Use PAE kernel when hardware supports it
Default 32-bit Ubuntu installs lack support for the "nx" bit, which leaves the bulk of installs vulnerable to code execution attacks in writable memory (stack, heap). 64-bit kernels have PAE mode enabled, which allows the "nx" bit to work. The -server flavor of the 32-bit kernel provides PAE mode for hardware that supports it. As such, the goal of this blueprint is to have Ubuntu determine the CPU capabilities and choose the most protective kernel.
- rename -server and/or -generic so that people wanting >4G physical memory will install it on desktops without confusion.
- modify DVD/alternate installer to detect CPU capabilities and choose the correct kernel
- modify jockey to detect CPU capabilities and recommend installing the correct kernel
- have jockey scream loudly when nx is disabled on 64bit or 32bit+PAE
- modify system-cleaner to suggest removal of -generic when -server is installed and running
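A sketch of the capability check the installer and jockey items above describe, added here as an example and not taken from the Ubuntu installer or jockey. The function names and the output strings are hypothetical, and it assumes the `pae` and `nx` flags appear in `/proc/cpuinfo` only when the CPU offers them and firmware has not turned them off.

```shell
#!/bin/sh
# Added example: pick a kernel flavor from CPU flags, following the blueprint.
# Flavor names (generic, server) come from the blueprint text; everything
# else (function names, status strings) is hypothetical.

# Print the flag list of the first CPU in a /proc/cpuinfo-style file.
read_flags() {
    sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' "${1:-/proc/cpuinfo}" | head -n 1
}

# has_flag "FLAG LIST" NAME: succeed only if NAME is a whole word in the list.
has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# recommend_kernel ARCH "FLAGS": print "<flavor> <nx status>".
# ARCH is i386 or amd64.
recommend_kernel() {
    arch=$1
    flags=$2
    if [ "$arch" = "amd64" ]; then
        flavor=unchanged    # 64-bit kernels already have PAE enabled
    elif has_flag "$flags" pae; then
        flavor=server       # 32-bit flavor that provides PAE
    else
        echo "generic nx-unavailable"   # no PAE, so nx cannot be used
        return 0
    fi
    if has_flag "$flags" nx; then
        echo "$flavor nx-ok"
    else
        echo "$flavor nx-missing"       # the case jockey should warn about
    fi
}

# Constructed sample (not from a real machine): PAE-capable CPU, nx absent.
sample=$(mktemp)
printf 'processor\t: 0\nflags\t\t: fpu vme pae mmx sse sse2\n' > "$sample"
recommend_kernel i386 "$(read_flags "$sample")"
rm -f "$sample"
```
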
Blueprint information
- Status: Complete
- Approver: Kees Cook
- Priority: Undefined
- Drafter: None
- Direction: Needs approval
- Assignee: None
- Definition: New
- Series goal: None
- Implementation: Implemented
- Milestone target: None
- Started by: Pete Graner
- Completed by: Pete Graner
Whiteboard
Implemented with the PAE kernel in karmic --pgraner