| 1 |
On Saturday, January 24, 2009 00:06:25 David Sommerseth wrote: |
| 2 |
> René Rhéaume wrote: |
| 3 |
> > On Fri, Jan 23, 2009 at 11:45 AM, Grant <emailgrant@×××××.com> wrote: |
| 4 |
> >> Very close. PAGEEXEC is enabled, but so is SEGMEXEC. My CPU is a |
| 5 |
> >> P4-2.8, and I'm not sure about NX support but these are the flags: |
| 6 |
> >> |
| 7 |
> >> fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 |
| 8 |
> >> clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe constant_tsc pebs bts |
| 9 |
> >> pni monitor ds_cpl cid xtpr |
| 10 |
> > |
| 11 |
> > There is no "nx" in your cpuinfo flags. Therefore, your P4 does not |
| 12 |
> > have the hardware NX bit (or XD bit in Intel wording) |
| 13 |
> |
| 14 |
> Hi all! |
| 15 |
> |
| 16 |
> I've been following this discussion a little bit. I do have a Pentium D |
| 17 |
> processor which do have the "nx" flag available. |
| 18 |
> |
| 19 |
> I see I do have CONFIG_PAX_PAGEEXEC=y in the kernel config, but I do also |
| 20 |
> see that all non-kernel processes do have peMRS in the PAX flags when |
| 21 |
> checking with the pspax command. |
| 22 |
> |
| 23 |
> Should I strive to get the PAGEEXEC flag set on all processes, or should I |
| 24 |
> not? |
| 25 |
> |
| 26 |
> Another thing ... I do not quite understand why processes are listed with |
| 27 |
> peMRS when paxctl says something a little bit different. An example: |
| 28 |
> |
| 29 |
> pspax: |
| 30 |
> root 11864 peMRS w^x ET_EXEC openvpn =ep cap_setpcap-ep |
| 31 |
> |
| 32 |
> paxctl -v /usr/sbin/openvpn: |
| 33 |
> - PaX flags: -------x-e-- [/usr/sbin/openvpn] |
| 34 |
> RANDEXEC is disabled |
| 35 |
> EMUTRAMP is disabled |
| 36 |
> |
| 37 |
> I've scanned through the whole system with "qlist -ao|scanelf -f - -q -x" |
| 38 |
> and can't say I find anything here which is of concern, it only finds |
| 39 |
> those paxtest files in /usr/lib/paxtest ... so everything should be |
| 40 |
> default on the file level. |
| 41 |
> |
| 42 |
> I was of that understanding that my current setup would give PAGEEXEC as |
| 43 |
> default. |
| 44 |
> |
| 45 |
> |
| 46 |
> kind regards, |
| 47 |
> |
| 48 |
> David Sommerseth |
| 49 |
|
| 50 |
When you enable both SEGMEXEC and PAGEEXEC on IA32, modern PaX will use |
| 51 |
PAGEEXEC if nx bit is accessable and fall back to SEGMEXEC if it is not. |
| 52 |
This is why both can be enabled safely, even on old P4's without and NX bit. |
| 53 |
When you 'cat /proc/cpuinfo', it is showing you the processor's capability, |
| 54 |
but that doesn't mean the NX bit is accessible. To make the NX bit |
| 55 |
accessible you need to enable PAE. You can do this by choosing NOHIGHMEM+PAE |
| 56 |
or HIGHMEM64G (which selects PAE automatically) in your kernel config. |
| 57 |
|
| 58 |
Re: |
| 59 |
PaX flags: -------x-e-- [/usr/sbin/openvpn] |
| 60 |
|
| 61 |
What this means is you are leaving PaX to act on its default behavior |
| 62 |
according to how it is configured in the kernel, with the exception of |
| 63 |
RANDEXEC and EMUTRAMP which have been explicitly disabled. |
| 64 |
|
| 65 |
The peMRS shows you that PAGEEXEC and EMUTRAMP are not in effect for this |
| 66 |
process, but SEGMEXEC, MPROTECT and ASLR are. |
| 67 |
|
| 68 |
http://www.bumpin.org/pics/PaX/pax_performance-2.6.24.png |
| 69 |
(Note: The easiest way to interpret this chart is to ignore the figures for |
| 70 |
NoNX/NOEXEC=y and NX/NOEXEC=y - these were academic tests more than anything |
| 71 |
and are rather meaningless) |
| 72 |
|
| 73 |
As you can see PAGEEXEC with an NX bit does have a very minor speed advantage |
| 74 |
over SEGMEXEC. PAGEEXEC also has the advantage of not cutting a processes' |
| 75 |
address space in half. Without an NX bit available, PAGEEXEC is a fair hit |
| 76 |
on IA32. Pentium 4's without an NX bit take an even larger hit: |
| 77 |
|
| 78 |
http://www.pjvenda.org/linux/doc/pax-performance/ |
| 79 |
|
| 80 |
That the P4's result would be very different from other's is not surprising. |
| 81 |
It utilizes the very different Netburst microarchitecture and has a 20-31 (31 |
| 82 |
on Prescott and Cedar Mill) stage pipeline. Compare this to 10 for the P3, 14 |
| 83 |
for the Core2, 12 for the Athlon64, 10 for the AthlonXP, etc. you get the |
| 84 |
picture. |
| 85 |
|
| 86 |
So if you have an NX bit, yes, use it. If you don't, SEGMEXEC is a good |
| 87 |
alternative. It is safe to enable both options, PaX is smart enough to |
| 88 |
choose between the two. |
| 89 |
|
| 90 |
Gordon Malm (gengor) |
Archives
