codeblog code is freedom — patching my itch

February 18, 2010

data mining for NX bit

Filed under: Blogging,Debian,Security,Ubuntu,Ubuntu-Server — kees @ 11:15 am

9% of Ubuntu systems that were used to report bugs that included their /proc/cpuinfo file need to fix their BIOS settings to gain the NX bit.

Check for yourself. (Run it with --verbose for useful details.)

Out of 7511 Ubuntu bugs Brian Murray collected for me that included /proc/cpuinfo files, there were 7270 unique contents (which surprised me — I was expecting this to be much lower).

  • 5 (0.07%) were non-x86.
  • 1 (0.02%) had corrupted contents (likely due to a search/replace in apport gone awry).
  • 5670 (77.99%) had NX (this also surprised me — I was not expecting it to be so high).
  • 337 (4.64%) lacked PAE, and so cannot have NX (I didn’t expect this to be so low; Ubuntu bug reporters must have relatively recent hardware overall).
  • 595 (8.18%) had PAE and correctly lacked NX (I didn’t expect this to be so high — PAE without NX is a bit more common than I’d hoped; hopefully these systems are running 32bit kernels to at least get the partial NX emulation).
  • 662 (9.1%) had PAE but incorrectly lacked NX.

It’s this last group of systems I’m hoping to get fixed through education.
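The bucketing above can be sketched as follows. This is an added example, not the check-bios-nx script linked from this post: it uses only the `pae` and `nx` entries on the cpuinfo `flags` line, and the sample dumps are constructed. Telling "correctly lacks NX" from "NX disabled in BIOS" needs CPU model data that is not given here, so PAE-without-NX systems stay in one bucket for manual follow-up.

```python
from collections import Counter

def parse_cpuinfo(text):
    """Return the first processor stanza of a /proc/cpuinfo dump as a dict."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            if fields:
                break              # a blank line ends the first stanza
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def classify(text):
    """Sort one cpuinfo dump into a bucket using only its flags line."""
    cpu = parse_cpuinfo(text)
    if "flags" not in cpu:
        return "no-flags-line"     # assumption: non-x86 or corrupted report
    flags = set(cpu["flags"].split())
    if "nx" in flags:
        return "nx"
    if "pae" not in flags:
        return "no-pae"            # without PAE the CPU cannot have NX
    return "pae-no-nx"             # absent in hardware OR disabled in BIOS

def survey(reports):
    """Deduplicate reports by content, then count how many fall in each bucket."""
    unique = set(reports)
    return len(unique), Counter(classify(r) for r in unique)

# Constructed sample dumps (not taken from the real bug-report data set).
NX = "processor\t: 0\nflags\t\t: fpu pae nx lm\n\nprocessor\t: 1\nflags\t\t: fpu pae nx lm\n"
PAE_ONLY = "processor\t: 0\nflags\t\t: fpu pae sse2\n"
NO_PAE = "processor\t: 0\nflags\t\t: fpu mmx\n"
ARM = "Processor\t: ARMv7 (constructed)\nFeatures\t: swp half thumb\n"
SAMPLES = [NX, NX, PAE_ONLY, NO_PAE, ARM]   # one duplicate on purpose

if __name__ == "__main__":
    total, counts = survey(SAMPLES)
    for bucket, n in counts.most_common():
        print(f"{bucket:14} {n} ({100 * n / total:.2f}%)")
```

Machines that land in `pae-no-nx` are the ones worth checking against the BIOS setup screen.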

© 2010, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.


  1. Just be sure that CoreBoot has proper defaults when it gets to the point where Ubuntu can automatically offer to install it.

    Proprietary BIOSes all suck.

    Comment by ethana2 — February 18, 2010 @ 11:52 am

  2. 7270 out of 7511 seems a bit high. It would be interesting to look more closely to see which lines are causing the uniqueness. For example if you group all your 7511 into groups by cpu family and model can you identify a field that is causing enhanced uniqueness? Perhaps stepping or the MHz field are causing uniqueness inside a cpu family model group?


    Comment by Jef Spaleta — February 18, 2010 @ 12:07 pm

  3. Looks like stepping, cache, model name, etc. All the raw data is in the “tests” sub-directory of the check-bios-nx URL in the post, if anyone wants to study it.

    Comment by kees — February 18, 2010 @ 12:20 pm

  4. > 337 (4.64%) lacked PAE – I didn’t expect this to be so low; Ubuntu bug reporters must have relatively recent hardware overall

    The first implementation of PAE was Intel’s Pentium Pro, which was released in 1995. I don’t know if that’s what you call “relatively recent” but I think this one wouldn’t be able to run Ubuntu anyway.

    The only system I’ve seen so far not capable of PAE was a Toshiba laptop with an Intel Core 2 Duo – which does support PAE but Toshiba crippled it somehow so neither PAE nor 64bit would work.

    Comment by Florian Ludwig — February 19, 2010 @ 3:14 am

  5. For kicks I ran this across our desktops – of 54 units, all had PAE, 4 have NX disabled in BIOS, 8 have nx enabled, rest aren’t nx capable. I made a note to enable it on desktop rebuilds checklist.

    Is there any case of this causing issues in Linux? I understand lots of common Windows software isn’t compatible (I believe IrfanView is the poster child here)

    Comment by furicle — February 19, 2010 @ 9:08 am

  6. Thanks for the props man!

    Comment by Brian Murray — February 20, 2010 @ 7:37 am

  7. Nice stats. Why do Linux distros continue to think people run this stuff on 486’s? This train of thought has held back Linux for a long time.

    Comment by anonon — February 26, 2010 @ 8:54 am

  8. “hopefully these systems are running 32bit kernels to at least get the partial NX emulation”
    Which most of them are by definition anyway, as they cannot run 64-bit at all. In fact, the only 64-bit processor I can think of that falls into that category is the Xeon Nocona D0-step from 2004, Intel’s first x86-64 processor that was pretty much limited only to servers.

    Comment by Yuhong Bao — June 10, 2010 @ 5:41 pm

  9. You are totally right! It looks like all the 595 PAE-but-no-NX are 32-bit (they lack the “address sizes” line in cpuinfo). And out of the 662 missing NX, 549 of those are 32-bit.

    Comment by kees — June 10, 2010 @ 6:01 pm
