On 11/28/2011 11:44 AM, Kees Cook wrote:
> On Mon, Nov 28, 2011 at 09:40:53AM -0700, Tim Gardner wrote:
>> non-pae has a ginormous and ugly NX emulation patch
>
> This is about dropping non-PAE support, not dropping non-NX support. The NX
> emulation patch must remain in the kernel since a large number of systems
> have PAE but not NX.
>
> You can see this in the table here:
> https://wiki.ubuntu.com/Security/Features#nx
>
> Dropping non-PAE just eliminates the top line in that table. NX-emu will
> still be needed.

I guess you are correct. I naively assumed that execute-disable was
introduced with PAE in the Pentium Pro series. However, it did not
appear in Intel CPUs until Pentium 4 (approx Q1 2005). AMD had it from
the beginning in the Athlon series.

>> that has consumed substantial maintenance resources in the past,
>
> I'm also curious about this claim, as you've expressed to me in the past
> that carrying it has been surprisingly trivial. In fact, since I'm the one
> maintaining it these days, it's actually going to require 0 resources from
> Canonical. ;)
>
> http://git.kernel.org/?p=linux/kernel/git/kees/linux.git;a=shortlog;h=refs/heads/nx-emu

I did say "in the past". I remember encountering several issues with the
early implementation, as well as maintenance hassles while 32 and 64 bit
arch support was converging. I would characterize the NX emulation patch
as deeply intrusive, arguably one of the more complex patches against
the core of Linux that we carry.

It's a moot point given the model gap between PAE and NX introduction.

>> The kernel team has limited resources. Obviously I want to apply
>> what resources we have to the problems that affect the most
>> important platforms. Furthermore, I anticipate new ARM flavours in
>> the coming months which will take up any slack afforded by the loss
>> of non-PAE.
>
> I'm curious why pushing non-PAE to universe and leaving it in the main
> linux source package is a burden? Then people using non-PAE get automatic
> security updates without any hassle on anyone's part. This is what the
> Ubuntu Security Team manager wants:
> https://lists.ubuntu.com/archives/ubuntu-devel/2011-November/034457.html
>
> as well as the Ubuntu Platform Team manager wants:
> https://lists.ubuntu.com/archives/ubuntu-devel/2011-November/034463.html
>
> I'm not convinced there's enough evidence to say that dropping it from the
> main linux source package will actually save any time at all.

Dropping this flavour saves 5 minutes per build on a 4-way 80 thread
server, which for some of the team can add up to quite a bit of time
over the course of a day. It's one less variant that needs to be tested
in Q/A, and it's one less flavour we have to mess with in our meta and
LBM packages.
rtg
--
Tim Gardner [email protected]
--
ubuntu-devel mailing list
[email protected]
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
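The PAE-versus-NX distinction the exchange above turns on can be checked on a running Linux machine from the CPUID feature flags the kernel exposes in /proc/cpuinfo (Linux prints the execute-disable bit as `nx` for both Intel and AMD parts). The script below is an added example, not code from the thread or from Ubuntu's kernel packaging; the cpuinfo fragments are constructed for the example, and the three labels `no-pae`, `pae-no-nx` and `pae-nx` are names chosen here to match the rows of the wiki table Kees links.

```python
"""Classify an x86 CPU into the PAE/NX cases discussed in the thread.

Added example (not from the mailing-list thread). It parses /proc/cpuinfo
text and reports whether the hardware is below PAE, has PAE but no NX
(NX emulation still required), or has both.
"""
import os

# Constructed /proc/cpuinfo fragments, not captured from real machines.
# Only the 'flags' line matters to the classifier.
SAMPLE_NO_PAE = """\
processor\t: 0
model name\t: example CPU without PAE
flags\t\t: fpu vme de pse tsc msr mce cx8 sep mtrr pge mca cmov mmx fxsr sse
"""

SAMPLE_PAE_NO_NX = """\
processor\t: 0
model name\t: example CPU with PAE but no execute-disable
flags\t\t: fpu vme de pse tsc msr pae mce cx8 sep mtrr pge mca cmov mmx fxsr sse sse2 ht
"""

SAMPLE_PAE_NX = """\
processor\t: 0
model name\t: example CPU with PAE and NX
flags\t\t: fpu vme de pse tsc msr pae mce cx8 sep mtrr pge mca cmov mmx fxsr sse sse2 ht nx lm
"""


def cpu_flags(cpuinfo_text):
    """Return the feature flags from the first 'flags' line.

    /proc/cpuinfo repeats one block per logical CPU; the flags are the
    same for every block on a sane machine, so the first one is enough.
    An empty set is returned if no flags line is present.
    """
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            return set(value.split())
    return set()


def classify(cpuinfo_text):
    """Map the flags onto the three rows of the Ubuntu NX feature table."""
    flags = cpu_flags(cpuinfo_text)
    if "pae" not in flags:
        return "no-pae"       # top row: only a non-PAE flavour can boot this
    if "nx" not in flags:
        return "pae-no-nx"    # PAE kernel boots, but NX must be emulated
    return "pae-nx"           # hardware execute-disable, no emulation needed


def nx_emulation_needed(cpuinfo_text):
    """True when the CPU cannot enforce NX itself (either lower row needs NX-emu)."""
    return classify(cpuinfo_text) != "pae-nx"


if __name__ == "__main__":
    # Classify the constructed samples, then the local machine if possible.
    for name, text in (("no-pae", SAMPLE_NO_PAE),
                       ("pae-no-nx", SAMPLE_PAE_NO_NX),
                       ("pae-nx", SAMPLE_PAE_NX)):
        print(f"sample {name:10s} -> {classify(text):10s} "
              f"nx-emu needed: {nx_emulation_needed(text)}")
    if os.path.exists("/proc/cpuinfo"):
        with open("/proc/cpuinfo") as fh:
            local = fh.read()
        print(f"this machine  -> {classify(local):10s} "
              f"nx-emu needed: {nx_emulation_needed(local)}")
```

One caveat when reading the result on 32-bit x86: the `nx` flag only says the CPU supports execute-disable. The bit lives in the 64-bit PAE page-table entry, so a non-PAE kernel cannot use it even on NX-capable hardware, which is why the non-PAE flavour needed the emulation patch in the first place.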