* [PATCH] kernel: enable page poisoning on x86_64 @ 2020-04-14 14:32 Peter Müller 2020-04-14 14:33 ` Michael Tremer 0 siblings, 1 reply; 5+ messages in thread From: Peter Müller @ 2020-04-14 14:32 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 931 bytes --] This is already active on i586 and prevents information leaks from freed data. Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- config/kernel/kernel.config.x86_64-ipfire | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index b16d13504..f6819859d 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -6387,7 +6387,9 @@ CONFIG_DEBUG_KERNEL=y # # CONFIG_PAGE_EXTENSION is not set # CONFIG_DEBUG_PAGEALLOC is not set -# CONFIG_PAGE_POISONING is not set +CONFIG_PAGE_POISONING=y +# CONFIG_PAGE_POISONING_NO_SANITY is not set +CONFIG_PAGE_POISONING_ZERO=y # CONFIG_DEBUG_PAGE_REF is not set # CONFIG_DEBUG_RODATA_TEST is not set # CONFIG_DEBUG_OBJECTS is not set -- 2.16.4 ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] kernel: enable page poisoning on x86_64 2020-04-14 14:32 [PATCH] kernel: enable page poisoning on x86_64 Peter Müller @ 2020-04-14 14:33 ` Michael Tremer 2020-04-14 14:36 ` Peter Müller 0 siblings, 1 reply; 5+ messages in thread From: Michael Tremer @ 2020-04-14 14:33 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 1180 bytes --] Hi, Can you perform any performance benchmarks to see how much this impacts IPsec and IPS throughput? -Michael > On 14 Apr 2020, at 15:32, Peter Müller <peter.mueller(a)ipfire.org> wrote: > > This is already active on i586 and prevents information leaks from freed > data. > > Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org> > Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> > --- > config/kernel/kernel.config.x86_64-ipfire | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire > index b16d13504..f6819859d 100644 > --- a/config/kernel/kernel.config.x86_64-ipfire > +++ b/config/kernel/kernel.config.x86_64-ipfire > @@ -6387,7 +6387,9 @@ CONFIG_DEBUG_KERNEL=y > # > # CONFIG_PAGE_EXTENSION is not set > # CONFIG_DEBUG_PAGEALLOC is not set > -# CONFIG_PAGE_POISONING is not set > +CONFIG_PAGE_POISONING=y > +# CONFIG_PAGE_POISONING_NO_SANITY is not set > +CONFIG_PAGE_POISONING_ZERO=y > # CONFIG_DEBUG_PAGE_REF is not set > # CONFIG_DEBUG_RODATA_TEST is not set > # CONFIG_DEBUG_OBJECTS is not set > -- > 2.16.4 ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] kernel: enable page poisoning on x86_64 2020-04-14 14:33 ` Michael Tremer @ 2020-04-14 14:36 ` Peter Müller 2020-04-14 14:54 ` Michael Tremer 0 siblings, 1 reply; 5+ messages in thread From: Peter Müller @ 2020-04-14 14:36 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 1680 bytes --] Hello Michael, possibly, but I consider this as being too important in order to drop it due to performance concerns. CONFIG_PAGE_POISONING_NO_SANITY reduces some performance overhead of page poisoning, but since this is currently not enabled on i586, I did not use in on x86_64, either. As mentioned, this is active on i586 already and I have not heard of IPFire being unusable on that architecture. :-) Thanks, and best regards, Peter Müller > Hi, > > Can you perform any performance benchmarks to see how much this impacts IPsec and IPS throughput? > > -Michael > >> On 14 Apr 2020, at 15:32, Peter Müller <peter.mueller(a)ipfire.org> wrote: >> >> This is already active on i586 and prevents information leaks from freed >> data. >> >> Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org> >> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> >> --- >> config/kernel/kernel.config.x86_64-ipfire | 4 +++- >> 1 file changed, 3 insertions(+), 1 deletion(-) >> >> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire >> index b16d13504..f6819859d 100644 >> --- a/config/kernel/kernel.config.x86_64-ipfire >> +++ b/config/kernel/kernel.config.x86_64-ipfire >> @@ -6387,7 +6387,9 @@ CONFIG_DEBUG_KERNEL=y >> # >> # CONFIG_PAGE_EXTENSION is not set >> # CONFIG_DEBUG_PAGEALLOC is not set >> -# CONFIG_PAGE_POISONING is not set >> +CONFIG_PAGE_POISONING=y >> +# CONFIG_PAGE_POISONING_NO_SANITY is not set >> +CONFIG_PAGE_POISONING_ZERO=y >> # CONFIG_DEBUG_PAGE_REF is not set >> # CONFIG_DEBUG_RODATA_TEST is not set >> # CONFIG_DEBUG_OBJECTS is not set >> -- >> 2.16.4 > ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] kernel: enable page poisoning on x86_64 2020-04-14 14:36 ` Peter Müller @ 2020-04-14 14:54 ` Michael Tremer 2020-04-14 15:04 ` Peter Müller 0 siblings, 1 reply; 5+ messages in thread From: Michael Tremer @ 2020-04-14 14:54 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 2251 bytes --] Hey, > On 14 Apr 2020, at 15:36, Peter Müller <peter.mueller(a)ipfire.org> wrote: > > Hello Michael, > > possibly, but I consider this as being too important in order to drop it due > to performance concerns. CONFIG_PAGE_POISONING_NO_SANITY reduces some performance > overhead of page poisoning, but since this is currently not enabled on i586, > I did not use in