Re: [gentoo-user] Is there a DEP (Data Execution Protection) option for Gentoo?

2006-03-27 Thread Hemmann, Volker Armin
On Monday 27 March 2006 07:57, Richard Fish wrote:
> On 3/26/06, Walter Dnes [EMAIL PROTECTED] wrote:
> >   The subject says it all.  I've done some spelunking through
> > /usr/src/linux/.config, and I don't see anything relevant.
>
> It's enabled by default.  If you don't want it, you need to boot with
> the noexec=off kernel option.


On AMD64, but x86 doesn't have the NX bit, so a hardened kernel might be the
best solution.
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Is there a DEP (Data Execution Protection) option for Gentoo?

2006-03-27 Thread Richard Fish
On 3/27/06, Hemmann, Volker Armin [EMAIL PROTECTED] wrote:
> On Monday 27 March 2006 07:57, Richard Fish wrote:
> > On 3/26/06, Walter Dnes [EMAIL PROTECTED] wrote:
> > >   The subject says it all.  I've done some spelunking through
> > > /usr/src/linux/.config, and I don't see anything relevant.
> >
> > It's enabled by default.  If you don't want it, you need to boot with
> > the noexec=off kernel option.
> >
>
> On AMD64, but x86 doesn't have the NX bit, so a hardened kernel might be the
> best solution.

No, current Intel processors support the NX bit also:

flags   : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
mca cmov pat clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx pni
monitor vmx est tm2 xtpr

And if you look at the noexec_setup function in arch/i386/mm/init.c,
you will see that it does not require AMD64.

But I agree that PAE is the necessary option if your processor is too
old and does not support the NX bit.  Sorry I did not mention that.

-Richard

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Is there a DEP (Data Execution Protection) option for Gentoo?

2006-03-27 Thread Graham Murray
Richard Fish [EMAIL PROTECTED] writes:
>
> But I agree that PAE is the necessary option if your processor is too
> old and does not support the NX bit.  Sorry I did not mention that.

Even if the processor supports the NX bit, in arch/i386/mm/init.c it
looks as though NX is only enabled if PAE is configured (which
requires setting 64G highmem)
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Is there a DEP (Data Execution Protection) option for Gentoo?

2006-03-27 Thread Richard Fish
On 3/27/06, Graham Murray [EMAIL PROTECTED] wrote:
> Richard Fish [EMAIL PROTECTED] writes:
>
> > But I agree that PAE is the necessary option if your processor is too
> > old and does not support the NX bit.  Sorry I did not mention that.
>
> Even if the processor supports the NX bit, in arch/i386/mm/init.c it
> looks as though NX is only enabled if PAE is configured (which
> requires setting 64G highmem)

Hmm, yep, I didn't read enough source.  Actually the best indicator
that CONFIG_X86_PAE is necessary is from include/asm-i386/pgtable.h,
which defines _PAGE_NX as:

#ifdef CONFIG_X86_PAE
#define _PAGE_NX	(1ULL<<_PAGE_BIT_NX)
#else
#define _PAGE_NX	0
#endif

Crow eaten with apologies to all.

-Richard


-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Is there a DEP (Data Execution Protection) option for Gentoo?

2006-03-27 Thread Walter Dnes
On Mon, Mar 27, 2006 at 06:00:25PM +0100, Graham Murray wrote

> Even if the processor supports the NX bit, in arch/i386/mm/init.c it
> looks as though NX is only enabled if PAE is configured (which
> requires setting 64G highmem)

  Let me get this straight.  In make menuconfig...

Processor type and features  --->
High Memory Support (4GB)  --->
(X) 64GB

...will automatically enable DEP (aka NX)?  Is that correct?  Sheesh;
talk about indirection.  This is probably why I couldn't find any direct
reference to it in /usr/src/linux/.config.

-- 
Walter Dnes [EMAIL PROTECTED] In linux /sbin/init is Job #1
My musings on technology and security at http://tech_sec.blog.ca
-- 
gentoo-user@gentoo.org mailing list
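As an added illustration (not part of the thread, and not Gentoo's or the kernel's code), here is a POSIX shell script that reproduces the three checks the thread arrives at, against constructed sample input: the `nx` flag in the /proc/cpuinfo flags line Richard pasted, CONFIG_X86_PAE in the kernel .config (selected by the 64GB high-memory choice on i386), and the noexec=off boot parameter. The function names, the sample lines, and the `report_live` helper are my own; the PAE gate is only applied for non-x86_64 kernels, since 64-bit paging always has the NX bit available.

```shell
#!/bin/sh
# Constructed sample inputs (not captured from a real machine).
SAMPLE_FLAGS_NX='flags   : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx pni monitor vmx est tm2 xtpr'
SAMPLE_FLAGS_NONX='flags   : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush mmx fxsr sse sse2'
SAMPLE_CONFIG_PAE='CONFIG_HIGHMEM64G=y
CONFIG_X86_PAE=y'
SAMPLE_CONFIG_NOPAE='CONFIG_HIGHMEM4G=y
# CONFIG_X86_PAE is not set'
SAMPLE_CMDLINE='root=/dev/sda3 ro quiet'
SAMPLE_CMDLINE_OFF='root=/dev/sda3 ro noexec=off'

# cpu_has_flag FLAG FLAGS_LINE: 0 if FLAG is a whole word after the "flags :" prefix.
cpu_has_flag() {
    flag=$1
    line=$2
    for f in ${line#*:}; do          # intentional word splitting on whitespace
        [ "$f" = "$flag" ] && return 0
    done
    return 1
}

# kernel_config_has OPTION CONFIG_TEXT: 0 if "OPTION=y" is a line of the .config text.
kernel_config_has() {
    printf '%s\n' "$2" | grep -q "^$1=y$"
}

# cmdline_disables_nx CMDLINE: 0 if the boot command line carries noexec=off.
cmdline_disables_nx() {
    for arg in $1; do
        [ "$arg" = "noexec=off" ] && return 0
    done
    return 1
}

# nx_status FLAGS_LINE CONFIG_TEXT CMDLINE ARCH: prints one verdict word.
# The PAE gate mirrors the 2.6.16 i386 _PAGE_NX definition discussed in the
# thread; on x86_64 the bit is always available, so the gate is skipped.
nx_status() {
    flags_line=$1; config_text=$2; cmdline=$3; arch=$4
    if ! cpu_has_flag nx "$flags_line"; then
        echo "cpu-lacks-nx"
    elif [ "$arch" != x86_64 ] && ! kernel_config_has CONFIG_X86_PAE "$config_text"; then
        echo "nx-unusable-without-pae"
    elif cmdline_disables_nx "$cmdline"; then
        echo "nx-disabled-by-cmdline"
    else
        echo "nx-active"
    fi
}

# report_live: run the same check on the running system, tolerating missing files.
report_live() {
    [ -r /proc/cpuinfo ] || { echo "live: /proc/cpuinfo not readable"; return 0; }
    flags=$(grep '^flags' /proc/cpuinfo | head -n 1)
    cfg=""
    [ -r /usr/src/linux/.config ] && cfg=$(cat /usr/src/linux/.config)
    cmd=""
    [ -r /proc/cmdline ] && cmd=$(cat /proc/cmdline)
    echo "live: $(nx_status "$flags" "$cfg" "$cmd" "$(uname -m)")"
}

echo "sample (nx cpu, PAE kernel):     $(nx_status "$SAMPLE_FLAGS_NX" "$SAMPLE_CONFIG_PAE" "$SAMPLE_CMDLINE" i686)"
echo "sample (nx cpu, no PAE):         $(nx_status "$SAMPLE_FLAGS_NX" "$SAMPLE_CONFIG_NOPAE" "$SAMPLE_CMDLINE" i686)"
echo "sample (old cpu):                $(nx_status "$SAMPLE_FLAGS_NONX" "$SAMPLE_CONFIG_PAE" "$SAMPLE_CMDLINE" i686)"
echo "sample (noexec=off on cmdline):  $(nx_status "$SAMPLE_FLAGS_NX" "$SAMPLE_CONFIG_PAE" "$SAMPLE_CMDLINE_OFF" i686)"
report_live
```

The verdict "nx-unusable-without-pae" is the case Graham and Richard pin down: the CPU advertises `nx`, but a 32-bit kernel built without CONFIG_X86_PAE defines _PAGE_NX as 0 and never sets the bit. On a live 2.6 kernel the same fact is also visible in the boot log, where the i386 code prints whether NX (Execute Disable) protection is active.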



[gentoo-user] Is there a DEP (Data Execution Protection) option for Gentoo?

2006-03-26 Thread Walter Dnes
  The subject says it all.  I've done some spelunking through
/usr/src/linux/.config, and I don't see anything relevant.

-- 
Walter Dnes [EMAIL PROTECTED] In linux /sbin/init is Job #1
My musings on technology and security at http://tech_sec.blog.ca
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Is there a DEP (Data Execution Protection) option for Gentoo?

2006-03-26 Thread Heiko Wundram
On Monday 27 March 2006 06:29 Walter Dnes wrote:
>   The subject says it all.  I've done some spelunking through
> /usr/src/linux/.config, and I don't see anything relevant.

It's a kernel patch called PAX, and Gentoo offers hardened-sources which 
incorporate this kernel patch. Google for Gentoo PAX, and you'll find a Howto 
which explains how to set it up.

--- Heiko.

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Is there a DEP (Data Execution Protection) option for Gentoo?

2006-03-26 Thread Richard Fish
On 3/26/06, Walter Dnes [EMAIL PROTECTED] wrote:
>   The subject says it all.  I've done some spelunking through
> /usr/src/linux/.config, and I don't see anything relevant.

It's enabled by default.  If you don't want it, you need to boot with
the noexec=off kernel option.

-Richard

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Is there a DEP (Data Execution Protection) option for Gentoo?

2006-03-26 Thread Rumen Yotov
On Mon, 2006-03-27 at 07:50 +0200, Heiko Wundram wrote:
> On Monday 27 March 2006 06:29 Walter Dnes wrote:
> >   The subject says it all.  I've done some spelunking through
> > /usr/src/linux/.config, and I don't see anything relevant.
>
> It's a kernel patch called PAX, and Gentoo offers hardened-sources which
> incorporate this kernel patch. Google for Gentoo PAX, and you'll find a Howto
> which explains how to set it up.
>
> --- Heiko.
>
Hi,
I confirm all of the above, and just want to add a comment.
My current kernel (gentoo-sources-2.6.16) works with a PaX patch without any
issues. I had to apply it manually though (resolving a reject caused by some of
Gentoo's additional patches). It applies cleanly on vanilla-2.6.16.
PS: note, however, that this is just a part of all hardening, so if in need
choose one of the hardened-sources projects.
HTH. Rumen

