Re: Fedora 37: Add kernel parameters that help prevent local exploits
I thought vsyscalls were obsolete, but leaving them enabled doesn't really impact security too much. Regarding performance, `page_alloc.shuffle=1` can increase performance, and `slab_nomerge init_on_alloc=1 init_on_free=1 pti=on randomize_kstack_offset=on` do not have a very noticeable performance impact; it will almost never be noticed in real use cases unless you specifically look for it.
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: Fedora 37: Add kernel parameters that help prevent local exploits
Sorry for the spam, but I realized I accidentally added `pti=on` into the list of arguments that do not impact performance. `pti=on` can significantly impact performance, by up to 30% in some cases.
Re: Fedora 37: Add kernel parameters that help prevent local exploits
For `slab_nomerge`, it can lead to a very slight increase of kernel memory. `init_on_alloc=1` has almost no performance impact; it is under 1% and is usually within standard error, but there is a bug with zfs that can make zfs slower. `init_on_free=1` can be measured and is around 7-20% under certain workloads, but in some workloads it does not impact performance. `randomize_kstack_offset=on` can sometimes increase performance by 1%, or decrease it by 1%, but Redis has been noticed to have performance reduced by 2%. `pti=on` mitigates Meltdown, but has a very big performance impact.
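Added example, not part of the thread: a small shell audit that reports which of the parameters named above are present on a kernel command line. The function names, the `WANTED` list layout and the sample command line are constructed for illustration, and the code assumes that the last occurrence of a repeated parameter is the one that takes effect.

```shell
#!/bin/sh
# Added example (not from the thread): audit a kernel command line for the
# parameters the thread discusses. A bare name is a flag without a value.
WANTED='page_alloc.shuffle=1 slab_nomerge init_on_alloc=1 init_on_free=1 pti=on randomize_kstack_offset=on'

# Constructed sample input, including a repeated parameter.
SAMPLE_CMDLINE='BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=UUID=constructed ro quiet init_on_alloc=0 slab_nomerge pti=on init_on_alloc=1 randomize_kstack_offset=off'

# cmdline_value NAME CMDLINE
# Prints the value of the last occurrence of NAME ("(flag)" for a bare flag).
# Exit status 1 if NAME is absent. Assumption: the last occurrence wins.
cmdline_value() (
    set -f    # split on whitespace only, never glob-expand tokens
    name=$1 found=1 value=
    for tok in $2; do
        case $tok in
            "$name")   found=0; value='(flag)' ;;
            "$name"=*) found=0; value=${tok#*=} ;;
        esac
    done
    [ "$found" -eq 0 ] && printf '%s\n' "$value"
    exit "$found"
)

# audit_cmdline CMDLINE
# One report line per wanted parameter; exit status is the number of
# parameters that are absent or set differently. "absent" only means the
# parameter is not on the command line; kernel defaults still apply.
audit_cmdline() {
    missing=0
    for want in $WANTED; do
        name=${want%%=*}
        case $want in
            *=*) expect=${want#*=} ;;
            *)   expect='(flag)' ;;
        esac
        if actual=$(cmdline_value "$name" "$1"); then
            if [ "$actual" = "$expect" ]; then
                echo "ok       $want"
            else
                echo "differs  $name=$actual (thread lists $want)"
                missing=$((missing + 1))
            fi
        else
            echo "absent   $want"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}
# On a live system: audit_cmdline "$(cat /proc/cmdline)"
```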
Re: Fedora 37: Add kernel parameters that help prevent local exploits
That will create a very big performance hit, and disabling SMT will halve the number of threads. On the new CPUs with E and P cores, this can significantly decrease performance.
Re: Fedora 37: Add kernel parameters that help prevent local exploits
This thread was accidentally reposted, please reply to this one https://lists.fedorahosted.org/archives/list/devel@lists.fedoraproject.org/thread/YJ4HKHMLBGCSXZ3S3NSTSARTJNAG7NXC/ . I think it would be useful if there was a centralized CLI and GUI interface for these, but it doesn't exist yet. You have to open multiple configuration files, which most users will not do.