CPUFeatures

CPU Features

Two CPU features on x86-based hardware are not always available by default out of the box. Many BIOS manufacturers disable the features in a conservative attempt to help legacy operating systems that may perform strangely when these features are available.

Ubuntu can fully utilize these features, and as such, this page will attempt to describe where to find these features in BIOS, and how to turn them on.

Non-Executable Memory

Most modern CPUs protect against executing non-executable memory regions (heap, stack, etc) to help block the exploitation of security vulnerabilities. This feature is called either "eXecute-Disable" (XD) or "Non-eXecute" (NX) or EDB (Execute Disable Bit), depending on your BIOS manufacturer.

In reading the system's /proc/cpuinfo file, the first flags line will include nx if the BIOS is not disabling the CPU feature, and the CPU is actually NX-capable. Nearly all 64-bit CPUs are NX-capable. If the flags line contains pae, usually the CPU will support NX:

  • grep ^flags /proc/cpuinfo | head -n1 | egrep --color=auto ' (pae|nx) '

In a Dell laptop BIOS, look under "Security" / "CPU XD Support": it should be set to "enabled". In an American Megatrends BIOS, look under "CPU Features" / "Execute Disable Bit": it should be set to "enabled". Some BIOS manufacturers have released firmware updates for their BIOS to allow enabling NX (e.g. Lenovo IdeaPads) so make sure to install the latest BIOS if the NX option is missing.

In Samsung Netbooks (namely N140) enter with F2 the Bios and go to "Advanced" and set "EDB (Execute Disable Bit)" to "enabled".

On Ubuntu 10.04 and later, you can check if your hardware is expected to have NX available by running the command:

  • /usr/bin/check-bios-nx --verbose

As far as making use of the CPU feature once it's not disabled in the BIOS, it will automatically be used if you’re running a 64bit kernel. If you're using 32bit, you can start using it if you install the -server or -generic-pae flavor of the 32bit kernel. As a bonus, you get to address all your physical RAM if you do this too (since the "PAE" mode is the kernel mode that allows NX to work). In Ubuntu 9.10 and later, if you run 32bit kernels without PAE, you will still have the partial NX emulation. It is required that you use PAE if you want true NX support.

If you believe you are incorrectly getting the boot-time warning, please open a bug report against the cpu-checker package, or disable the check by removing the motd module: sudo rm /etc/update-motd.d/20-cpu-checker

Virtualization

If your system supports hardware virtualization (INTEL-VT or AMD-V), it may need to be enabled in the BIOS before this feature will be available for use by Ubuntu. If you have no interest in running virtual machines, this is safe to leave disabled.

Unlike NX above, the VT flag will always show up if your CPU supports it, but the BIOS may still be disabling its ability to function. First, check the /proc/cpuinfo flags, looking for vmx or svm:

  • grep ^flags /proc/cpuinfo | head -n1 | egrep --color=auto ' (vmx|svm) '

If this exists, then check if the kernel mentions the BIOS after loading the kvm module:

  • dmesg | grep "kvm: disabled by bios"

On Ubuntu 9.10 and later, you can check if your hardware is expected to have VT available by running the following command from the qemu-kvm package:

  • /usr/bin/kvm-ok

For details on using KVM with hardware virtualization, see the KVM Documentation.

Reference

The expected features for a given CPU can be looked up by manufacturer:

Security/CPUFeatures (last edited 2010-09-25 11:38:07 by Anmibe)