Public bug reported:

[Impact]
After a BIOS update, the newer UEFI (edk2) firmware version enables strict NX
(W^X) memory protection by default: PcdDxeNxMemoryProtectionPolicy is now 0x7FD5
(previously the legacy bug-compatible value 0x7FD1), enforcing NX on all EFI
memory types. Under this policy, GRUB 2.06 fails to boot with a page fault.
GRUB 2.12 boots successfully.

[Environment]
- Firmware: UEFI/edk2 with PcdDxeNxMemoryProtectionPolicy = 0x7FD5 (strict W^X)
- Affected: Ubuntu 22.04 LTS (grub 2.06)
- Working: GRUB 2.12 (e.g. the installed system on 24.04)
- Boot mode: UEFI x86_64, Secure Boot (shim + grub)

[Steps to reproduce]
1. Update the BIOS so the firmware uses the newer UEFI (edk2) version that
   defaults PcdDxeNxMemoryProtectionPolicy to 0x7FD5.
2. Boot Ubuntu 22.04 LTS (grub 2.06) in UEFI mode.

[Expected result]
GRUB loads and boots the kernel normally under the strict NX policy.

[Actual result]
GRUB 2.06 triggers a page fault and does not boot. GRUB allocates code memory
typed as GRUB_EFI_LOADER_CODE; under the strict NX policy this memory type is
not executable, and the fault occurs when GRUB executes / jumps into that
memory. We have not pinned down the exact instant from serial logs yet -- it
may happen during GRUB's own execution, or at the final jump after loading
completes (grub_relocator path). The deterministic cause is the same: executing
code that resides in non-executable (NX) memory.

[Image-level patches are NOT sufficient on 2.06]
We verified that the commonly cited GRUB image-level fixes do NOT resolve this:
- PE section 4K alignment fix (grub-mkimage VirtualSize/SizeOfRawData)
- NX_COMPAT flag (PE DllCharacteristics = 0x0100)
Even with both applied, GRUB 2.06 still page-faults under 0x7FD5.

[Why 2.12 works]
GRUB 2.12 moved to the EFI Boot Services LoadImage()/StartImage() path, letting
the firmware manage memory attributes instead of allocating and jumping into
self-owned executable memory. This avoids the fault.

[Additional Ubuntu-specific concern: 24.04 install media]
The installed system on 24.04 uses grub 2.12, but the 24.04 install ISO still
bundles grub 2.06. As a result, the installer media itself page-faults under
strict NX, so a fresh 24.04 installation cannot even start on these machines.

[Requests]
1. Is strict NX (PcdDxeNxMemoryProtectionPolicy = 0x7FD5) a supported firmware
   configuration for current Ubuntu releases?
2. For 22.04 LTS (in standard support), is an SRU backport that makes grub boot
   under strict NX feasible, or is moving to 2.12 the only fix?
3. Will the 24.04(.x) install ISO be re-spun with grub 2.12?
4. If a fix is planned, what is the target release / timeline?

** Affects: grub2 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2156578

Title:
  GRUB 2.06 fails to boot with a page fault under strict UEFI NX
  (PcdDxeNxMemoryProtectionPolicy=0x7FD5)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/2156578/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
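
The report names two image-level properties (4K PE section alignment and the NX_COMPAT bit, DllCharacteristics 0x0100). The following is an added example, not code from the report or from GRUB, showing one way to check them in an EFI binary's PE headers, and it also lists sections flagged both writable and executable. The names `audit_pe` and `build_sample` are hypothetical, the two sample images are constructed, and using VirtualAddress and SectionAlignment as the alignment indicators is an assumption.

```python
import struct

NX_COMPAT = 0x0100                                 # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000    # IMAGE_SCN_MEM_EXECUTE / _WRITE
PAGE = 4096

def audit_pe(data: bytes) -> dict:
    """Report NX_COMPAT, section alignment and W+X sections of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]               # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                              # optional header start
    sec_align = struct.unpack_from("<I", data, opt + 32)[0]    # SectionAlignment
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]    # DllCharacteristics
    misaligned, wx = [], []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                          # 40-byte section header
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vaddr, flags = struct.unpack_from("<I20xI", data, off + 12)
        if vaddr % PAGE:
            misaligned.append(name)
        if flags & MEM_EXECUTE and flags & MEM_WRITE:
            wx.append(name)
    return {"nx_compat": bool(dll_chars & NX_COMPAT),
            "section_alignment": sec_align,
            "misaligned_sections": misaligned,
            "writable_executable_sections": wx}

def build_sample(sec_align, dll_chars, sections):
    """Constructed header-only PE32+ image for the demo, not a real GRUB binary."""
    opt = bytearray(240)                                       # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", opt, 32, sec_align)
    struct.pack_into("<H", opt, 70, dll_chars)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, 0x1000, va, 0x1000, 0, 0, 0, 0, 0, fl)
                     for n, va, fl in sections)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)            # e_lfanew = 64
    return dos + b"PE\0\0" + coff + bytes(opt) + table

# Constructed samples: one without the two image-level fixes, one with both.
LEGACY = build_sample(0x200, 0, [(b".text", 0x400, 0x60000020), (b".data", 0x1E00, 0xE0000040)])
PATCHED = build_sample(PAGE, NX_COMPAT, [(b".text", 0x1000, 0x60000020), (b".data", 0x2000, 0xC0000040)])
if __name__ == "__main__":
    for label, image in (("legacy", LEGACY), ("patched", PATCHED)):
        print(label, audit_pe(image))
```

A clean result covers only the image headers; per the report, GRUB 2.06 still page-faults under 0x7FD5 with both properties in place.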
