Re: [Xen-devel] x86: PIE support and option to extend KASLR randomization
On Wed, 16 Aug 2017, Ingo Molnar wrote:

> And we'd do this for _EVERY_ function call in the kernel. That kind of crap is
> totally unacceptable.

Ahh finally a limit is in sight as to how much security hardening etc can reduce kernel performance.

___
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel

Re: [Xen-devel] x86: PIE support and option to extend KASLR randomization
On Tue, 18 Jul 2017, Thomas Garnier wrote:

> Performance/Size impact:
> Hackbench (50% and 1600% loads):
> - PIE enabled: 7% to 8% on half load, 10% on heavy load.
> slab_test (average of 10 runs):
> - PIE enabled: 3% to 4%
> Kernbench (average of 10 Half and Optimal runs):
> - PIE enabled: 5% to 6%
>
> Size of vmlinux (Ubuntu configuration):
> File size:
> - PIE disabled: 472928672 bytes (-0.000169% from baseline)
> - PIE enabled: 216878461 bytes (-54.14% from baseline)

Maybe we need something like CONFIG_PARANOIA so that we can determine at build time how much performance we want to sacrifice for performance? It's going to be difficult to understand what all these hardening config options do.

Re: [Xen-devel] [kernel-hardening] Re: x86: PIE support and option to extend KASLR randomization
On Thu, 17 Aug 2017, Boris Lukashev wrote:

> Is the expectation then to have security functions also decrease size
> and operational latency? Seems a bit unrealistic if so.
> 1-2% performance hit on systems which have become at least several
> hundred % faster over recent years is not a significant performance
> regression compared to the baseline before.

Where do you get these fantastic numbers? Where can I buy a system like that? Commonly we see regressions with single threaded integer performance on most newer processor generations. These hundreds of percent improvement can only come from floating point performance using specialized instructions. There are only a very limited number of applications that can make use of it.