SEP bit disabled in FC
Roland McGrath
roland at redhat.com
Fri Jun 10 01:35:06 UTC 2005
> In arch/i386/kernel/cpu/common.c:
>
> /* hack: disable SEP for non-NX cpus; SEP breaks Execshield. */
> #ifdef CONFIG_HIGHMEM64G
> if (!test_bit(X86_FEATURE_NX, c->x86_capability))
> #endif
> clear_bit(X86_FEATURE_SEP, c->x86_capability);
>
> So, in order to enable Execshield, the SEP cpu bit (sysenter/sysexit) has to
> be turned off. But this costs a lot of performance: as much as 2.5X in
> syscall-heavy benchmarks (e.g., process tests in lmbench).
That is unavoidable on CPUs that do not have NX support. Using sysexit
resets to flat 4GB segments, so you lose the protection of a limited code
segment preventing all readable pages from being executable. When the CPU
supports the NX page table bit, we don't use segments for execute
permission and so it is safe to enable sysenter/sysexit. CPUs being sold
this year have NX support, so you don't have this limitation.
More information about the fedora-devel-list
mailing list