[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SEP bit disabled in FC



> In arch/i386/kernel/cpu/common.c:
> 
>         /* hack: disable SEP for non-NX cpus; SEP breaks Execshield. */
>         #ifdef CONFIG_HIGHMEM64G
>         if (!test_bit(X86_FEATURE_NX, c->x86_capability))
>         #endif
>                 clear_bit(X86_FEATURE_SEP, c->x86_capability);
> 
> So, in order to enable Execshield, the SEP cpu bit (sysenter/sysexit) has to
> be turned off.  But this costs a lot of performance: as much as 2.5X in
> syscall-heavy benchmarks (e.g., process tests in lmbench).

That is unavoidable on CPUs that do not have NX support.  Using sysexit
resets to flat 4GB segments, so you lose the protection of a limited code
segment preventing all readable pages from being executable.  When the CPU
supports the NX page table bit, we don't use segments for execute
permission and so it is safe to enable sysenter/sysexit.  CPUs being sold
this year have NX support, so you don't have this limitation.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]