Re: [kernel-hardening] Re: [RFC, PATCH] x86_64: KAISER - do not map kernel in user mode
From: Daniel Gruss
Date: Sun May 07 2017 - 17:47:27 EST
> Just did a quick test on my main KVM host, an 8-core Intel(R) Xeon(R)
> CPU E3-1240 V2.
> KVM guests are 4.10 w/o CONFIG_KAISER and kvmconfig without CONFIG_PARAVIRT.
> Building a defconfig kernel within those guests is about 10% slower
Thank you for testing it! :)
> Is this expected?
It sounds plausible. First, I would expect any form of virtualization to
increase the overhead. Second, for the processor (Ivy Bridge), I would
have expected even higher performance overheads. KAISER utilizes very
recent performance improvements in Intel processors...
> If it helps I can redo the same test also on bare metal.
I'm not sure how we proceed here and if this would help, because I don't
know what everyone expects.
KAISER definitely introduces an overhead, no doubt about that. How much
overhead it is depends on the specific hardware and may be very little
on recent architectures and more on older machines.
We are not proposing to enable KAISER by default, but to provide the
config option to allow easy integration into hardened kernels where
performance overheads may be acceptable (which depends on the specific
use case and the specific hardware).