On Thu, Jun 09, 2005 at 06:22:05PM -0700, Jeffrey Buell wrote:
In arch/i386/kernel/cpu/common.c:
/* hack: disable SEP for non-NX cpus; SEP breaks Execshield. */
#ifdef CONFIG_HIGHMEM64G
if (!test_bit(X86_FEATURE_NX, c->x86_capability))
#endif
clear_bit(X86_FEATURE_SEP, c->x86_capability);
So, in order to enable Execshield, the SEP cpu bit (sysenter/sysexit) has to
be turned off. But this costs a lot of performance: as much as 2.5X in
syscall-heavy benchmarks (e.g., process tests in lmbench).
How permanent is this hack? Will Execshield be fixed (or removed) by FC5?
It was going to be reeanbled for FC4, but due to a last minute glitch,
(which we think we fixed), we disabled for it for the release with
the intention of reenabling it in the first kernel update that goes
out for FC4.
Dave