**Matthias** @_xhr_ · 2018-06-12T18:00:48Z

Matthias @_xhr_

Now that's nice. dillon@ just committed a fix that enables the NX bit for read mappings by default. And the suggestion comes from Theo.

Seems that #Spectre also has some good aspects.

http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/d92e38903042e325890d90f72881cc9ed0718db7

#DragonFlyBSD #OpenBSD

Jun 12, 2018, 18:00 · Web · 4 · 6

**Shawn Webb** @lattera@bsd.network · Jun 12, 2018, 18:53

**Shawn Webb** @lattera@bsd.network · Jun 12, 2018, 18:53

@_xhr_ How does NX relate to Spectre?

Also seems like PaX NOEXEC is a more complete solution. PaX NOEXEC has two parts:

1. PaX PAGEEXEC: Disallow mmap(RWX)
2. PaX MPROTECT: Disallow mprotect(W -> X) and mprotect(X -> W)

DFBSD's implementation is rather... meh

**Shawn Webb** @lattera@bsd.network · Jun 12, 2018, 18:57

**Shawn Webb** @lattera@bsd.network · Jun 12, 2018, 18:57

@_xhr_ Seems like I might've misinterpreted the commit. This is just the hardware side, flipping bits to support NX. Is that correct?

**Matthias** @_xhr_ · Jun 12, 2018, 19:59

**Matthias** @_xhr_ · Jun 12, 2018, 19:59

@lattera Yep, correct.

I didn't want to say that this commit is related to Spectre. I wanted to say that the actions initiated by Spectre/Meltdown brought the BSDs more closer together. I cannot remember any commit by dillion@ where he referenced Theo.

**Shawn Webb** @lattera@bsd.network · Jun 12, 2018, 20:01

**Shawn Webb** @lattera@bsd.network · Jun 12, 2018, 20:01

@_xhr_ Gotcha.

I hope DFBSD adopts PaX NOEXEC. They will need a way to toggle PaX PAGEEXEC and PaX MPROTECT on a per-application basis if so.

We already have both PaX PAGEEXEC and the toggles in #HardenedBSD. Feel free to reach out if you have any questions and I'd be glad to give non-xkcd pointers. ;)