Old 05-11-2010, 03:24 AM
Neal McBurnett
 
Default check-bios-nx

On Mon, May 10, 2010 at 10:57:04PM -0400, Jim Tarvid wrote:
> Fascinating in a perverse way. The NX (no execute bit) is a tacit concession
> that Von Neumann architecture is a mistake. Not sure how much performance is
> lost by using it and even less sure if anybody actually uses it. It may be
> called something else in the BIOS (perhaps data protection or enhanced virus
> protection). http://kerneltrap.org/node/3240
<snip>
> I suspect this discussion is academic since Intel's support of the NX bit has
> not been consistent which could lead to a coding nightmare.
>
> I've put this conversation back on the ubuntu-server list, perhaps someone else
> has wisdom.
<snip>

Well, Ubuntu's Security Team lead, Kees Cook, thinks the NX protection
in Ubuntu is the most important of the many safeguards we have:

https://wiki.ubuntu.com/MeetingLogs/openweekLucid/ProactiveSecurity

(03:55:33 PM) ClassBot: nealmcb asked: do you have any way of knowing
which features matter the most in the wild?
(03:55:45 PM) kees: yes. NX is without a doubt, #1.
(03:56:17 PM) kees: there are tons of logic mistakes in webservers and
scripts, but NX will block a lot of further escalation


https://wiki.ubuntu.com/Security/Features

see this for details on the demo:

http://people.canonical.com/~kees/demo/

Cheers,

Neal McBurnett http://neal.mcburnett.org/

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
 
Old 05-11-2010, 03:41 AM
Paul Graydon
 
Default check-bios-nx

From the information provided it's a bit uncertain what we're dealing
with. The dmidecode information suggests (possibly?) that the CPU is
underclocked, as its maximum speed is 3.4 GHz. If that's the case,
given its Family 15, model 4, stepping 1, which means we're looking for
CPUID string of 0F41 on the processorfinder site (15=0F in hex) it would
be this one:

http://processorfinder.intel.com/details.aspx?sSpec=SL7KD

If, however, it actually is a 3 GHz chip then it'll be this one:

http://processorfinder.intel.com/details.aspx?sSpec=SL7PU

If underclocked then the CPU isn't capable of NX. If it's not
underclocked it is!

Here's a gotcha of NX bit protection as I understand it: You need to be
running a 64bit kernel of some description for it to work, or be using a
PAE kernel, as it operates in bit number 63.

e.g. on my workstation, running 2.6.32-21-generic-pae:
$ sudo check-bios-nx --verbose
This CPU has nx in the flags, so the BIOS is not disabling it.

I'm going to make a slight assumption here and presume that as it's a
workstation masquerading as a server that it's not in a live internet
serving environment? If so it's not worth fussing about. If, on the
other hand, it is visible to the great unwashed masses, it may well be
worth switching to a PAE kernel or installing a 64bit version of Ubuntu
on there. In a live environment any extra protection you can get is
worth it, especially if it's easy to achieve!



Jim Tarvid wrote:
> Fascinating in a perverse way. The NX (no execute bit) is a tacit
> concession that Von Neumann architecture is a mistake. Not sure how
> much performance is lost by using it and even less sure if anybody
> actually uses it. It may be called something else in the BIOS (perhaps
> data protection or enhanced virus protection).
> http://kerneltrap.org/node/3240
>
> Burroughs large systems incorporated an NX like feature in its memory
> mapping scheme. http://www.groupsrv.com/computers/about487.html
>
> I suspect this discussion is academic since Intel's support of the NX
> bit has not been consistent which could lead to a coding nightmare.
>
> I've put this conversation back on the ubuntu-server list, perhaps
> someone else has wisdom.
>
> Jim
>
> On Mon, May 10, 2010 at 10:13 PM, Mike.lifeguard
> <mike.lifeguard@gmail.com <mailto:mike.lifeguard@gmail.com>> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 10-05-10 10:49 PM, Jim Tarvid wrote:
> > Why not post /proc/cpuinfo and hwinfo --cpu here? You may have talked me
> > into investing a little in this box.
>
> Sure thing:
>
> mikelifeguard@binnie:~$ cat /proc/cpuinfo
> processor : 0
> vendor_id : GenuineIntel
> cpu family : 15
> model : 4
> model name : Intel(R) Pentium(R) 4 CPU 3.00GHz
> stepping : 1
> cpu MHz : 2992.688
> cache size : 1024 KB
> physical id : 0
> siblings : 2
> core id : 0
> cpu cores : 1
> apicid : 0
> initial apicid : 0
> fdiv_bug : no
> hlt_bug : no
> f00f_bug : no
> coma_bug : no
> fpu : yes
> fpu_exception : yes
> cpuid level : 5
> wp : yes
> flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge
> mca cmov pat
> pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe constant_tsc
> pebs
> bts pni dtes64 monitor ds_cpl cid xtpr
> bogomips : 5985.37
> clflush size : 64
> cache_alignment : 128
> address sizes : 36 bits physical, 32 bits virtual
> power management:
>
> processor : 1
> vendor_id : GenuineIntel
> cpu family : 15
> model : 4
> model name : Intel(R) Pentium(R) 4 CPU 3.00GHz
> stepping : 1
> cpu MHz : 2992.688
> cache size : 1024 KB
> physical id : 0
> siblings : 2
> core id : 0
> cpu cores : 1
> apicid : 1
> initial apicid : 1
> fdiv_bug : no
> hlt_bug : no
> f00f_bug : no
> coma_bug : no
> fpu : yes
> fpu_exception : yes
> cpuid level : 5
> wp : yes
> flags : fpu vme de pse tsc msr pae mce cx8 apic mtrr pge
> mca cmov pat
> pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe constant_tsc
> pebs
> bts pni dtes64 monitor ds_cpl cid xtpr
> bogomips : 5985.46
> clflush size : 64
> cache_alignment : 128
> address sizes : 36 bits physical, 32 bits virtual
> power management:
>
> mikelifeguard@binnie:~$ sudo hwinfo --cpu
> 01: None 00.0: 10103 CPU
> [Created at cpu.304]
> Unique ID: rdCR.j8NaKXDZtZ6
> Hardware Class: cpu
> Arch: Intel
> Vendor: "GenuineIntel"
> Model: 15.4.1 "Intel(R) Pentium(R) 4 CPU 3.00GHz"
> Features:
> fpu,vme,de,pse,tsc,msr,pae,mce,cx8,apic,mtrr,pge,mca,cmov,pat,pse36,clflush,dts,acpi,mmx,fxsr,sse,sse2,ss,ht,tm,pbe,constant_tsc,pebs,bts,pni,dtes64,monitor,ds_cpl,cid,xtpr
> Clock: 2992 MHz
> BogoMips: 5984.79
> Cache: 1024 kb
> Units/Processor: 2
> Config Status: cfg=new, avail=yes, need=no, active=unknown
>
> 02: None 01.0: 10103 CPU
> [Created at cpu.304]
> Unique ID: wkFv.j8NaKXDZtZ6
> Hardware Class: cpu
> Arch: Intel
> Vendor: "GenuineIntel"
> Model: 15.4.1 "Intel(R) Pentium(R) 4 CPU 3.00GHz"
> Features:
> fpu,vme,de,pse,tsc,msr,pae,mce,cx8,apic,mtrr,pge,mca,cmov,pat,pse36,clflush,dts,acpi,mmx,fxsr,sse,sse2,ss,ht,tm,pbe,constant_tsc,pebs,bts,pni,dtes64,monitor,ds_cpl,cid,xtpr
> Clock: 2992 MHz
> BogoMips: 5985.34
> Cache: 1024 kb
> Units/Processor: 2
> Config Status: cfg=new, avail=yes, need=no, active=unknown
>
> mikelifeguard@binnie:~$ sudo dmidecode -t 4
> # dmidecode 2.9
> SMBIOS 2.31 present.
>
> Handle 0x0004, DMI type 4, 35 bytes
> Processor Information
> Socket Designation: WMT478/NWD
> Type: Central Processor
> Family: Unknown
> Manufacturer: GenuineIntel
> ID: 41 0F 00 00 FF FB EB BF
> Version: Intel(R) Pentium(R) 4 CPU 3.00GHz
> Voltage: 1.8 V
> External Clock: 100 MHz
> Max Speed: 3400 MHz
> Current Speed: 3000 MHz
> Status: Populated, Enabled
> Upgrade: Socket 478
> L1 Cache Handle: 0x0005
> L2 Cache Handle: 0x0006
> L3 Cache Handle: Not Provided
> Serial Number: Not Specified
> Asset Tag: Not Specified
> Part Number: Not Specified
>
> Thanks for the help,
> - -Mike
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iEYEARECAAYFAkvovVUACgkQst0AR/DaKHuC2wCgwnY+k4CB6l3g6ikqj5XrTOn7
> KZIAnAm4Um5w2FdZ56QqESOg4iiTAOWt
> =XcjA
> -----END PGP SIGNATURE-----
>
>
>
>
> --
> Rev. Jim Tarvid, PCA
> Galax, Virginia
> http://ls.net
> http://drupal.ls.net
> http://crossleft.org
>
>


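The family/model/stepping to CPUID-signature derivation above (15, 4, 1 gives 0F41, which is also the first two bytes of the dmidecode "ID:" line, byte-swapped) is easy to get wrong by hand, so here is an added example that does it in code. This is not code from the thread or from Ubuntu's cpu-checker package; the function names are my own, the embedded cpuinfo text is a trimmed copy of what Mike posted, and the "ID:" string is the one from his dmidecode output. It rebuilds CPUID.1:EAX from the kernel's decoded fields, parses the SMBIOS ID bytes the other way round, checks that the two agree, and reports the nx/pae flag situation. One caveat it makes explicit: the SMBIOS ID carries leaf 1 EAX/EDX only, and the NX bit lives in leaf 0x80000001, so neither the ID nor the signature can tell you whether the part *should* have NX, which is exactly the gap Kees describes below.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One core's /proc/cpuinfo as posted in the thread (constructed copy, trimmed to the
 * fields read here). "model name" is kept to show that key matching must be exact. */
static const char sample_cpuinfo[] =
    "cpu family\t: 15\n"
    "model\t\t: 4\n"
    "model name\t: Intel(R) Pentium(R) 4 CPU 3.00GHz\n"
    "stepping\t: 1\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat "
    "pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe constant_tsc pebs "
    "bts pni dtes64 monitor ds_cpl cid xtpr\n";

/* The "ID:" line from the posted `dmidecode -t 4` output. */
static const char sample_dmi_id[] = "41 0F 00 00 FF FB EB BF";

/* Copy the value of "key<ws>: value" from cpuinfo text; returns 1 if found. The ':'
 * must follow the key directly, so "model" does not match the "model name" line. */
static int cpuinfo_field(const char *text, const char *key, char *out, size_t outlen) {
    size_t klen = strlen(key);
    const char *line = text;
    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > klen && strncmp(line, key, klen) == 0) {
            const char *p = line + klen, *end = line + len;
            while (p < end && (*p == ' ' || *p == '\t')) p++;
            if (p < end && *p == ':') {
                p++;
                while (p < end && (*p == ' ' || *p == '\t')) p++;
                size_t vlen = (size_t)(end - p);
                if (vlen >= outlen) vlen = outlen - 1;
                memcpy(out, p, vlen);
                out[vlen] = '\0';
                return 1;
            }
        }
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Whole-word search in the space-separated flags list ("nx" must not match "nxe"). */
static int has_flag(const char *flags, const char *name) {
    size_t n = strlen(name);
    for (const char *p = flags; (p = strstr(p, name)) != NULL; p += n) {
        int starts = (p == flags) || p[-1] == ' ';
        int ends = p[n] == '\0' || p[n] == ' ';
        if (starts && ends) return 1;
    }
    return 0;
}

/* Rebuild CPUID.1:EAX from the kernel's decoded fields: the kernel reports
 * family = base + extended family (base 0xF) and, for family 6 and 15+,
 * model = (extended model << 4) | base model. Stepping is the low nibble. */
unsigned cpuid_signature(int family, int model, int stepping) {
    unsigned base_family = family >= 15 ? 0xFu : (unsigned)family;
    unsigned ext_family  = family >= 15 ? (unsigned)(family - 15) : 0u;
    int split_model = (family == 6 || family >= 15);
    unsigned base_model = split_model ? (unsigned)(model & 0xF) : (unsigned)model;
    unsigned ext_model  = split_model ? (unsigned)(model >> 4) : 0u;
    return (ext_family << 20) | (ext_model << 16) | (base_family << 8) |
           (base_model << 4) | ((unsigned)stepping & 0xFu);
}

/* Signature derived from cpuinfo text, or 0 if a field is missing. */
unsigned cpuinfo_signature(const char *text) {
    char fam[32], mod[32], step[32];
    if (!cpuinfo_field(text, "cpu family", fam, sizeof fam) ||
        !cpuinfo_field(text, "model", mod, sizeof mod) ||
        !cpuinfo_field(text, "stepping", step, sizeof step)) return 0;
    return cpuid_signature(atoi(fam), atoi(mod), atoi(step));
}

/* 2: kernel sees nx; 1: no nx but pae (a -pae kernel can still do partial emulation);
 * 0: neither; -1: no flags line. Whether NX *should* be present is not derivable here. */
int nx_status(const char *text) {
    char flags[1024];
    if (!cpuinfo_field(text, "flags", flags, sizeof flags)) return -1;
    if (has_flag(flags, "nx")) return 2;
    return has_flag(flags, "pae") ? 1 : 0;
}

/* SMBIOS type 4 "ID" is CPUID.1 EAX then EDX as little-endian bytes. NX is reported in
 * CPUID.80000001:EDX[20], which this field does not carry, so it cannot reveal NX. */
static int parse_dmi_id(const char *id, unsigned *eax, unsigned *edx) {
    unsigned b[8];
    if (sscanf(id, "%x %x %x %x %x %x %x %x", &b[0], &b[1], &b[2], &b[3],
               &b[4], &b[5], &b[6], &b[7]) != 8) return 0;
    *eax = b[0] | (b[1] << 8) | (b[2] << 16) | (b[3] << 24);
    *edx = b[4] | (b[5] << 8) | (b[6] << 16) | (b[7] << 24);
    return 1;
}
unsigned dmi_signature(const char *id)   { unsigned a, d; return parse_dmi_id(id, &a, &d) ? a : 0; }
unsigned dmi_feature_edx(const char *id) { unsigned a, d; return parse_dmi_id(id, &a, &d) ? d : 0; }

int main(void) {
    printf("cpuinfo signature 0x%04X, SMBIOS signature 0x%04X, nx status %d, SMBIOS PAE bit %u\n",
           cpuinfo_signature(sample_cpuinfo), dmi_signature(sample_dmi_id),
           nx_status(sample_cpuinfo), (dmi_feature_edx(sample_dmi_id) >> 6) & 1u);
    return 0;
}
```

For Mike's box the two signatures agree at 0x0F41, the PAE bit (EDX bit 6) is set, and nx_status is 1: the kernel has PAE to work with but no nx flag, which is the "is the BIOS hiding it or does the part not have it" question the rest of the thread is about. To run it against a live machine, replace the embedded strings with the contents of /proc/cpuinfo and the ID line of `dmidecode -t 4`.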
 
Old 05-11-2010, 03:54 AM
"Mike.lifeguard"
 
Default check-bios-nx

On 10-05-11 12:41 AM, Paul Graydon wrote:
> From the information provided it's a bit uncertain what we're dealing
> with. The dmidecode information suggests (possibly?) that the CPU is
> underclocked, as it's maximum speed is 3.4Ghz....
> If underclocked then the CPU isn't capable of NX. If it's not
> underclocked it is!

I don't think it is underclocked, but I also haven't been able to find
the NX setting (or any of the other names it goes by) in BIOS settings.

> I'm going to make a slight assumption here and presume that as it's a
> workstation masquerading as a server that it's not in a live internet
> serving environment? If so it's not worth fussing about. If, on the
> other hand, it is visible to the great unwashed masses, it may well be
> worth switching to a PAE kernel or installing a 64bit version of Ubuntu
> on there. In a live environment any extra protection you can get is
> worth it, especially if it's easy to achieve!

It is a workstation pretending to be a server, yes. And yes, it is
visible to the unwashed masses - but it already uses a 32bit -pae
kernel, which should have emulated nx.

I guess I'll reboot again to look in BIOS settings for this & if I don't
see it I'll be satisfied with emulated nx from the -pae kernel.

Thanks for your help guys,
-Mike

 
Old 05-11-2010, 05:32 AM
Eric
 
Default check-bios-nx

Good call Jim,
Yeah, I would like to follow this one; keep it on the server list.
Cheers, E

I'm mobile, excuse the typos. Sent from my phone.
On May 10, 2010, at 7:57 PM, Jim Tarvid <tarvid@ls.net> wrote:

<snip>
 
Old 05-11-2010, 08:42 AM
Kees Cook
 
Default check-bios-nx

Hi,

On Mon, May 10, 2010 at 10:57:04PM -0400, Jim Tarvid wrote:
> Fascinating in a perverse way. The NX (no execute bit) is a tacit concession
> that Von Neumann architecture is a mistake. Not sure how much performance is
> lost by using it and even less sure if anybody actually uses it. It may be

True NX hardware incurs no performance loss because the NX bit is just part
of the normal memory page management of the hardware. (But yes, mixing
code and data is an unfortunate result of virtual memory architectures.)

> On Mon, May 10, 2010 at 10:13 PM, Mike.lifeguard
> <mike.lifeguard@gmail.com>wrote:
> >
> > On 10-05-10 10:49 PM, Jim Tarvid wrote:
> > > Why not post /proc/cpuinfo and hwinfo --cpu here? You may have talked me
> > > into investing a little in this box.
> >
> > Sure thing:
> >
> > mikelifeguard@binnie:~$ cat /proc/cpuinfo
> > processor : 0
> > vendor_id : GenuineIntel
> > cpu family : 15
> > model : 4
> > model name : Intel(R) Pentium(R) 4 CPU 3.00GHz
> > stepping : 1

So, this is likely a bug in check-bios-nx. That script attempts to make a
guess at whether or not NX _should_ exist for a CPU, since the BIOS will
totally find it (there's no way to query "should you have NX?").

Based on
http://processorfinder.intel.com/List.aspx?ParentRadio=All&ProcFam=483&SearchKey=
with 3 GHz, 1 MB cache, there are 9 CPUs, 5 of which have NX, 4 don't:
http://processorfinder.intel.com/details.aspx?sSpec=SL7L4
http://processorfinder.intel.com/details.aspx?sSpec=SL7J6
http://processorfinder.intel.com/details.aspx?sSpec=SL7KK
http://processorfinder.intel.com/details.aspx?sSpec=SL8JZ

I haven't found a way to determine the sSpec, so I'm not sure how to
improve check-bios-nx in these cases.

To disable the motd warning, just delete /etc/update-motd.d/20-cpu-checker

I hope this helps!

-Kees

--
Kees Cook
Ubuntu Security Team

 
Old 05-11-2010, 08:48 AM
Kees Cook
 
Default check-bios-nx

On Mon, May 10, 2010 at 05:41:28PM -1000, Paul Graydon wrote:
> If, however, it actually is a 3Ghz chip then it'll be this one:
>
> http://processorfinder.intel.com/details.aspx?sSpec=SL7PU

This should have NX, but I don't know what the mapping is between the
"stepping" as "1" vs D0, E0, G1, etc.

> Here's a gotcha of NX bit protection as I understand it: You need to be
> running a 64bit kernel of some description for it to work, or be using a
> PAE kernel, as it operates in bit number 63.

Right, needs PAE (which all 64bit uses). Without 64bit, you'll get
partial NX emulation:
https://wiki.ubuntu.com/Security/Features#Non-Exec%20Memory

> serving environment? If so it's not worth fussing about. If, on the
> other hand, it is visible to the great unwashed masses, it may well be
> worth switching to a PAE kernel or installing a 64bit version of Ubuntu
> on there. In a live environment any extra protection you can get is
> worth it, especially if it's easy to achieve!

If it doesn't have true NX, I'd generally recommend using a 32bit kernel so
you gain the partial NX emulation.

-Kees

--
Kees Cook
Ubuntu Security Team

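Kees's two points above, that true NX costs nothing because it is just a bit in the page-table entry, and that on 32-bit you need a PAE kernel to get it (the bit only exists in the 64-bit PAE entry format), are easiest to see by trying to run code from a page that lacks the execute permission. The following is an added example, not Kees's demo from people.canonical.com and not code from the thread: it writes a tiny "return 42" stub into an anonymous page, calls it first with PROT_EXEC and then without, and catches the fault so the process survives. The stub bytes, function names and the choice of catching SIGSEGV with sigsetjmp are my own; the stubs are given for x86/x86-64 and arm64 only.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Machine code for a function that returns 42 on the host CPU (constructed for this example). */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char ret42[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };           /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char ret42[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 }; /* mov w0,#42 ; ret */
#else
#error "add the return-42 stub for this architecture"
#endif

typedef int (*stub_fn)(void);
static sigjmp_buf fault_jmp;

static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_jmp, 1);   /* unwind out of the faulting call; mask restored by savesigs=1 */
}

/* Copy the stub into a fresh page, set the page to `prot`, and call it.
 * Returns the stub's value, -1 if the call faulted, -2 if mmap/mprotect failed. */
static int run_stub_with(int prot) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -2;
    memcpy(p, ret42, sizeof ret42);
    __builtin___clear_cache((char *)p, (char *)p + sizeof ret42);   /* required on arm64 */
    if (mprotect(p, page, prot) != 0) { munmap(p, page); return -2; }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int result;
    if (sigsetjmp(fault_jmp, 1) == 0) {
        stub_fn f;
        memcpy(&f, &p, sizeof f);    /* object pointer to function pointer without a cast warning */
        result = f();
    } else {
        result = -1;                 /* the CPU refused to fetch instructions from this page */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(p, page);
    return result;
}

/* 1 if running code from a PROT_READ|PROT_WRITE page is blocked (hardware NX, or the
 * kernel's partial emulation on a non-NX 32-bit build), 0 if the bytes execute anyway. */
int nx_enforced(void) { return run_stub_with(PROT_READ | PROT_WRITE) == -1; }

/* The same bytes in a PROT_READ|PROT_EXEC page run normally: execute permission is a
 * per-page attribute in the page-table entry, so enforcing it adds no run-time cost. */
int exec_page_result(void) { return run_stub_with(PROT_READ | PROT_EXEC); }

int main(void) {
    printf("executable page returned %d\n", exec_page_result());
    printf("non-executable page: %s\n",
           nx_enforced() ? "blocked (NX in effect)" : "ran anyway (no NX for this mapping)");
    return 0;
}
```

On a 64-bit kernel, or a -pae kernel on hardware with the nx flag, the second line reports "blocked"; on Mike's non-NX Pentium 4 with a -pae kernel the result depends on the emulation Kees links to, and "ran anyway" there is the concrete meaning of "partial". Note the example only measures the process's own mappings; it says nothing about whether the BIOS is hiding NX from the kernel, which remains the check-bios-nx question.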
 