From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] kernel: enable page poisoning on x86_64
Date: Tue, 14 Apr 2020 15:54:08 +0100
Message-ID: <8305EFA8-F4F4-4194-8D74-88E3EFD377CD@ipfire.org>
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6394850169072085604=="
List-Id:

--===============6394850169072085604==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hey,

> On 14 Apr 2020, at 15:36, Peter Müller wrote:
>
> Hello Michael,
>
> possibly, but I consider this as being too important in order to drop it due
> to performance concerns. CONFIG_PAGE_POISONING_NO_SANITY reduces some performance
> overhead of page poisoning, but since this is currently not enabled on i586,
> I did not use it on x86_64, either.

Hmm, I am really not happy with such inconsistent configurations across multiple architectures.

This is either a feature that we want or not, but we do not want it on one platform and not on the other.

Although I would consider the performance overhead on x86_64 much smaller than i586. PAE might have the same advantage as x86_64.

> As mentioned, this is active on i586 already and I have not heard of IPFire
> being unusable on that architecture. :-)

Well, let’s say it is not running that well any more.

-Michael

>
> Thanks, and best regards,
> Peter Müller
>
>> Hi,
>>
>> Can you perform any performance benchmarks to see how much this impacts IPsec and IPS throughput?
>>
>> -Michael
>>
>>> On 14 Apr 2020, at 15:32, Peter Müller wrote:
>>>
>>> This is already active on i586 and prevents information leaks from freed
>>> data.
>>>
>>> Cc: Arne Fitzenreiter
>>> Signed-off-by: Peter Müller
>>> ---
>>> config/kernel/kernel.config.x86_64-ipfire | 4 +++-
>>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/ke= rnel.config.x86_64-ipfire >>> index b16d13504..f6819859d 100644 >>> --- a/config/kernel/kernel.config.x86_64-ipfire >>> +++ b/config/kernel/kernel.config.x86_64-ipfire >>> @@ -6387,7 +6387,9 @@ CONFIG_DEBUG_KERNEL=3Dy >>> # >>> # CONFIG_PAGE_EXTENSION is not set >>> # CONFIG_DEBUG_PAGEALLOC is not set >>> -# CONFIG_PAGE_POISONING is not set >>> +CONFIG_PAGE_POISONING=3Dy >>> +# CONFIG_PAGE_POISONING_NO_SANITY is not set >>> +CONFIG_PAGE_POISONING_ZERO=3Dy >>> # CONFIG_DEBUG_PAGE_REF is not set >>> # CONFIG_DEBUG_RODATA_TEST is not set >>> # CONFIG_DEBUG_OBJECTS is not set >>> --=20 >>> 2.16.4 >>=20 --===============6394850169072085604==--
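Review bot: CONFIG_PAGE_POISONING=y on the added line only builds the feature in; on kernels of this generation freed pages are actually poisoned only when the system boots with page_poison=1, and this patch changes nothing but the kernel config file. The commit message's claim that this "prevents information leaks from freed data" therefore depends on the boot loader configuration, so either add the parameter in the same series or state in the commit message where it is already set. Leaving CONFIG_PAGE_POISONING_NO_SANITY unset also keeps the pattern check on every allocation, which is the costlier half of the feature; the commit message should record that this was chosen to match i586 and include the IPsec and IPS throughput figures requested in the thread.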