
Meeting log 2012-11-14 20:00UTC
Hi
Here is the meeting log.
/Magnus
Re: Meeting log 2012-11-14 20:00UTC
Hi,

What does the following remark mean:

[21:45:45] <prometheanfire> confirmed that virt is fast now if using
nested pages and kernels greater than version hardened-3.5.4-r1 (r2 is
preferred)

Thanks!

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
Re: Meeting log 2012-11-14 20:00UTC
On 11/18/2012 05:30 PM, Maxim Kammerer wrote:
> Hi,
>
> What does the following remark mean:
>
> [21:45:45] <prometheanfire> confirmed that virt is fast now if using
> nested pages and kernels greater than version hardened-3.5.4-r1 (r2 is
> preferred)
>
> Thanks!
>

Originally virtualization was slow on grsec/pax with either uderef or
kernexec enabled. Pipacs overcame this limitation in 3.5.4-r1 and
overcame a memory commit issue kvm was having in 3.5.4-r2. He overcame
it using nested page tables on newer CPUs, which means older CPUs will
likely still be slow.

--
Matthew Thode (prometheanfire)
Re: Meeting log 2012-11-14 20:00UTC
On 19 Nov 2012 at 11:37, Maxim Kammerer wrote:

> On Mon, Nov 19, 2012 at 2:25 AM, Matthew Thode
> <prometheanfire@gentoo.org> wrote:
> > Originally virtualization was slow on grsec/pax with either uderef or
> > kernexec enabled.
>
> My impression was that UDEREF/KERNEXEC were slow in guest. Is it
> wrong, or did these settings affect host as well?

there was a bug in the per-cpu pgd feature (that those two features rely on
on amd64) that, when enabled on the host, would cause a big guest slowdown
(regardless of what the guest was).

that these two features have a performance impact on their own is a separate
issue and something i can't help without proper hw support (think SMEP/SMAP).

> > Pipacs overcame this limitation in 3.5.4-r1 and
> > overcame a memory commit issue kvm was having in 3.5.4-r2. He overcame
> > it using nested page tables on newer CPUs, which means older CPUs will
> > likely still be slow.
>
> So one needs at least 3.5.4-r2 in both hardened guest and host, and
> nested page tables support in CPU?

for this bug only the host matters and use more like 3.6 please since we no
longer support 3.5 (and in a few weeks that'll become 3.7 ;) or our 2.6.32/3.2
stable series.

nested page tables help with the inherent performance impact of per-cpu pgd
(that is, if you enable it in your guest kernels as well), independently of
the performance bug i fixed some months ago.
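The reply above gives two conditions for a KVM host running a hardened kernel: a kernel at or past the 3.6 series (the 3.5 series being unsupported) and a CPU with nested page tables (Intel EPT or AMD NPT) if per-cpu pgd is also enabled in the guests. The script below is an added example, not code from the thread or from the grsecurity/PaX project; it checks both conditions from a captured `/proc/cpuinfo` flags line and a `uname -r` string, so it can be exercised offline on the constructed inputs in the comments and then pointed at the live files.

```sh
#!/bin/sh
# Added example: check whether a KVM host meets the two conditions named in
# the thread, a kernel >= 3.6 and a CPU advertising second-level address
# translation ("ept" on Intel, "npt" on AMD, as shown in /proc/cpuinfo).
# Function names and the sample inputs below are the example's own.

# has_nested_paging FLAGS
#   FLAGS is the "flags" line of /proc/cpuinfo (space separated).
#   Returns 0 when the CPU reports EPT or NPT, 1 otherwise.
has_nested_paging() {
    for f in $1; do
        case "$f" in
            ept|npt) return 0 ;;
        esac
    done
    return 1
}

# kernel_at_least RELEASE MAJOR MINOR
#   RELEASE is a `uname -r` string such as "3.6.8-hardened-r1".
#   Returns 0 when its major.minor is >= MAJOR.MINOR.
kernel_at_least() {
    rel=${1%%-*}          # drop the "-hardened-rN" style suffix
    maj=${rel%%.*}        # first dotted component
    rest=${rel#*.}
    min=${rest%%.*}       # second dotted component ("7" for a bare "3.7")
    [ "$maj" -gt "$2" ] && return 0
    [ "$maj" -eq "$2" ] && [ "$min" -ge "$3" ] && return 0
    return 1
}

# check_host FLAGS RELEASE
#   Prints one verdict line per condition; returns 0 only if both hold.
check_host() {
    ok=0
    if kernel_at_least "$2" 3 6; then
        echo "kernel $2: supported series, per-cpu pgd slowdown fix present"
    else
        echo "kernel $2: older than 3.6, unsupported and may carry the host-side bug"
        ok=1
    fi
    if has_nested_paging "$1"; then
        echo "cpu: nested page tables (EPT/NPT) available"
    else
        echo "cpu: no EPT/NPT, per-cpu pgd guests will keep their inherent cost"
        ok=1
    fi
    return $ok
}

# Constructed sample inputs (not from a real machine):
#   check_host "flags : fpu vme ept vpid" "3.6.8-hardened-r1"   -> both ok, returns 0
#   check_host "flags : fpu vme"          "3.5.4-hardened-r2"   -> both fail, returns 1
# Live use on the host:
#   check_host "$(grep '^flags' /proc/cpuinfo | head -n 1)" "$(uname -r)"
```

Only the host kernel matters for the bug pipacs describes, so this is meant to run on the host; the EPT/NPT check is the part that also decides whether enabling per-cpu pgd (UDEREF/KERNEXEC on amd64) inside guests is affordable.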
Re: Meeting log 2012-11-14 20:00UTC
On Mon, Nov 19, 2012 at 2:25 AM, Matthew Thode
<prometheanfire@gentoo.org> wrote:
> Originally virtualization was slow on grsec/pax with either uderef or
> kernexec enabled.

My impression was that UDEREF/KERNEXEC were slow in guest. Is it
wrong, or did these settings affect host as well?

> Pipacs overcame this limitation in 3.5.4-r1 and
> overcame a memory commit issue kvm was having in 3.5.4-r2. He overcame
> it using nested page tables on newer CPUs, which means older CPUs will
> likely still be slow.

So one needs at least 3.5.4-r2 in both hardened guest and host, and
nested page tables support in CPU?

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte