Page 1 of 1
Performance related options [AMD64]
Posted:
Sun Sep 15, 2013 11:42 pm
by debwalker
I was wondering if there is a known list of grsecurity options that cause a performance hit for a desktop workload (with xorg, firefox, video applications, etc) on AMD64.
I got some from
https://en.wikibooks.org/wiki/Grsecurit ... on_OptionsNot sure if I got all the performance related options turned off (custom configuration), but it feels slightly sluggish. Not by much, just enough to notice a slight slower bootup with grsecurity enabled. Not using the boot entropy option or anything that spells 'performance issues' on it.
I'm not worried about anything negligible, just anything that would register as a performance hit.
Thanks
Re: Performance related options [AMD64]
Posted:
Mon Sep 16, 2013 8:17 am
by Arach
The total performance hit of grsec is barely greater than 5% in most cases, afaict. Ask yourself if you really want to decide whether you want or not a particular grsec feature based on its performance impact only. How much additional 5% or even 15% of prerformance cost in money? I mean hardware prices. 50$ or even less. Unless you're in some sort of atypical situation where every 1% counts, ask yourself if you really need to bother with grsec if you don't really want to pay that "much" for the security you gain with it.
Re: Performance related options [AMD64]
Posted:
Mon Sep 16, 2013 6:32 pm
by PaX Team
first, you could post your grsec config so that we know what you tried so far. second, while there're some known culprits responsible for most of the slowdown (UDEREF on amd64, SANITIZE, etc) it's best if you test out the features on your own workload yourself. third, if you have some reproducible slowdown with a particular workload, you can use perf (it's under linux/tools/perf) to get a profile and compare it to vanilla and let us know what stands out.
Re: Performance related options [AMD64]
Posted:
Tue Sep 17, 2013 2:25 am
by debwalker
Some things have randomly stopped working (where they were working perfectly before with no intervention) so I'm gonna have a look at the kernel build and see whats up. I think something is up with the build process, so I'll try rebuilding and post back the config later.
I did exclude the obvious ones and the ones that say they can cause problems or performance issues. Apart from the executable protections (minus mprotect because it was too high maintenence on this box).
I also had a look at what 'automatic' desktop/performance configuration was setting up and excluded most of the same things.
It will be a general use plus gaming setup, so performance is important mostly. I was considering that I ought to use vanilla and just try to beef up regularly security, but I was reckoning I can at least take advantage of the executable protections as I don't care for preemption at all and it's always disabled when I build my own kernel in any case.
That said I'll post back the config soon.
Re: Performance related options [AMD64]
Posted:
Tue Sep 17, 2013 8:27 am
by debwalker
The performance seems a lot better after switching to 1000Hz timer frequency and using CFQ IO Schedular.
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_EI_PAX is not set
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_XATTR_PAX_FLAGS is not set
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
# CONFIG_PAX_MPROTECT is not set
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y
# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR is not set
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="bts"
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
# CONFIG_PAX_RANDKSTACK is not set
# CONFIG_PAX_RANDUSTACK is not set
CONFIG_PAX_RANDMMAP=y
# Miscellaneous hardening features
#
# CONFIG_PAX_MEMORY_STACKLEAK is not set
# CONFIG_PAX_MEMORY_STRUCTLEAK is not set
# CONFIG_PAX_MEMORY_UDEREF is not set
CONFIG_PAX_REFCOUNT=y
# CONFIG_PAX_USERCOPY is not set
CONFIG_PAX_CONSTIFY_PLUGIN=y
# CONFIG_PAX_SIZE_OVERFLOW is not set
# CONFIG_PAX_LATENT_ENTROPY is not set
# Memory Protections
#
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PERF_HARDEN=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_KERN_LOCKOUT=y
# Role Based Access Control Options
#
CONFIG_GRKERNSEC_NO_RBAC=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
# CONFIG_GRKERNSEC_SYMLINKOWN is not set
CONFIG_GRKERNSEC_FIFO=y
# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
# CONFIG_GRKERNSEC_CHROOT is not set
# Executable Protections
#
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_SETXID=y
# CONFIG_GRKERNSEC_TPE is not set
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
CONFIG_GRKERNSEC_SOCKET=y
# CONFIG_GRKERNSEC_SOCKET_ALL is not set
# CONFIG_GRKERNSEC_SOCKET_CLIENT is not set
CONFIG_GRKERNSEC_SOCKET_SERVER=y
CONFIG_GRKERNSEC_SOCKET_SERVER_GID=1002
# Sysctl Support
#
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y
Any improvements to be made on that?
Oddly with this configuration flash continues to crash. There is no mprotect and disabling the execution protections with paxctl seems to make no difference, other than that I think it's fine now. I think using the changes in the 'automatic' configuration has helped too.