On Thu, Jul 20, 2017 at 2:11 AM, Ingo Molnar <mingo@xxxxxxxxxx> wrote:
> Could you please also create a tabulated quick-comparison of the three variants,
> of all key properties, about behavior, feature and tradeoff differences?
>
> Something like:
>
>                                 !ARCH_HAS_REFCOUNT  ARCH_HAS_REFCOUNT=y  REFCOUNT_FULL=y
>
> avg fast path instructions:     5                   3                    10
> behavior on overflow:           unsafe, silent      safe, verbose        safe, verbose
> behavior on underflow:          unsafe, silent      unsafe, verbose      unsafe, verbose
> ...
>
> etc. - note that this table is just a quick mockup with wild guesses. (Please add
> more comparisons of other aspects as well.)
>
> Such a comparison would make it easier for arch, subsystem and distribution
> maintainers to decide on which variant to use/enable.

Sure, I can write this up. I'm not sure "safe"/"unsafe" is quite that
clean. The differences between -full and -fast are pretty subtle, but
I think I can describe it using the updated LKDTM tests I've written
to compare the two. There are conditions that -fast doesn't catch, but
those cases aren't actually useful for the overflow defense.

As for "avg fast path instructions", do you mean the resulting
assembly for each refcount API function? I think it's going to look
something like "1 2 45", but I'll write it up.

-Kees

--
Kees Cook
Pixel Security