public inbox for gentoo-hardened@lists.gentoo.org
* [gentoo-hardened] Grsecurity slows down a web server?
@ 2009-01-23  4:37 Grant
  2009-01-23  7:55 ` pageexec
  0 siblings, 1 reply; 24+ messages in thread
From: Grant @ 2009-01-23  4:37 UTC
  To: gentoo-hardened

My website seems a bit slower since I enabled grsecurity on that
system.  Is that typical?  Is it most likely due to MPROTECT, or
something else?

- Grant



^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [gentoo-hardened] Grsecurity slows down a web server?
  2009-01-23  4:37 [gentoo-hardened] Grsecurity slows down a web server? Grant
@ 2009-01-23  7:55 ` pageexec
  2009-01-23 14:10   ` Grant
  0 siblings, 1 reply; 24+ messages in thread
From: pageexec @ 2009-01-23  7:55 UTC
  To: gentoo-hardened

On 22 Jan 2009 at 20:37, Grant wrote:

> My website seems a bit slower since I enabled grsecurity on that
> system.  Is that typical?  Is it most likely due to MPROTECT, or
> something else?

can you quantify this slowdown? and what grsec/pax features did you enable?





* Re: [gentoo-hardened] Grsecurity slows down a web server?
  2009-01-23  7:55 ` pageexec
@ 2009-01-23 14:10   ` Grant
  2009-01-23 14:14     ` pageexec
  0 siblings, 1 reply; 24+ messages in thread
From: Grant @ 2009-01-23 14:10 UTC
  To: gentoo-hardened

>> My website seems a bit slower since I enabled grsecurity on that
>> system.  Is that typical?  Is it most likely due to MPROTECT, or
>> something else?
>
> can you quantify this slowdown? and what grsec/pax features did you enable?

I enabled the grsecurity "Gentoo (server)" profile in the hardened
kernel.  I haven't quantified it; it just seems slightly slower.  It's
definitely not a big change.  I'm not really expecting to fix it, I
just thought I'd ask if that was typical.

- Grant




* Re: [gentoo-hardened] Grsecurity slows down a web server?
  2009-01-23 14:10   ` Grant
@ 2009-01-23 14:14     ` pageexec
  2009-01-23 16:45       ` Grant
  0 siblings, 1 reply; 24+ messages in thread
From: pageexec @ 2009-01-23 14:14 UTC
  To: gentoo-hardened

On 23 Jan 2009 at 6:10, Grant wrote:

> >> My website seems a bit slower since I enabled grsecurity on that
> >> system.  Is that typical?  Is it most likely due to MPROTECT, or
> >> something else?
> >
> > can you quantify this slowdown? and what grsec/pax features did you enable?
> 
> I enabled the grsecurity "Gentoo (server)" profile in the hardened
> kernel.

ok, is PAGEEXEC enabled (and SEGMEXEC isn't) and is your cpu some P4 variant
without NX support? that's about the only situation where you should see an
observable slowdown, otherwise i doubt you can perceive a few % without
actual measurements. so if neither is your case, it's definitely worth an
investigation.





* Re: [gentoo-hardened] Grsecurity slows down a web server?
  2009-01-23 14:14     ` pageexec
@ 2009-01-23 16:45       ` Grant
  2009-01-23 16:52         ` René Rhéaume
  2009-01-23 17:22         ` [gentoo-hardened] Grsecurity slows down a web server? Ned Ludd
  0 siblings, 2 replies; 24+ messages in thread
From: Grant @ 2009-01-23 16:45 UTC
  To: gentoo-hardened

>> >> My website seems a bit slower since I enabled grsecurity on that
>> >> system.  Is that typical?  Is it most likely due to MPROTECT, or
>> >> something else?
>> >
>> > can you quantify this slowdown? and what grsec/pax features did you enable?
>>
>> I enabled the grsecurity "Gentoo (server)" profile in the hardened
>> kernel.
>
> ok, is PAGEEXEC enabled (and SEGMEXEC isn't) and is your cpu some P4 variant
> without NX support? that's about the only situation where you should see an
> observable slowdown, otherwise i doubt you can perceive a few % without
> actual measurements. so if neither is your case, it's definitely worth an
> investigation.

