On Wed, Apr 23, 2025 at 10:01:36PM -0600, dann frazier wrote:
> On Wed, Apr 23, 2025, 17:41 Mathias Gibbens <gib...@debian.org> wrote:
>
> > control: retitle -1 qemu-efi-aarch64: Secure Boot regression for some
> > arm64 VMs
> > control: reassign -1 qemu-efi-aarch64 2025.02-7
> > control: severity -1 serious
> > control: affects -1 incus
> >
> > Release 2025.02-5 of src:edk2 dropped the patch
> > Revert-ArmVirtPkg-make-EFI_LOADER_DATA-non-executabl.patch. This has
> > caused a regression for (at least) Debian bookworm and Ubuntu 22.04
> > arm64 VMs when booting with Secure Boot enabled.
> >
> > I have verified that re-applying that patch to src:edk2 2025.02-7
> > allows these VMs to boot once again.
> >
>
> Please see NEWS.Debian:
> https://salsa.debian.org/qemu-team/edk2/-/blob/08d4411d458eefc4df5d48acce4f995d4ae6087d/debian/qemu-efi-aarch64.NEWS
It says this:

> The EFI_MEMORY_ATTRIBUTE_PROTOCOL is now enabled by default in the
> AAVMF_CODE.secboot.fd image. This is a security feature that will
> cause crashes for operating systems with bootloaders that do not
> observe proper memory access semantics. Users that experience issues
> with such bootloaders have the options to either append the following
> to the qemu-system-aarch64 command line:
> -fw_cfg name=opt/org.tianocore/UninstallMemAttrProtocol,string=y
> or switch to the no-secboot image, which uninstalls this protocol by
> default.

This would mean having to change software like libvirt, incus, etc, to
pass this parameter but only for debian 12 images, which might not be
easy to do. Since debian 13 just works, do you happen to know what
bits need to be backported to fix debian 12 images to work out of the
box without having to turn off this security feature?
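An added example, not part of the bug report or of the edk2 packaging: a small POSIX sh wrapper that does what the message above says a VM manager would have to do, i.e. apply the NEWS.Debian opt-out (-fw_cfg name=opt/org.tianocore/UninstallMemAttrProtocol,string=y) only for guests whose bootloaders are known to trip over EFI_MEMORY_ATTRIBUTE_PROTOCOL, and keep the protocol enabled for everything else. The guest list (Debian 12 and Ubuntu 22.04) is taken from the report; the firmware paths under /usr/share/AAVMF, the -M virt machine options and the idea of reading the guest's /etc/os-release from a mounted image are assumptions for the sake of illustration, not something the thread specifies.

```shell
#!/bin/sh
# Added example: per-guest opt-out from EFI_MEMORY_ATTRIBUTE_PROTOCOL.
# Not from the bug report; firmware paths and guest list are assumptions.

# Guests whose bootloaders are reported (in this bug) to fail when the
# protocol is installed. Format: "<os-release ID>:<VERSION_ID>".
LEGACY_GUESTS="debian:12 ubuntu:22.04"

# The exact opt-out string from qemu-efi-aarch64.NEWS.
MEMATTR_OPTOUT='-fw_cfg name=opt/org.tianocore/UninstallMemAttrProtocol,string=y'

# Assumed Debian firmware paths for the Secure Boot capable image.
AAVMF_CODE=/usr/share/AAVMF/AAVMF_CODE.secboot.fd
AAVMF_VARS_TEMPLATE=/usr/share/AAVMF/AAVMF_VARS.fd

# guest_tag <os-release file>: print "id:version" for the guest, e.g.
# "debian:12". The file is assumed to come from the mounted guest image.
guest_tag() {
    id=$(sed -n 's/^ID=//p' "$1" | tr -d '"')
    ver=$(sed -n 's/^VERSION_ID=//p' "$1" | tr -d '"')
    printf '%s:%s\n' "$id" "$ver"
}

# memattr_workaround_args <id:version>: print the opt-out only for guests
# in LEGACY_GUESTS; print nothing (keep the protocol enabled) otherwise.
memattr_workaround_args() {
    for g in $LEGACY_GUESTS; do
        if [ "$g" = "$1" ]; then
            printf '%s\n' "$MEMATTR_OPTOUT"
            return 0
        fi
    done
    return 0
}

# qemu_secboot_cmdline <disk image> <guest os-release file>: print the
# qemu-system-aarch64 command line, with the opt-out appended only when
# the guest needs it. Nothing is executed; the caller decides.
qemu_secboot_cmdline() {
    disk=$1
    tag=$(guest_tag "$2")
    extra=$(memattr_workaround_args "$tag")
    printf '%s' "qemu-system-aarch64 -M virt -cpu max -m 2048 -nographic \
 -drive if=pflash,format=raw,readonly=on,file=$AAVMF_CODE \
 -drive if=pflash,format=raw,file=$AAVMF_VARS_TEMPLATE \
 -drive if=virtio,format=qcow2,file=$disk"
    if [ -n "$extra" ]; then
        printf ' %s' "$extra"
    fi
    printf '\n'
}

# Usage when run directly: ./wrapper.sh disk.qcow2 /mnt/guest/etc/os-release
if [ "$#" -ge 2 ]; then
    qemu_secboot_cmdline "$1" "$2"
fi
```

A VM manager would copy AAVMF_VARS.fd per guest rather than point at the template read-write, and would enrol keys into it for a real Secure Boot setup; that part is left out here because the point of the example is the conditional opt-out, which fires for a Debian 12 or Ubuntu 22.04 guest and stays silent for Debian 13.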