> In arch/i386/kernel/cpu/common.c:
>
> /* hack: disable SEP for non-NX cpus; SEP breaks Execshield. */
> #ifdef CONFIG_HIGHMEM64G
>     if (!test_bit(X86_FEATURE_NX, c->x86_capability))
> #endif
>     clear_bit(X86_FEATURE_SEP, c->x86_capability);
>
> So, in order to enable Execshield, the SEP cpu bit (sysenter/sysexit) has to
> be turned off. But this costs a lot of performance: as much as 2.5X in
> syscall-heavy benchmarks (e.g., process tests in lmbench).

That is unavoidable on CPUs that do not have NX support. Using sysexit resets
to flat 4GB segments, so you lose the protection of a limited code segment
preventing all readable pages from being executable. When the CPU supports
the NX page table bit, we don't use segments for execute permission and so
it is safe to enable sysenter/sysexit.

CPUs being sold this year have NX support, so you don't have this limitation.

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-devel-list
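Added example (not code from this thread or from the kernel): a small user-space C program that mirrors the decision in the quoted common.c hunk and checks a /proc/cpuinfo "flags" line for the nx and sep tokens. The sample flags line is constructed, and main() assumes a CONFIG_HIGHMEM64G (PAE) kernel when it reports the verdict for the running machine.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample /proc/cpuinfo "flags" line (not captured from a real machine). */
static const char *sample_flags =
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca "
    "cmov pat pse36 clflush mmx fxsr sse sse2 ht nx\n";

/* Return 1 if the whitespace-separated flag list contains `name` as a whole token. */
int has_flag(const char *flags_line, const char *name)
{
    size_t n = strlen(name);
    const char *p = strchr(flags_line, ':');
    p = p ? p + 1 : flags_line;                 /* skip the "flags : " prefix */
    while (*p) {
        while (*p == ' ' || *p == '\t' || *p == '\n') p++;
        if (!*p) break;
        const char *start = p;
        while (*p && *p != ' ' && *p != '\t' && *p != '\n') p++;
        if ((size_t)(p - start) == n && memcmp(start, name, n) == 0)
            return 1;
    }
    return 0;
}

/* Mirror of the quoted common.c hack: returns 1 when the kernel clears SEP
 * (sysenter/sysexit). Without CONFIG_HIGHMEM64G there are no PAE page tables,
 * so the NX bit cannot be used and the code-segment limit that sysexit would
 * reset is the only execute protection; SEP is then always cleared. */
int execshield_clears_sep(int kernel_highmem64g, int cpu_has_nx)
{
    if (!kernel_highmem64g)
        return 1;
    return !cpu_has_nx;
}

/* Report the verdict for this machine; assumes a PAE (HIGHMEM64G) kernel. */
int main(void)
{
    char line[4096];
    FILE *f = fopen("/proc/cpuinfo", "r");
    if (!f) { perror("/proc/cpuinfo"); return 1; }
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "flags", 5) != 0)
            continue;
        int nx = has_flag(line, "nx"), sep = has_flag(line, "sep");
        printf("nx=%d sep=%d -> Exec Shield would %s SEP\n", nx, sep,
               execshield_clears_sep(1, nx) ? "clear" : "keep");
        break;
    }
    fclose(f);
    return 0;
}
```

Since /proc/cpuinfo prints the kernel's x86_capability bits after the clear_bit above, a CPU that lacks nx on an Exec Shield kernel will also show no sep flag even though the hardware supports it.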