What is the NX/XD feature?


Environment

  • Red Hat Enterprise Linux 5.
  • Red Hat Enterprise Linux 6.
  • Red Hat Enterprise Linux 7.
  • Red Hat Enterprise Linux 8.

Issue

  • What is the NX/XD feature?
  • How to check whether NX/XD is enabled?
  • How to enable or disable NX/XD?

Resolution

  • NX/XD is a hardware CPU feature that is provided in almost all hardware. Some BIOSes have an advanced option for enabling or disabling it.

  • NX stands for No eXecute and XD stands for eXecute Disable. The two are the same thing: a technology used in processors to prevent execution of certain types of code.

Checking the status

  • If the CPU has this feature, it is enabled by default unless it is overridden by the noexec=off parameter.

RHEL-7/8

To check whether the feature is enabled on the system, check the boot messages, either in /var/log/messages or from dmesg.

  • From the /var/log/messages file:
# cat /var/log/messages | grep "Execute Disable"
Feb 20 23:20:41 localhost kernel: NX (Execute Disable) protection: active
  • From the dmesg command:
# dmesg | grep "Execute Disable"
[    0.000000] NX (Execute Disable) protection: active

It is possible for both /var/log/messages and dmesg to have enough messages that the initial boot messages have disappeared or been rotated, in which case the message will not be visible. As a workaround, you can also try checking /var/log/dmesg and, in Red Hat Enterprise Linux 7 only, you can use journalctl -b | grep 'Execute Disable'.

RHEL5/6

The NX bit status boot messages are not present in RHEL-6/RHEL-5.

  • To check whether or not the CPU supports the nx feature, check /proc/cpuinfo for the nx flag:
# cat /proc/cpuinfo | grep nx | uniq
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss ht syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 x2apic popcnt aes xsave avx hypervisor lahf_lm ida arat epb pln pts dts
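
The checks above combined into one script, as an added example that is not part of the original Red Hat solution: it reads the nx flag from a cpuinfo file, looks for noexec=off on the boot command line, and takes the most recent NX boot message from a log file. The function names, the status words and the sample files are assumptions made for illustration; "default-on" relies on the statement above that NX is enabled by default unless overridden.

```shell
#!/bin/sh
# Added example (not Red Hat's tooling): one verdict from the three checks.
# File paths are arguments so saved copies from another host can be audited.

# True if a "flags" line in CPUINFO lists nx as a whole word.
cpu_has_nx() {
    grep -qE '^flags[[:space:]]*:.*[[:space:]]nx([[:space:]]|$)' "$1"
}

# True if the boot command line in CMDLINE carries noexec=off.
cmdline_disables_nx() {
    tr ' ' '\n' < "$1" | grep -qx 'noexec=off'
}

# Print the state from the most recent NX boot message in LOG, if any.
# /var/log/messages spans several boots, so only the last match counts.
boot_message() {
    grep 'NX (Execute Disable) protection:' "$1" 2>/dev/null |
        tail -n 1 | sed 's/.*protection: //'
}

# nx_status CPUINFO CMDLINE LOG -> unsupported | disabled | active | default-on
nx_status() {
    cpu_has_nx "$1" || { echo unsupported; return 0; }
    # The command line describes the current boot, so it is checked first.
    if cmdline_disables_nx "$2"; then echo disabled; return 0; fi
    case "$(boot_message "$3")" in
        active*)   echo active ;;
        disabled*) echo disabled ;;
        *)         echo default-on ;;  # no boot message (RHEL 5/6, rotated log)
    esac
}

# Constructed sample: nx in cpuinfo, but the latest boot used noexec=off.
demo() {
    d=$(mktemp -d)
    printf 'flags\t\t: fpu vme pae syscall nx lm\n' > "$d/cpuinfo"
    printf 'ro root=/dev/mapper/rhel-root noexec=off\n' > "$d/cmdline"
    printf '%s\n' \
        'Jun 22 12:30:42 rhel7 kernel: NX (Execute Disable) protection: active' \
        'Jun 23 11:11:49 rhel7 kernel: NX (Execute Disable) protection: disabled by kernel command line option' \
        > "$d/messages"
    nx_status "$d/cpuinfo" "$d/cmdline" "$d/messages"
    rm -rf "$d"
}
demo
```

On a live system, call nx_status /proc/cpuinfo /proc/cmdline /var/log/messages; a result of "default-on" means the CPU supports NX and nothing overrides it, but no boot message was found to confirm it.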

Enabling/Disabling

Although we do not recommend you disable NX/XD, it is possible to explicitly enable or disable the feature using the noexec kernel option. From the kernel source documentation:

noexec      [X86]
        On X86-32 available only on PAE configured kernels.
        noexec=on: enable non-executable mappings (default)
        noexec=off: disable non-executable mappings

For instructions on how to modify kernel parameters, please check the following solution:

How to manually modify the boot parameter in grub before the system boots

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

3 Comments

Is it sufficient to have a positive result for one of the checks, or do all checks have to be positive?

On my server:

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.7 (Santiago)
# uname -iopsrv
Linux 2.6.32-573.38.1.el6.x86_64 #1 SMP Fri Dec 9 09:54:35 EST 2016 x86_64 x86_64 GNU/Linux
# uptime
 10:29:41 up 59 min,  2 users,  load average: 0.07, 0.02, 0.00
# cat /var/log/messages | grep "Execute Disable"
(no output)
# dmesg | grep "Execute Disable"
(no output)
# cat proc/cpuinfo | grep nx | uniq
cat: proc/cpuinfo: No such file or directory
(there is a typo in point 3.)
# cat /proc/cpuinfo | grep flags | uniq | grep -v nx && echo NX not supported || echo NX supported
NX supported

Looks like the processor supports NX, but is it also enabled in the kernel?

Regards Kolja

Hello Kolja,

The "nx" flag in /proc/cpuinfo only tells us if the cpu supports the nx feature, not whether it is enabled or not.

Both /var/log/messages and dmesg can be rotated. Therefore, if the system has been up for a long time and there have been a lot of messages, it is possible that the initial messages from boot will not appear either in the "dmesg" buffer or the /var/log/messages file. In the case of /var/log/messages specifically, they might be in one of the rotated files.

Here is an example from a Red Hat Enterprise Linux 7 system where I have disabled nx using the "noexec=off" kernel boot option to disable nx. Notice that nx still appears in cpuinfo but is reported as disabled in the boot messages.

[root@rhel7 ~]# cat /proc/cmdline
BOOT_IMAGE=/vmlinuz-3.10.0-514.21.1.el7.x86_64 root=/dev/mapper/rhel-root ro rd.lvm.lv=rhel/root rd.lvm.lv=rhel/swap vconsole.font=latarcyrheb-sun16 vconsole.keymap=us console=tty0 console=ttyS0 crashkernel=128M LANG=en_US.UTF-8 noexec=off

[root@rhel7 ~]# grep 'Execute' /var/log/messages
Jun 22 12:30:42 rhel7 kernel: NX (Execute Disable) protection: active
Jun 23 11:11:49 rhel7 kernel: NX (Execute Disable) protection: disabled by kernel command line option

[root@rhel7 ~]# dmesg | grep 'Execute'
[    0.000000] NX (Execute Disable) protection: disabled by kernel command line option

[root@rhel7 ~]# grep 'nx' /proc/cpuinfo | uniq
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx rdtscp lm constant_tsc rep_good nopl eagerfpu pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm arat fsgsbase bmi1 avx2 smep bmi2 erms invpcid xsaveopt

Thank you for your question! I've modified the solution to make this a bit more clear.

Hello George,

We have a Redhat 6.9 OS here, does it mean NX feature is enabled as default with following prompts? If not, how we can confirm it is enabled or disabled? Thanks.

AVEQXULTMP010 limits.d # cat /proc/cmdline
ro root=/dev/mapper/vg-root rd_NO_LUKS  KEYBOARDTYPE=pc KEYTABLE=us LANG=en_US.UTF-8 rd_NO_MD rd_LVM_LV=vg/swap SYSFONT=latarcyrheb-sun16 crashkernel=129M@48M rd_LVM_LV=vg/root rd_NO_DM quiet
AVEQXULTMP010 limits.d # grep 'Execute' /var/log/messages
AVEQXULTMP010 limits.d # dmesg | grep 'Execute'
AVEQXULTMP010 limits.d # grep 'nx' /proc/cpuinfo | uniq
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts mmx fxsr sse sse2 ss syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts xtopology tsc_reliable nonstop_tsc aperfmperf unfair_spinlock pni pclmulqdq ssse3 cx16 sse4_1 sse4_2 popcnt aes xsave avx hypervisor lahf_lm ida arat epb pln pts dtherm
AVEQXULTMP010 limits.d #