Hi All,
Sorry I'm just now following up on this. Not enough hours in the day. The point has come up that by dropping PAE support we are also dropping NX support, and therefore introducing a pretty big security regression. Are we okay with this? Do we want to continue to support PAE?
jeff
On Sat, Oct 14, 2017 at 6:45 PM, Jeff Backus jeff.backus@gmail.com wrote:
> Sorry I'm just now following up on this. Not enough hours in the day. The point has come up that by dropping PAE support we are also dropping NX support, and therefore introducing a pretty big security regression. Are we okay with this? Do we want to continue to support PAE?
Of course it would be Nice To Have™, but does anyone have any 32-bit system with more than 4GB RAM to test stuff? If not, we can not support it.
On Sat, Oct 14, 2017 at 12:32 PM, Alexander Ploumistos alex.ploumistos@gmail.com wrote:
> On Sat, Oct 14, 2017 at 6:45 PM, Jeff Backus jeff.backus@gmail.com wrote:
>> Sorry I'm just now following up on this. Not enough hours in the day. The point has come up that by dropping PAE support we are also dropping NX support, and therefore introducing a pretty big security regression. Are we okay with this? Do we want to continue to support PAE?
> Of course it would be Nice To Have™, but does anyone have any 32-bit system with more than 4GB RAM to test stuff? If not, we can not support it.
Again, deepest apologies for my laggard reply.
Yes, we would need a +4GB RAM machine to test the PAE end of it, but any machine should be able to leverage the NX part of it. Agreed with the Nice To Have assessment. I'm willing to accept the security risk if it eases support requirements.
jeff
On Thu, Oct 26, 2017 at 11:28 PM, Jeff Backus jeff.backus@gmail.com wrote:
> Yes, we would need a +4GB RAM machine to test the PAE end of it, but any machine should be able to leverage the NX part of it.
The first NX-capable CPUs on the AMD side were Athlon 64 and P4 for Intel, right? Does that mean that we need to support 32-bit installations on 64-bit systems in general, or just the P4s?
On Thu, Oct 26, 2017 at 5:09 PM, Alexander Ploumistos alex.ploumistos@gmail.com wrote:
> On Thu, Oct 26, 2017 at 11:28 PM, Jeff Backus jeff.backus@gmail.com wrote:
>> Yes, we would need a +4GB RAM machine to test the PAE end of it, but any machine should be able to leverage the NX part of it.
> The first NX-capable CPUs on the AMD side were Athlon 64 and P4 for Intel, right? Does that mean that we need to support 32-bit installations on 64-bit systems in general, or just the P4s?
I think we just target 32bit systems. If someone is using a 32bit install on a 64bit system, it should still 'just work', but they won't have access to the extra RAM or be able to leverage the NX bit.
jeff
On 10/26/2017 11:09 PM, Alexander Ploumistos wrote:
> On Thu, Oct 26, 2017 at 11:28 PM, Jeff Backus jeff.backus@gmail.com wrote:
>> Yes, we would need a +4GB RAM machine to test the PAE end of it, but any machine should be able to leverage the NX part of it.
> The first NX-capable CPUs on the AMD side were Athlon 64 and P4 for Intel, right? Does that mean that we need to support 32-bit installations on 64-bit systems in general, or just the P4s?
I don't quite understand this discussion. Why does this even matter? You just test on the hardware you've got, and that's it. If it supports NX/XD, fine, but if it does not, that's okay as well. It's just another dimension in the test matrix, along with any other minor architecture revision which was introduced over the years.
It's not that the 32-bit PAE/NX code paths are something revolutionary new at this point. To me, it seems completely reasonable to assume that upstream isn't doing anything completely broken. I'm pretty sure that not disabling PAE/NX support will bring the Fedora x86 kernel more in line with what else is out there, too.
(FWIW, x86-64 support implies PAE support, but there are some obscure corner cases where NX/XD support is missing.)
Thanks, Florian
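Added example, not part of the thread and not Fedora or kernel code: a small shell classifier for the "dimension in the test matrix" mentioned above, sorting a machine by the `lm`, `pae` and `nx` flags that Linux reports in `/proc/cpuinfo`. The function names are hypothetical and the sample flag strings are constructed.

```shell
#!/bin/sh
# Added example: classify a CPU for the PAE/NX test matrix discussed in the thread.
# /proc/cpuinfo flags used: lm = x86_64 capable, pae = PAE paging, nx = NX/XD.
# Function names are hypothetical; sample flag strings are constructed.

has_flag() {  # $1 = flag, $2 = space-separated flag list; whole-word match
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

classify_cpu_flags() {  # $1 = flag list, prints one test-matrix bucket
    if has_flag lm "$1"; then
        if has_flag nx "$1"; then echo "x86_64, NX available"
        else echo "x86_64, no NX"; fi
    elif has_flag pae "$1"; then
        if has_flag nx "$1"; then echo "32-bit only, NX needs a PAE kernel"
        else echo "32-bit only, PAE without NX"; fi
    else
        echo "32-bit only, no PAE, no NX"
    fi
}

classify_this_machine() {  # returns 1 when there is no x86-style flags line
    [ -r /proc/cpuinfo ] || return 1
    live=$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2)
    [ -n "$live" ] || return 1
    classify_cpu_flags "$live"
}

# Constructed samples, one per bucket
for sample in "fpu vme pae nx lm" "fpu vme pae lm" "fpu vme pae nx" \
              "fpu vme pae" "fpu vme"; do
    printf '%-20s -> %s\n' "$sample" "$(classify_cpu_flags "$sample")"
done
classify_this_machine || echo "no x86 flags line in /proc/cpuinfo"
```

Only the "32-bit only, NX needs a PAE kernel" bucket is the hardware that loses NX when the 32-bit PAE kernel is dropped.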
On Fri, Oct 27, 2017 at 8:38 AM, Florian Weimer fweimer@redhat.com wrote:
> On 10/26/2017 11:09 PM, Alexander Ploumistos wrote:
>> On Thu, Oct 26, 2017 at 11:28 PM, Jeff Backus jeff.backus@gmail.com wrote:
>>> Yes, we would need a +4GB RAM machine to test the PAE end of it, but any machine should be able to leverage the NX part of it.
>> The first NX-capable CPUs on the AMD side were Athlon 64 and P4 for Intel, right? Does that mean that we need to support 32-bit installations on 64-bit systems in general, or just the P4s?
> I don't quite understand this discussion. Why does this even matter? You just test on the hardware you've got, and that's it. If it supports NX/XD, fine, but if it does not, that's okay as well. It's just another dimension in the test matrix, along with any other minor architecture revision which was introduced over the years.
> It's not that the 32-bit PAE/NX code paths are something revolutionary new at this point. To me, it seems completely reasonable to assume that upstream isn't doing anything completely broken. I'm pretty sure that not disabling PAE/NX support will bring the Fedora x86 kernel more in line with what else is out there, too.
No, not new and revolutionary, but a gross hack, a code path that is much less tested, and where errors are much more likely to (and do) show up. If there were a ton of hardware with NX support and 32bit only, this might be worth a discussion, but most NX capable hardware is also x86_64. PAE should have died a long time ago.