On Saturday, January 24, 2009 00:06:25 David Sommerseth wrote:
> René Rhéaume wrote:
> > On Fri, Jan 23, 2009 at 11:45 AM, Grant <emailgrant@×××××.com> wrote:
> >> Very close. PAGEEXEC is enabled, but so is SEGMEXEC. My CPU is a
> >> P4-2.8, and I'm not sure about NX support but these are the flags:
> >>
> >> fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36
> >> clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe constant_tsc pebs bts
> >> pni monitor ds_cpl cid xtpr
> >
> > There is no "nx" in your cpuinfo flags. Therefore, your P4 does not
> > have the hardware NX bit (or XD bit in Intel wording).
>
> Hi all!
>
> I've been following this discussion a little bit. I do have a Pentium D
> processor which does have the "nx" flag available.
>
> I see I do have CONFIG_PAX_PAGEEXEC=y in the kernel config, but I do also
> see that all non-kernel processes do have peMRS in the PAX flags when
> checking with the pspax command.
>
> Should I strive to get the PAGEEXEC flag set on all processes, or should I
> not?
>
> Another thing ... I do not quite understand why processes are listed with
> peMRS when paxctl says something a little bit different. An example:
>
> pspax:
> root 11864 peMRS w^x ET_EXEC openvpn =ep cap_setpcap-ep
>
> paxctl -v /usr/sbin/openvpn:
> - PaX flags: -------x-e-- [/usr/sbin/openvpn]
> RANDEXEC is disabled
> EMUTRAMP is disabled
>
> I've scanned through the whole system with "qlist -ao|scanelf -f - -q -x"
> and can't say I find anything here which is of concern, it only finds
> those paxtest files in /usr/lib/paxtest ... so everything should be
> default on the file level.
>
> I was of the understanding that my current setup would give PAGEEXEC as
> default.
>
>
> kind regards,
>
> David Sommerseth

When you enable both SEGMEXEC and PAGEEXEC on IA32, modern PaX will use
PAGEEXEC if the nx bit is accessible and fall back to SEGMEXEC if it is not.
This is why both can be enabled safely, even on old P4's without an NX bit.
When you 'cat /proc/cpuinfo', it is showing you the processor's capability,
but that doesn't mean the NX bit is accessible. To make the NX bit
accessible you need to enable PAE. You can do this by choosing NOHIGHMEM+PAE
or HIGHMEM64G (which selects PAE automatically) in your kernel config.

Re:
PaX flags: -------x-e-- [/usr/sbin/openvpn]

What this means is you are leaving PaX to act on its default behavior
according to how it is configured in the kernel, with the exception of
RANDEXEC and EMUTRAMP which have been explicitly disabled.

The peMRS shows you that PAGEEXEC and EMUTRAMP are not in effect for this
process, but SEGMEXEC, MPROTECT and ASLR are.
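
The two readings above (the file-level paxctl marking and the per-process
pspax column) and the NX/PAE selection rule from the earlier paragraph can be
checked mechanically. The following is an added example, not code from the
mailing-list post or from the PaX project: it decodes a paxctl -v flag string
and a /proc/PID/status "PaX:" column using the character layouts those tools
print, and applies a simplified model of the rule "PAGEEXEC if the NX bit is
usable, otherwise SEGMEXEC". The kernel config option names (CONFIG_X86_PAE,
CONFIG_HIGHMEM64G, CONFIG_PAX_SEGMEXEC), the config excerpts and the Pentium D
flag line are assumptions or constructed inputs; the P4 flags, the paxctl
string and the peMRS column are the ones quoted in the thread.

```python
"""Decode PaX markings the way the thread reads them (added example)."""

# paxctl -v prints one enable/disable character pair per feature, in this
# order.  Upper case = explicitly enabled, lower case = explicitly disabled,
# '-' = not set (the kernel default applies).
PAXCTL_LAYOUT = (
    ("PAGEEXEC", "P", "p"),
    ("SEGMEXEC", "S", "s"),
    ("MPROTECT", "M", "m"),
    ("RANDEXEC", "X", "x"),
    ("EMUTRAMP", "E", "e"),
    ("RANDMMAP", "R", "r"),
)

# The per-process "PaX:" line in /proc/PID/status (the column pspax shows)
# is five characters: upper case = in effect, lower case = not in effect.
STATUS_LAYOUT = ("PAGEEXEC", "EMUTRAMP", "MPROTECT", "RANDMMAP", "SEGMEXEC")


def decode_paxctl(flags):
    """Map a 12-char paxctl string to feature -> enabled/disabled/default."""
    if len(flags) != 12:
        raise ValueError("paxctl flag string must be 12 characters: %r" % flags)
    marks = {}
    for i, (name, on, off) in enumerate(PAXCTL_LAYOUT):
        pair = flags[2 * i:2 * i + 2]
        if pair[0] == on and pair[1] == off:
            raise ValueError("%s marked both enabled and disabled" % name)
        if pair[0] == on:
            marks[name] = "enabled"
        elif pair[1] == off:
            marks[name] = "disabled"
        else:
            marks[name] = "default"
    return marks


def decode_status(column):
    """Map a 5-char pspax/status column (e.g. 'peMRS') to feature -> bool."""
    if len(column) != 5:
        raise ValueError("PaX status column must be 5 characters: %r" % column)
    return {name: column[i].isupper() for i, name in enumerate(STATUS_LAYOUT)}


def enabled_options(kernel_config):
    """Set of CONFIG_* names set to 'y' in a .config text."""
    return {line.split("=", 1)[0] for line in kernel_config.splitlines()
            if line.strip().endswith("=y")}


def nx_usable(cpuinfo_flags, kernel_config):
    """NX is usable only if the CPU reports it AND the kernel runs PAE paging
    (the NX bit lives in the 64-bit PAE page-table entries).  The option
    names are assumptions matching the NOHIGHMEM+PAE / HIGHMEM64G advice."""
    has_nx = "nx" in cpuinfo_flags.split()
    cfg = enabled_options(kernel_config)
    return has_nx and bool(cfg & {"CONFIG_X86_PAE", "CONFIG_HIGHMEM64G"})


def expected_noexec(cpuinfo_flags, kernel_config, file_flags):
    """Simplified model of the selection rule: which NOEXEC mechanism PaX
    applies to a process started from a file marked `file_flags`."""
    cfg = enabled_options(kernel_config)
    marks = decode_paxctl(file_flags)
    page_ok = "CONFIG_PAX_PAGEEXEC" in cfg and marks["PAGEEXEC"] != "disabled"
    segm_ok = "CONFIG_PAX_SEGMEXEC" in cfg and marks["SEGMEXEC"] != "disabled"
    if page_ok and nx_usable(cpuinfo_flags, kernel_config):
        return "PAGEEXEC"           # hardware NX, address space stays whole
    if segm_ok:
        return "SEGMEXEC"           # fallback: segmentation based, halves VA space
    if page_ok:
        return "PAGEEXEC-emulated"  # no NX and no SEGMEXEC: slow software PAGEEXEC
    return "none"


# Sample inputs: Grant's P4 flags as quoted in the thread, plus a constructed
# Pentium D line (same flags with "nx" added).
P4_FLAGS = ("fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 "
            "clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe constant_tsc pebs bts "
            "pni monitor ds_cpl cid xtpr")
PENTIUM_D_FLAGS = P4_FLAGS + " nx"

# Constructed kernel config excerpts: both PaX NOEXEC methods on, PAE off/on.
CONFIG_NO_PAE = "CONFIG_PAX_PAGEEXEC=y\nCONFIG_PAX_SEGMEXEC=y\n# CONFIG_X86_PAE is not set\n"
CONFIG_PAE = "CONFIG_PAX_PAGEEXEC=y\nCONFIG_PAX_SEGMEXEC=y\nCONFIG_X86_PAE=y\n"

OPENVPN_FILE_FLAGS = "-------x-e--"   # paxctl -v output quoted in the thread
OPENVPN_STATUS = "peMRS"              # pspax column quoted in the thread

if __name__ == "__main__":
    print("file marking :", decode_paxctl(OPENVPN_FILE_FLAGS))
    print("runtime      :", decode_status(OPENVPN_STATUS))
    for label, flags, cfg in (("P4, PAE", P4_FLAGS, CONFIG_PAE),
                              ("Pentium D, no PAE", PENTIUM_D_FLAGS, CONFIG_NO_PAE),
                              ("Pentium D, PAE", PENTIUM_D_FLAGS, CONFIG_PAE)):
        print("%-18s -> %s" % (label, expected_noexec(flags, cfg, OPENVPN_FILE_FLAGS)))
```

Running it on the thread's inputs shows the point of the reply: the file
marking leaves PAGEEXEC and SEGMEXEC at their defaults, so on a kernel
without PAE the process ends up with SEGMEXEC in effect (the capital S in
peMRS) even though the CPU advertises nx; with PAE enabled the same file
marking yields PAGEEXEC.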
67 |
|
68 |
http://www.bumpin.org/pics/PaX/pax_performance-2.6.24.png |
69 |
(Note: The easiest way to interpret this chart is to ignore the figures for |
70 |
NoNX/NOEXEC=y and NX/NOEXEC=y - these were academic tests more than anything |
71 |
and are rather meaningless) |
72 |
|
73 |
As you can see PAGEEXEC with an NX bit does have a very minor speed advantage |
74 |
over SEGMEXEC. PAGEEXEC also has the advantage of not cutting a processes' |
75 |
address space in half. Without an NX bit available, PAGEEXEC is a fair hit |
76 |
on IA32. Pentium 4's without an NX bit take an even larger hit: |
77 |
|
78 |
http://www.pjvenda.org/linux/doc/pax-performance/ |
79 |
|
80 |
That the P4's result would be very different from other's is not surprising. |
81 |
It utilizes the very different Netburst microarchitecture and has a 20-31 (31 |
82 |
on Prescott and Cedar Mill) stage pipeline. Compare this to 10 for the P3, 14 |
83 |
for the Core2, 12 for the Athlon64, 10 for the AthlonXP, etc. you get the |
84 |
picture. |
85 |
|
86 |
So if you have an NX bit, yes, use it. If you don't, SEGMEXEC is a good |
87 |
alternative. It is safe to enable both options, PaX is smart enough to |
88 |
choose between the two. |
89 |
|
90 |
Gordon Malm (gengor) |