VMWARE + KERNEXEC


Post by tjh » Thu Aug 11, 2011 4:41 am

Hi,

Just wondering what the current status of running a grsecurity-enabled kernel under VMWARE ESXi4.x was, with KERNEXEC enabled.

I tried, but I got some major slowdowns. I thought it was UDEREF, but disabling that didn't actually make much difference. Once I disabled KERNEXEC (as suggested by pipacs in another forum post here) I seem to get performance as good as a regular kernel. I should also note this is on a Xeon processor with only PAGEEXEC enabled, as the NX bit status is passed down to my guest. I figured this would be the best and enabling SEGMEXEC would be pointless. Am I right?

The problem I have with the documentation available here is that it doesn't mention if people are using Para-virtualisation (VMI) or not. I'm not, as it seems it's going to be deprecated in the next versions and from what I've read, using NoHZ gives the same performance. But should I be? It's so hard to know and I've pretty much read all the forum posts here, at least I think I have.

Can anyone provide their hints/tips/suggestions on the best options for a fast but as PaX hardened as possible kernel? Not just PAX+Grsec but other things as well such as Paravirtualisation etc.

Thanks!
tjh
 
Posts: 102
Joined: Sat Oct 16, 2004 8:19 pm

Re: VMWARE + KERNEXEC

Post by tjh » Thu Sep 22, 2011 12:09 am

I gave up on VMI (it's going to be deprecated) but my slowdowns were caused by not following the sticky and manually forcing the VT-x type in vmware.

Once I've done that, I can boot a fully hardened kernel now (KERNEXEC and UDEREF) with no noticeable performance problems.

FYI
tjh

