| 1 |
On 9 Jun 2006 at 17:56, Pedro Venda wrote: |
| 2 |
> I'm installing a new server with the hardened profile, a PaX enabled kernel |
| 3 |
> (PAGEEXEC) and a little of grsecurity. The cpu is a recent intel celeron with |
| 4 |
> NX bit and 64bit extensions (whatever that means). |
| 5 |
> |
| 6 |
> I was wondering if the PAGEEXEC feature of PaX is able to detect and |
| 7 |
> transparently use the NX bit or if it's enabled for some particular |
| 8 |
> architectures only... |
| 9 |
|
| 10 |
if you use a 64 bit kernel (ARCH=x86_64) then PaX will make use of the |
| 11 |
hardware NX bit as vanilla itself already uses it (with some cleanup i |
| 12 |
added in PaX). note that this holds for both 64 bit and 32 bit userland. |
| 13 |
|
| 14 |
if you want a 32 bit kernel then as of now PaX would NOT use the NX bit, |
| 15 |
you're stuck with PAGEEXEC (the supervisor bit based method) or SEGMEXEC. |
| 16 |
the reason for this is that when NX was introduced, it was part of amd64 |
| 17 |
therefore i didn't see much point in adding support for a 32 bit kernel, |
| 18 |
people buy a 64 bit CPU to run 64 bit kernels on it. unfortunately, intel |
| 19 |
in its infinite wisdom began to add NX support to their CPUs without the |
| 20 |
64 bit extensions, so ever since supporting them has been on my todo list, |
| 21 |
just no time/motivation to get it done. |
| 22 |
|
| 23 |
> I've compiled the kernel for pentium3 and built the system |
| 24 |
> with -march=pentium3. |
| 25 |
|
| 26 |
that doesn't affect NX use, only the generated code, and you should check |
| 27 |
your cpu family before deciding which CPU arch to use. |
| 28 |
|
| 29 |
-- |
| 30 |
gentoo-hardened@g.o mailing list |
Archives