[ubuntu-hardened] NX bit and generic-pae kernel.
Seth Arnold
seth.arnold at canonical.com
Thu Mar 28 21:00:04 UTC 2013
On Thu, Mar 28, 2013 at 08:11:50PM +0000, Maurice McCarthy wrote:
> First of all explore your BIOS settings to see if there is an option
> to enable NX. There should be and, if not, it is likely to be a lack
> of good will by the manufacturers for not providing this in the first
> place. It happens especially in cheap computers such as my Acer One
> netbook.
>
> It means there is a fault in the BIOS set up. The manufacturers have
> or should have written new BIOS code to correct this in an update. NX
> is not enabled until after the update has been made.

Ubuntu kernels have ignored the BIOS flag for some time:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ae84739c27b6b3725993202fe02ff35ab86468e1

As far as I know, this feature was merged into upstream Linus
kernels several years ago, so it should be common to every distro now.

> NX is a security feature which ought to be enabled but you may well be
> able to live without it.
>
> You can still try installing a PAE kernel but I don't understand how
> this would help as PAE means physical address extension. PAE code
> enables 32 bit computers to use more than 4GB memory. As you have 1GB
> then I don't see that you need it.

The extra page access control flags are (in x86 and x86-64 arches) only
enabled when running with full PAE:
https://wiki.ubuntu.com/Security/Features#nx

To tell if your CPU supports NX, look for the 'nx' flag in /proc/cpuinfo.

The segment emulation is decent enough. If the hardware otherwise works
for you, I wouldn't bother buying a new CPU and motherboard just to get
NX. (Though I expect the other enhancements since then are compelling.)
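
The check described in the message above, as an added example that is not part of the original post: it reads the 'nx' and 'pae' flags from cpuinfo text and reports whether hardware NX is usable on 64-bit x86, usable only under a PAE kernel on 32-bit x86, or absent. The status strings and the two cpuinfo excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify NX availability from /proc/cpuinfo-style text.

# has_flag FLAG TEXT: true if FLAG is a whole word on a "flags" line of TEXT.
has_flag() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^flags[ \t]*:/ {
            sub(/^flags[ \t]*:/, "")
            for (i = 1; i <= NF; i++) if ($i == want) found = 1
        }
        END { exit !found }'
}

# nx_status MACHINE TEXT: MACHINE is `uname -m` output, TEXT is cpuinfo content.
# The returned status strings are hypothetical labels chosen for this example.
nx_status() {
    case "$1" in
        x86_64) kind=64 ;;
        i?86)   kind=32 ;;
        *)      echo "not-x86"; return 0 ;;
    esac
    if ! has_flag nx "$2"; then
        echo "no-hardware-nx"                # 32-bit: segment emulation at best
    elif [ "$kind" = 64 ]; then
        echo "hardware-nx"
    elif has_flag pae "$2"; then
        echo "hardware-nx-needs-pae-kernel"  # NX bit only exists in PAE page tables
    else
        echo "no-hardware-nx"
    fi
}

# Constructed cpuinfo excerpts (not taken from real machines).
SAMPLE_NX='model name : constructed CPU A
flags : fpu vme pse tsc msr pae mce cx8 sep nx lm'
# "nx" and "pae" appear in the model name only, which must not count.
SAMPLE_NO_NX='model name : constructed nx pae CPU B
flags : fpu vme pse tsc msr mce cx8 sep'

# Report for the running host, using the first processor entry only.
if [ -r /proc/cpuinfo ]; then
    echo "this host: $(nx_status "$(uname -m)" "$(sed '/^$/q' /proc/cpuinfo)")"
fi
```
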