Valter Douglas Lisbôa Jr.
douglas at trenix.com.br
Fri Aug 1 04:18:41 PDT 2008
On Friday 01 August 2008 03:56:49 Jan Dvorak wrote:
> On Thursday 31 July 2008 17:12:31 Valter Douglas Jr. wrote:
> > Aside from 64-bit systems having more bugs than 32-bit, it could
> > be a good candidate to not have troubles (except when you mix it with
> > Xen, nasty thing). [talking about PaX]
> Can you go more into details?
Of course. Since PaX is a kernel patch and does not depend (entirely) on user
space recompilation, it applies its security tricks very softly on the system.
Of course, there are applications (off the top of my head right now, X and Java)
that rely on some memory behaviour, which causes PaX to bring them down. But
paxutils can overcome this by removing them from the system checks.
I have always heard that 64-bit systems have stability issues; I have not tested
it personally, but I think it's a matter of time to adjust the new systems.
Really, all new machines have 64-bit CPUs, and we do not use all their power!
But as you say, the authors claim it works really well on 64 bits. But
the same has been said about the 2.6.x patches, which can be broken because
they are still in testing. The only thing we can do is test it.
NOTE: I ask myself, when will they admit that PaX is stable on 2.6.x? I
cannot use 2.4.x kernels because new drivers are only added to 2.6.x, and I
guess other people (including all participants of the LFS projects) use 2.6
kernels. Almost all major distros have 2.6.x kernels too. :-)
> I only found some information about
> potential problems on non-hardware-emulated systems. I don't plan on
> using Xen, but the main reason I'm going for x86_64 HLFS is KVM/QEMU with
>4G memory and ability to run x86_64 guests.
The big problem is the patching: the Xen patches heavily modify some parts of the
kernel, and one of these parts is heavily modified by PaX. I tried for two weeks
to merge both patches on kernel 2.6.18 without success (I'm not a kernel
hacker, yet); I could not even make it compile. I'll try to mix them again using
a 2.6.26.x kernel as a DomU with the PaX patches.
QEMU, VirtualBox and other user-space virtualization have less chance to
generate bugs. I tried to compile and run an LFS on QEMU a long time ago; since the
system was 32-bit and very basic, I was successful.
KVM is hardware dependent (I know, the 2.6.26.x KVM has paravirtualization, but
it's a very new thing in it and not well tested) and I have not tested it yet.
All modern CPUs have the NX bit; try googling about it and the kernel. PaX has a
performance improvement on PAGEEXEC protection if it uses NX.
Valter Douglas Lisbôa Jr.
Trenix - IT Solutions
"Our Ideas, your Solutions!"
contato at trenix.com.br
Tel. +55 19 3402.2957
Cel. +55 19 9183.4244
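The mail closes on the point that PaX PAGEEXEC is cheaper when the CPU's NX bit is available. The script below is an added example (not code from the mail, from HLFS or from the PaX project) that checks that precondition: it parses the `flags` line of `/proc/cpuinfo` for `nx`, `pae` and `lm` and reports whether a given kernel build can hand PAGEEXEC to the hardware or will fall back to PaX's software emulation. The cpuinfo text embedded in it is a constructed sample, and the `needs-pae` / `software-only` labels are this example's own naming, not PaX terminology.

```python
"""Readiness check for hardware PAGEEXEC: does this CPU/kernel pair give NX?

Added example, not code from the original mail or from the PaX project.
The "nx" entry in the flags line of /proc/cpuinfo means the CPU supports
the no-execute page-table bit. A 64-bit kernel always uses page tables
that carry it; a 32-bit kernel can only use it when built with PAE.
Without usable NX, PaX PAGEEXEC is still enforced, but in software,
which is the performance gap the mail refers to.
"""
import sys

# Constructed sample in the layout of /proc/cpuinfo; not captured from a real host.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Example CPU (constructed sample)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm
"""


def cpu_flags(cpuinfo_text):
    """Return the feature flags from the first 'flags' line of cpuinfo text."""
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            return frozenset(value.split())
    return frozenset()


def nx_assessment(flags, kernel_is_64bit, kernel_pae=False):
    """Classify how PAGEEXEC can be enforced for a CPU flag set and kernel build.

    Returns one of (labels chosen for this example):
      "hardware"      NX bit usable directly (64-bit kernel, or 32-bit + PAE)
      "needs-pae"     CPU has NX, but a 32-bit non-PAE kernel cannot use it
      "software-only" CPU has no NX; PAGEEXEC falls back to PaX's emulation
    """
    if "nx" not in flags:
        return "software-only"
    if kernel_is_64bit:
        # Long-mode page tables always carry the NX bit.
        return "hardware"
    if kernel_pae and "pae" in flags:
        # 32-bit kernels only get NX through PAE page-table entries.
        return "hardware"
    return "needs-pae"


def assess_host(path="/proc/cpuinfo"):
    """Read a live cpuinfo file and assess it for the running kernel.

    A 64-bit interpreter implies a 64-bit kernel; a 32-bit interpreter is
    treated as a 32-bit non-PAE kernel, since PAE is not visible from here
    (assumption of this example, reported conservatively).
    """
    with open(path) as fh:
        flags = cpu_flags(fh.read())
    return nx_assessment(flags, kernel_is_64bit=sys.maxsize > 2**32)


if __name__ == "__main__":
    flags = cpu_flags(SAMPLE_CPUINFO)
    print("sample CPU, 64-bit kernel:", nx_assessment(flags, True))
    print("sample CPU, 32-bit non-PAE kernel:", nx_assessment(flags, False))
    print("sample CPU, 32-bit PAE kernel:", nx_assessment(flags, False, kernel_pae=True))
```

Run it as-is to see the three verdicts for the constructed sample, or call `assess_host()` on a Linux box to read the real `/proc/cpuinfo`; a `software-only` result on a modern machine usually means NX was disabled in firmware rather than absent from the CPU.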
More information about the hlfs-dev