VMWARE + KERNEXEC
Posted: Thu Aug 11, 2011 4:41 am
Hi,
Just wondering what the current status of running a grsecurity enabled kernel under VMWARE ESXi4.x was, with KERNEXEC enabled.
I tried, but I got some major slowdowns. I thought it was UDEREF, but disabling that didn't actually make much difference. Once I disabled KERNEXEC (as suggested by pipacs in another forum post here) I seem to get performance as good as a regular kernel. I should also note this is on a Xeon processor with only PAGEEXEC enabled, as the NX bit status is passed down to my guest. I figured this would be the best and enabling SEGMEXEC would be pointless. Am I right?
The problem I have with the documentation available here is that it doesn't mention if people are using Para-virtualisation (VMI) or not. I'm not, as it seems it's going to be deprecated in the next versions and from what I've read, using NoHZ gives the same performance. But should I be? It's so hard to know and I've pretty much read all the forum posts here, at least I think I have.
Can anyone provide their hints/tips/suggestions on the best options for a fast but as PaX hardened as possible kernel? Not just PAX+Grsec but other things as well such as Paravirtualisation etc.
Thanks!