann frazier (dannf)
description: updated
no longer affects: edk2
Changed in edk2 (Ubuntu):
assignee: nobody → dann frazier (dannf)
status: New → Triaged
Bug Watch Updater (bug-watch-updater)
Changed in shim:
status: Unknown → New
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.