On 9 Jun 2006 at 17:56, Pedro Venda wrote:
> I'm installing a new server with the hardened profile, a PaX enabled kernel
> (PAGEEXEC) and a little of grsecurity. The cpu is a recent intel celeron with
> NX bit and 64bit extensions (whatever that means).
>
> I was wondering if the PAGEEXEC feature of PaX is able to detect and
> transparently use the NX bit or if it's enabled for some particular
> architectures only...
|
if you use a 64 bit kernel (ARCH=x86_64) then PaX will make use of the
hardware NX bit as vanilla itself already uses it (with some cleanup i
added in PaX). note that this holds for both 64 bit and 32 bit userland.
|
if you want a 32 bit kernel then as of now PaX would NOT use the NX bit,
you're stuck with PAGEEXEC (the supervisor bit based method) or SEGMEXEC.
the reason for this is that when NX was introduced, it was part of amd64
therefore i didn't see much point in adding support for a 32 bit kernel,
people buy a 64 bit CPU to run 64 bit kernels on it. unfortunately, intel
in its infinite wisdom began to add NX support to their CPUs without the
64 bit extensions, so ever since supporting them has been on my todo list,
just no time/motivation to get it done.
|
> I've compiled the kernel for pentium3 and built the system
> with -march=pentium3.
|
that doesn't affect NX use, only the generated code, and you should check
your cpu family before deciding which CPU arch to use.
|
--
gentoo-hardened@g.o mailing list
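
The check the reply points at (kernel arch, NX flag, CPU family), as an added example that is not part of the original message or of PaX. It encodes only what the reply states about PaX as of that 2006 message; the function names, output tokens and the sample cpuinfo text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Encodes the reply's statements about
# PaX as of that 2006 message; function names and output tokens are made up.

# Constructed /proc/cpuinfo excerpt: CPU reporting both NX (nx) and 64-bit (lm).
SAMPLE_CPUINFO='processor   : 0
vendor_id   : GenuineIntel
cpu family  : 15
flags       : fpu vme de pse tsc msr pae mce cx8 sep mtrr pge cmov pat mmx fxsr sse sse2 nx lm'

# has_flag CPUINFO FLAG: succeed only if FLAG is a whole word on the flags line.
has_flag() {
    printf '%s\n' "$1" | awk -F: -v f="$2" '
        $1 ~ /^flags[ \t]*$/ { n = split($2, a, " ")
                               for (i = 1; i <= n; i++) if (a[i] == f) found = 1
                               exit }
        END { exit !found }'
}

# cpu_family CPUINFO: print the "cpu family" number of the first processor.
cpu_family() {
    printf '%s\n' "$1" | awk -F: '$1 ~ /^cpu family[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# pax_nx_mode KERNEL_ARCH CPUINFO: which mechanism the reply says applies.
pax_nx_mode() {
    case $1 in
        x86_64)   # 64-bit kernel: hardware NX, for 64- and 32-bit userland
            if has_flag "$2" nx; then echo hardware-nx; else echo nx-flag-missing; fi ;;
        i?86)     # 32-bit kernel: PAGEEXEC (supervisor bit) or SEGMEXEC
            if ! has_flag "$2" nx; then echo software-emulation
            elif has_flag "$2" lm; then echo software-emulation:nx-needs-64bit-kernel
            else echo software-emulation:nx-unused-by-32bit-kernel; fi ;;
        *) echo not-covered ;;
    esac
}

echo "sample, i686 kernel:   $(pax_nx_mode i686 "$SAMPLE_CPUINFO")"
echo "sample, x86_64 kernel: $(pax_nx_mode x86_64 "$SAMPLE_CPUINFO")"
if [ -r /proc/cpuinfo ]; then   # live check on the machine running the script
    live=$(cat /proc/cpuinfo)
    echo "this host ($(uname -m), family $(cpu_family "$live")): $(pax_nx_mode "$(uname -m)" "$live")"
fi
```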