ubuntu-hardened March 2013 archive
Main Archive Page > Month Archives  > ubuntu-hardened archives
ubuntu-hardened: Re: [ubuntu-hardened] NX bit and generic-pae ke

Re: [ubuntu-hardened] NX bit and generic-pae kernel.

From: Seth Arnold <seth.arnold_at_nospam>
Date: Thu Mar 28 2013 - 21:00:04 GMT
To: ubuntu-hardened@lists.ubuntu.com

On Thu, Mar 28, 2013 at 08:11:50PM +0000, Maurice McCarthy wrote:
> First of all explore your BIOS settings to see if there is an option
> to enable NX. There should be and, if not, it is likely to be a lack
> of good will by the manufacturers for not providing this in the first
> place. It happens especially in cheap computers such as my Acer One
> netbook.
> It means there is a fault in the BIOS set up. The manufacturers have
> or should have written new BIOS code to correct this in an update. NX
> is not enabled until after the update has been made.

Ubuntu kernels have ignored the BIOS flag for some time:

As far as I know, this feature has been merged into upstream Linus
kernels several years ago, so it should be common to every distro now.

> NX is a security feature which ought to be enabled but you may well be
> able to live without it.
> You can still try installing a PAE kernel but I don't understand how
> this would help as PAE means physical address extension. PAE code
> enables 32 bit computers to use more that 4GB memory. As you have 1GB
> then I don't see that you need it.

The extra page access control flags are (in x86 and x86-64 arches) only
enabled when running with full PAE:


To tell if your CPU supports NX, look for the 'nx' flag in /proc/cpuinfo.

The segment emulation is decent enough. If the hardware otherwise works
for you, I wouldn't bother buying a new CPU and motherboard just to get
NX. (Though I expect the other enhancements since then are compelling.)

-- ubuntu-hardened mailing list ubuntu-hardened@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened