CPUFeatures

Differences between revisions 4 and 5
Revision 4 as of 2010-02-18 01:05:32
Size: 2552
Editor: c-76-105-168-175
Comment:
Revision 5 as of 2010-02-18 01:10:39
Size: 2960
Editor: c-76-105-168-175
Comment:
Deletions are marked like this. Additions are marked like this.
Line 12: Line 12:
grep ^flags /proc/cpuinfo | head -n1 | grep ' nx '}}} grep ^flags /proc/cpuinfo | head -n1 | egrep --color=auto ' (pae|nx) '}}}
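Review bot: the new pattern `' (pae|nx) '` still requires a space on both sides of the flag, so a flag that happens to be the last word on the flags line would not match; a whole-word match such as `grep -Ew 'pae|nx'` avoids that. The command now also succeeds when only `pae` is present, so the surrounding text should state that a highlighted `pae` without `nx` does not show that NX is available.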
Line 24: Line 24:
If your system supports hardware virtualization (INTEL-VT or AMD-V). Check the BIOS settings for enabling this feature. For more details on using KVM with hardware virtualization, see the [[https://help.ubuntu.com/community/KVM|KVM Documentation]]. If your system supports hardware virtualization (INTEL-VT or AMD-V), it may need to be enabled in the BIOS before this feature will be available for use by Ubuntu. To check the `/proc/cpuinfo` flags, look for `vmx` or `svm`:
  {{{
grep ^flags /proc/cpuinfo | head -n1 | egrep --color=auto ' (vmx|svm) '}}}

Since the virtualization features are not available across all modern CPU lines yet, it is best to check reference documentation (see below) for a given CPU to determine if the features are expected.

For details on using KVM with hardware virtualization, see the [[https://help.ubuntu.com/community/KVM|KVM Documentation]].
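Review bot: the added sentence "To check the `/proc/cpuinfo` flags, look for `vmx` or `svm`" does not say how to read an empty result, which could mean either a CPU without the feature or a BIOS that has it turned off; a sentence pointing readers with no output to the BIOS setting and the reference documentation would close that gap. The `' (vmx|svm) '` pattern has the same both-sides-space requirement as the NX check and would be more robust as a whole-word match.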

CPU Features

Two CPU features on x86-based hardware are not always available by default out of the box. Many BIOS manufacturers filter the features in a conservative attempt to help legacy operating systems that may perform strangely when these features are available.

Ubuntu can fully utilize these features, and as such, this page will attempt to describe where to find these features in BIOS, and how to turn them on.

Non-Executable Memory

Most modern CPUs protect against executing non-executable memory regions (heap, stack, etc.) to help block the exploitation of security vulnerabilities. This feature is called either "eXecute-Disable" (XD) or "Non-eXecute" (NX), depending on your BIOS manufacturer.

In the system's /proc/cpuinfo file, the first flags line will include nx if the BIOS is not filtering the CPU feature and the CPU is actually NX-capable. Nearly all 64-bit CPUs are NX-capable. If the flags line contains pae, the CPU will usually support NX:

  • grep ^flags /proc/cpuinfo | head -n1 | egrep --color=auto ' (pae|nx) '

In a Dell laptop BIOS, look under "Security" / "CPU XD Support": it should be set to "enabled". In an American Megatrends BIOS, look under "CPU Features" / "Execute Disable Bit": it should be set to "enabled".

On Ubuntu 10.04, you can check if your hardware is expected to have NX available by running the command:

  • /usr/lib/update-notifier/check-bios-nx --verbose

Once the CPU feature is no longer disabled in the BIOS, it is used automatically if you are running a 64-bit kernel. If you are using 32-bit, you can start using it by installing the -server or -generic-pae flavor of the 32-bit kernel. As a bonus, this also lets you address all your physical RAM (since "PAE" mode is the kernel mode that allows NX to work). In Ubuntu 9.10 and later, if you run 32-bit kernels without PAE, you will still have the partial NX emulation. It is recommended that you use PAE if you want true NX support.

Virtualization

If your system supports hardware virtualization (INTEL-VT or AMD-V), it may need to be enabled in the BIOS before this feature will be available for use by Ubuntu. To check the /proc/cpuinfo flags, look for vmx or svm:

  • grep ^flags /proc/cpuinfo | head -n1 | egrep --color=auto ' (vmx|svm) '

Since the virtualization features are not available across all modern CPU lines yet, it is best to check reference documentation (see below) for a given CPU to determine if the features are expected.

For details on using KVM with hardware virtualization, see the KVM Documentation.
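The NX and virtualization checks above, combined into shell functions that match each flag as a whole word, so a flag in the last position on the flags line is still found. This is an added example, not part of the original wiki page; the function names, status strings and the sample flags line are constructed for illustration.

```shell
#!/bin/sh
# Added example: whole-word checks of the first "flags" line in a
# cpuinfo-format file (default /proc/cpuinfo). Function names are illustrative.

cpu_has_flag() {   # usage: cpu_has_flag FLAG [FILE]
    # Print the first flags line without its label, put one flag per line,
    # then require an exact fixed-string match on a whole line.
    awk -F: '/^flags/ { print $2; exit }' "${2:-/proc/cpuinfo}" |
        tr -s ' \t' '\n' | grep -qxF "$1"
}

nx_status() {      # usage: nx_status [FILE]
    if cpu_has_flag nx "${1:-/proc/cpuinfo}"; then
        echo "nx visible"
    elif cpu_has_flag pae "${1:-/proc/cpuinfo}"; then
        # PAE without NX: the CPU usually supports NX, so the BIOS
        # XD / Execute Disable setting is the first thing to check.
        echo "pae only: check BIOS"
    else
        echo "neither pae nor nx"
    fi
}

virt_status() {    # usage: virt_status [FILE]
    if cpu_has_flag vmx "${1:-/proc/cpuinfo}"; then
        echo "vmx visible (Intel VT)"
    elif cpu_has_flag svm "${1:-/proc/cpuinfo}"; then
        echo "svm visible (AMD-V)"
    else
        echo "no vmx/svm: check BIOS or CPU reference"
    fi
}

# Constructed sample (not real hardware output): nx is the last flag on
# the line, and neither vmx nor svm is present.
sample=$(mktemp)
printf 'processor\t: 0\nflags\t\t: fpu vme pae sse2 lm nx\n' > "$sample"
echo "sample: $(nx_status "$sample"); $(virt_status "$sample")"
rm -f "$sample"

# Live system, when /proc/cpuinfo is readable:
if [ -r /proc/cpuinfo ]; then
    echo "this host: $(nx_status); $(virt_status)"
fi
```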

Reference

The expected features for a given CPU can be looked up by manufacturer:

Security/CPUFeatures (last edited 2010-09-25 11:38:07 by 91-67-62-8-dynip)