In arch/i386/kernel/cpu/common.c:

        /* hack: disable SEP for non-NX cpus; SEP breaks Execshield. */
#ifdef CONFIG_HIGHMEM64G
        if (!test_bit(X86_FEATURE_NX, c->x86_capability))
#endif
                clear_bit(X86_FEATURE_SEP, c->x86_capability);

So, in order to enable Execshield, the SEP cpu bit (sysenter/sysexit) has to
be turned off. But this costs a lot of performance: as much as 2.5X in
syscall-heavy benchmarks (e.g., process tests in lmbench).

That is unavoidable on CPUs that do not have NX support. Using sysexit
resets to flat 4GB segments, so you lose the protection of a limited code
segment preventing all readable pages from being executable. When the CPU
supports the NX page table bit, we don't use segments for execute
permission and so it is safe to enable sysenter/sysexit. CPUs being sold
this year have NX support, so you don't have this limitation.
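To make the trade-off above concrete, here is an added model (not code from this thread or from the kernel) of the two execute-permission mechanisms: a code segment limit, which marks every page at or below the limit executable, versus the per-page NX bit. The page layout, the `struct page` type and the function names are constructed for the example; `execshield_cs_limit` mimics the idea of setting the limit to the end of the highest executable mapping, and `leaked_exec_pages` counts pages that become executable although they were never mapped with PROT_X, which is exactly what happens when sysexit resets the limit to flat 4GB.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE  4096u
#define FLAT_LIMIT 0xFFFFFFFFu  /* flat 4GB code segment, as after sysexit */

enum { PROT_R = 1, PROT_X = 2 };
struct page { uint32_t addr; int prot; };  /* one 4 KiB user page (model) */

/* Execshield on a non-NX CPU: a page executes iff it lies at or below
 * the code segment limit, whatever its prot bits say. */
static bool exec_via_segment(const struct page *p, uint32_t cs_limit)
{
    return p->addr <= cs_limit;
}

/* CPU with NX: executability is tracked per page in the page tables. */
static bool exec_via_nx(const struct page *p)
{
    return (p->prot & PROT_X) != 0;
}

/* Limit the segment scheme would choose: end of the highest PROT_X page. */
static uint32_t execshield_cs_limit(const struct page *pages, size_t n)
{
    uint32_t limit = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t end = pages[i].addr + PAGE_SIZE - 1;
        if ((pages[i].prot & PROT_X) && end > limit)
            limit = end;
    }
    return limit;
}

/* Count pages that execute although they were mapped without PROT_X. */
static int leaked_exec_pages(const struct page *pages, size_t n,
                             uint32_t cs_limit, bool have_nx)
{
    int leaked = 0;
    for (size_t i = 0; i < n; i++) {
        bool exec = have_nx ? exec_via_nx(&pages[i])
                            : exec_via_segment(&pages[i], cs_limit);
        if (exec && !(pages[i].prot & PROT_X))
            leaked++;
    }
    return leaked;
}
```

With a text segment at 0x08048000 and read-only data, heap and stack above it, the segment limit leaks nothing, the flat limit after sysexit makes all three non-X pages executable, and the NX model is unaffected by the limit; the model also shows that a readable page mapped below the text stays executable under the segment scheme, which NX avoids.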