Bug#1138699: systemd-boot-efi: does not load kernel on 64k boundary

Tue, 02 Jun 2026 06:25:16 -0700 

Package: systemd-boot-efi
Version: 261~rc2-1
Severity: normal
X-Debbugs-Cc: [email protected]
Control: tag -1 +patch

Dear Maintainer,

The systemd aarch64 stub located at /usr/lib/systemd/boot/efi/linuxaa64.efi.stub
does not load the kernel into a 64k boundary which is what the kernel
segments are aligned to in arm64:

        objdump -h /boot/vmlinuz-7.1-arm64

        /boot/vmlinuz-7.1-arm64:     file format pei-aarch64-little

        Sections:
        Idx Name          Size      VMA               LMA               File 
off  Algn
          0 .text         02480000  0000000000010000  0000000000010000  
00010000  2**2
                          CONTENTS, ALLOC, LOAD, READONLY, CODE
          1 .data         00794a00  0000000002490000  0000000002490000  
02490000  2**2
                          CONTENTS, ALLOC, LOAD, DATA

This is exposed by the following message during boot when using this
stub with ukify to create an UKI:

        FIRMWARE BUG: kernel image not aligned on 64k boundary

This check is done in linux’s drivers/firmware/efi/libstub/arm64-stub.c
which is chained from systemd-stub. It was introduced in the following
commit:

        commit c32ac11da3f83bb42b986702a9b92f0a14ed4182
        Author: Ard Biesheuvel <[email protected]>
        Date:   Mon Jul 26 16:31:44 2021 +0200

            efi/libstub: arm64: Double check image alignment at entry

            On arm64, the stub only moves the kernel image around in memory if
            needed, which is typically only for KASLR, given that relocatable
            kernels (which is the default) can run from any 64k aligned address,
            which is also the minimum alignment communicated to EFI via the 
PE/COFF
            header.

            Unfortunately, some loaders appear to ignore this header, and load 
the
            kernel at some arbitrary offset in memory. We can deal with this, 
but
            let's check for this condition anyway, so non-compliant code can be
            spotted and fixed.

            Cc: <[email protected]> # v5.10+
            Signed-off-by: Ard Biesheuvel <[email protected]>
            Tested-by: Benjamin Herrenschmidt <[email protected]>

The "some loaders" in the commit message seems to refer to systemd-stub,
because this issue is present and triggers on my T14s arm64 laptop.

I am currently running a workaround (attached as a patch) to have the
memory aligned on a 64k boundary to have the message go away. The proper
implementation would probably require to read the SectionAlignment of
the .linux section and align to it instead of hardcoding it to 64k as
demonstrated here.

Thanks,

Agathe.

Attachment: 0001-stub-load-kernel-in-64k-aligned-memory.patch
Description: application/mbox

Reply via email to