Very close.  PAGEEXEC is enabled, but so is SEGMEXEC.  My CPU is a
P4-2.8, and I'm not sure about NX support but these are the flags:

fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36
clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe constant_tsc pebs bts
pni monitor ds_cpl cid xtpr

- Grant




* Re: [gentoo-hardened] Grsecurity slows down a web server?
  2009-01-23 16:45       ` Grant
@ 2009-01-23 16:52         ` René Rhéaume
  2009-01-23 17:14           ` Ermanno Baschiera
                             ` (2 more replies)
  2009-01-23 17:22         ` [gentoo-hardened] Grsecurity slows down a web server? Ned Ludd
  1 sibling, 3 replies; 24+ messages in thread
From: René Rhéaume @ 2009-01-23 16:52 UTC
  To: gentoo-hardened

On Fri, Jan 23, 2009 at 11:45 AM, Grant <emailgrant@gmail.com> wrote:
> Very close.  PAGEEXEC is enabled, but so is SEGMEXEC.  My CPU is a
> P4-2.8, and I'm not sure about NX support but these are the flags:
>
> fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36
> clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe constant_tsc pebs bts
> pni monitor ds_cpl cid xtpr

There is no "nx" in your cpuinfo flags. Therefore, your P4 does not
have the hardware NX bit (or XD bit in Intel wording)




* Re: [gentoo-hardened] Grsecurity slows down a web server?
  2009-01-23 16:52         ` René Rhéaume
@ 2009-01-23 17:14           ` Ermanno Baschiera
  2009-01-23 17:16           ` Grant
  2009-01-24  8:06           ` Enable PAGEEXEC as default? (WAS: Re: [gentoo-hardened] Grsecurity slows down a web server?) David Sommerseth
  2 siblings, 0 replies; 24+ messages in thread
From: Ermanno Baschiera @ 2009-01-23 17:14 UTC
  To: gentoo-hardened

Maybe it can be activated in the BIOS configuration?

-ermanno

2009/1/23 René Rhéaume <rene.rheaume@gmail.com>:
> On Fri, Jan 23, 2009 at 11:45 AM, Grant <emailgrant@gmail.com> wrote:
>> Very close.  PAGEEXEC is enabled, but so is SEGMEXEC.  My CPU is a
>> P4-2.8, and I'm not sure about NX support but these are the flags:
>>
>> fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36
>> clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe constant_tsc pebs bts
>> pni monitor ds_cpl cid xtpr
>
> There is no "nx" in your cpuinfo flags. Therefore, your P4 does not
> have the hardware NX bit (or XD bit in Intel wording)
>
>




* Re: [gentoo-hardened] Grsecurity slows down a web server?
  2009-01-23 16:52         ` René Rhéaume
  2009-01-23 17:14           ` Ermanno Baschiera
@ 2009-01-23 17:16           ` Grant
  2009-01-24 15:45             ` pageexec
  2009-01-24  8:06           ` Enable PAGEEXEC as default? (WAS: Re: [gentoo-hardened] Grsecurity slows down a web server?) David Sommerseth
  2 siblings, 1 reply; 24+ messages in thread
From: Grant @ 2009-01-23 17:16 UTC
  To: gentoo-hardened

>> Very close.  PAGEEXEC is enabled, but so is SEGMEXEC.  My CPU is a
>> P4-2.8, and I'm not sure about NX support but these are the flags:
>>
>> fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36
>> clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe constant_tsc pebs bts
>> pni monitor ds_cpl cid xtpr
>
> There is no "nx" in your cpuinfo flags. Therefore, your P4 does not
> have the hardware NX bit (or XD bit in Intel wording)

I do have SEGMEXEC enabled though.  Should it still be noticeably (but
slightly) slower?  If so, I suppose the best thing to do would be to
upgrade the CPU?

- Grant




* Re: [gentoo-hardened] Grsecurity slows down a web server?
  2009-01-23 16:45       ` Grant
  2009-01-23 16:52         ` René Rhéaume
@ 2009-01-23 17:22         ` Ned Ludd
  2009-01-23 17:51           ` Grant
  1 sibling, 1 reply; 24+ messages in thread
From: Ned Ludd @ 2009-01-23 17:22 UTC
  To: gentoo-hardened

