64bit kernels inappropriately reporting they are using NX emulation

Bug #454285 reported by Kees Cook
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Fix Released | Low | Kees Cook | |
| Karmic | Fix Released | Low | Kees Cook | |

Bug Description

At boot, the 64bit kernels are reporting:
[ 0.000000] Using x86 segment limits to approximate NX protection

This is not correct, as NX bits do not need extra work to set up on 64bit. The "nx_enabled" flag is not being correctly set, so the message is misleading.

Kees Cook (kees)
Changed in linux (Ubuntu Karmic):
milestone: none → ubuntu-9.10
assignee: nobody → Kees Cook (kees)
Kees Cook (kees) wrote :

Updated with even better message!

Tim Gardner (timg-tpi) wrote :
Changed in linux (Ubuntu Karmic):
status: New → Fix Committed
Steve Langasek (vorlon) wrote :

AIUI this is cosmetic and doesn't represent an actual security problem; deferring since we're already in kernel freeze for release.

Changed in linux (Ubuntu Karmic):
importance: Undecided → Low
milestone: ubuntu-9.10 → karmic-updates
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.32-2.2

---------------
linux (2.6.32-2.2) lucid; urgency=low

  [ Andy Whitcroft ]

  * install the full changelog with the binary package
  * changelog -- explicitly note rebases and clean history
  * reinstate armel.mk with no flavours
    - LP: #449637
  * [Upstream] block: silently error unsupported empty barriers too
    - LP: #420423
  * [Config] update configs following karmic resync
  * [Config] update ports configs following karmic resync
  * [Upstream] lirc -- follow removal of .id element

  [ Colin Watson ]

  * Use section 'admin' rather than 'base'
  * Add more e100 firmware to nic-modules
    - LP: #451872
  * Add qla1280 firmware to scsi-modules
    - LP: #381037

  [ John Johansen ]

  * SAUCE: AppArmor: Set error code after structure initialization.
    - LP: #427948
  * SAUCE: AppArmor: Fix off by 2 error in getprocattr mem allocation
    - LP: #446595
  * SAUCE: AppArmor: Fix mediation of "deleted" paths

  [ Kees Cook ]

  * SAUCE: [x86] fix report of cs-limit nx-emulation
    - LP: #454285

  [ Leann Ogasawara ]

  * SAUCE: (drop after 2.6.31) input: Add support for filtering input
    events
    - LP: #430809
  * SAUCE: (drop after 2.6.31) dell-laptop: Trigger rfkill updates on wifi
    toggle switch press
    - LP: #430809

  [ Luke Yelavich ]

  * SAUCE: Add sr_mod to the scsi-modules udeb for powerpc
  * [Config] Add sd_mod to scsi-modules udeb for powerpc

  [ Mario Limonciello ]

  * SAUCE: Update to LIRC 0.8.6
    - LP: #432678
  * SAUCE: dell-laptop: Store the HW switch status internally rather than
    requerying every time
    - LP: #430809
  * SAUCE: dell-laptop: Blacklist machines not supporting dell-laptop
    - LP: #430809

  [ Stefan Bader ]

  * [Upstream] acerhdf: Limit modalias matching to supported boards
    - LP: #435958

  [ Tim Gardner ]

  * [Upstream] i915: Fix i2c init message
    - LP: #409361
  * [Config] Add sym53c8xx.ko to virtual sub-flavour
    - LP: #439415
  * [Config] Add d101m_ucode.bin to d-i/firmware/nic-modules
    - LP: #439456
  * [Config] Set default I/O scheduler back to CFQ for desktop flavours
    - LP: #381300
  * SAUCE: Created MODULE_EXPORT/MODULE_IMPORT macros
    - LP: #430694
  * SAUCE: Use MODULE_IMPORT macro to tie intel_agp to i915
    - LP: #430694
  * [Config] CONFIG_GFS2_FS_LOCKING_DLM=y
    - LP: #416325
  * SAUCE: Fix MODULE_IMPORT/MODULE_EXPORT
    - LP: #430694
  * SAUCE: Raise the default console 'quiet' level to 2
  * [Config] CONFIG_X86_PAT=y
  * [Config] Add armel arch to linux-libc-dev arches.
    - LP: #449637
  * [Config] CONFIG_X86_MCE
  * [Upstream] (drop after 2.6.31) Input: synaptics - add another Protege
    M300 to rate blacklist
    - LP: #433801

  [ Upstream Kernel Changes ]

  * sgi-gru: Fix kernel stack buffer overrun, CVE-2009-2584
  * drm/i915: Fix FDI M/N setting according with correct color depth
    - LP: #416792

linux (2.6.32-1.1) lucid; urgency=low

  [ Andy Whitcroft ]

  * rebase to v2.6.32-rc3
  * [Config] update configs following rebase to 2.6.32-rc3
  * [Config] update ports configs following rebase to 2.6.32-rc3
  * AppArmor -- fix pstrace_may_access rename
  * staging/android -- disa...


Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote : Please test proposed package

Accepted linux into karmic-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Simon Déziel (sdeziel) wrote :

I can confirm that the new kernel (linux-image-2.6.31-15-generic) fixes the log message.

dmesg now contains : "[ 0.000000] NX (Execute Disable) protection: active"

Thanks for the fix.

Stefan Bader (smb) wrote :

The change related to this bug causes a regression on suspend/resume at least on my T42p. We tracked the reason down to this line:

@@ -77,6 +77,7 @@ static void __init set_nx(void)
 #else
 static inline void set_nx(void)
 {
+ nx_enabled = ( (__supported_pte_mask & _PAGE_NX) == _PAGE_NX );
 }
 #endif
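
Review bot: The new assignment in the `#else` stub of set_nx() compares the masked value against _PAGE_NX itself, so it evaluates to true on any build where _PAGE_NX is defined as 0, because `(mask & 0) == 0` holds for every mask. Test for a non-zero result instead, for example `nx_enabled = !!(__supported_pte_mask & _PAGE_NX);`, or restrict the line to CONFIG_X86_64 and leave nx_enabled untouched elsewhere. A short comment stating that this stub only reports NX state and does not set anything up would also help the next reader.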

The problem is in arch/x86/include/asm/pgtable_types.h:
#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
#else
#define _PAGE_NX (_AT(pteval_t, 0))
#endif

which means on 32bit non-PAE _PAGE_NX is 0 and so nx_enabled gets incorrectly set to 1. This in turn causes code to be executed on resume which runs under the wrong assumptions.

To fix this, the code either has to verify that _PAGE_NX is not 0 or #ifdef the line for CONFIG_X86_64 only and leave the value of nx_enabled alone otherwise.

tags: added: verification-failed
removed: verification-needed
Changed in linux (Ubuntu):
milestone: karmic-updates → none
Kees Cook (kees) wrote :

Adjusted to test _PAGE_NX too.

Stefan Bader (smb) wrote :

Kees, just in case you get chided for the more than 80c line, we started a beauty contest for it and would have the following candidates ;-)

nx_enabled = ( (__supported_pte_mask & _PAGE_NX) != 0)
or
nx_enabled = !!(__supported_pte_mask & _PAGE_NX)

Currently applying your patch and will give test feedback here.
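
The zero-flag pitfall from the regression report and the replacement expression proposed in the thread, as an added C example that is not part of the original report or the kernel source. `pteval_t` is modelled as a single 64-bit type, and the case table, mask values and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint64_t pteval_t;               /* simplified: one width for all cases */
#define NX_BIT ((pteval_t)1 << 63)       /* _PAGE_NX on 64bit and PAE builds */

struct nx_case {
    const char *name;
    pteval_t page_nx;    /* what _PAGE_NX expands to in this build */
    pteval_t pte_mask;   /* constructed stand-in for __supported_pte_mask */
    int nx_usable;       /* ground truth: can PTEs carry the NX bit? */
};

/* Constructed cases, not values read from a real kernel. */
static const struct nx_case cases[] = {
    { "64bit/PAE, NX bit in mask",     NX_BIT, ~(pteval_t)0, 1 },
    { "64bit/PAE, NX bit not in mask", NX_BIT, ~NX_BIT,      0 },
    { "32bit non-PAE (_PAGE_NX is 0)", 0,      0xffffffffu,  0 },
};
#define NCASES (sizeof(cases) / sizeof(cases[0]))

typedef int (*nx_check)(pteval_t mask, pteval_t page_nx);

/* Form from the first patch: (mask & 0) == 0 holds for every mask. */
static int check_equals_flag(pteval_t mask, pteval_t page_nx)
{
    return (mask & page_nx) == page_nx;
}

/* Candidate from the thread: true only if a real bit survives the AND. */
static int check_nonzero(pteval_t mask, pteval_t page_nx)
{
    return !!(mask & page_nx);
}

/* Number of cases where a check disagrees with the ground truth. */
static int count_wrong(nx_check check)
{
    int wrong = 0;
    for (size_t i = 0; i < NCASES; i++)
        wrong += check(cases[i].pte_mask, cases[i].page_nx) != cases[i].nx_usable;
    return wrong;
}

int main(void)
{
    printf("equals-flag check wrong in %d case(s)\n", count_wrong(check_equals_flag));
    printf("non-zero check wrong in %d case(s)\n", count_wrong(check_nonzero));
    return 0;
}
```

The general rule the example illustrates: `(x & FLAG) == FLAG` is only a valid "flag is set" test when FLAG is guaranteed non-zero, which a config-dependent macro does not guarantee.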

Martin Pitt (pitti) wrote :

Accepted linux into karmic-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Simon Déziel (sdeziel) wrote :

I don't know if it's related to this issue but I also had suspend/resume regression with kernel 2.6.31-15.49 on a 32bit host (not PAE) and that was fixed with 2.6.31-15.50.

Simon Déziel (sdeziel) wrote :

I just retested on another computer (Lenovo R61) with 64bit kernel version 2.6.31-15.50 and the NX is reported to be active and I have no issue with suspend/resume.

So I can confirm that 2.6.31-15.50 fixes the issue for me. Thanks.

Martin Pitt (pitti)
tags: added: verification-done
removed: verification-failed verification-needed
Kees Cook (kees) wrote :
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.31-15.50

---------------
linux (2.6.31-15.50) karmic-proposed; urgency=low

  [ Kees Cook ]

  * SAUCE: Fix nx_enable reporting
    - LP: #454285

linux (2.6.31-15.49) karmic-proposed; urgency=low

  [ Benjamin Herrenschmidt ]

  * [Upstream] (drop after 2.6.31) usb-storage: Workaround devices with
    bogus sense size
    - LP: #446146

  [ John Johansen ]

  * SAUCE: AppArmor: AppArmor wrongly reports allow perms as denied
    - LP: #453335
  * SAUCE: AppArmor: Policy load and replacement can fail to alloc mem
    - LP: #458299
  * SAUCE: AppArmor: AppArmor fails to audit change_hat correctly
    - LP: #462824
  * SAUCE: AppArmor: AppArmor disallows truncate of deleted files.
    - LP: #451375

  [ Kees Cook ]

  * SAUCE: [x86] fix report of cs-limit nx-emulation
    - LP: #454285

  [ Scott James Remnant ]

  * Revert "SAUCE: trace: add trace_event for the open() syscall"
  * SAUCE: trace: add trace events for open(), exec() and uselib()
    - LP: #462111

  [ Stefan Bader ]

  * SAUCE: Fix sub-flavour script to not stop on missing directories
    - LP: #453073

  [ Tim Gardner ]

  * [Upstream] (drop after 2.6.31) Input: synaptics - add another Protege
    M300 to rate blacklist
    - LP: #433801

  [ Upstream Kernel Changes ]

  * PM: Make warning in suspend_test_finish() less likely to happen
    - LP: #464552
 -- Stefan Bader <email address hidden> Tue, 10 Nov 2009 14:31:52 +0100

Changed in linux (Ubuntu Karmic):
status: Fix Committed → Fix Released