NonExecutable Bit in 32Bit

NonExecutable Bit in 32Bit

[Cestonaro, Thilo (external)]

Hey,

is it right, that the NX Bit is not used under i386-Arch but under x86_64-Arch?
When yes, is there a special argument for it not to be used?

Ciao Thilo

Re: NonExecutable Bit in 32Bit

[William Heimbigner]

On Tue, 24 Apr 2007, Cestonaro, Thilo (external) wrote:

> Hey,
>
> is it right, that the NX Bit is not used under i386-Arch but under x86_64-Arch?
> When yes, is there a special argument for it not to be used?
>
> Ciao Thilo
I don't think so - some i386 cpus definitely have support for the NX bit.

Would having this be supported in i386 help debugging (and security) 
significantly?

William Heimbigner
icxcnika@mar.tar.cc

RE: NonExecutable Bit in 32Bit

[Cestonaro, Thilo (external)]

 
> I don't think so - some i386 cpus definitely have support for the NX bit.
Ok, the cpu's do support it, but the kernel doesn't use it if it is active in the bios.

> Would having this be supported in i386 help debugging (and security) 
> significantly?
@William: I don't understand this question :(


Ciao Thilo

Re: NonExecutable Bit in 32Bit

[Tuncer Ayaz]

On 4/24/07, William Heimbigner <icxcnika@mar.tar.cc> wrote:
> On Tue, 24 Apr 2007, Cestonaro, Thilo (external) wrote:
>
> > Hey,
> >
> > is it right, that the NX Bit is not used under i386-Arch but
> > under x86_64-Arch?
> > When yes, is there a special argument for it not to be used?
> >
> > Ciao Thilo
> I don't think so - some i386 cpus definitely have support for
> the NX bit.
>

In detail:
1) if your CPU has NX support (some 32bit Xeons do)
2) it is not disabled in the BIOS
3) you see 'nx' in the 'flags' line in /proc/cpuinfo
4) and you have a kernel with the following config options
CONFIG_HIGHMEM64G=y
CONFIG_HIGHMEM=y
CONFIG_X86_PAE=y

NX should just work.

[snip]

Re: NonExecutable Bit in 32Bit

[Andi Kleen]

"Cestonaro, Thilo \(external\)"    <Thilo.Cestonaro.external@fujitsu-siemens.com> writes:


> is it right, that the NX Bit is not used under i386-Arch but under x86_64-Arch?

It is wrong.

-Andi

RE: NonExecutable Bit in 32Bit

[Cestonaro, Thilo (external)]

Hey,

> CONFIG_HIGHMEM64G=y
> CONFIG_HIGHMEM=y
> CONFIG_X86_PAE=y

Ok in highmem it's active, whats about lowmem?
x86-64 is NX active for lowmem too AFAIK.


Ciao Thilo

Re: NonExecutable Bit in 32Bit

[Tuncer Ayaz]

On 4/25/07, Cestonaro, Thilo (external)
<Thilo.Cestonaro.external@fujitsu-siemens.com> wrote:
> Hey,
>
> > CONFIG_HIGHMEM64G=y
> > CONFIG_HIGHMEM=y
> > CONFIG_X86_PAE=y
>
> Ok in highmem it's active, whats about lowmem?
> x86-64 is NX active for lowmem too AFAIK.

It's more of an issue of having PAE enabled.
Without PAE you are not able to use the the NX bit.
That's the way the CPU works, not Linux.

Hope this helps.

Re: NonExecutable Bit in 32Bit

[Tuncer Ayaz]

On 4/25/07, Tuncer Ayaz <tuncer.ayaz@gmail.com> wrote:
> On 4/25/07, Cestonaro, Thilo (external)
> <Thilo.Cestonaro.external@fujitsu-siemens.com> wrote:
> > Hey,
> >
> > > CONFIG_HIGHMEM64G=y
> > > CONFIG_HIGHMEM=y
> > > CONFIG_X86_PAE=y
> >
> > Ok in highmem it's active, whats about lowmem?
> > x86-64 is NX active for lowmem too AFAIK.
>
> It's more of an issue of having PAE enabled.
> Without PAE you are not able to use the the NX bit.
> That's the way the CPU works, not Linux.

Forgot to add:
from arch/i386/Kconfig:
config X86_PAE
	bool
	depends on HIGHMEM64G
	default y
	select RESOURCES_64BIT

> Hope this helps.
>

Re: NonExecutable Bit in 32Bit

[H. Peter Anvin]

Cestonaro, Thilo (external) wrote:
> Hey,
> 
>> CONFIG_HIGHMEM64G=y
>> CONFIG_HIGHMEM=y
>> CONFIG_X86_PAE=y
> 
> Ok in highmem it's active, whats about lowmem?

It's not highmem vs lowmem, it is that HIGHMEM64G is required for
X86_PAE, which is required for NX support.

> x86-64 is NX active for lowmem too AFAIK.

Good thing, since x86-64 doesn't have highmem (nor does it need it,
since it has enough virtual address space to map all physical address
space and still have left over, like it *should* be.)

	-hpa

RE: NonExecutable Bit in 32Bit

[Cestonaro, Thilo (external)]

> > > > CONFIG_HIGHMEM64G=y
> > > > CONFIG_HIGHMEM=y
> > > > CONFIG_X86_PAE=y
> > >
> > > Ok in highmem it's active, whats about lowmem?
> > > x86-64 is NX active for lowmem too AFAIK.
> >
> > It's more of an issue of having PAE enabled.
> > Without PAE you are not able to use the the NX bit.
> That's the way the CPU works, not Linux.
> 
> Forgot to add:
> from arch/i386/Kconfig:
> config X86_PAE
> 	bool
> 	depends on HIGHMEM64G
> 	default y
> 	select RESOURCES_64BIT
> 
> > Hope this helps.
> >

Just that I get it right, NX just works with PAE enabled, and PAE just works with HIGHMEM64G enabled.
And this prevents the lowmemory to be secured by NX?

Ciao Thilo

Re: NonExecutable Bit in 32Bit

[Marat Buharov]

On 4/25/07, Cestonaro, Thilo (external)
<Thilo.Cestonaro.external@fujitsu-siemens.com> wrote:
> And this prevents the lowmemory to be secured by NX?

What do you mean, when you say "lowmemory"?

RE: NonExecutable Bit in 32Bit

[Cestonaro, Thilo (external)]

> > And this prevents the lowmemory to be secured by NX?
> What do you mean, when you say "lowmemory"?

I mean EF-Segments. Cause we got a kernel oops as we accidentally used ioremap_nocache on a EF-Segment address.
Before that usage the EF-Segments weren't secured, afterwards they were.
We use now ioremap which does the high low mem check, but I was a bit confused that NX was not active before.
But I can't provide any further informations about the system, cause it was more or less support for a customer.

Ciao Thilo