On Fri, 2009-01-23 at 08:45 -0800, Grant wrote:
> >> >> My website seems a bit slower since I enabled grsecurity on that
> >> >> system.  Is that typical?  Is it most likely due to MPROTECT, or
> >> >> something else?
> >> >
> >> > can you quantify this slowdown? and what grsec/pax features did you enable?
> >>
> >> I enabled the grsecurity "Gentoo (server)" profile in the hardened
> >> kernel.
> >
> > ok, is PAGEEXEC enabled (and SEGMEXEC isn't) and is your cpu some P4 variant
> > without NX support? that's about the only situation where you should see an
> > observable slowdown, otherwise i doubt you can perceive a few % without
> > actual measurements. so if neither is your case, it's definitely worth an
> > investigation.
> 
> Very close.  PAGEEXEC is enabled, but so is SEGMEXEC.  My CPU is a
> P4-2.8, and I'm not sure about NX support but these are the flags:


Disable PAGEEXEC and switch to SEGMEXEC on the P4. That slowdown will go
away. No idea why on earth the (server) options would enable such a
thing on the x86 platform.

-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux





* Re: [gentoo-hardened] Grsecurity slows down a web server?
  2009-01-23 17:22         ` [gentoo-hardened] Grsecurity slows down a web server? Ned Ludd
@ 2009-01-23 17:51           ` Grant
  2009-01-23 18:03             ` Ned Ludd
  0 siblings, 1 reply; 24+ messages in thread
From: Grant @ 2009-01-23 17:51 UTC
  To: gentoo-hardened

>> >> >> My website seems a bit slower since I enabled grsecurity on that
>> >> >> system.  Is that typical?  Is it most likely due to MPROTECT, or
>> >> >> something else?
>> >> >
>> >> > can you quantify this slowdown? and what grsec/pax features did you enable?
>> >>
>> >> I enabled the grsecurity "Gentoo (server)" profile in the hardened
>> >> kernel.
>> >
>> > ok, is PAGEEXEC enabled (and SEGMEXEC isn't) and is your cpu some P4 variant
>> > without NX support? that's about the only situation where you should see an
>> > observable slowdown, otherwise i doubt you can perceive a few % without
>> > actual measurements. so if neither is your case, it's definitely worth an
>> > investigation.
>>
>> Very close.  PAGEEXEC is enabled, but so is SEGMEXEC.  My CPU is a
>> P4-2.8, and I'm not sure about NX support but these are the flags:
>
>
> Disable PAGEEXEC and switch to SEGMEXEC on the P4. That slowdown will go
> away. No idea why on earth the (server) options would enable such a
> thing on the x86 platform.

menuconfig isn't letting me disable PAGEEXEC.  Maybe it's tied to
grsecurity "Gentoo (server)"?  I don't want to disable that.  Maybe I
should live with the slowdown?

- Grant




* Re: [gentoo-hardened] Grsecurity slows down a web server?
  2009-01-23 17:51           ` Grant
@ 2009-01-23 18:03             ` Ned Ludd
  2009-01-23 18:14               ` Grant
  0 siblings, 1 reply; 24+ messages in thread
From: Ned Ludd @ 2009-01-23 18:03 UTC
  To: gentoo-hardened

On Fri, 2009-01-23 at 09:51 -0800, Grant wrote:
[snip]

> menuconfig isn't letting me disable PAGEEXEC.  Maybe it's tied to
> grsecurity "Gentoo (server)"?  I don't want to disable that.  Maybe I
> should live with the slowdown?
> 

No you should not.

After selecting server and saving it, you want to then select "Custom";
that will leave all the options enabled from "server". You then scroll
over to the PaX menu and de-select PAGE and select SEGM.

Easy as pie. Good luck.

-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux





* Re: [gentoo-hardened] Grsecurity slows down a web server?
  2009-01-23 18:03             ` Ned Ludd
@ 2009-01-23 18:14               ` Grant
  2009-01-23 18:38                 ` Gordon Malm
  0 siblings, 1 reply; 24+ messages in thread
From: Grant @ 2009-01-23 18:14 UTC
  To: gentoo-hardened

> [snip]
>
>> menuconfig isn't letting me disable PAGEEXEC.  Maybe it's tied to
>> grsecurity "Gentoo (server)"?  I don't want to disable that.  Maybe I
>> should live with the slowdown?
>>
>
> No you should not.
>
> After selecting server and saving it, you want to then select "Custom";
> that will leave all the options enabled from "server". You then scroll
> over to the PaX menu and de-select PAGE and select SEGM.
>
> Easy as pie. Good luck.

Alright, thank you.  PAGEEXEC and SEGMEXEC are both selected via
Gentoo (server) so I disabled PAGEEXEC.  Should I submit a bug too?

