public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] Is there a DEP (Data Execution Protection) option for Gentoo?
@ 2006-03-27  4:29 Walter Dnes
  2006-03-27  5:50 ` Heiko Wundram
  2006-03-27  5:57 ` Richard Fish
  0 siblings, 2 replies; 9+ messages in thread
From: Walter Dnes @ 2006-03-27  4:29 UTC
  To: Gentoo Users List

  The subject says it all.  I've done some spelunking through
/usr/src/linux/.config, and I don't see anything relevant.

-- 
Walter Dnes <waltdnes@waltdnes.org> In linux /sbin/init is Job #1
My musings on technology and security at http://tech_sec.blog.ca
-- 
gentoo-user@gentoo.org mailing list

* Re: [gentoo-user] Is there a DEP (Data Execution Protection) option for Gentoo?
  2006-03-27  4:29 [gentoo-user] Is there a DEP (Data Execution Protection) option for Gentoo? Walter Dnes
@ 2006-03-27  5:50 ` Heiko Wundram
  2006-03-27  6:08   ` Rumen Yotov
  2006-03-27  5:57 ` Richard Fish
  1 sibling, 1 reply; 9+ messages in thread
From: Heiko Wundram @ 2006-03-27  5:50 UTC
  To: gentoo-user

On Monday 27 March 2006 06:29, Walter Dnes wrote:
>   The subject says it all.  I've done some spelunking through
> /usr/src/linux/.config, and I don't see anything relevant.

It's a kernel patch called PAX, and Gentoo offers hardened-sources which 
incorporate this kernel patch. Google for Gentoo PAX, and you'll find a Howto 
which explains how to set it up.

--- Heiko.


* Re: [gentoo-user] Is there a DEP (Data Execution Protection) option for Gentoo?
  2006-03-27  4:29 [gentoo-user] Is there a DEP (Data Execution Protection) option for Gentoo? Walter Dnes
  2006-03-27  5:50 ` Heiko Wundram
@ 2006-03-27  5:57 ` Richard Fish
  2006-03-27 12:12   ` Hemmann, Volker Armin
  1 sibling, 1 reply; 9+ messages in thread
From: Richard Fish @ 2006-03-27  5:57 UTC
  To: gentoo-user

On 3/26/06, Walter Dnes <waltdnes@waltdnes.org> wrote:
>   The subject says it all.  I've done some spelunking through
> /usr/src/linux/.config, and I don't see anything relevant.

It's enabled by default.  If you don't want it, you need to boot with
the "noexec=off" kernel option.

-Richard


* Re: [gentoo-user] Is there a DEP (Data Execution Protection) option for Gentoo?
  2006-03-27  5:50 ` Heiko Wundram
@ 2006-03-27  6:08   ` Rumen Yotov
  0 siblings, 0 replies; 9+ messages in thread
From: Rumen Yotov @ 2006-03-27  6:08 UTC
  To: gentoo-user


On Mon, 2006-03-27 at 07:50 +0200, Heiko Wundram wrote:
> On Monday 27 March 2006 06:29, Walter Dnes wrote:
> >   The subject says it all.  I've done some spelunking through
> > /usr/src/linux/.config, and I don't see anything relevant.
> 
> It's a kernel patch called PAX, and Gentoo offers hardened-sources which 
> incorporate this kernel patch. Google for Gentoo PAX, and you'll find a Howto 
> which explains how to set it up.
> 
> --- Heiko.
> 
Hi,
Confirm all of the above, just to add a comment.
My current kernel (gentoo-sources-2.6.16) works with a PaX patch w/o any
issues. Had to apply it manually though (resolving a reject caused by some
of Gentoo's additional patches). Applies cleanly on vanilla-2.6.16.
PS: note however that this is just a part of all hardening, so if in need
choose one of the hardened-sources projects.
HTH. Rumen


* Re: [gentoo-user] Is there a DEP (Data Execution Protection) option for Gentoo?
  2006-03-27  5:57 ` Richard Fish
@ 2006-03-27 12:12   ` Hemmann, Volker Armin
  2006-03-27 15:30     ` Richard Fish
  0 siblings, 1 reply; 9+ messages in thread
From: Hemmann, Volker Armin @ 2006-03-27 12:12 UTC
  To: gentoo-user

On Monday 27 March 2006 07:57, Richard Fish wrote:
> On 3/26/06, Walter Dnes <waltdnes@waltdnes.org> wrote:
> >   The subject says it all.  I've done some spelunking through
> > /usr/src/linux/.config, and I don't see anything relevant.
>
> It's enabled by default.  If you don't want it, you need to boot with
> the "noexec=off" kernel option.
>

on AMD64, but x86 doesn't have the NX bit, so a hardened kernel might be the 
best solution.

* Re: [gentoo-user] Is there a DEP (Data Execution Protection) option for Gentoo?
  2006-03-27 12:12   ` Hemmann, Volker Armin
@ 2006-03-27 15:30     ` Richard Fish
  2006-03-27 17:00       ` Graham Murray
  0 siblings, 1 reply; 9+ messages in thread
From: Richard Fish @ 2006-03-27 15:30 UTC
  To: gentoo-user

On 3/27/06, Hemmann, Volker Armin <volker.armin.hemmann@tu-clausthal.de> wrote:
> On Monday 27 March 2006 07:57, Richard Fish wrote:
> > On 3/26/06, Walter Dnes <waltdnes@waltdnes.org> wrote:
> > >   The subject says it all.  I've done some spelunking through
> > > /usr/src/linux/.config, and I don't see anything relevant.
> >
> > It's enabled by default.  If you don't want it, you need to boot with
> > the "noexec=off" kernel option.
> >
>
> on AMD64, but x86 doesn't have the NX bit, so a hardened kernel might be the
> best solution.

No, current intel processors support the NX bit also:

flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge
mca cmov pat clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx pni
monitor vmx est tm2 xtpr

And if you look at the noexec_setup function in arch/i386/mm/init.c,
you will see that it does not require AMD64.

But I agree that PAE is the necessary option if your processor is too
old and does not support the NX bit.  Sorry I did not mention that.

-Richard


* Re: [gentoo-user] Is there a DEP (Data Execution Protection) option for Gentoo?
  2006-03-27 15:30     ` Richard Fish
@ 2006-03-27 17:00       ` Graham Murray
  2006-03-27 18:24         ` Richard Fish
  2006-03-28  5:52         ` Walter Dnes
  0 siblings, 2 replies; 9+ messages in thread
From: Graham Murray @ 2006-03-27 17:00 UTC
  To: gentoo-user

"Richard Fish" <bigfish@asmallpond.org> writes:

> But I agree that PAE is the necessary option if your processor is too
> old and does not support the NX bit.  Sorry I did not mention that.

Even if the processor supports the NX bit, in arch/i386/mm/init.c it
looks as though NX is only enabled if PAE is configured (which
requires setting 64G highmem)

* Re: [gentoo-user] Is there a DEP (Data Execution Protection) option for Gentoo?
  2006-03-27 17:00       ` Graham Murray
@ 2006-03-27 18:24         ` Richard Fish
  2006-03-28  5:52         ` Walter Dnes
  1 sibling, 0 replies; 9+ messages in thread
From: Richard Fish @ 2006-03-27 18:24 UTC
  To: gentoo-user

On 3/27/06, Graham Murray <graham@gmurray.org.uk> wrote:
> "Richard Fish" <bigfish@asmallpond.org> writes:
>
> > But I agree that PAE is the necessary option if your processor is too
> > old and does not support the NX bit.  Sorry I did not mention that.
>
> Even if the processor supports the NX bit, in arch/i386/mm/init.c it
> looks as though NX is only enabled if PAE is configured (which
> requires setting 64G highmem)

Hmm, yep, I didn't read enough source.  Actually the best indicator
that CONFIG_X86_PAE is necessary is from include/asm-i386/pgtable.h,
which defines _PAGE_NX as:

#ifdef CONFIG_X86_PAE
#define _PAGE_NX        (1ULL<<_PAGE_BIT_NX)
#else
#define _PAGE_NX        0
#endif

Crow eaten with apologies to all.

-Richard

* Re: [gentoo-user] Is there a DEP (Data Execution Protection) option for Gentoo?
  2006-03-27 17:00       ` Graham Murray
  2006-03-27 18:24         ` Richard Fish
@ 2006-03-28  5:52         ` Walter Dnes
  1 sibling, 0 replies; 9+ messages in thread
From: Walter Dnes @ 2006-03-28  5:52 UTC
  To: gentoo-user

On Mon, Mar 27, 2006 at 06:00:25PM +0100, Graham Murray wrote:

> Even if the processor supports the NX bit, in arch/i386/mm/init.c it
> looks as though NX is only enabled if PAE is configured (which
> requires setting 64G highmem)

  Let me get this straight.  In "make menuconfig"...

Processor type and features  --->
    High Memory Support (4GB)  --->
        (X) 64GB

...will automatically enable DEP (aka NX)?  Is that correct?  Sheesh;
talk about indirection.  This is probably why I couldn't find any direct
reference to it in /usr/src/linux/.config.

-- 
Walter Dnes <waltdnes@waltdnes.org> In linux /sbin/init is Job #1
My musings on technology and security at http://tech_sec.blog.ca
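
Editor's note: an added example, not code from any message in this thread.
The thread leaves two ways of answering "is DEP on?", and neither is
sufficient by itself: the "nx" token in the /proc/cpuinfo flags line that
Richard posted says only that the CPU can do it, and the kernel config
(CONFIG_X86_PAE on i386, as Richard's _PAGE_NX excerpt shows) says only
that the kernel could use it. The small C program below combines a flags
parser with the check that actually settles Walter's question: it maps a
page, writes a single return instruction into it, and tries to execute it
twice, once from a PROT_EXEC mapping and once from a read-only one. With
NX enforced the second call faults with SIGSEGV, which the program catches
with sigsetjmp/siglongjmp and reports. The function names, the embedded
copy of Richard's flags line, and the per-architecture return-instruction
bytes are this example's own choices.

```c
/* nx_probe.c -- added example. Two checks for NX / DEP on Linux:
 *   has_cpu_flag(): does a cpuinfo "flags" line advertise a given feature?
 *   probe_exec():   does the kernel really refuse to execute a non-exec page?
 * Build: cc -O0 -o nx_probe nx_probe.c
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* The flags line Richard posted in this thread, embedded as a literal so
 * the parser can be exercised without reading /proc/cpuinfo. */
static const char SAMPLE_FLAGS[] =
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov "
    "pat clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe nx pni monitor vmx est tm2 xtpr";

/* Return 1 if `flag` is a whole whitespace-delimited token after the colon
 * of a cpuinfo flags line, else 0. Whole-token matching matters: "sse" must
 * not match inside "sse2", and a plain strstr() would get that wrong. */
int has_cpu_flag(const char *flags_line, const char *flag)
{
    const char *p = strchr(flags_line, ':');
    size_t n = strlen(flag);
    p = p ? p + 1 : flags_line;
    while (*p) {
        while (*p == ' ' || *p == '\t') p++;
        const char *tok = p;
        while (*p && *p != ' ' && *p != '\t') p++;
        if ((size_t)(p - tok) == n && memcmp(tok, flag, n) == 0)
            return 1;
    }
    return 0;
}

static sigjmp_buf probe_env;

/* SIGSEGV/SIGBUS handler: unwind back into probe_exec() with "faulted". */
static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(probe_env, 1);
}

/* Map one page, plant a bare "return" instruction, set protection `prot`,
 * and call into it. Returns 0 if the call returned normally (page was
 * executable), 1 if executing it raised SIGSEGV/SIGBUS (NX enforced),
 * -1 if mmap/mprotect failed (e.g. an execmem denial by an LSM). */
int probe_exec(int prot)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *buf = mmap(NULL, page, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED)
        return -1;

#if defined(__x86_64__) || defined(__i386__)
    static const unsigned char ret_insn[] = { 0xc3 };                   /* ret */
#elif defined(__aarch64__)
    static const unsigned char ret_insn[] = { 0xc0, 0x03, 0x5f, 0xd6 }; /* ret */
#else
#error "this example only carries return-instruction bytes for x86 and arm64"
#endif
    memcpy(buf, ret_insn, sizeof ret_insn);
    __builtin___clear_cache((char *)buf, (char *)buf + sizeof ret_insn);
    if (mprotect(buf, page, prot) != 0) {
        munmap(buf, page);
        return -1;
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int faulted;
    if (sigsetjmp(probe_env, 1) == 0) {
        void (*fn)(void);
        memcpy(&fn, &buf, sizeof fn);   /* data pointer -> function pointer */
        fn();                           /* executes the planted "ret" */
        faulted = 0;
    } else {
        faulted = 1;                    /* arrived here via on_fault() */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(buf, page);
    return faulted;
}

int main(void)
{
    printf("sample flags line advertises nx: %d\n", has_cpu_flag(SAMPLE_FLAGS, "nx"));
    printf("PROT_READ|PROT_EXEC page: %s\n",
           probe_exec(PROT_READ | PROT_EXEC) == 0 ? "ran" : "did not run");
    printf("PROT_READ page:           %s\n",
           probe_exec(PROT_READ) == 1 ? "faulted (NX enforced)" : "ran (NX NOT enforced)");
    return 0;
}
```

If the read-only probe runs to completion instead of faulting, the kernel
is not enforcing NX for that mapping; on a 2.6.16 i386 kernel that is what
you would expect to see without CONFIG_X86_PAE, or with noexec=off on the
command line, even though /proc/cpuinfo lists "nx". A -1 from the executable
probe usually means an LSM policy refused PROT_EXEC on anonymous memory,
which is a separate hardening control and not a statement about NX.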
