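#!/usr/bin/python
# Copyright (C) 2009 Canonical, Ltd.
# License: GPLv3
# Author: Kees Cook
#
# Attempts to determine if the running CPU has NX capabilities (regardless
# of it being filtered by the BIOS).  If the CPU is NX-capable but the nx
# bit is missing from flags, exit 1 (i.e. "BIOS settings need changing"),
# otherwise exit 0 (i.e. "nothing wrong with BIOS")
#
# lacks NX:
#   not pae:
#     cpu family <= 5
#     cpu family > 6 && cpu family < 15
#     cpu family == 6, model <= 12
#   pae, cpu family == 6, model == 13 (excepting some sSpec?)
#     http://processorfinder.intel.com/List.aspx?ParentRadio=All&ProcFam=942&SearchKey=
# has NX:
#   http://processorfinder.intel.com/Default.aspx
#   pae, cpu family == 6, model >= 14
#   pae, cpu family == 15, model >= 3
#   pae, cpu family > 15
#
# Scope of the check: an "nx" entry in the flags line only shows that the
# kernel sees the CPU feature.  Whether the running kernel actually enforces
# non-executable pages is a separate question this script does not answer.

import sys

CPUINFO_PATH = '/proc/cpuinfo'


def read_cpuinfo(path=CPUINFO_PATH):
    """Return (family, model, flags) for the first CPU described in *path*.

    family and model are ints, or None when the corresponding line was not
    seen; flags is the list of feature names, or [] when no flags line was
    seen.  Reading stops as soon as all three are known, so only the first
    processor entry is considered.

    I/O and integer-parsing errors are not caught.  An uncaught exception
    ends the interpreter with status 1, which a caller cannot tell apart
    from the "BIOS settings need changing" result.
    """
    family = None
    model = None
    flags = []
    # open() + with replaces the Python 2-only file() builtin and closes the
    # handle; this form runs on both Python 2.6+ and Python 3.
    with open(path) as cpuinfo:
        for line in cpuinfo:
            line = line.strip()
            if line.startswith('cpu family\t'):
                family = int(line.split().pop())
            elif line.startswith('model\t'):
                # The trailing tab keeps "model name" lines from matching.
                model = int(line.split().pop())
            elif line.startswith('flags\t'):
                flags = line.split(':', 1)[1].strip().split()
            if model is not None and family is not None and flags:
                break
    return family, model, flags


def nx_exit_status(family, model, flags):
    """Map CPU identification to the script's exit status.

    Returns 1 when NX is expected in the CPU but absent from flags (or when
    that cannot be ruled out), and 0 when nothing points at the BIOS.
    """
    if not flags:
        # No flags found (?!): a filtered NX bit cannot be ruled out, so
        # report the warning status instead of claiming all is well.
        return 1

    # If it's in the flags, it's not being filtered by the BIOS; rejoice.
    if 'nx' in flags:
        return 0

    # Without PAE the tables in the file header list the CPU as lacking NX.
    if 'pae' not in flags:
        return 0

    if model is None or family is None:
        # Cannot identify CPU, so err on the side of the warning status.
        return 1

    # NOTE(review): these thresholds come from the Intel tables cited in the
    # file header and vendor_id is never read -- confirm they are meant to
    # apply to other vendors' family/model numbering as well.
    if (family == 6 and model >= 14) or \
       (family == 15 and model >= 3) or \
       (family > 15):
        # NX should be available in CPU, but missing from flags
        return 1

    # NX not available in CPU
    return 0


if __name__ == '__main__':
    sys.exit(nx_exit_status(*read_cpuinfo()))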