check-bios-nx

Kees Cook kees at ubuntu.com
Tue May 11 08:42:49 UTC 2010


Hi,

On Mon, May 10, 2010 at 10:57:04PM -0400, Jim Tarvid wrote:
> Fascinating in a perverse way. The NX (no execute bit) is a tacit concession
> that Von Neumann architecture is a mistake. Not sure how much performance is
> lost by using it and even less sure if anybody actually uses it. It may be

True NX hardware incurs no performance loss because the NX bit is just part
of the normal memory page management of the hardware.  (But yes, mixing
code and data is an unfortunate result of virtual memory architectures.)

> On Mon, May 10, 2010 at 10:13 PM, Mike.lifeguard
> <mike.lifeguard at gmail.com>wrote:
> >
> > On 10-05-10 10:49 PM, Jim Tarvid wrote:
> > > Why not post /proc/cpuinfo and hwinfo --cpu here? You may have talked me
> > > into investing a little in this box.
> >
> > Sure thing:
> >
> > mikelifeguard at binnie:~$ cat /proc/cpuinfo
> > processor       : 0
> > vendor_id       : GenuineIntel
> > cpu family      : 15
> > model           : 4
> > model name      : Intel(R) Pentium(R) 4 CPU 3.00GHz
> > stepping        : 1

So, this is likely a bug in check-bios-nx.  That script attempts to make a
guess at whether or not NX _should_ exist for a CPU, since the BIOS will
totally find it (there's no way to query "should you have NX?").

Based on
http://processorfinder.intel.com/List.aspx?ParentRadio=All&ProcFam=483&SearchKey=
with 3GHz, 1MB cache, there are 9 CPUs, 5 of which have NX, 4 don't:
http://processorfinder.intel.com/details.aspx?sSpec=SL7L4
http://processorfinder.intel.com/details.aspx?sSpec=SL7J6
http://processorfinder.intel.com/details.aspx?sSpec=SL7KK
http://processorfinder.intel.com/details.aspx?sSpec=SL8JZ

I haven't found a way to determine the sSpec, so I'm not sure how to
improve check-bios-nx in these cases.

To disable the motd warning, just delete /etc/update-motd.d/20-cpu-checker

I hope this helps!

-Kees

-- 
Kees Cook
Ubuntu Security Team
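Added example (not code from check-bios-nx, the cpu-checker package, or the message above): a small POSIX shell script that reads a /proc/cpuinfo dump and reports what the CPUID flags say about NX. On x86 the kernel exposes the Execute Disable CPUID bit as the word "nx" in each processor's "flags" line, so a present "nx" means both the CPU supports it and the BIOS left it enabled; an absent "nx" cannot tell "the CPU has no NX" apart from "the BIOS disabled it", which is exactly the gap the message says the script has to guess around. It also checks "pae", because on 32-bit x86 the NX bit lives in bit 63 of a PAE page-table entry and a non-PAE kernel cannot use NX even when the hardware advertises it. The two sample dumps are constructed for the demo and are not the Pentium 4 from the thread.

```sh
#!/bin/sh
# Added example; not part of check-bios-nx or the original message.
# Reads /proc/cpuinfo text on stdin and reports a CPUID flag per processor.

# flag_status FLAG < cpuinfo
#   prints "FLAG"     if every processor entry lists FLAG
#   prints "no-FLAG"  if at least one entry lacks it (absent on the CPU,
#                     or masked by the BIOS: cpuinfo alone cannot say which)
#   prints "unknown"  if no "flags" line was found at all (not x86, or a
#                     truncated dump)
flag_status() {
    awk -F: -v flag="$1" '
        $1 ~ /^flags[ \t]*$/ {
            total++
            # split on runs of whitespace so "nx" never matches "pse36" etc.
            n = split($2, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == flag) { with_flag++; break }
        }
        END {
            if (total == 0)              print "unknown"
            else if (with_flag == total) print flag
            else                         print "no-" flag
        }'
}

# report FILE: NX verdict plus the PAE caveat for 32-bit kernels.
report() {
    nx="$(flag_status nx < "$1")"
    pae="$(flag_status pae < "$1")"
    printf 'nx:  %s\npae: %s\n' "$nx" "$pae"
    case "$nx" in
        nx)    echo "CPU advertises NX and the BIOS has not masked it." ;;
        no-nx) echo "No nx flag: CPU lacks NX, or the BIOS disabled it." ;;
        *)     echo "No flags line found; cannot judge NX from this dump." ;;
    esac
    [ "$pae" = "pae" ] || echo "Note: without PAE a 32-bit kernel cannot use NX."
}

# Constructed sample dumps (two-processor box with NX, single-processor
# box without); not real hardware from the thread.
SAMPLE_WITH_NX='processor : 0
vendor_id : GenuineIntel
flags     : fpu vme pae mce sep pse36 clflush sse sse2 nx lm constant_tsc
processor : 1
vendor_id : GenuineIntel
flags     : fpu vme pae mce sep pse36 clflush sse sse2 nx lm constant_tsc'

SAMPLE_NO_NX='processor : 0
vendor_id : GenuineIntel
flags     : fpu vme pae mce sep pse36 clflush sse sse2'

# Stand-alone use: check the live machine when possible, else the samples.
if [ -r /proc/cpuinfo ]; then
    report /proc/cpuinfo
else
    tmp="$(mktemp)"
    printf '%s\n' "$SAMPLE_WITH_NX" > "$tmp"; echo "--- sample with nx";    report "$tmp"
    printf '%s\n' "$SAMPLE_NO_NX"   > "$tmp"; echo "--- sample without nx"; report "$tmp"
    rm -f "$tmp"
fi
```

Run it as `sh nxcheck.sh` on the box in question. A "no-nx" result on a CPU whose datasheet lists Execute Disable points at the BIOS setting rather than the part; the kernel's own verdict is visible in the boot log as the line "NX (Execute Disable) protection: active" when it is using the feature.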
