nx

Firmware Test Suite - nx test

Most modern CPUs protect against executing non-executable memory regions (heap, stack, etc.). This is known as either Non-eXecute (NX) or eXecute-Disable (XD). This protection reduces the areas an attacker can use to perform arbitrary code execution. See https://wiki.ubuntu.com/Security/Features for more details.

Some BIOS manufacturers needlessly disable it by default. The nx test checks to see if the CPU is NX capable and if it has been disabled in the BIOS.

Typical output from this test is as follows:

Test if CPU NX is disabled by the BIOS.
--------------------------------------------------------------------------------
Test 1 of 3: Check CPU NX capability.
PASSED: Test 1, CPU has NX flags, BIOS is not disabling it.

Test 2 of 3: Check all CPUs have same BIOS set NX flag.
This test verifies that all CPUs have the same NX flag setting. Although rare,
BIOS may set the NX flag differently per CPU. 
PASSED: Test 2, All 4 CPUs have the same NX flag set.

Test 3 of 3: Check all CPUs have same msr setting in MSR 0x1a0.
This test verifies that all CPUs have the same NX flag setting by examining the
per CPU MSR register 0x1a0.
PASSED: Test 3, All 4 CPUs have the NX flag in MSR 0x1a0 set.

================================================================================
3 passed, 0 failed, 0 warnings, 0 aborted, 0 skipped, 0 info only.
================================================================================

Examples:

sudo fwts nx - 

This runs the nx test on your machine and writes the output to stdout.

sudo fwts nx

This runs the nx test on your machine and appends the output to the default log file, results.log.

Explanation of test results

Certain test results may require a little more explanation. This section gives some context for specific test failures.

| Error ID | Explanation |
|---|---|
| NXCapableNotEnabled | The CPU has NX capability but this has been disabled by the firmware. The NX setting is derived from the nx flags field in /proc/cpuinfo. |
| NXCPUFlagsInconsistent | Test2: The CPU NX capability bits are not consistently enabled across all CPUs. All CPUs should be either enabled *or* disabled, a mix means that the firmware is not configuring the NX bit consistently. The NX setting is derived from the nx flags field of all CPUs in /proc/cpuinfo. |
| NXCPUFlagsInconsistent | Test3: The CPU NX capability bits are not consistently enabled across all CPUs. The NX flag setting across all CPUs via MSR 0x1a0 is sanity checked in test3. |
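
The per-CPU checks described above can be reproduced by hand when auditing a machine. The following is an added example, not fwts code: it parses /proc/cpuinfo-style text for the nx flag on every CPU and decodes a raw MSR 0x1a0 value. The function names, verdict labels and sample input are assumptions made for illustration, and the bit position is taken from the Intel SDM rather than from this page.

```python
# Added example (not fwts code): NX checks over /proc/cpuinfo text and MSR values.

# Intel SDM: IA32_MISC_ENABLE (MSR 0x1a0) bit 34 is "XD Bit Disable".
# The bit position comes from the SDM, not from this page.
XD_BIT_DISABLE = 1 << 34

# Constructed sample input: CPU 1 is missing the nx flag.
SAMPLE_CPUINFO = (
    "processor\t: 0\nflags\t\t: fpu pae nx lm\n\n"
    "processor\t: 1\nflags\t\t: fpu pae lm\n"
)


def nx_per_cpu(cpuinfo_text):
    """Map each CPU number to True if its flags field contains 'nx'."""
    per_cpu, cpu = {}, None
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        key = key.strip()
        if key == "processor":
            cpu = int(value)
        elif key == "flags" and cpu is not None:
            # Split into whole flags so "nx" never matches inside another name.
            per_cpu[cpu] = "nx" in value.split()
    return per_cpu


def nx_verdict(per_cpu):
    """Hypothetical labels: 'enabled', 'absent', 'inconsistent' or 'unknown'."""
    states = set(per_cpu.values())
    if not states:
        return "unknown"
    if len(states) > 1:
        return "inconsistent"  # the mix described for NXCPUFlagsInconsistent
    # 'absent' alone cannot tell "not NX capable" from "disabled by firmware".
    return "enabled" if True in states else "absent"


def xd_disabled(misc_enable_value):
    """True if a raw MSR 0x1a0 value has the XD Bit Disable bit set."""
    return bool(misc_enable_value & XD_BIT_DISABLE)


if __name__ == "__main__":
    with open("/proc/cpuinfo") as f:  # Linux only
        cpus = nx_per_cpu(f.read())
    print(nx_verdict(cpus), cpus)
```

Reading a live MSR value to pass to `xd_disabled` requires root and the kernel msr driver; the function itself only decodes a value already obtained.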

FirmwareTestSuite/Reference/nx (last edited 2016-01-11 07:25:10 by anthonywong)