| 1 |
On 19 Nov 2012 at 11:37, Maxim Kammerer wrote: |
| 2 |
|
| 3 |
> On Mon, Nov 19, 2012 at 2:25 AM, Matthew Thode |
| 4 |
> <prometheanfire@g.o> wrote: |
| 5 |
> > Originally virtualization was slow on grsec/pax with either uderef or |
| 6 |
> > kernexec enabled. |
| 7 |
> |
| 8 |
> My impression was that UDEREF/KERNEXEC were slow in guest. Is it |
| 9 |
> wrong, or did these settings affect host as well? |
| 10 |
|
| 11 |
there was a bug in the per-cpu pgd feature (that those two features rely on |
| 12 |
on amd64) that, when enabled on the host, would cause a big guest slowdown |
| 13 |
(regardless of what the guest was). |
| 14 |
|
| 15 |
that these two features have a performance impact on their own is a separate |
| 16 |
issue and something i can't help without proper hw support (think SMEP/SMAP). |
| 17 |
|
| 18 |
> > Pipacs overcame this limitation in 3.5.4-r1 and |
| 19 |
> > overcame a memory commit issue kvm was having in 3.5.4-r2. He overcame |
| 20 |
> > it using nested page tables on newer CPUs, which means older CPUs will |
| 21 |
> > likely still be slow. |
| 22 |
> |
| 23 |
> So one needs at least 3.5.4-r2 in both hardened guest and host, and |
| 24 |
> nested page tables support in CPU? |
| 25 |
|
| 26 |
for this bug only the host matters and use more like 3.6 please since we no |
| 27 |
longer support 3.5 (and in a few weeks that'll become 3.7 ;) or our 2.6.32/3.2 |
| 28 |
stable series. |
| 29 |
|
| 30 |
nested page tables help with the inherent performance impact of per-cpu pgd |
| 31 |
(that is, if you enable it in your guest kernels as well), independently of |
| 32 |
the performance bug i fixed some months ago. |
Archives