check-bios-nx
Kees Cook
kees at ubuntu.com
Tue May 11 08:48:55 UTC 2010
On Mon, May 10, 2010 at 05:41:28PM -1000, Paul Graydon wrote:
> If, however, it actually is a 3Ghz chip then it'll be this one:
>
> http://processorfinder.intel.com/details.aspx?sSpec=SL7PU

This should have NX, but I don't know what the mapping is between the
"stepping" as "1" vs D0, E0, G1, etc.

> Here's a gotcha of NX bit protection as I understand it: You need to be
> running a 64bit kernel of some description for it to work, or be using a
> PAE kernel, as it operates in bit number 63.

Right, needs PAE (which all 64bit uses). Without 64bit, you'll get
partial NX emulation:
https://wiki.ubuntu.com/Security/Features#Non-Exec%20Memory

> serving environment? If so it's not worth fussing about. If, on the
> other hand, it is visible to the great unwashed masses, it may well be
> worth switching to a PAE kernel or installing a 64bit version of Ubuntu
> on there. In a live environment any extra protection you can get is
> worth it, especially if it's easy to achieve!

If it doesn't have true NX, I'd generally recommend using a 32bit kernel so
you gain the partial NX emulation.

-Kees
--
Kees Cook
Ubuntu Security Team
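
Added example, not part of the original message and not the check-bios-nx code: a small classifier for the cases discussed in this thread (CPU reports `nx` and the kernel is 64-bit or PAE, CPU reports `nx` but the kernel is neither, CPU reports no `nx`). The function names, status strings and the sample `/proc/cpuinfo` text are constructed for illustration; whether the running 32-bit kernel is a PAE build is assumed to be supplied by the caller.

```python
import re

# Constructed sample input (not from the thread): two logical CPUs reporting pae and nx.
SAMPLE_NX = """\
processor\t: 0
model name\t: Example CPU 3.00GHz
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge cmov pat nx lm
processor\t: 1
model name\t: Example CPU 3.00GHz
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge cmov pat nx lm
"""

# Constructed sample input: a CPU with pae but no nx flag.
SAMPLE_NO_NX = """\
processor\t: 0
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge cmov pat
"""


def common_flags(cpuinfo_text):
    """Return the CPU flags present on every logical CPU in the text."""
    per_cpu = [set(m.group(1).split())
               for m in re.finditer(r"^flags\s*:\s*(.*)$", cpuinfo_text, re.M)]
    if not per_cpu:
        raise ValueError("no 'flags' line found in cpuinfo text")
    return set.intersection(*per_cpu)


def nx_status(cpuinfo_text, machine, pae_kernel=False):
    """Classify NX state from cpuinfo text, `uname -m` output and kernel type.

    pae_kernel is an assumption passed in by the caller (for example, known
    from the installed kernel package); it is not detected here.
    """
    flags = common_flags(cpuinfo_text)
    if "nx" not in flags:
        # No nx flag reported: per the thread, a 32-bit Ubuntu kernel
        # provides partial NX emulation in this case.
        return "no-hardware-nx"
    if machine == "x86_64" or pae_kernel:
        # NX lives in page-table bit 63, so 64-bit or PAE paging is required.
        return "hardware-nx"
    return "nx-unused-needs-pae"


if __name__ == "__main__":
    print(nx_status(SAMPLE_NX, "x86_64"))    # 64-bit kernel
    print(nx_status(SAMPLE_NX, "i686"))      # 32-bit non-PAE kernel
    print(nx_status(SAMPLE_NO_NX, "i686"))   # CPU reports no nx flag
```

On a live system, the first argument would be the contents of `/proc/cpuinfo` and the second the output of `uname -m`.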