[grsec] Re: [gentoo-hardened] PaX: pageexec or segmexec performance numbers?

pageexec at freemail.hu pageexec at freemail.hu
Mon May 9 11:21:39 EDT 2005


> > i remember only the kernel compiles on P3, for SEGMEXEC the slowdown
> > was around 1-2%, for PAGEEXEC on 2.2/2.4 it was around 30-40% and
> > on 2.6 it was 2-3%. 
> 
> why is there such a difference between using PAGEEXEC on 2.4 and using it on 
> 2.6?

because 2.6 is an experimental branch so i did my own experiment ;-).
more seriously, i added a tweak to PAGEEXEC that makes the code
segment limit variable and everything above that limit can then be
mapped with normal user mode page table entries -> less extra page
faults, less impact. now this works as long as 'most' non-exec
mappings can be pushed above the code segment limit, to that effect
i made the mmap allocator push executable mappings in the lower part
of the address space, rest goes above as usual (2.6 allocates from
top to down itself). as you can see from the performance numbers,
this heuristic works quite well on a kernel compilation, on other
workloads 'it depends', mostly on how shared libs are mapped (as
they have code hence mapping them 'too high' will necessarily push
the code segment limit upwards and make all non-exec mappings below
use the supervisor mode PTEs -> more impact).
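
[Added example, not part of the original message and not PaX code: a simplified model of the heuristic described above, run over two constructed /proc/<pid>/maps-style layouts. It assumes the code segment limit sits at the end of the highest executable mapping; the function names and sample paths are hypothetical.]

```python
# Simplified model: every non-exec byte mapped below the code segment limit
# needs the supervisor-mode PTE treatment (extra page faults); everything
# above the limit can use normal user-mode PTEs.

# Constructed sample: executable mappings packed into the low address space.
LOW_EXEC = """
08048000-08050000 r-xp 00000000 03:01 1001 /bin/example
08050000-08052000 rw-p 00008000 03:01 1001 /bin/example
08100000-08220000 r-xp 00000000 03:01 2002 /lib/libexample.so
08220000-08224000 rw-p 00120000 03:01 2002 /lib/libexample.so
b7c00000-b7e00000 rw-p 00000000 00:00 0
bffdf000-c0000000 rw-p 00000000 00:00 0 [stack]
"""

# Constructed sample: same sizes, but the shared library is mapped high.
HIGH_LIB = """
08048000-08050000 r-xp 00000000 03:01 1001 /bin/example
08050000-08052000 rw-p 00008000 03:01 1001 /bin/example
08052000-08252000 rw-p 00000000 00:00 0 [heap]
b7d00000-b7e20000 r-xp 00000000 03:01 2002 /lib/libexample.so
b7e20000-b7e24000 rw-p 00120000 03:01 2002 /lib/libexample.so
bffdf000-c0000000 rw-p 00000000 00:00 0 [stack]
"""

def parse_maps(text):
    """Yield (start, end, executable) for each maps-format line."""
    for line in text.strip().splitlines():
        fields = line.split()
        start, end = (int(x, 16) for x in fields[0].split("-"))
        yield start, end, "x" in fields[1]

def pageexec_impact(text):
    """Return (limit, non-exec bytes below the limit, total non-exec bytes)."""
    maps = list(parse_maps(text))
    # Assumption: the limit is the end of the highest executable mapping.
    limit = max((end for _, end, is_exec in maps if is_exec), default=0)
    below = sum(min(end, limit) - start
                for start, end, is_exec in maps
                if not is_exec and start < limit)
    total = sum(end - start for _, end_start in [(0, 0)] for start, end, x in maps if not x)
    return limit, below, total

if __name__ == "__main__":
    for name, layout in (("low exec", LOW_EXEC), ("high lib", HIGH_LIB)):
        limit, below, total = pageexec_impact(layout)
        print(f"{name}: limit={limit:#010x} affected={below}/{total} bytes")
```

In the first layout only the binary's 8 KiB data mapping falls below the limit; in the second the high library drags the limit up and the 2 MiB heap falls below it as well.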


