[Bug 2083154] Re: loader/efi/peimage.c:210:peimage: NX policy violation

Mate Kukri 2083154 at bugs.launchpad.net
Sun Sep 29 16:11:26 UTC 2024


This stems from the fact that peimage is suddenly present on non-SB
architectures with a monolithic image in the picture, but cannot tell
whether to enforce NX without shim, so it just does for safety.

What we should do is only build peimage into monolithic GRUB on amd64 and
arm64, where it has shim to tell NX policy, and on everything else there
is no SB, so firmware LoadImage itself can tell NX policy.

Fixing this post Oracular is probably fine, because if you use
grub-install with the core+modules setup this problem doesn't occur, it only
affects the newly introduced monolith images which aren't automatically
consumed yet.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/2083154

Title:
  loader/efi/peimage.c:210:peimage: NX policy violation

Status in grub2 package in Ubuntu:
  New

Bug description:
  Version: 2.12-5ubuntu5

  I am using vendor U-Boot to load
  /usr/lib/grub/riscv64-efi/monolithic/grubriscv64.efi as payload.

  My kernel has the following sections:

  Section[0]: .text
    Virtual size: 0xfff000
    Virtual address: 0x1000
    Size of raw data: 0xfff000
    Pointer to raw data: 0x1000
    End of raw data: 0x1000000
    Characteristics: 0x60000020
      * The section contains executable code.
      * The section can be executed as code.
      * The section can be read.
  Section[1]: .data
    Virtual size: 0x146e000
    Virtual address: 0x1000000
    Size of raw data: 0x12df000
    Pointer to raw data: 0x1000000
    End of raw data: 0x22df000
    Characteristics: 0xc0000040
      * The section contains initialized data.
      * The section can be read.
      * The section can be written to.

  So there is no section that is both executable and writable. But GRUB
  produces this error:

  Loading Linux 6.6.21-4-premier ...
  loader/efi/linux.c:102:linux: UEFI stub kernel:
  loader/efi/linux.c:103:linux: PE/COFF header @ 00000040
  loader/efi/linux.c:132:linux: LoadFile2 initrd loading enabled
  loader/efi/linux.c:501:linux: kernel file size: 36564992
  loader/efi/linux.c:503:linux: kernel numpages: 8927
  loader/efi/linux.c:520:linux: kernel @ 0x47b865000
  Loading initial ramdisk ...
  loader/efi/linux.c:420:linux: Using LoadFile2 initrd loading protocol
  Loading device tree blob...
  loader/efi/fdt.c:209:fdt: Device-tree /boot/dtb-6.6.21-4-premier loaded
  loader/efi/fdt.c:62:linux: EFI_DT_FIXUP_PROTOCOL available
  loader/efi/fdt.c:80:linux: Device tree fixed up via EFI_DT_FIXUP_PROTOCOL
  loader/efi/fdt.c:147:fdt: Installed/updated FDT configuration table @ 0x47dbe6a40
  loader/efi/peimage.c:210:peimage: NX policy violation
  error: cannot load image.

  As of v6.11 Linux does not set the IMAGE_DLLCHARACTERISTICS_NX_COMPAT
  flag in arch/riscv/kernel/efi-header.S (DLL Characteristics =
  0x0000).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/2083154/+subscriptions
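As an added example (not GRUB's peimage code and not from the reporter): a small Python checker that reads the two things the failure above turns on, the IMAGE_DLLCHARACTERISTICS_NX_COMPAT bit in the optional header's DllCharacteristics and the per-section write/execute flags, and applies the policy as the report describes it (the image must opt in via NX_COMPAT and carry no W+X section; that policy reading is an assumption). The sample image is constructed from the section characteristics in the report; its machine type and header layout are test-data assumptions.

```python
import struct

# Flag values from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Section characteristics copied from the bug report's kernel dump.
KERNEL_SECTIONS = [(b".text", 0x60000020), (b".data", 0xC0000040)]

def nx_report(image: bytes) -> dict:
    """Return {"nx_compat": bool, "wx_sections": [names]} for a PE32/PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] not in (0x10B, 0x20B):
        raise ValueError("not a PE32/PE32+ optional header")
    # DllCharacteristics sits at offset 70 of the optional header in both formats.
    dllchars = struct.unpack_from("<H", image, opt + 70)[0]
    wx = []
    for i in range(nsections):  # 40-byte section headers follow the optional header
        name, chars = struct.unpack_from("<8s28xI", image, opt + opt_size + 40 * i)
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            wx.append(name.rstrip(b"\0").decode())
    return {"nx_compat": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
            "wx_sections": wx}

def would_pass_nx(report: dict) -> bool:
    """Policy as the report describes it (assumed): NX_COMPAT set and no W+X section."""
    return report["nx_compat"] and not report["wx_sections"]

def build_sample(dllchars: int, sections) -> bytes:
    """Constructed minimal PE32+ header (headers only, no code), for testing only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt = bytearray(112)  # PE32+ optional header without data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 70, dllchars)
    coff = struct.pack("<HHIIIHH", 0x5064, len(sections), 0, 0, 0, len(opt), 2)  # RISCV64
    secs = b"".join(struct.pack("<8s28xI", n, c) for n, c in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs

if __name__ == "__main__":  # the report's kernel, with and without NX_COMPAT
    for dllchars in (0x0000, IMAGE_DLLCHARACTERISTICS_NX_COMPAT):
        rep = nx_report(build_sample(dllchars, KERNEL_SECTIONS))
        print(hex(dllchars), rep, "ok" if would_pass_nx(rep) else "NX policy violation")
```

With DllCharacteristics = 0x0000 the checker reports no W+X section yet still fails the image, which is the situation the report describes; the same checker run on a real grubriscv64.efi or vmlinuz.efi shows which of the two conditions a given image trips.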