found kernel trace when using java

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Re: found kernel trace when using java

Postby wippie » Wed Jun 04, 2008 2:30 am

True, all of Via's C7 cpus are supporting the NX bit and it will probably be the same with their new Isaiah/Nano cpu.
The reason i did use the SEGMEXEC is because there used to be kernel problems when trying to use the NX bit with a non-64 bit system and, what i heard, the SEGMEXEC had a lower performance hit than an emulated nx bit in PAGEEXEC? But i guess that NX problem is fixed by now soo..
let's see if i remember how to enable the pageexec/nx.
* PAGEEXEC instead of SEGMEXEC under 'PAX features --> Non-executable pages -->'
* 'PAE Support' and '64 bit Memory and IO resources' under 'Processor type and features -->'
* passing 'noexec=on noexec32=on' as kernel parameters.
or am i missing something now?

This thread is a bit off topic now but..well.. :wink:
wippie
 
Posts: 7
Joined: Sun May 25, 2008 11:05 am

Re: found kernel trace when using java

Postby PaX Team » Wed Jun 04, 2008 6:36 am

wippie wrote:
> The reason i did use the SEGMEXEC is because there used to be kernel problems when trying to use the NX bit with a non-64 bit system

what problems (besides the obvious performance impact)?

> and, what i heard, the SEGMEXEC had a lower performance hit than an emulated nx bit in PAGEEXEC?

that's still true, but i'm talking about the hw NX bit for which i added support on i386 last year, the kernel config help was updated as well, check it out ;).

> let's see if i remember how to enable the pageexec/nx.
> * PAGEEXEC instead of SEGMEXEC under 'PAX features --> Non-executable pages -->'

yes, although enabling both will still work because at runtime PaX will select the better one on a given CPU (this matters if you're building a distro kernel where you can't predict on what CPUs the kernel will run on).

> * 'PAE Support' and '64 bit Memory and IO resources' under 'Processor type and features -->'

the latter is automatically selected by PAE, so you only need PAE. you can get PAE with or without HIGHMEM64G support.

> * passing 'noexec=on noexec32=on' as kernel parameters.

noexec32 is a 64 bit kernel feature, so it doesn't exist on i386, and under PaX/PAE noexec is removed for good as well, effectively it's always on if the CPU supports the NX bit.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: found kernel trace when using java

Postby wippie » Fri Jun 06, 2008 4:43 am

> .. for which i added support on i386 last year.

Well that was the problem. :wink:
Now they will run pageexec/pae/nx.
# dmesg
..
NX (Execute Disable) protection: active
..

-- happy --
wippie
 
Posts: 7
Joined: Sun May 25, 2008 11:05 am
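
Added example, not written by anyone in the thread: a POSIX shell check of the three things the discussion settles on for hardware NX on i386 (the CPU's `nx` flag, `CONFIG_X86_PAE` plus `CONFIG_PAX_PAGEEXEC` in the kernel config, and the dmesg line quoted above). The function names, verdict strings and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample data are hypothetical/constructed.

# has_flag FLAG CPUINFO_TEXT: succeeds if FLAG is listed on the "flags" line.
has_flag() {
    printf '%s\n' "$2" | grep -E '^flags[[:space:]]*:' | head -n 1 |
        tr ' \t' '\n\n' | grep -qx "$1"
}

# has_opt SYMBOL CONFIG_TEXT: succeeds if the kernel config has SYMBOL=y.
has_opt() {
    printf '%s\n' "$2" | grep -qx "$1=y"
}

# nx_status CPUINFO CONFIG DMESG: prints one verdict word.
nx_status() {
    cpu=$1 cfg=$2 log=$3
    if ! has_opt CONFIG_PAX_PAGEEXEC "$cfg"; then
        if has_opt CONFIG_PAX_SEGMEXEC "$cfg"; then echo segmexec-only
        else echo no-pax-noexec; fi
        return
    fi
    # PAGEEXEC is built in; hardware NX also needs the CPU flag and PAE.
    if ! has_flag nx "$cpu"; then echo cpu-lacks-nx; return; fi
    if ! has_opt CONFIG_X86_PAE "$cfg"; then echo pae-missing; return; fi
    if printf '%s\n' "$log" | grep -q 'NX (Execute Disable) protection: active'
    then echo hw-nx-active
    else echo hw-nx-not-reported
    fi
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_CPU='processor       : 0
flags           : fpu de pse tsc msr pae mce cx8 sep mtrr pge cmov mmx sse sse2 nx'
SAMPLE_CFG='CONFIG_X86_PAE=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y'
SAMPLE_LOG='NX (Execute Disable) protection: active'

nx_status "$SAMPLE_CPU" "$SAMPLE_CFG" "$SAMPLE_LOG"

# On a live system (assumes the kernel config was saved at build time):
#   nx_status "$(cat /proc/cpuinfo)" "$(cat /path/to/.config)" "$(dmesg)"
```
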
