edk2: disable EFI memory attributes protocol again #153
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Unfortunately, we have to disable EFI memory attributes protocol that was introduced in tianocore/edk2@1c4dfad starting from edk2-stable202305 as it leads to crash of SecureBoot shim There is a fix for shim that addresses this issue, but it will take a few month until this fix will be landed to different Linux distros and we can't make our users wait for it. Fix for shim: rhboot/shim@c7b3051 This commit was reverted as a part of ("edk2: disable NX protection feature") but it was a mistake. Somehow, I made a systematic error in my test of edk2 with ("edk2: disable EFI memory attributes protocol") reverted and found that it works. But it's not. And I found *why* I made this mistake. Just to be clear EFI_MEMORY_ATTRIBUTES protocol and "ArmVirtPkg: make EFI_LOADER_DATA non-executable" are about setting NX flags on some pages on arm64. And both of commits led to regressions but on the *different* stages of boot process. I. "ArmVirtPkg: make EFI_LOADER_DATA non-executable" makes boot process to fail with Synchronous Exception *after* efi-shim/grub2 finished their work: ================ BdsDxe: loading Boot0001 "UEFI QEMU QEMU HARDDISK " from PciRoot(0x0)/Pci(0x1,0x1)/Pci(0x0,0x0)/Scsi(0x0,0x1) BdsDxe: starting Boot0001 "UEFI QEMU QEMU HARDDISK " from PciRoot(0x0)/Pci(0x1,0x1)/Pci(0x0,0x0)/Scsi(0x0,0x1) Welcome to GRUB! Booting `openSUSE Leap 15.5' Loading Linux 5.14.21-150500.55.19-default ... Loading initial ramdisk ... Synchronous Exception at 0x000000006C217504 ================ II. EFI_MEMORY_ATTRIBUTES ("ArmPkg/CpuDxe: Implement EFI memory attributes protocol") makes shim (!) to fail with Synchronous Exception like that: ================ BdsDxe: loading Boot0001 "UEFI QEMU QEMU HARDDISK " from PciRoot(0x0)/Pci(0x1,0x1)/Pci(0x0,0x0)/Scsi(0x0,0x1) BdsDxe: starting Boot0001 "UEFI QEMU QEMU HARDDISK " from PciRoot(0x0)/Pci(0x1,0x1)/Pci(0x0,0x0)/Scsi(0x0,0x1) Synchronous Exception at 0x000000007C318000 Synchronous Exception at 0x000000007C318000 ================ Now about *how* I made this mistake during testing. $ lxc launch ubuntu:jammy jammy-secboot1 --vm -c security.secureboot=true --console Synchronous Exception $ lxc stop jammy-secboot1 --force $ ./replace_firmware.sh $ lxc start jammy-secboot1 --console Everything works! $ lxc stop jammy-secboot1 --force $ ./revert_firmware.sh $ lxc start jammy-secboot1 --console Everything is still working! The catch here is that Synchronous Exception that happens in shim happens only on a clean NVRAM! If VM was boot successfully one time, then it will boot successfuly even after upgrade to a new firmware. (only about EFI_MEMORY_ATTRIBUTE protocol thing!) Fixes canonical/lxd#12211 Signed-off-by: Alexander Mikhalitsyn <[email protected]>
tomponline
approved these changes
Sep 19, 2023
tomponline
approved these changes
Sep 19, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Unfortunately, we have to disable EFI memory attributes protocol that was introduced in
tianocore/edk2@1c4dfad starting from edk2-stable202305 as it leads to crash of SecureBoot shim
There is a fix for shim that addresses this issue, but it will take a few month until this fix will be landed to different Linux distros and we can't make our users wait for it.
Fix for shim:
rhboot/shim@c7b3051
This commit was reverted as a part of ("edk2: disable NX protection feature") but it was a mistake. Somehow, I made a systematic error in my test of edk2 with ("edk2: disable EFI memory attributes protocol") reverted and found that it works. But it's not. And I found why I made this mistake.
Just to be clear EFI_MEMORY_ATTRIBUTES protocol and "ArmVirtPkg: make EFI_LOADER_DATA non-executable" are about setting NX flags on some pages on arm64. And both of commits led to regressions but on the different stages of boot process.
I. "ArmVirtPkg: make EFI_LOADER_DATA non-executable" makes boot process to fail with Synchronous Exception after efi-shim/grub2 finished their work: ================
BdsDxe: loading Boot0001 "UEFI QEMU QEMU HARDDISK " from PciRoot(0x0)/Pci(0x1,0x1)/Pci(0x0,0x0)/Scsi(0x0,0x1) BdsDxe: starting Boot0001 "UEFI QEMU QEMU HARDDISK " from PciRoot(0x0)/Pci(0x1,0x1)/Pci(0x0,0x0)/Scsi(0x0,0x1) Welcome to GRUB!
Booting `openSUSE Leap 15.5'
Loading Linux 5.14.21-150500.55.19-default ...
Loading initial ramdisk ...
Synchronous Exception at 0x000000006C217504
II. EFI_MEMORY_ATTRIBUTES ("ArmPkg/CpuDxe: Implement EFI memory attributes protocol") makes shim (!) to fail with Synchronous Exception like that: ================
BdsDxe: loading Boot0001 "UEFI QEMU QEMU HARDDISK " from PciRoot(0x0)/Pci(0x1,0x1)/Pci(0x0,0x0)/Scsi(0x0,0x1) BdsDxe: starting Boot0001 "UEFI QEMU QEMU HARDDISK " from PciRoot(0x0)/Pci(0x1,0x1)/Pci(0x0,0x0)/Scsi(0x0,0x1)
Synchronous Exception at 0x000000007C318000
Synchronous Exception at 0x000000007C318000
Now about how I made this mistake during testing. $ lxc launch ubuntu:jammy jammy-secboot1 --vm -c security.secureboot=true --console Synchronous Exception
$ lxc stop jammy-secboot1 --force
$ ./replace_firmware.sh
$ lxc start jammy-secboot1 --console
Everything works!
$ lxc stop jammy-secboot1 --force
$ ./revert_firmware.sh
$ lxc start jammy-secboot1 --console
Everything is still working!
The catch here is that Synchronous Exception that happens in shim happens only on a clean NVRAM! If VM was boot successfully one time, then it will boot successfuly even after upgrade to a new firmware. (only about EFI_MEMORY_ATTRIBUTE protocol thing!)
Fixes canonical/lxd#12211