Gentoo Archives: gentoo-hardened

From: Pedro Venda <pjvenda@×××××××.org>
To: gentoo-hardened@l.g.o
Cc: pageexec@××××××××.hu
Subject: Re: [gentoo-hardened] PaX and the availability of the NX bit on a CPU
Date: Sat, 10 Jun 2006 00:00:57
Message-Id: 200606100057.49491.pjvenda@pjvenda.org
In Reply to: Re: [gentoo-hardened] PaX and the availability of the NX bit on a CPU by pageexec@freemail.hu
On Friday 09 June 2006 19:51, pageexec@××××××××.hu wrote:
> On 9 Jun 2006 at 17:56, Pedro Venda wrote:
> > I'm installing a new server with the hardened profile, a PaX enabled
> > kernel (PAGEEXEC) and a little of grsecurity. The cpu is a recent intel
> > celeron with NX bit and 64bit extensions (whatever that means).
> >
> > I was wondering if the PAGEEXEC feature of PaX is able to detect and
> > transparently use the NX bit or if it's enabled for some particular
> > architectures only...
>
> if you use a 64 bit kernel (ARCH=x86_64) then PaX will make use of the
> hardware NX bit as vanilla itself already uses it (with some cleanup i
> added in PaX). note that this holds for both 64 bit and 32 bit userland.
>
> if you want a 32 bit kernel then as of now PaX would NOT use the NX bit,
> you're stuck with PAGEEXEC (the supervisor bit based method) or SEGMEXEC.
> the reason for this is that when NX was introduced, it was part of amd64
> therefore i didn't see much point in adding support for a 32 bit kernel,
> people buy a 64 bit CPU to run 64 bit kernels on it. unfortunately, intel
> in its infinite wisdom began to add NX support to their CPUs without the
> 64 bit extensions, so ever since supporting them has been on my todo list,
> just no time/motivation to get it done.

ok, seems reasonable.

>
> > I've compiled the kernel for pentium3 and built the system
> > with -march=pentium3.
>
> that doesn't affect NX use, only the generated code, and you should check
> your cpu family before deciding which CPU arch to use.

About the architecture, I didn't think about it much because I assumed it was
like a centrino (don't know why) but then again, I'm not sure the celeron is
netburst. I'll check it out.

Thanks for the information.

Best regards,
--

Pedro João Lopes Venda
email: pjvenda at pjvenda org
http://www.pjvenda.org
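
Added example (not part of the original message and not PaX code): a shell check that applies the rules stated in the reply above to a CPU flag list and a kernel architecture. It assumes the Linux /proc/cpuinfo "flags" line with the `nx` and `lm` flag names; the function names, result strings and sample flag line are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and result strings are illustrative.

# Constructed sample "flags" line for a CPU with NX and 64-bit extensions.
SAMPLE_FLAGS="fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge cmov pat clflush mmx fxsr sse sse2 nx lm pni"

# has_flag FLAGS NAME: succeed only if NAME appears as a whole word in FLAGS.
has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# cpu_flags FILE: print the flag list of the first CPU in a cpuinfo-style file.
cpu_flags() {
    sed -n '/^flags[[:space:]]*:/{s/^flags[[:space:]]*:[[:space:]]*//p;q;}' "$1"
}

# pax_nx_mode FLAGS KERNEL_ARCH: classify per the rules given in the thread.
#   hardware-nx             64-bit kernel, nx flag present: hardware NX is used
#   nx-not-reported         64-bit kernel but no nx flag (case not covered by the thread)
#   emulated-64bit-capable  32-bit kernel: PAGEEXEC (supervisor bit) or SEGMEXEC;
#                           the CPU has nx and lm, so an ARCH=x86_64 kernel would use NX
#   emulated                32-bit kernel: PAGEEXEC (supervisor bit) or SEGMEXEC only
pax_nx_mode() {
    case "$2" in
        x86_64)
            if has_flag "$1" nx; then echo hardware-nx
            else echo nx-not-reported
            fi ;;
        i?86)
            if has_flag "$1" nx && has_flag "$1" lm; then echo emulated-64bit-capable
            else echo emulated
            fi ;;
        *) echo not-x86 ;;
    esac
}

echo "sample, 64-bit kernel: $(pax_nx_mode "$SAMPLE_FLAGS" x86_64)"
echo "sample, 32-bit kernel: $(pax_nx_mode "$SAMPLE_FLAGS" i686)"
if [ -r /proc/cpuinfo ]; then
    echo "this host: $(pax_nx_mode "$(cpu_flags /proc/cpuinfo)" "$(uname -m)")"
fi
```

The 32-bit results reflect the state of PaX described in this thread (June 2006), where the hardware NX bit is only used by an ARCH=x86_64 kernel.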