Dropping i386 non-PAE as a supported kernel flavour in Precise Pangolin
Tim Gardner
tim.gardner at canonical.com
Mon Nov 28 21:48:21 UTC 2011
On 11/28/2011 11:44 AM, Kees Cook wrote:
> On Mon, Nov 28, 2011 at 09:40:53AM -0700, Tim Gardner wrote:
>> non-pae has a ginormous and ugly NX emulation patch
>
> This is about dropping non-PAE support, not dropping non-NX support. The NX
> emulation patch must remain in the kernel since a large number of systems
> have PAE but not NX.
>
> You can see this in the table here:
> https://wiki.ubuntu.com/Security/Features#nx
> Dropping non-PAE just eliminates the top line in that table. NX-emu will
> still be needed.
>
I guess you are correct. I naively assumed that execute-disable was
introduced with PAE in the Pentium Pro series. However, it did not
appear in Intel CPUs until Pentium 4 (approx Q1 2005). AMD had it from
the beginning in the Athlon series.
>> that has consumed substantial maintenance resources in the past,
>
> I'm also curious about this claim, as you've expressed to me in the past
> that carrying it has been surprisingly trivial. In fact, since I'm the one
> maintaining it these days, it's actually going to require 0 resources from
> Canonical. ;)
>
> http://git.kernel.org/?p=linux/kernel/git/kees/linux.git;a=shortlog;h=refs/heads/nx-emu
>
I did say "in the past". I remember encountering several issues with the
early implementation, as well as maintenance hassles while 32 and 64 bit
arch support was converging. I would characterize the NX emulation patch
as deeply intrusive, arguably one of the more complex patches against
the core of Linux that we carry.
It's a moot point given the model gap between PAE and NX introduction.
>> The kernel team has limited resources. Obviously I want to apply
>> what resources we have to the problems that affect the most
>> important platforms. Furthermore, I anticipate new ARM flavours in
>> the coming months which will take up any slack afforded by the loss
>> of non-PAE.
>
> I'm curious why pushing non-PAE to universe and leaving it in the main
> linux source package is a burden? Then people using non-PAE get automatic
> security updates without any hassle on anyone's part. This is what the
> Ubuntu Security Team manager wants:
> https://lists.ubuntu.com/archives/ubuntu-devel/2011-November/034457.html
> as well as the Ubuntu Platform Team manager wants:
> https://lists.ubuntu.com/archives/ubuntu-devel/2011-November/034463.html
>
> I'm not convinced there's enough evidence to say that dropping it from the
> main linux source package will actually save any time at all.
>
Dropping this flavour saves 5 minutes per build on a 4-way 80 thread
server, which for some of the team can add up to quite a bit of time
over the course of a day. It's one less variant that needs to be tested
in Q/A, and it's one less flavour we have to mess with in our meta and
LBM packages.
rtg
--
Tim Gardner tim.gardner at canonical.com