kernel: enable page poisoning on x86_64

Message ID fcbd1c89-4a64-51e9-cce6-311b0df2a264@ipfire.org
State Accepted
Commit efd508e9f60d17d8d2205ba8ef3f03407c720fa8
Series: kernel: enable page poisoning on x86_64

Commit Message

Peter Müller April 14, 2020, 2:32 p.m. UTC
  This is already active on i586 and prevents information leaks from freed
data.

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 config/kernel/kernel.config.x86_64-ipfire | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
  

Comments

Michael Tremer April 14, 2020, 2:33 p.m. UTC | #1
Hi,

Can you perform any performance benchmarks to see how much this impacts IPsec and IPS throughput?

-Michael

> On 14 Apr 2020, at 15:32, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> This is already active on i586 and prevents information leaks from freed
> data.
> 
> Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> config/kernel/kernel.config.x86_64-ipfire | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
> index b16d13504..f6819859d 100644
> --- a/config/kernel/kernel.config.x86_64-ipfire
> +++ b/config/kernel/kernel.config.x86_64-ipfire
> @@ -6387,7 +6387,9 @@ CONFIG_DEBUG_KERNEL=y
> #
> # CONFIG_PAGE_EXTENSION is not set
> # CONFIG_DEBUG_PAGEALLOC is not set
> -# CONFIG_PAGE_POISONING is not set
> +CONFIG_PAGE_POISONING=y
> +# CONFIG_PAGE_POISONING_NO_SANITY is not set
> +CONFIG_PAGE_POISONING_ZERO=y
> # CONFIG_DEBUG_PAGE_REF is not set
> # CONFIG_DEBUG_RODATA_TEST is not set
> # CONFIG_DEBUG_OBJECTS is not set
> -- 
> 2.16.4
  
Peter Müller April 14, 2020, 2:36 p.m. UTC | #2
Hello Michael,

possibly, but I consider this as being too important in order to drop it due
to performance concerns. CONFIG_PAGE_POISONING_NO_SANITY reduces some performance
overhead of page poisoning, but since this is currently not enabled on i586,
I did not use it on x86_64, either.

As mentioned, this is active on i586 already and I have not heard of IPFire
being unusable on that architecture. :-)

Thanks, and best regards,
Peter Müller

> Hi,
> 
> Can you perform any performance benchmarks to see how much this impacts IPsec and IPS throughput?
> 
> -Michael
> 
>> On 14 Apr 2020, at 15:32, Peter Müller <peter.mueller@ipfire.org> wrote:
>>
>> This is already active on i586 and prevents information leaks from freed
>> data.
>>
>> Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>> ---
>> config/kernel/kernel.config.x86_64-ipfire | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
>> index b16d13504..f6819859d 100644
>> --- a/config/kernel/kernel.config.x86_64-ipfire
>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>> @@ -6387,7 +6387,9 @@ CONFIG_DEBUG_KERNEL=y
>> #
>> # CONFIG_PAGE_EXTENSION is not set
>> # CONFIG_DEBUG_PAGEALLOC is not set
>> -# CONFIG_PAGE_POISONING is not set
>> +CONFIG_PAGE_POISONING=y
>> +# CONFIG_PAGE_POISONING_NO_SANITY is not set
>> +CONFIG_PAGE_POISONING_ZERO=y
>> # CONFIG_DEBUG_PAGE_REF is not set
>> # CONFIG_DEBUG_RODATA_TEST is not set
>> # CONFIG_DEBUG_OBJECTS is not set
>> -- 
>> 2.16.4
>
  
Michael Tremer April 14, 2020, 2:54 p.m. UTC | #3
Hey,

> On 14 Apr 2020, at 15:36, Peter Müller <peter.mueller@ipfire.org> wrote:
> 
> Hello Michael,
> 
> possibly, but I consider this as being too important in order to drop it due
> to performance concerns. CONFIG_PAGE_POISONING_NO_SANITY reduces some performance
> overhead of page poisoning, but since this is currently not enabled on i586,
> I did not use it on x86_64, either.

Hmm, I am really not happy with such inconsistent configurations across multiple architectures.

This is either a feature that we want or not, but we do not want it on one platform and not on the other.

Although I would consider the performance overhead on x86_64 much smaller than i586. PAE might have the same advantage as x86_64.

> As mentioned, this is active on i586 already and I have not heard of IPFire
> being unusable on that architecture. :-)

Well, let’s say it is not running that well any more.

-Michael

> 
> Thanks, and best regards,
> Peter Müller
> 
>> Hi,
>> 
>> Can you perform any performance benchmarks to see how much this impacts IPsec and IPS throughput?
>> 
>> -Michael
>> 
>>> On 14 Apr 2020, at 15:32, Peter Müller <peter.mueller@ipfire.org> wrote:
>>> 
>>> This is already active on i586 and prevents information leaks from freed
>>> data.
>>> 
>>> Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
>>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>>> ---
>>> config/kernel/kernel.config.x86_64-ipfire | 4 +++-
>>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>> 
>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
>>> index b16d13504..f6819859d 100644
>>> --- a/config/kernel/kernel.config.x86_64-ipfire
>>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>>> @@ -6387,7 +6387,9 @@ CONFIG_DEBUG_KERNEL=y
>>> #
>>> # CONFIG_PAGE_EXTENSION is not set
>>> # CONFIG_DEBUG_PAGEALLOC is not set
>>> -# CONFIG_PAGE_POISONING is not set
>>> +CONFIG_PAGE_POISONING=y
>>> +# CONFIG_PAGE_POISONING_NO_SANITY is not set
>>> +CONFIG_PAGE_POISONING_ZERO=y
>>> # CONFIG_DEBUG_PAGE_REF is not set
>>> # CONFIG_DEBUG_RODATA_TEST is not set
>>> # CONFIG_DEBUG_OBJECTS is not set
>>> -- 
>>> 2.16.4
>>
  
Peter Müller April 14, 2020, 3:04 p.m. UTC | #4
Hello Michael,

> Hey,
> 
>> On 14 Apr 2020, at 15:36, Peter Müller <peter.mueller@ipfire.org> wrote:
>>
>> Hello Michael,
>>
>> possibly, but I consider this as being too important in order to drop it due
>> to performance concerns. CONFIG_PAGE_POISONING_NO_SANITY reduces some performance
>> overhead of page poisoning, but since this is currently not enabled on i586,
>> I did not use it on x86_64, either.
> 
> Hmm, I am really not happy with such inconsistent configurations across multiple architectures.
> 
> This is either a feature that we want or not, but we do not want it on one platform and not on the other.

Yes, I am currently trying to clean this mess up as we have quite a bunch of those.
Since we probably need to have a look at each in detail, I guess opening bugs makes
more sense here...

> 
> Although I would consider the performance overhead on x86_64 much smaller than i586. PAE might have the same advantage as x86_64.

Yes, I think so too.

> 
>> As mentioned, this is active on i586 already and I have not heard of IPFire
>> being unusable on that architecture. :-)
> 
> Well, let’s say it is not running that well any more.

I would be surprised to hear that page poisoning is the sole reason for this. :-)

Thanks, and best regards,
Peter Müller

> 
> -Michael
> 
>>
>> Thanks, and best regards,
>> Peter Müller
>>
>>> Hi,
>>>
>>> Can you perform any performance benchmarks to see how much this impacts IPsec and IPS throughput?
>>>
>>> -Michael
>>>
>>>> On 14 Apr 2020, at 15:32, Peter Müller <peter.mueller@ipfire.org> wrote:
>>>>
>>>> This is already active on i586 and prevents information leaks from freed
>>>> data.
>>>>
>>>> Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
>>>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
>>>> ---
>>>> config/kernel/kernel.config.x86_64-ipfire | 4 +++-
>>>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
>>>> index b16d13504..f6819859d 100644
>>>> --- a/config/kernel/kernel.config.x86_64-ipfire
>>>> +++ b/config/kernel/kernel.config.x86_64-ipfire
>>>> @@ -6387,7 +6387,9 @@ CONFIG_DEBUG_KERNEL=y
>>>> #
>>>> # CONFIG_PAGE_EXTENSION is not set
>>>> # CONFIG_DEBUG_PAGEALLOC is not set
>>>> -# CONFIG_PAGE_POISONING is not set
>>>> +CONFIG_PAGE_POISONING=y
>>>> +# CONFIG_PAGE_POISONING_NO_SANITY is not set
>>>> +CONFIG_PAGE_POISONING_ZERO=y
>>>> # CONFIG_DEBUG_PAGE_REF is not set
>>>> # CONFIG_DEBUG_RODATA_TEST is not set
>>>> # CONFIG_DEBUG_OBJECTS is not set
>>>> -- 
>>>> 2.16.4
>>>
>
  

Patch

diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index b16d13504..f6819859d 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -6387,7 +6387,9 @@  CONFIG_DEBUG_KERNEL=y
 #
 # CONFIG_PAGE_EXTENSION is not set
 # CONFIG_DEBUG_PAGEALLOC is not set
-# CONFIG_PAGE_POISONING is not set
+CONFIG_PAGE_POISONING=y
+# CONFIG_PAGE_POISONING_NO_SANITY is not set
+CONFIG_PAGE_POISONING_ZERO=y
 # CONFIG_DEBUG_PAGE_REF is not set
 # CONFIG_DEBUG_RODATA_TEST is not set
 # CONFIG_DEBUG_OBJECTS is not set
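
Review bot: The two lines added after `CONFIG_PAGE_POISONING=y` pick a specific variant of the feature without justification: `# CONFIG_PAGE_POISONING_NO_SANITY is not set` and `CONFIG_PAGE_POISONING_ZERO=y` are not explained in the commit message, which only says the feature is already active on i586 and prevents information leaks from freed data. Please state in the commit message why each sub-option has this value. Since the thread describes NO_SANITY as the option that reduces the overhead of page poisoning, a throughput figure for the chosen combination on x86_64 would answer the IPsec/IPS question directly. The diffstat shows only the kernel config file changing, so it would also help to say whether anything outside this file is needed for poisoning to be active at runtime, and to confirm that the i586 config carries the same three values so the two architectures can be compared option by option.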