Hey,
On 14 Apr 2020, at 15:36, Peter Müller peter.mueller@ipfire.org wrote:
Hello Michael,
possibly, but I consider this as being too important in order to drop it due to performance concerns. CONFIG_PAGE_POISONING_NO_SANITY reduces some performance overhead of page poisoning, but since this is currently not enabled on i586, I did not use it on x86_64, either.
Hmm, I am really not happy with such inconsistent configurations across multiple architectures.
This is either a feature that we want or not, but we do not want it on one platform and not on the other.
Although I would consider the performance overhead on x86_64 much smaller than i586. PAE might have the same advantage as x86_64.
As mentioned, this is active on i586 already and I have not heard of IPFire being unusable on that architecture. :-)
Well, let’s say it is not running that well any more.
-Michael
Thanks, and best regards, Peter Müller
Hi,
Can you perform any performance benchmarks to see how much this impacts IPsec and IPS throughput?
-Michael
On 14 Apr 2020, at 15:32, Peter Müller peter.mueller@ipfire.org wrote:
This is already active on i586 and prevents information leaks from freed data.
Cc: Arne Fitzenreiter arne.fitzenreiter@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org
config/kernel/kernel.config.x86_64-ipfire | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index b16d13504..f6819859d 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -6387,7 +6387,9 @@ CONFIG_DEBUG_KERNEL=y # # CONFIG_PAGE_EXTENSION is not set # CONFIG_DEBUG_PAGEALLOC is not set -# CONFIG_PAGE_POISONING is not set +CONFIG_PAGE_POISONING=y +# CONFIG_PAGE_POISONING_NO_SANITY is not set +CONFIG_PAGE_POISONING_ZERO=y # CONFIG_DEBUG_PAGE_REF is not set # CONFIG_DEBUG_RODATA_TEST is not set
# CONFIG_DEBUG_OBJECTS is not set
2.16.4
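Review bot: In the added lines of the kernel.config.x86_64-ipfire hunk, CONFIG_PAGE_POISONING_NO_SANITY is left unset next to CONFIG_PAGE_POISONING_ZERO=y, and the commit message gives no reason for that choice. The stated purpose is preventing information leaks from freed data, and the thread itself notes that NO_SANITY reduces part of the overhead, so the message should record that the setting mirrors the i586 configuration and why the check is kept. Since IPsec and IPS throughput was raised as a concern, add measured numbers for both settings to the commit message, or follow up with a change that sets NO_SANITY the same way on both architectures.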