On Tue, 24 Feb 2009 15:38:42 -0800 (PST)
Roland McGrath <roland(a)redhat.com> wrote:
> If we have NX (which anything made in the last few years will)
> it's a performance win to use the hardware NX instead of the
> segment limit hack we implemented in execshield.
It's more than performance. The segment limit hack is a hack, and does not
actually do full enforcement in all cases (though we have already bent over
backward to ensure that these cases do not come up by default).
Hardware NX is 100% reliable.
We also need to look for lm to see if we can install a 64-bit kernel.
So something like:
    if (lm)
        install 64-bit
    else
        if (!pae) || (!nx && memory < 4GB)
            install i586
        else
            install PAE
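
The selection order sketched in the message above, written out as runnable Python. This is an added example, not code from the thread or from any installer; it assumes the flags are read from the `flags` line of /proc/cpuinfo and memory from `MemTotal` in /proc/meminfo, and all function names and sample inputs are constructed.

```python
import re

FOUR_GB_KB = 4 * 1024 * 1024  # 4 GiB in kB, the unit /proc/meminfo reports

def cpu_flags(cpuinfo_text):
    """Flags of the first CPU, as whole tokens (so 'lahf_lm' never counts as 'lm')."""
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            return set(value.split())
    return set()

def mem_total_kb(meminfo_text):
    """MemTotal in kB; this is what the running kernel sees, not installed RAM."""
    m = re.search(r"^MemTotal:\s+(\d+)\s+kB", meminfo_text, re.MULTILINE)
    if m is None:
        raise ValueError("MemTotal not found")
    return int(m.group(1))

def choose_kernel(cpuinfo_text, meminfo_text):
    """Apply the message's decision order: lm first, then pae/nx/memory."""
    flags = cpu_flags(cpuinfo_text)
    if "lm" in flags:
        return "64-bit"
    if "pae" not in flags or ("nx" not in flags
                              and mem_total_kb(meminfo_text) < FOUR_GB_KB):
        return "i586"
    return "PAE"

# Constructed sample inputs (not captured from real machines).
def cpuinfo(flags):
    return "processor\t: 0\nmodel name\t: constructed CPU\nflags\t\t: %s\n" % flags

def meminfo(kb):
    return "MemTotal:       %d kB\nMemFree:         1024 kB\n" % kb

SAMPLES = [
    ("fpu pae nx lm lahf_lm", 2097152),   # 64-bit capable
    ("fpu pae nx sse2", 1048576),         # 32-bit with hardware NX
    ("fpu pae sse2", 2097152),            # PAE but no NX, under 4 GB
    ("fpu pae sse2", 8388608),            # PAE but no NX, 8 GB visible
    ("fpu sse", 524288),                  # no PAE at all
]

if __name__ == "__main__":
    for flags, kb in SAMPLES:
        print("%-24s %8d kB -> %s" % (flags, kb, choose_kernel(cpuinfo(flags), meminfo(kb))))
```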