The Debian package makefile (debian/rules) currently contains the following lines since time immemorial:
DO_MACHINE_CODE=no
ifeq ($(DEB_BUILD_ARCH),i386)
DO_MACHINE_CODE=yes
endif
ifeq ($(DEB_BUILD_ARCH),powerpc)
DO_MACHINE_CODE=yes
endif
ifeq ($(DEB_BUILD_ARCH),sparc)
DO_MACHINE_CODE=no
endif

ifeq ($(DO_MACHINE_CODE),yes)
MACHINE_OPTS=--with-machine-code
else
MACHINE_OPTS=--without-machine-code
endif
As you can see, --with-machine-code is only enabled on i386 (x86) and powerpc, for some reason. Marek Habersack had the following to say in the changelog for 7.5.17:
* Disabled using the machine code in the pike bytecode. It poses a security risk and breaks under kernels with exec-shield or PAX.
Apart from that, no explanations. Is the above reason, or any other, still valid?
I don't know what security risks he was thinking of. Except of course for the obvious one: Runtime-generated data is marked as executable...
Does execute protection work differently on PPC than on other platforms?
Not in the CPU core, no. It's a bit in the page table entry just like on every other architecture. (Bit 61 "N" in the PTE is the "No execute" bit.)
Of course, a multi-architecture kernel (such as Linux) could apply different software policies and mechanisms to different architectures, since the code differs at least at some level.
pike-devel@lists.lysator.liu.se
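The thread turns on runtime-generated data being marked executable and on kernels with exec-shield or PaX refusing it. The C probe below is an added example, not code from the thread or from Pike; it checks whether the running kernel grants a writable+executable mapping and shows the write-then-flip pattern that avoids needing one. The function names and the sample bytes are hypothetical, and the bytes are never executed.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed placeholder bytes standing in for generated code. */
static const unsigned char sample_code[] = { 0x00, 0x01, 0x02, 0x03 };

/* Returns 1 if the kernel grants an anonymous mapping that is writable and
 * executable at the same time, 0 if policy refuses it. */
int rwx_mapping_allowed(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    munmap(p, len);
    return 1;
}

/* Write-then-flip: the page is writable while code is copied in and is made
 * read+execute afterwards, so it is never writable and executable together.
 * Returns 0 on success, otherwise the errno of the step that failed. */
int emit_write_then_exec(const unsigned char *code, size_t n)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    if (n > len)
        return EINVAL;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    memcpy(p, code, n);
    int rc = 0;
    if (mprotect(p, len, PROT_READ | PROT_EXEC) != 0)
        rc = errno; /* strict policies may refuse this transition as well */
    munmap(p, len);
    return rc;
}

int main(void)
{
    printf("RWX mapping allowed: %d\n", rwx_mapping_allowed());
    printf("RW->RX emit result:  %d\n",
           emit_write_then_exec(sample_code, sizeof sample_code));
    return 0;
}
```

A result of 0 from rwx_mapping_allowed() on a given build host or target is the condition under which a code generator that relies on writable+executable memory stops working.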