Bug 2149020

Summary: grub2 memory allocation is *still* broken
Product: [Fedora] Fedora Reporter: Gerd Hoffmann <kraxel>
Component: grub2Assignee: Javier Martinez Canillas <fmartine>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 38CC: fmartine, jeremy.linton, jonarnett90, lkundrak, pgnet.dev, pjones, rharwood
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: grub2-2.06-100.fc38 grub2-2.06-100.fc39 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-09-18 18:07:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Gerd Hoffmann 2022-11-28 15:29:34 UTC 
Description of problem:

edk2-stable202211 is more strict when it comes to memory
allocations.

edk2 commit is:

commit 2997ae38739756ecba9b0de19e86032ebc689ef9
Author: Ard Biesheuvel <ardb>
Date:   Tue Aug 2 11:48:04 2022 +0200

    ArmVirtPkg: make EFI_LOADER_DATA non-executable
    
    When the memory protections were implemented and enabled on ArmVirtQemu
    5+ years ago, we had to work around the fact that GRUB at the time
    expected EFI_LOADER_DATA to be executable, as that is the memory type it
    allocates when loading its modules.
    
    This has been fixed in GRUB in August 2017, so by now, we should be able
    to tighten this, and remove execute permissions from EFI_LOADER_DATA
    allocations.
    
    Signed-off-by: Ard Biesheuvel <ardb>

referenced upstream grub commit seems to be:

commit f826330683675f0deb55b58fd229afd7d65fb053
Author: Leif Lindholm <leif.lindholm>
Date:   Thu Aug 3 11:04:32 2017 +0100

    efi: change heap allocation type to GRUB_EFI_LOADER_CODE
    
    With upcoming changes to EDK2, allocations of type EFI_LOADER_DATA may
    not return regions with execute ability. Since modules are loaded onto
    the heap, change the heap allocation type to GRUB_EFI_LOADER_CODE in
    order to permit execution on systems with this feature enabled.
    
    Closes: 50420
    
    Signed-off-by: Leif Lindholm <leif.lindholm>

Fedora 37 grub version apparently *still* has that bug which has been fixed upstream more than 5(!) years ago.
Comment 1 Gerd Hoffmann 2022-11-28 15:33:03 UTC 
Reproduce:
Install edk2-20221117gitfff6d81270b5-1.fc38 on host, try boof fedora guest.
(must be that specific version, the newer -2 build has the edk2 change reverted as workaround).
Comment 2 Gerd Hoffmann 2022-11-28 15:34:09 UTC 
> edk2-20221117gitfff6d81270b5-1.fc38

https://koji.fedoraproject.org/koji/buildinfo?buildID=2092827
Comment 3 Ben Cotton 2023-02-07 15:00:02 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle.
Changing version to 38.
Comment 4 Jonathan Arnett 2023-08-03 18:45:02 UTC 
This bug is the suspected cause of an issue preventing Fedora from booting on Surface devices after a recent firmware update: https://github.com/linux-surface/linux-surface/issues/1162.
Comment 5 Jeremy Linton 2023-08-15 15:19:33 UTC 
This is also the cause of boot failures with the x13s, and there is a PR here: https://github.com/rhboot/grub2/pull/101 which fixes it.
Comment 6 Jeremy Linton 2023-08-16 00:40:20 UTC 
I opened a PR against fedora directly merging the above fix here: https://src.fedoraproject.org/rpms/grub2/pull-request/27
Comment 7 Fedora Update System 2023-09-15 15:04:20 UTC 
FEDORA-2023-8b959d8040 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-8b959d8040
Comment 8 Fedora Update System 2023-09-16 01:48:24 UTC 
FEDORA-2023-75934fce38 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-75934fce38`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-75934fce38

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 9 Fedora Update System 2023-09-16 03:17:49 UTC 
FEDORA-2023-8b959d8040 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-8b959d8040`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-8b959d8040

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 10 Fedora Update System 2023-09-18 18:07:25 UTC 
FEDORA-2023-8b959d8040 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 11 Fedora Update System 2023-09-25 01:42:27 UTC 
FEDORA-2023-75934fce38 has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.