Date:   Sun, 7 May 2017 23:45:48 +0200
From:   Daniel Gruss <daniel.gruss@...k.tugraz.at>
To:     Richard Weinberger <richard.weinberger@...il.com>
CC:     Christoph Hellwig <hch@...radead.org>,
        kernel list <linux-kernel@...r.kernel.org>,
        "kernel-hardening@...ts.openwall.com" 
        <kernel-hardening@...ts.openwall.com>,
        "clementine.maurice@...k.tugraz.at" 
        <clementine.maurice@...k.tugraz.at>,
        "moritz.lipp@...k.tugraz.at" <moritz.lipp@...k.tugraz.at>,
        Michael Schwarz <michael.schwarz@...k.tugraz.at>,
        Richard Fellner <richard.fellner@...dent.tugraz.at>,
        "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
        Ingo Molnar <mingo@...nel.org>,
        "anders.fogh@...ta-adan.de" <anders.fogh@...ta-adan.de>
Subject: Re: [kernel-hardening] Re: [RFC, PATCH] x86_64: KAISER - do not map
 kernel in user mode

> Just did a quick test on my main KVM host, an 8 core Intel(R) Xeon(R)
> CPU E3-1240 V2.
> KVM guests are 4.10 w/o CONFIG_KAISER and kvmconfig without CONFIG_PARAVIRT.
> Building a defconfig kernel within those guests is about 10% slower
> when CONFIG_KAISER is enabled.

Thank you for testing it! :)

> Is this expected?

It sounds plausible. First, I would expect any form of virtualization to 
increase the overhead. Second, for the processor (Ivy Bridge), I would 
have expected even higher performance overheads. KAISER utilizes very 
recent performance improvements in Intel processors...

> If it helps I can redo the same test also on bare metal.

I'm not sure how we proceed here and if this would help, because I don't 
know what everyone expects.
KAISER definitely introduces an overhead, no doubt about that. How much 
overhead it is depends on the specific hardware and may be very little 
on recent architectures and more on older machines.
We are not proposing to enable KAISER by default, but to provide the 
config option to allow easy integration into hardened kernels where 
performance overheads may be acceptable (which depends on the specific 
use case and the specific hardware).