on x86_64, either. Hmm, I am really not happy with such inconsistent configurations across multiple architectures. This is either a feature that we want or not, but we do not want it on one platform and not on the other. Although I would consider the performance overhead on x86_64 much smaller than i586. PAE might have the same advantage than x86_64. > As mentioned, this is active on i586 already and I have not heard of IPFire > being unusable on that architecture. :-) Well, let’s say it is not running that well any more. -Michael > > Thanks, and best regards, > Peter Müller > >> Hi, >> >> Can you perform any performance benchmarks to see how much this impacts IPsec and IPS throughput? >> >> -Michael >> >>> On 14 Apr 2020, at 15:32, Peter Müller <peter.mueller(a)ipfire.org> wrote: >>> >>> This is already active on i586 and prevents information leaks from freed >>> data. >>> >>> Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org> >>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> >>> --- >>> config/kernel/kernel.config.x86_64-ipfire | 4 +++- >>> 1 file changed, 3 insertions(+), 1 deletion(-) >>> >>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire >>> index b16d13504..f6819859d 100644 >>> --- a/config/kernel/kernel.config.x86_64-ipfire >>> +++ b/config/kernel/kernel.config.x86_64-ipfire >>> @@ -6387,7 +6387,9 @@ CONFIG_DEBUG_KERNEL=y >>> # >>> # CONFIG_PAGE_EXTENSION is not set >>> # CONFIG_DEBUG_PAGEALLOC is not set >>> -# CONFIG_PAGE_POISONING is not set >>> +CONFIG_PAGE_POISONING=y >>> +# CONFIG_PAGE_POISONING_NO_SANITY is not set >>> +CONFIG_PAGE_POISONING_ZERO=y >>> # CONFIG_DEBUG_PAGE_REF is not set >>> # CONFIG_DEBUG_RODATA_TEST is not set >>> # CONFIG_DEBUG_OBJECTS is not set >>> -- >>> 2.16.4 >> ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] kernel: enable page poisoning on x86_64 2020-04-14 14:54 ` Michael Tremer @ 2020-04-14 15:04 ` Peter Müller 0 siblings, 0 replies; 5+ messages in thread From: Peter Müller @ 2020-04-14 15:04 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 2688 bytes --] Hello Michael, > Hey, > >> On 14 Apr 2020, at 15:36, Peter Müller <peter.mueller(a)ipfire.org> wrote: >> >> Hello Michael, >> >> possibly, but I consider this as being too important in order to drop it due >> to performance concerns. CONFIG_PAGE_POISONING_NO_SANITY reduces some performance >> overhead of page poisoning, but since this is currently not enabled on i586, >> I did not use in on x86_64, either. > > Hmm, I am really not happy with such inconsistent configurations across multiple architectures. > > This is either a feature that we want or not, but we do not want it on one platform and not on the other. Yes, I am currently trying to clean this mess up as we have quite a bunch of those. Since we probably need to have a look at each in detail, I guess opening bugs makes more sense here... > > Although I would consider the performance overhead on x86_64 much smaller than i586. PAE might have the same advantage than x86_64. Yes, I think so too. > >> As mentioned, this is active on i586 already and I have not heard of IPFire >> being unusable on that architecture. :-) > > Well, let’s say it is not running that well any more. I would be surprised to hear that page poisoning is the sole reason for this. :-) Thanks, and best regards, Peter Müller > > -Michael > >> >> Thanks, and best regards, >> Peter Müller >> >>> Hi, >>> >>> Can you perform any performance benchmarks to see how much this impacts IPsec and IPS throughput? >>> >>> -Michael >>> >>>> On 14 Apr 2020, at 15:32, Peter Müller <peter.mueller(a)ipfire.org> wrote: >>>> >>>> This is already active on i586 and prevents information leaks from freed >>>> data. >>>> >>>> Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org> >>>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> >>>> --- >>>> config/kernel/kernel.config.x86_64-ipfire | 4 +++- >>>> 1 file changed, 3 insertions(+), 1 deletion(-) >>>> >>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire >>>> index b16d13504..f6819859d 100644 >>>> --- a/config/kernel/kernel.config.x86_64-ipfire >>>> +++ b/config/kernel/kernel.config.x86_64-ipfire >>>> @@ -6387,7 +6387,9 @@ CONFIG_DEBUG_KERNEL=y >>>> # >>>> # CONFIG_PAGE_EXTENSION is not set >>>> # CONFIG_DEBUG_PAGEALLOC is not set >>>> -# CONFIG_PAGE_POISONING is not set >>>> +CONFIG_PAGE_POISONING=y >>>> +# CONFIG_PAGE_POISONING_NO_SANITY is not set >>>> +CONFIG_PAGE_POISONING_ZERO=y >>>> # CONFIG_DEBUG_PAGE_REF is not set >>>> # CONFIG_DEBUG_RODATA_TEST is not set >>>> # CONFIG_DEBUG_OBJECTS is not set >>>> -- >>>> 2.16.4 >>> > ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-04-14 15:04 UTC | newest] Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2020-04-14 14:32 [PATCH] kernel: enable page poisoning on x86_64 Peter Müller 2020-04-14 14:33 ` Michael Tremer 2020-04-14 14:36 ` Peter Müller 2020-04-14 14:54 ` Michael Tremer 2020-04-14 15:04 ` Peter Müller
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox