OK, I finally found some time to debug this. I debugged it with an
Ubuntu VM that used shim 15.7, but I suspect it is the same issue with
Fedora 38 and AlmaLinux 9.2.
shim 15.6 introduced the following commit:
commit 226fee25ffcbd29988399ba080c7706eb1d52251
Author: Peter Jones <REDACTED>
Date: Thu Dec 2 18:29:50 2021 -0500
PE Loader: support and require NX
This adds support in our PE loader for NX support utilizing the
EFI_MEMORY_ATTRIBUTE protocol. Specifically, it changes the loader such
that:
- binaries without the EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT flag set
in the Optional Header are rejected as EFI_UNSUPPORTED
- binaries with non-discardable sections that have both the
EFI_SCN_MEM_WRITE and EFI_SCN_MEM_EXECUTE flags set are rejected as
EFI_UNSUPPORTED
- if the EFI_MEMORY_ATTRIBUTE protocol is installed, then:
- sections without the EFI_SCN_MEM_READ flag set will be marked with
EFI_MEMORY_RP
- sections without the EFI_SCN_MEM_WRITE flag set will be marked with
EFI_MEMORY_RO
- sections without the EFI_SCN_MEM_EXECUTE flag set will be marked
with EFI_MEMORY_XP
Signed-off-by: Peter Jones <pjo...@redhat.com>
EDK2 didn't expose the EFI_MEMORY_ATTRIBUTE protocol for ARM until
2023.05-1, so at that point this shim code was activated. Unfortunately,
this shim code had a bug that causes this problem. Luckily it has
since been fixed in upstream git:
From c7b305152802c8db688605654f75e1195def9fd6 Mon Sep 17 00:00:00 2001
From: Nicholas Bishop <REDACTED>
Date: Mon, 19 Dec 2022 18:56:13 -0500
Subject: [PATCH] pe: Align section size up to page size for mem attrs
Setting memory attributes is generally done at page granularity, and
this is enforced by checks in `get_mem_attrs` and
`update_mem_attrs`. But unlike the section address, the section size
isn't necessarily aligned to 4KiB. Round up the section size to fix
this.
Signed-off-by: Nicholas Bishop <nicholasbis...@google.com>
I've asked Ubuntu to pick this up (LP: #2036604). Please ask your
favorite guest OS distributions to pick it up as well.
