braveheartleo
Post subject: Data Execution Prevention not available in non-PAE kernels  PostPosted: 08.04.2011, 17:56
Joined: 2011-04-08
Posts: 17
As a long-time Windows user, and a brief Ubuntu user, I had never considered the subtle requirements for supporting the No Execute (NX) / Execute Disable (XD) bit in modern CPUs. For the basics, it has to be supported in both BIOS and OS, and of course the CPU has to have the feature. Regarding PAE (Page Address Extension), I had the impression that it is only relevant when enabling memory beyond 3.5GB on 32-bit CPUs.

Even though Ubuntu offers generic and pae kernel flavors, DEP always worked in either one. When I made the switch to aptosid I was puzzled to see:
      Quote:
Notice: NX (Execute Disable) protection cannot be enabled: non-PAE kernel!

in my logs. It prompted me to research on the issue.

In a nutshell, the issue is that the page table must be 64 bits wide because the NX bit works on the 63rd bit of the address. PAE kernels have a 64-bit page table, while a non-PAE one is only 32 bits wide.

I have searched around and read a considerable amount of information regarding the matter. There are relevant discussions on this, specifically about compiling the kernel with CONFIG_HIGHMEM64G set, and some performance penalty in doing so. Even Linus Torvalds himself says that
      Quote:
HIGHMEM was a mistake in the first place. It's one that we can live with,
but I refuse to support it more than it needs to be supported. And 12GB is
*way* past the end of what is worth supporting.

( excerpt from http://lkml.org/lkml/2007/11/15/423 ) And some more discussion also by him here: http://article.gmane.org/gmane.linux.kernel/900604

One thing that I noticed from the preceding discussions is that the issue was never discussed in terms of its effect on an important processor hardware feature concerning security: DEP.

So I'm wondering if the performance penalty, which Linus Torvalds himself admits is not noticeable in userspace, outweighs the security benefits offered by compiling the kernel with 64-bit page tables. Also, it seems that the discussions center mostly on 32-bit-only CPUs, and not on 64-bit-capable CPUs executing in 32-bit mode while running a 32-bit OS.

I would like to have DEP enabled in the kernel, if a possible workaround exists without re-compiling it.

I notice in Ubuntu the presence of AppArmor security module for Linux to facilitate Mandatory Access Control. Aptosid doesn't have this so perhaps there's an equivalent module that does the same, but I know not what.
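The notice quoted in the post above is the kernel's own report of the NX state. As an added example (not from the thread or from aptosid), the following POSIX shell script classifies that state from two inputs, a kernel log text and the /proc/cpuinfo flags line, so an administrator can check whether NX is actually enforced rather than merely supported by the CPU. The sample log lines and flag strings are constructed; the "protection: active" message is assumed to be the wording the x86 kernel prints when NX is enabled.

```shell
#!/bin/sh
# Added example: classify NX/DEP state from a kernel log and the CPU flags.
# Usage: nx_status "<kernel log text>" "<cpuinfo flags line>"
# Prints exactly one of: unsupported, non-pae, active, unknown
nx_status() {
    log_text=$1
    cpu_flags=$2
    # The CPU must advertise the feature ("nx" in the /proc/cpuinfo flags line);
    # without it no kernel, PAE or not, can enforce DEP.
    case " $cpu_flags " in
        *" nx "*) ;;
        *) echo unsupported; return 0 ;;
    esac
    # The kernel message decides whether the bit is actually in use.
    if printf '%s\n' "$log_text" | grep -q 'NX (Execute Disable) protection: active'; then
        echo active
    elif printf '%s\n' "$log_text" | grep -q 'non-PAE kernel'; then
        # The case from the thread: CPU supports NX, 686 kernel cannot use it.
        echo non-pae
    else
        echo unknown
    fi
}

# Constructed sample inputs (not real captures) mirroring the thread's machine:
# a Pentium 4 with the nx and lm flags, booted with a non-PAE 686 kernel.
SAMPLE_FLAGS='fpu vme de pse tsc msr pae mce cx8 sse sse2 ht nx lm'
SAMPLE_LOG_NONPAE='Notice: NX (Execute Disable) protection cannot be enabled: non-PAE kernel!'
SAMPLE_LOG_ACTIVE='NX (Execute Disable) protection: active'

# Live check on the running system (assumes dmesg and /proc/cpuinfo are readable).
live_nx_status() {
    flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2)
    log=$(dmesg 2>/dev/null)
    nx_status "$log" "$flags"
}
```

Running `live_nx_status` on a 32-bit non-PAE kernel should print `non-pae`, which is the condition the thread is about; `active` is what a PAE or amd64 kernel reports on the same CPU.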
slh
Post subject: RE: Data Execution Prevention not available in non-PAE kerne  PostPosted: 08.04.2011, 19:22
Joined: 2010-08-25
Posts: 737
If your CPU is capable of 64 bit instructions, then make use of them - 32 bit is for non-64 bit capable systems; a 32 bit PAE enabled kernel is not planned.
braveheartleo
Post subject: RE: Data Execution Prevention not available in non-PAE kerne  PostPosted: 09.04.2011, 00:46
Joined: 2011-04-08
Posts: 17
Thank you for the suggestion. However, I have some concerns regarding this route.

I used a 32-bit ISO install for my 64-bit-capable CPU with 1GB mem. Going by your suggestion, it would appear that I only need to replace the 686 kernel with an amd64 one. However, I'm not sure that the switch could be done as easily as this, having no prior experience with manual kernel replacements. Also, AFAIK apart from the kernel I need to install compat libs for running 32-bit apps in a 64-bit OS, which further complicates the matter, at least for me. This is one reason why I chose to use the 32-bit install; another is that wouldn't using a 64-bit OS bring overhead on my meager 1GB mem?

Can such a thing be done without reinstalling the whole system from scratch? Am I correct in outlining the steps as specified above, or perhaps I'm missing something more and would need hands-on configuration if I am to switch to 64-bit from a 32-bit install?

Infobash:
      Code:
Host/Kernel/OS  "aptosid" running Linux 2.6.38-2.slh.3-aptosid-686 i686 [ aptosid 2011-01 Γῆρας - xfce - (201102052006) ]
CPU Info        2x Intel Pentium 4 2048 KB cache flags( sse3 ht nx lm ) clocked at [ 2400.000 MHz ]
Videocard       Intel 82865G Integrated Graphics Controller  X.Org 1.9.5  [ 1280x720@59.9hz ]
Network cards   Marvell 88E8001 Gigabit
Processes 115 | Uptime 3:01 | Memory 316.0/1001.7MB | HDD ST3160815AS,ST3320620AS Size 480GB (56%used) | Client Shell | Infobash v3.35
slam
Post subject: RE: Data Execution Prevention not available in non-PAE kerne  PostPosted: 09.04.2011, 08:10
Team Member
Joined: 1970-01-01
Posts: 607
Location: w3
To switch to 64bit, you have to re-install - there is no way around it. With Aptosid/Debian Sid the entire amd64 repository is native 64bit, and provides (with a handful of rare exceptions) exactly the same packages as the i386 repository does.

The ia32-libs are needed only for running Windows applications via wine, and for certain 3rd party closed source applications which do not offer 64bit versions (yet).

There is no mentionable overhead when using Aptosid 64bit over 32bit, at least not on average desktop systems.

Greetings,
Chris

_________________
an operating system must operate
development is life
my Debian repo
braveheartleo
Post subject: RE: Data Execution Prevention not available in non-PAE kerne  PostPosted: 09.04.2011, 08:54
Joined: 2011-04-08
Posts: 17
Would there be some 32-bit specific configs in my home profile I need to be aware of before making the switch?

The NX / XD bit, when I first heard about it, was never really advertised as best running in 64-bit, given the subtle requirement. I never thought that 32-bit kernels with HIGHMEM make DEP work as intended, at the cost of a performance penalty as indicated in the discussions. For a Windows fanboi this might be seen as lacking in Linux when Win32 supports it fine starting with Windows XP SP2, but I know better. Following this line of thought, it would appear that 32-bit Windows may be taking a performance hit with page tables to support DEP operation, or maybe not.

Anyway, thank you all for the suggestions. I will be considering switching my install over to 64-bit sometime, and see how my system fares with 64-bit Linux.