From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter =?utf-8?q?M=C3=BCller?= To: development@lists.ipfire.org Subject: Re: [PATCH] kernel: enable page poisoning on x86_64 Date: Tue, 14 Apr 2020 17:04:54 +0200 Message-ID: <582637a0-0fba-9b6a-bee1-7933dd7922d2@ipfire.org> In-Reply-To: <8305EFA8-F4F4-4194-8D74-88E3EFD377CD@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3930136827023527845==" List-Id: --===============3930136827023527845== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello Michael, > Hey, >=20 >> On 14 Apr 2020, at 15:36, Peter M=C3=BCller w= rote: >> >> Hello Michael, >> >> possibly, but I consider this as being too important in order to drop it d= ue >> to performance concerns. CONFIG_PAGE_POISONING_NO_SANITY reduces some perf= ormance >> overhead of page poisoning, but since this is currently not enabled on i58= 6, >> I did not use in on x86_64, either. >=20 > Hmm, I am really not happy with such inconsistent configurations across mul= tiple architectures. >=20 > This is either a feature that we want or not, but we do not want it on one = platform and not on the other. Yes, I am currently trying to clean this mess up as we have quite a bunch of = those. Since we probably need to have a look at each in detail, I guess opening bugs= makes more sense here... >=20 > Although I would consider the performance overhead on x86_64 much smaller t= han i586. PAE might have the same advantage than x86_64. Yes, I think so too. >=20 >> As mentioned, this is active on i586 already and I have not heard of IPFire >> being unusable on that architecture. :-) >=20 > Well, let=E2=80=99s say it is not running that well any more. I would be surprised to hear that page poisoning is the sole reason for this.= :-) Thanks, and best regards, Peter M=C3=BCller >=20 > -Michael >=20 >> >> Thanks, and best regards, >> Peter M=C3=BCller >> >>> Hi, >>> >>> Can you perform any performance benchmarks to see how much this impacts I= Psec and IPS throughput? >>> >>> -Michael >>> >>>> On 14 Apr 2020, at 15:32, Peter M=C3=BCller = wrote: >>>> >>>> This is already active on i586 and prevents information leaks from freed >>>> data. >>>> >>>> Cc: Arne Fitzenreiter >>>> Signed-off-by: Peter M=C3=BCller >>>> --- >>>> config/kernel/kernel.config.x86_64-ipfire | 4 +++- >>>> 1 file changed, 3 insertions(+), 1 deletion(-) >>>> >>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/k= ernel.config.x86_64-ipfire >>>> index b16d13504..f6819859d 100644 >>>> --- a/config/kernel/kernel.config.x86_64-ipfire >>>> +++ b/config/kernel/kernel.config.x86_64-ipfire >>>> @@ -6387,7 +6387,9 @@ CONFIG_DEBUG_KERNEL=3Dy >>>> # >>>> # CONFIG_PAGE_EXTENSION is not set >>>> # CONFIG_DEBUG_PAGEALLOC is not set >>>> -# CONFIG_PAGE_POISONING is not set >>>> +CONFIG_PAGE_POISONING=3Dy >>>> +# CONFIG_PAGE_POISONING_NO_SANITY is not set >>>> +CONFIG_PAGE_POISONING_ZERO=3Dy >>>> # CONFIG_DEBUG_PAGE_REF is not set >>>> # CONFIG_DEBUG_RODATA_TEST is not set >>>> # CONFIG_DEBUG_OBJECTS is not set >>>> --=20 >>>> 2.16.4 >>> >=20 --===============3930136827023527845==--