Re: Linux 4.4.110

From: Alan Cox
Date: Fri Jan 05 2018 - 14:58:47 EST


> It depends by whom :-) We benchmarked this machine a while ago at 93k
> connections per second on 4.9 on a single process and now I'm seeing
> about 60k for a single process. I don't want to digress too much about
> numbers now as the test conditions certainly differ a bit, I'll have
> to rerun more detailed ones later. For 99.9% of the users it will not
> be noticeable. Those having to fight DDoS will certainly notice it.
> I'm pretty sure we'll run with pti=off at least at the beginning.

Are you running pti on the VM kernels or the host kernel or both?

> I'm currently testing a completely different approach for systems like
> these running basically a single task. The idea is to limit rdtsc to
> privileged processes only. I just discovered that my libc happily uses

The javascript attack in the paper does not use rdtsc, and the techniques
to deal with rdtsc disabling are well known and used in other existing
attacks.

> For this reason, people considering pti=off as the only solution might
> sometimes prefer this one as a small improvement (and it could also
> stop other classes of future attacks, maybe something for KSPP later).

For a large class of environments where you are only running code that you
trust (or at least if anyone evil changes you've got much bigger problems)
that is probably a rational approach anyway.

Alan
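The two points above (restricting rdtsc does not remove the timer an attacker needs, and the fallbacks are well known) can be shown with a small program. This is an added example, not code from the thread or from either poster. It assumes Linux on x86 for the prctl(PR_SET_TSC, PR_TSC_SIGSEGV) part, which makes rdtsc fault in the calling process; on other architectures that probe just reports "unsupported". The rdtsc-free timer is the usual counter-thread trick: a second thread increments a shared variable as fast as it can and the measuring thread reads it before and after the load it wants to time. The 64 MiB eviction buffer is a constructed size chosen to exceed most last-level caches.

```c
/* Build: cc -O2 -pthread tsc_probe.c -o tsc_probe   (Linux) */
#define _GNU_SOURCE
#include <pthread.h>
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>

#define EVICT_BYTES (64u << 20)   /* constructed: larger than typical LLC */

/* ---- rdtsc-free timer: a thread that counts as fast as it can ---- */
static volatile uint64_t tick;
static volatile int counter_running;
static pthread_t counter_tid;

static void *counter_thread(void *arg) {
    (void)arg;
    while (counter_running)
        tick++;
    return NULL;
}

int counter_timer_start(void) {
    tick = 0;
    counter_running = 1;
    return pthread_create(&counter_tid, NULL, counter_thread, NULL);
}

void counter_timer_stop(void) {
    counter_running = 0;
    pthread_join(counter_tid, NULL);
}

/* Time one load of *p in counter ticks; the barriers keep the compiler from
   moving the load relative to the two timer reads. */
static uint64_t time_load(volatile char *p) {
    uint64_t t0 = tick;
    __asm__ __volatile__("" ::: "memory");
    (void)*p;
    __asm__ __volatile__("" ::: "memory");
    return tick - t0;
}

/* Touch every cache line of buf so lines loaded earlier are evicted.
   Returns a checksum so the loop cannot be dropped as dead code. */
static uint64_t walk(volatile char *buf, size_t len) {
    uint64_t sum = 0;
    for (size_t i = 0; i < len; i += 64)
        sum += (unsigned char)buf[i];
    return sum;
}

/* Self-test: counter ticks observed during eight passes over EVICT_BYTES.
   Nonzero means the counter thread delivered a usable clock without rdtsc. */
uint64_t counter_ticks_for_walk(void) {
    char *buf = malloc(EVICT_BYTES);
    if (!buf || counter_timer_start() != 0) { free(buf); return 0; }
    memset(buf, 1, EVICT_BYTES);
    uint64_t t0 = tick;
    volatile uint64_t sink = 0;
    for (int pass = 0; pass < 8; pass++)
        sink += walk(buf, EVICT_BYTES);
    uint64_t delta = tick - t0;
    counter_timer_stop();
    free(buf);
    (void)sink;
    return delta;
}

/* ---- does rdtsc really fault once PR_SET_TSC disables it? ---- */
static sigjmp_buf trap_env;
static void on_sigsegv(int sig) { (void)sig; siglongjmp(trap_env, 1); }

/* 1: rdtsc raised SIGSEGV, 0: it still executed, -1: prctl unsupported here */
int rdtsc_trap_probe(void) {
#if defined(__x86_64__) || defined(__i386__)
    int old, trapped;
    struct sigaction sa, saved;
    if (prctl(PR_GET_TSC, &old, 0, 0, 0) != 0) return -1;
    if (prctl(PR_SET_TSC, PR_TSC_SIGSEGV, 0, 0, 0) != 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigsegv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &saved);
    if (sigsetjmp(trap_env, 1) == 0) {
        uint32_t lo, hi;
        __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
        (void)lo; (void)hi;
        trapped = 0;
    } else {
        trapped = 1;
    }
    sigaction(SIGSEGV, &saved, NULL);
    prctl(PR_SET_TSC, old, 0, 0, 0);   /* restore the previous setting */
    return trapped;
#else
    return -1;
#endif
}

int main(void) {
    int probe = rdtsc_trap_probe();
    printf("rdtsc after PR_TSC_SIGSEGV: %s\n",
           probe == 1 ? "traps (SIGSEGV)" :
           probe == 0 ? "still executes" : "prctl unsupported here");

    /* Now time a cached line and an evicted line with no rdtsc at all. */
    char *buf = malloc(EVICT_BYTES);
    if (!buf || counter_timer_start() != 0) return 1;
    memset(buf, 1, EVICT_BYTES);
    volatile char *target = buf;
    (void)*target;                                   /* bring line in */
    uint64_t hit = time_load(target);
    volatile uint64_t sink = walk(buf, EVICT_BYTES); /* push it out */
    uint64_t miss = time_load(target);
    counter_timer_stop();
    printf("cached load: %llu ticks, evicted load: %llu ticks\n",
           (unsigned long long)hit, (unsigned long long)miss);
    free(buf);
    (void)sink;
    return 0;
}
```

Two caveats a practitioner will hit: the counter thread needs a second core to run on, so on a single-CPU guest both loads read as 0 ticks (the same constraint applies to the attacker, and pinning a process to one core is a separate mitigation), and on a machine whose last-level cache exceeds 64 MiB the "evicted" load may still hit. Neither weakens the point made in the reply: the hardware timestamp counter is a convenience, not a requirement, for a cache-timing measurement.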