RHEL-49868

aarch64 grubaa64.efi UEFI permission fault when starting kernel with UEFI NX FW

    • Bug
    • Resolution: Unresolved
    • Major
    • rhel-9.5
    • rhel-9.5
    • grub2
    • grub2-2.06-92.el9
    • None
    • Moderate
    • sst_desktop_firmware_bootloaders
    • ssg_desktop
    • 3
    • False
    • None
    • None
    • aarch64
    • None

      What were you trying to do that didn't work?

      A UEFI permission fault occurs when the aarch64 grub attempts to execute the first instruction in the kernel when the system has UEFI NX enforcing FW.

      This problem was originally noted by rhn-engineering-ghoffman when testing RHEL-25537 and was originally suspected to be a kernel problem by RHEL-39186.

      Please provide the package NVR for which bug is seen:

      grub2-efi-aa64-2.06-82.el9.aarch64

      How reproducible:

      100%

      Steps to reproduce

      1. Install a UEFI NX enforcing OVMF by installing the Fedora 40 edk2-experimental-20240524-4.fc40.noarch rpm on a RHEL 9.5 aarch64 system.
      2. Create a VM using that installed UEFI NX enforcing OVMF, e.g.

       

      virt-install  --name arm64-nx-guest \
                    --vcpus=4 --memory 8192 \
                    --boot loader=/usr/share/edk2/experimental/QEMU_EFI-strictnx-pflash.raw,loader.readonly=yes,loader.type=pflash,nvram.template=/usr/share/edk2/aarch64/vars-template-pflash.raw \
                    --boot bootmenu.enable=on \
                    --graphics none \
                    --disk /home/virtimages/arm64-guest.img,size=100,sparse=yes \
                    --os-variant=rhel9.4 \
                    --location /home/downloads/RHEL-9.5.0-20240708.2-aarch64-dvd1.iso \
                    --autoconsole text \
                    --install kernel_args="console=ttyS0" \
                    --extra-args "console=ttyS0"
      

      Actual results

      Example results, with grub debug=linux

       

      
        *Red Hat Enterprise Linux (5.14.0-481.rhel39186.lss001.el9.aarch64) 9.5 (Pl> 
      
      loader/arm64/linux.c:62: UEFI stub kernel: 
      loader/arm64/linux.c:63: PE/COFF header @ 00000040 
      loader/arm64/linux.c:338: num_sections     : 2 
      loader/arm64/linux.c:341: raw_size   : 12644352 
      loader/arm64/linux.c:343: virt_size  : 12644352 
      loader/arm64/linux.c:341: raw_size   : 512 
      loader/arm64/linux.c:343: virt_size  : 263168 
      loader/arm64/linux.c:394: kernel mem size     : 12911616 
      loader/arm64/linux.c:395: kernel entry offset : 11432 
      loader/arm64/linux.c:396: kernel alignment    : 0x1000 
      loader/arm64/linux.c:397: kernel size         : 0xc10200 
      loader/arm64/linux.c:407: kernel numpages: 3154 
      loader/arm64/linux.c:415: kernel @ 0x2394bc000 
      loader/arm64/linux.c:289: Loading initrd 
      loader/arm64/linux.c:251: max_addr: 0x0000000040000000, 
      INITRD_MAX_ADDRESS_OFFSET: 0x0000000800000000 
      loader/arm64/linux.c:255: calling grub_efi_allocate_pages_real 
      (0x000000083fffffff, 0x00003071, EFI_ALLOCATE_MAX_ADDRESS, EFI_LOADER_DATA) 
      loader/arm64/linux.c:260: got 0x000000023644b000 
      GetMemoryAttributes: BaseAddress == 0x23C117000, Length == 0x1000 
      GetMemoryAttributes: RegionAddress == 0x23C117000, RegionLength == 0x14000, RegionAttributes == 0x78C 
      GetMemoryAttributes: Union == 78C, Intersection == 78C 
      GetMemoryAttributes: BaseAddress == 0x47674000, Length == 0x1000 
      GetMemoryAttributes: RegionAddress == 0x47674000, RegionLength == 0x3000, RegionAttributes == 0x6000000000070C 
      GetMemoryAttributes: Union == 6000000000070C, Intersection == 6000000000070C 
      UpdateRegionMappingRecursive(0): 23634B000 - 23644B000 set 400 clr FF9F000000000B3F 
      UpdateRegionMappingRecursive(1): 23634B000 - 23644B000 set 400 clr FF9F000000000B3F 
      UpdateRegionMappingRecursive(2): 23634B000 - 23644B000 set 400 clr FF9F000000000B3F 
      UpdateRegionMappingRecursive(3): 236200000 - 236400000 set 6000000000070C clr 0 
      UpdateRegionMappingRecursive(3): 23634B000 - 236400000 set 400 clr FF9F000000000B3F 
      UpdateRegionMappingRecursive(3): 236400000 - 236600000 set 6000000000070C clr 0 
      UpdateRegionMappingRecursive(3): 236400000 - 23644B000 set 400 clr FF9F000000000B3F 
      GetMemoryAttributes: BaseAddress == 0x23C117000, Length == 0x1000 
      GetMemoryAttributes: RegionAddress == 0x23C117000, RegionLength == 0x14000, RegionAttributes == 0x78C 
      GetMemoryAttributes: Union == 78C, Intersection == 78C 
      GetMemoryAttributes: BaseAddress == 0x47674000, Length == 0x1000 
      GetMemoryAttributes: RegionAddress == 0x47674000, RegionLength == 0x3000, RegionAttributes == 0x6000000000070C 
      GetMemoryAttributes: Union == 6000000000070C, Intersection == 6000000000070C 
      UpdateRegionMappingRecursive(0): 23624B000 - 23634B000 set 400 clr FF9F000000000B3F 
      UpdateRegionMappingRecursive(1): 23624B000 - 23634B000 set 400 clr FF9F000000000B3F 
      UpdateRegionMappingRecursive(2): 23624B000 - 23634B000 set 400 clr FF9F000000000B3F 
      UpdateRegionMappingRecursive(3): 23624B000 - 23634B000 set 400 clr FF9F000000000B3F 
      GetMemoryAttributes: BaseAddress == 0x23C117000, Length == 0x1000 
      GetMemoryAttributes: RegionAddress == 0x23C117000, RegionLength == 0x14000, RegionAttributes == 0x78C 
      GetMemoryAttributes: Union == 78C, Intersection == 78C 
      GetMemoryAttributes: BaseAddress == 0x47674000, Length == 0x1000 
      GetMemoryAttributes: RegionAddress == 0x47674000, RegionLength == 0x3000, RegionAttributes == 0x6000000000070C 
      GetMemoryAttributes: Union == 6000000000070C, Intersection == 6000000000070C 
      UpdateRegionMappingRecursive(0): 23614B000 - 23624B000 set 400 clr FF9F000000000B3F 
      UpdateRegionMappingRecursive(1): 23614B000 - 23624B000 set 400 clr FF9F000000000B3F 
      UpdateRegionMappingRecursive(2): 23614B000 - 23624B000 set 400 clr FF9F000000000B3F 
      UpdateRegionMappingRecursive(3): 236000000 - 236200000 set 6000000000070C clr 0 
      UpdateRegionMappingRecursive(3): 23614B000 - 236200000 set 400 clr FF9F000000000B3F 
      UpdateRegionMappingRecursive(3): 236200000 - 23624B000 set 400 clr FF9F000000000B3F 
      GetMemoryAttributes: BaseAddress == 0x23C117000, Length == 0x1000 
      GetMemoryAttributes: RegionAddress == 0x23C117000, RegionLength == 0x14000, RegionAttributes == 0x78C 
      GetMemoryAttributes: Union == 78C, Intersection == 78C 
      GetMemoryAttributes: BaseAddress == 0x47674000, Length == 0x1000 
      GetMemoryAttributes: RegionAddress == 0x47674000, RegionLength == 0x3000, RegionAttributes == 0x6000000000070C 
      GetMemoryAttributes: Union == 6000000000070C, Intersection == 6000000000070C 
      UpdateRegionMappingRecursive(0): 23604B000 - 23614B000 set 400 clr FF9F000000000B3F 
      UpdateRegionMappingRecursive(1): 23604B000 - 23614B000 set 400 clr FF9F000000000B3F 
      UpdateRegionMappingRecursive(2): 23604B000 - 23614B000 set 400 clr FF9F000000000B3F 
      UpdateRegionMappingRecursive(3): 23604B000 - 23614B000 set 400 clr FF9F000000000B3F 
      loader/arm64/linux.c:305: [addr=0x23644b000, size=0x3070553] 
      loader/efi/fdt.c:65: allocating 1155 bytes for fdt 
      loader/arm64/linux.c:96: Initrd @ 0x23644b000-0x2394bb553 
      loader/arm64/linux.c:123: Installed/updated FDT configuration table @ 
      0x23c730000 
      loader/arm64/linux.c:181: linux command line: 
      'BOOT_IMAGE=(hd0,gpt2)/vmlinuz-5.14.0-481.rhel39186.lss001.el9.aarch64 
      root=UUID=fc792a58-5195-432e-ad0f-370bb5fb7ce9 ro 
      crashkernel=1G-4G:256M,4G-64G:320M,64G-:576M console=ttyS0' 
      loader/efi/linux.c:167: kernel_addr: 0x2394bc000 handover_offset: 0x2ca8 
      params: 0x2394bc000 
      GetMemoryAttributes: BaseAddress == 0x2394BC000, Length == 0x1000 
      GetMemoryAttributes: RegionAddress == 0x239400000, RegionLength == 0xC00000, RegionAttributes == 0x6000000000070C 
      GetMemoryAttributes: Union == 6000000000070C, Intersection == 6000000000070C 
      GetMemoryAttributes: BaseAddress == 0x47674000, Length == 0x1000 
      GetMemoryAttributes: RegionAddress == 0x47674000, RegionLength == 0x3000, RegionAttributes == 0x6000000000070C 
      GetMemoryAttributes: Union == 6000000000070C, Intersection == 6000000000070C 
      ClearMemoryAttributes: BaseAddress == 0x47674000, Length == 0x1000, Attributes == 0x26000 
      UpdateRegionMappingRecursive(0): 47674000 - 47675000 set 400 clr FF9F000000000F3F 
      UpdateRegionMappingRecursive(1): 47674000 - 47675000 set 400 clr FF9F000000000F3F 
      UpdateRegionMappingRecursive(2): 47674000 - 47675000 set 400 clr FF9F000000000F3F 
      UpdateRegionMappingRecursive(3): 47674000 - 47675000 set 400 clr FF9F000000000F3F 
      GetMemoryAttributes: BaseAddress == 0x47674000, Length == 0x1000 
      GetMemoryAttributes: RegionAddress == 0x47674000, RegionLength == 0x1000, RegionAttributes == 0x70C 
      GetMemoryAttributes: Union == 70C, Intersection == 70C 
      GetMemoryAttributes: BaseAddress == 0x47674000, Length == 0x1000 
      GetMemoryAttributes: RegionAddress == 0x47674000, RegionLength == 0x1000, RegionAttributes == 0x70C 
      GetMemoryAttributes: Union == 70C, Intersection == 70C 
      
      
      Synchronous Exception at 0x00000002394BECA8 
      PC 0x0002394BECA8 
      PC 0x00023BF02604 
      PC 0x00023BF00B38 
      PC 0x00023BF00BC4 
      PC 0x00023C0E2058 
      PC 0x00023C0E2674 
      PC 0x00023C0E2738 
      PC 0x00023C0556E4 
      PC 0x00023C056350 
      PC 0x00023C0574F0 
      PC 0x00023C05754C 
      PC 0x00023C04F9A0 
      PC 0x00023C028148 
      PC 0x00023C069A74 
      PC 0x00023C0692C0 
      PC 0x00023C069C18 
      PC 0x00023C0692C0 
      PC 0x00023C06A12C 
      PC 0x00023C06613C 
      PC 0x00023C04F594 
      PC 0x00023C04F8FC 
      PC 0x00023C04FA6C 
      PC 0x00023C04FCC0 
      PC 0x00023C04FE48 
      PC 0x00023C04FE90 
      PC 0x00023C12424C 
      PC 0x00023C124D7C 
      PC 0x00023C124F80 
      PC 0x00023C658570 
      PC 0x00023C658620 
      PC 0x00023C659890 
      PC 0x00023C656030 
      PC 0x00004767DC28 (0x000047676000+0x00007C28) [ 1] DxeCore.dll 
      PC 0x00023FCC2BD0 (0x00023FCBC000+0x00006BD0) [ 2] BdsDxe.dll 
      PC 0x00023FCC49D4 (0x00023FCBC000+0x000089D4) [ 2] BdsDxe.dll 
      PC 0x00004768001C (0x000047676000+0x0000A01C) [ 3] DxeCore.dll 
      [ 1] /builddir/build/BUILD/edk2-3e722403cd16/Build/ArmVirtQemu-AARCH64/DEBUG_GCC5/AARCH64/MdeModulePkg/Core/Dxe/DxeMain/DEBUG/DxeCore.dll 
      [ 2] /builddir/build/BUILD/edk2-3e722403cd16/Build/ArmVirtQemu-AARCH64/DEBUG_GCC5/AARCH64/MdeModulePkg/Universal/BdsDxe/BdsDxe/DEBUG/BdsDxe.dll 
      [ 3] /builddir/build/BUILD/edk2-3e722403cd16/Build/ArmVirtQemu-AARCH64/DEBUG_GCC5/AARCH64/MdeModulePkg/Core/Dxe/DxeMain/DEBUG/DxeCore.dll 
      
        X0 0x000000023F00DB18   X1 0x000000023FFD0018   X2 0x00000002394BC000   X3 0x00000002394BECA8 
        X4 0x000000023F00DB18   X5 0x000000023BF046B8   X6 0x000000023BF046C8   X7 0x000000023BF046D0 
        X8 0x0000000000000002   X9 0x0000000000000001  X10 0x0000000000000002  X11 0x00000000000000FF 
       X12 0x0000000000000002  X13 0x0000000000000000  X14 0x0000000000000000  X15 0x0000000000000000 
       X16 0x000000023FD2D290  X17 0x0000000050E1937B  X18 0x0000000000000011  X19 0x000000023C6DA000 
       X20 0x0000000000000000  X21 0x000000023F00DB18  X22 0x000000023C6EE288  X23 0x000000023F00DB18 
       X24 0x0000000047675A40  X25 0x000000023C6EE288  X26 0x000000023C6EE350  X27 0x000000023C6EE358 
       X28 0x000000023C6EE360   FP 0x0000000047675280   LR 0x000000023BF02604 
      
        SP 0x0000000047675280  ELR 0x00000002394BECA8  SPSR 0x60000205  FPSR 0x00000000 
       ESR 0x8600000E          FAR 0x00000002394BECA8 
      
       ESR : EC 0x21  IL 0x1  ISS 0x0000000E 
      
      Instruction abort: Permission fault, second level 
      
      
      Synchronous Exception at 0x00000002394BECA8 
      ASSERT [ArmCpuDxe] /builddir/build/BUILD/edk2-3e722403cd16/ArmPkg/Library/DefaultExceptionHandlerLib/AArch64/DefaultExceptionHandler.c(343): ((BOOLEAN)(0==1))
      

       

      grub_cmd_linux() in grub-core/loader/arm64/linux.c uses grub_efi_allocate_any_pages() to allocate memory for the kernel image. That will be EfiLoaderData memory. With NX enforcing FW, that will be NX protected. It doesn't appear that grub clears this NX protection before attempting to transfer control to the kernel at its entry point.

      Note that the Fedora 40 grub2-efi-aa64-2.06-119.fc40.aarch64 does not encounter this problem, i.e. it can boot the RHEL 9.5 kernel in this VM.
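
The triage described above can be run mechanically over the log. The following is an added example, not code from the report, GRUB or edk2: it takes four lines copied from the log above, decodes ESR, and checks whether the region containing FAR is still mapped execute-never and whether any ClearMemoryAttributes call covered it. The function names are this example's own, and reading RegionAttributes as a raw AArch64 stage-1 descriptor (PXN bit 53, UXN bit 54) is an assumption based on the values in the log.

```python
import re

# Lines copied from the log in this report (not constructed).
LOG = """\
GetMemoryAttributes: RegionAddress == 0x239400000, RegionLength == 0xC00000, RegionAttributes == 0x6000000000070C
ClearMemoryAttributes: BaseAddress == 0x47674000, Length == 0x1000, Attributes == 0x26000
GetMemoryAttributes: RegionAddress == 0x47674000, RegionLength == 0x1000, RegionAttributes == 0x70C
 ESR 0x8600000E          FAR 0x00000002394BECA8
"""

HEX = r"(0x[0-9A-Fa-f]+)"
REGION = re.compile(rf"RegionAddress == {HEX}, RegionLength == {HEX}, RegionAttributes == {HEX}")
CLEAR = re.compile(rf"ClearMemoryAttributes: BaseAddress == {HEX}, Length == {HEX}, Attributes == {HEX}")
FAULT = re.compile(rf"ESR {HEX}\s+FAR {HEX}")

XN_BITS = (1 << 53) | (1 << 54)   # PXN | UXN (assumed raw stage-1 descriptor bits)
EFI_MEMORY = {0x2000: "RP", 0x4000: "XP", 0x20000: "RO"}   # UEFI EFI_MEMORY_* bits

def decode_esr(esr):
    """Split ESR_ELx into EC / IL / ISS and name the fault status code."""
    ec, il, iss = (esr >> 26) & 0x3F, (esr >> 25) & 1, esr & 0x1FFFFFF
    fsc = iss & 0x3F
    fault = f"permission fault, level {fsc & 3}" if (fsc & 0x3C) == 0x0C else f"FSC {fsc:#x}"
    return {"ec": ec, "il": il, "iss": iss,
            "instruction_abort": ec in (0x20, 0x21), "fault": fault}

def covers(base, length, addr):
    return base <= addr < base + length

def triage(log):
    """Report whether the faulting PC sits in a region still mapped execute-never."""
    regions, cleared, esr, far = [], [], None, None
    for line in log.splitlines():
        if m := CLEAR.search(line):
            base, length, attrs = (int(x, 16) for x in m.groups())
            names = [n for bit, n in EFI_MEMORY.items() if attrs & bit]
            cleared.append((base, length, names))
        elif m := REGION.search(line):
            regions.append(tuple(int(x, 16) for x in m.groups()))
        elif m := FAULT.search(line):
            esr, far = (int(x, 16) for x in m.groups())
    if far is None:
        raise ValueError("no ESR/FAR line found in log")
    # The last GetMemoryAttributes record covering FAR is the mapping in force.
    hit = next((r for r in reversed(regions) if covers(r[0], r[1], far)), None)
    return {"esr": decode_esr(esr), "far": far, "region": hit,
            "far_execute_never": bool(hit and hit[2] & XN_BITS),
            "nx_cleared_for_far": any(covers(b, n, far) for b, n, _ in cleared),
            "cleared": cleared}
```

On these lines `triage(LOG)` reports the faulting address as execute-never with no clear call covering it: the only ClearMemoryAttributes call in the log targets 0x47674000, not the kernel image at 0x2394BC000.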

       

            bootloader-eng-team
            lszubowi1@redhat.com Lenny Szubowicz
            Gabriela Fialova
            bootloader-eng-team
            Release Test Team