module support under KERNEXEC
the latest PaX test patch for 2.6 adds preliminary module support
under KERNEXEC, that is, you can now have non-executable pages and
keep using modules. of course as it is now, it's a complete circumvention
of the very idea of KERNEXEC (disabling runtime code generation in
the kernel itself), but we'll get to that later.
for now i'd like to ask adventurous souls to enable KERNEXEC and
module support and see what blows up. it works here (TM), but that's
a small sample, hence my request. if your life depends on your machine
then better wait (it doesn't go into grsec either for some time).
if something does blow up, then be prepared to have a serial console
attached (or maybe netconsole) and logging enabled, else your kernel
will most likely be dead (or just reboot), and taking a screenshot
by hand is not much fun ;P.
some things to be aware of:
- KERNEXEC is not compatible with EFI, HOTPLUG_PCI_COMPAQ_NVRAM
and PCI_BIOS support. the latter is easy to fix as you just have
to set the PCI access method to direct. the former two depend
on your hardware, probably most of you are not affected.
- linux in a vmware guest works fine, so you can test there (although
i tried that myself, so it's not really a new data point). linux
(with KERNEXEC enabled) as a vmware host will most likely not work,
but i didn't try that myself. if it does, then it's still bad news
as it means that it probably circumvents KERNEXEC.
- due to the way non-executable pages can be implemented on i386,
the non-writable (that is, executable code and read-only data)
region reserved for modules is limited and has to be a compile