From: Kees Cook
Subject: Re: Re: x86: PIE support and option to extend KASLR randomization
Date: Wed, 19 Jul 2017 12:21:05 -0700
References: <20170718223333.110371-1-thgarnie@google.com>
Cc: Thomas Garnier, Herbert Xu, "David S . Miller", Thomas Gleixner, Ingo Molnar, "H . Peter Anvin", Peter Zijlstra, Josh Poimboeuf, Arnd Bergmann, Matthias Kaehlcke, Boris Ostrovsky, Juergen Gross, Paolo Bonzini, Radim Krčmář, Joerg Roedel, Andy Lutomirski, Borislav Petkov, "Kirill A . Shutemov", Brian Gerst, Borislav Petkov, Christian Borntraeger, "Rafael J . Wysocki", Len Brown
Sender: keescook@google.com
List-Id: linux-crypto.vger.kernel.org

On Wed, Jul 19, 2017 at 7:08 AM, Christopher Lameter wrote:
> On Tue, 18 Jul 2017, Thomas Garnier wrote:
>
>> Performance/Size impact:
>> Hackbench (50% and 1600% loads):
>>  - PIE enabled: 7% to 8% on half load, 10% on heavy load.
>> slab_test (average of 10 runs):
>>  - PIE enabled: 3% to 4%
>> Kernbench (average of 10 Half and Optimal runs):
>>  - PIE enabled: 5% to 6%
>>
>> Size of vmlinux (Ubuntu configuration):
>>  File size:
>>  - PIE disabled: 472928672 bytes (-0.000169% from baseline)
>>  - PIE enabled: 216878461 bytes (-54.14% from baseline)
>
> Maybe we need something like CONFIG_PARANOIA so that we can determine at
> build time how much performance we want to sacrifice for performance?
>
> It's going to be difficult to understand what all these hardening config
> options do.

This kind of thing got discussed recently, and like CONFIG_EXPERIMENTAL,
a global config doesn't really work. The best thing to do is to
document each config as well as possible and system builders can
decide.

-Kees

-- 
Kees Cook
Pixel Security