Hello Michael,

possibly, but I consider this as being too important in order to drop it due
to performance concerns. CONFIG_PAGE_POISONING_NO_SANITY reduces some performance
overhead of page poisoning, but since this is currently not enabled on i586,
I did not use in on x86_64, either.

As mentioned, this is active on i586 already and I have not heard of IPFire
being unusable on that architecture. :-)

Thanks, and best regards,
Peter Müller

> Hi,
> 
> Can you perform any performance benchmarks to see how much this impacts IPsec and IPS throughput?
> 
> -Michael
> 
>> On 14 Apr 2020, at 15:32, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>>
>> This is already active on i586 and prevents information leaks from freed
>> data.
>>
>> Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
>> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
>> ---
>> config/kernel/kernel.config.x86_64-ipfire | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
>> index b16d13504..f6819859d 100644
>> --- a/config/kernel/kernel.config.x86_64-ipfire
>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>> @@ -6387,7 +6387,9 @@ CONFIG_DEBUG_KERNEL=y
>> #
>> # CONFIG_PAGE_EXTENSION is not set
>> # CONFIG_DEBUG_PAGEALLOC is not set
>> -# CONFIG_PAGE_POISONING is not set
>> +CONFIG_PAGE_POISONING=y
>> +# CONFIG_PAGE_POISONING_NO_SANITY is not set
>> +CONFIG_PAGE_POISONING_ZERO=y
>> # CONFIG_DEBUG_PAGE_REF is not set
>> # CONFIG_DEBUG_RODATA_TEST is not set
>> # CONFIG_DEBUG_OBJECTS is not set
>> -- 
>> 2.16.4
>