AMD64 and grsecurity

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby hanno » Sun Mar 19, 2006 7:47 am

In a few days I have to set up a brand new rootserver.

We've been using grsecurity in the past, now we switch to an amd64-machine. Any things regarding grsecurity I should know? Is it considered stable on amd64?

Any options I should avoid?
hanno
 
Posts: 26
Joined: Thu Dec 16, 2004 4:37 am

Re: AMD64 and grsecurity

Postby PaX Team » Mon Mar 20, 2006 5:45 am

hanno wrote: In a few days I have to set up a brand new rootserver.

We've been using grsecurity in the past, now we switch to an amd64-machine. Any things regarding grsecurity I should know? Is it considered stable on amd64?

Any options I should avoid?

i assume that by amd64 you also mean to run a 64-bit (amd64) kernel, not 32 bit (i386). in that case the answer is that 'it works' but... there're some unsolved security related problems. first, there's the vsyscall page handling, on amd64 (meaning both 64 bit and 32 bit userland) it exists at a fixed address and i didn't get around to remove it yet (and from what i recall, it's not trivial for the 64 bit userland case, randomizing it might be easier). second, there's no kernel self-protection (KERNEXEC/RANDKSTACK). third, there're some 64 bit CPUs that lack the NX bit support, in that case you will lack PAGEEXEC (and unfortunately it can't be determined at compile time, so you will only realize it later at runtime, check /proc/cpuinfo for 'nx').
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
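
The runtime check for 'nx' mentioned in the reply above, as an added example that is not part of the original posts: it reads only the flags line of each logical CPU and matches 'nx' as a whole token, so a CPU without NX is reported individually. The function names `check_nx`, `sample_cpuinfo_nx` and `sample_cpuinfo_mixed` are hypothetical, and the sample cpuinfo text is constructed.

```shell
#!/bin/sh
# Added example: per-CPU check for the 'nx' flag in cpuinfo-format text.

# check_nx FILE: print one line per logical CPU and return 0 only if every
# CPU lists 'nx' as a whole token on its flags line. FILE defaults to
# /proc/cpuinfo; "-" reads standard input. Returns 2 if no CPU entry is found.
check_nx() {
    awk -F: '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        trim($1) == "processor" { cpu = trim($2); order[n++] = cpu; has[cpu] = 0 }
        trim($1) == "flags" {
            m = split($2, tok, " ")      # whitespace-separated flag names
            for (i = 1; i <= m; i++) if (tok[i] == "nx") has[cpu] = 1
        }
        END {
            if (n == 0) { print "no processor entries found"; exit 2 }
            for (i = 0; i < n; i++) {
                c = order[i]
                if (has[c]) print "cpu " c ": nx present"
                else { print "cpu " c ": nx MISSING, PAGEEXEC unavailable"; bad = 1 }
            }
            exit bad + 0
        }
    ' "${1:-/proc/cpuinfo}"
}

# Constructed sample: two CPUs, both advertising nx.
sample_cpuinfo_nx() {
    cat <<'EOF'
processor : 0
model name : Constructed CPU A
flags : fpu pae mce cx8 apic sep mtrr cmov mmx fxsr sse sse2 syscall nx lm
processor : 1
model name : Constructed CPU A
flags : fpu pae mce cx8 apic sep mtrr cmov mmx fxsr sse sse2 syscall nx lm
EOF
}

# Constructed sample: CPU 1 lacks nx, and its model name contains the text
# "nx", which a whole-file word match would wrongly count as a hit.
sample_cpuinfo_mixed() {
    cat <<'EOF'
processor : 0
model name : Constructed CPU A
flags : fpu pae mce cx8 apic sep mtrr cmov mmx fxsr sse sse2 syscall nx lm
processor : 1
model name : Constructed CPU (nx-less sample)
flags : fpu pae mce cx8 apic sep mtrr cmov mmx fxsr sse sse2 syscall lm
EOF
}
```

Call `check_nx` with no argument to inspect the running system's /proc/cpuinfo.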

