On 19 Nov 2012 at 11:37, Maxim Kammerer wrote:

> On Mon, Nov 19, 2012 at 2:25 AM, Matthew Thode <[email protected]> wrote:
> > Originally virtualization was slow on grsec/pax with either uderef or
> > kernexec enabled.
>
> My impression was that UDEREF/KERNEXEC were slow in guest. Is it
> wrong, or did these settings affect host as well?

there was a bug in the per-cpu pgd feature (that those two features rely on on amd64) that, when enabled on the host, would cause a big guest slowdown (regardless of what the guest was). that these two features have a performance impact on their own is a separate issue and something i can't help without proper hw support (think SMEP/SMAP).

> > Pipacs overcame this limitation in 3.5.4-r1 and
> > overcame a memory commit issue kvm was having in 3.5.4-r2. He overcame
> > it using nested page tables on newer CPUs, which means older CPUs will
> > likely still be slow.
>
> So one needs at least 3.5.4-r2 in both hardened guest and host, and
> nested page tables support in CPU?

for this bug only the host matters and use more like 3.6 please since we no longer support 3.5 (and in a few weeks that'll become 3.7 ;) or our 2.6.32/3.2 stable series. nested page tables help with the inherent performance impact of per-cpu pgd (that is, if you enable it in your guest kernels as well), independently of the performance bug i fixed some months ago.
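The reply above says nested page tables take the edge off per-cpu pgd's inherent cost. A practitioner sizing a hardened host will want to know whether the CPU and the loaded KVM module actually offer them. The script below is an added example, not part of the thread or of grsecurity/PaX; it reads the `flags` line of `/proc/cpuinfo` for the `ept` (Intel) or `npt` (AMD) feature bits and, as an assumption about the host, checks the `ept`/`npt` parameters that `kvm_intel`/`kvm_amd` expose under `/sys/module`. It ships with a constructed `/proc/cpuinfo` excerpt so it runs offline; pass a real path (or nothing, for the live `/proc/cpuinfo`) to `main` to check an actual host.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the host CPU advertises
# nested page tables (Intel EPT / AMD NPT) and whether the loaded KVM module
# has them enabled. Nested paging is what the reply credits with reducing the
# inherent cost of PaX's per-cpu pgd when the guest kernel enables it too.

# has_nested_paging FLAGS -> exit 0 if FLAGS contains "ept" or "npt" as a word
has_nested_paging() {
    for f in $1; do
        case "$f" in
            ept|npt) return 0 ;;
        esac
    done
    return 1
}

# cpuinfo_flags FILE -> the "flags" line of the first CPU entry, key stripped
cpuinfo_flags() {
    sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' "$1" | head -n 1
}

# kvm_nested_paging_enabled -> exit 0 if a loaded KVM module reports it on.
# Assumed sysfs paths: kvm_intel's "ept" and kvm_amd's "npt" parameters.
kvm_nested_paging_enabled() {
    for p in /sys/module/kvm_intel/parameters/ept \
             /sys/module/kvm_amd/parameters/npt; do
        [ -r "$p" ] || continue
        case "$(cat "$p")" in
            Y|1) return 0 ;;
        esac
    done
    return 1
}

# main [CPUINFO_PATH] -> human-readable summary; defaults to the live file
main() {
    src="${1:-/proc/cpuinfo}"
    flags="$(cpuinfo_flags "$src")"
    if has_nested_paging "$flags"; then
        echo "cpu: nested page tables (EPT/NPT) advertised"
    else
        echo "cpu: no EPT/NPT flag; per-cpu pgd guests will pay more"
    fi
    if kvm_nested_paging_enabled; then
        echo "kvm: nested paging enabled in the loaded module"
    else
        echo "kvm: nested paging not enabled, or kvm not loaded"
    fi
}

# Constructed sample /proc/cpuinfo excerpt so the script runs offline.
SAMPLE_CPUINFO="$(mktemp)"
cat > "$SAMPLE_CPUINFO" <<'EOF'
processor	: 0
vendor_id	: GenuineIntel
model name	: constructed sample
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov vmx ept
EOF

main "$SAMPLE_CPUINFO"
rm -f "$SAMPLE_CPUINFO"
```

`has_nested_paging` matches whole words on purpose: a substring test would accept unrelated flags, and a false positive here means planning for guest performance the hardware will not deliver.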