- Grant




* Re: [gentoo-hardened] Grsecurity slows down a web server?
  2009-01-23 18:14               ` Grant
@ 2009-01-23 18:38                 ` Gordon Malm
  2009-01-23 19:05                   ` Grant
  0 siblings, 1 reply; 24+ messages in thread
From: Gordon Malm @ 2009-01-23 18:38 UTC
  To: gentoo-hardened

Try 'pspax'.  If there is no NX bit and you enable both PAGEEXEC and SEGMEXEC 
it should not be using PAGEEXEC.

http://www.bumpin.org/pics/PaX/pax_performance-2.6.24.png

Gordon Malm (gengor)

On Friday, January 23, 2009 10:14:11 Grant wrote:
> > [snip]
> >
> >> menuconfig isn't letting me disable PAGEEXEC.  Maybe it's tied to
> >> grsecurity "Gentoo (server)"?  I don't want to disable that.  Maybe I
> >> should live with the slowdown?
> >
> > No you should not.
> >
> > After selecting server and saving it, you want to then select "Custom";
> > that will leave all the options enabled from "server". You then scroll
> > over to the PaX menu and de-select PAGE and select SEGM.
> >
> > Easy as pie. Good luck.
>
> Alright, thank you.  PAGEEXEC and SEGMEXEC are both selected via
> Gentoo (server) so I disabled PAGEEXEC.  Should I submit a bug too?
>
> - Grant






* Re: [gentoo-hardened] Grsecurity slows down a web server?
  2009-01-23 18:38                 ` Gordon Malm
@ 2009-01-23 19:05                   ` Grant
  2009-01-23 19:18                     ` Javier J. Martínez Cabezón
  2009-01-23 20:06                     ` Gordon Malm
  0 siblings, 2 replies; 24+ messages in thread
From: Grant @ 2009-01-23 19:05 UTC
  To: gentoo-hardened

> Try 'pspax'.  If there is no NX bit and you enable both PAGEEXEC and SEGMEXEC
> it should not be using PAGEEXEC.

What should I be looking for from pspax?  I have to admit it does seem
faster now that I've disabled PAGEEXEC.

- Grant


> http://www.bumpin.org/pics/PaX/pax_performance-2.6.24.png
>
> Gordon Malm (gengor)
>
> On Friday, January 23, 2009 10:14:11 Grant wrote:
>> > [snip]
>> >
>> >> menuconfig isn't letting me disable PAGEEXEC.  Maybe it's tied to
>> >> grsecurity "Gentoo (server)"?  I don't want to disable that.  Maybe I
>> >> should live with the slowdown?
>> >
>> > No you should not.
>> >
>> > After selecting server and saving it, you want to then select "Custom";
>> > that will leave all the options enabled from "server". You then scroll
>> > over to the PaX menu and de-select PAGE and select SEGM.
>> >
>> > Easy as pie. Good luck.
>>
>> Alright, thank you.  PAGEEXEC and SEGMEXEC are both selected via
>> Gentoo (server) so I disabled PAGEEXEC.  Should I submit a bug too?
>>
>> - Grant




* Re: [gentoo-hardened] Grsecurity slows down a web server?
  2009-01-23 19:05                   ` Grant
@ 2009-01-23 19:18                     ` Javier J. Martínez Cabezón
  2009-01-23 19:51                       ` Gordon Malm
  2009-01-23 20:06                     ` Gordon Malm
  1 sibling, 1 reply; 24+ messages in thread
From: Javier J. Martínez Cabezón @ 2009-01-23 19:18 UTC
  To: gentoo-hardened

PaX ignores the nx bit in ia32.

2009/1/23 Grant <emailgrant@gmail.com>:
>> Try 'pspax'.  If there is no NX bit and you enable both PAGEEXEC and SEGMEXEC
>> it should not be using PAGEEXEC.
>
> What should I be looking for from pspax?  I have to admit it does seem
> faster now that I've disabled PAGEEXEC.
>
> - Grant
>
>
>> http://www.bumpin.org/pics/PaX/pax_performance-2.6.24.png
>>
>> Gordon Malm (gengor)
>>
>> On Friday, January 23, 2009 10:14:11 Grant wrote:
>>> > [snip]
>>> >
>>> >> menuconfig isn't letting me disable PAGEEXEC.  Maybe it's tied to
>>> >> grsecurity "Gentoo (server)"?  I don't want to disable that.  Maybe I
>>> >> should live with the slowdown?
>>> >
>>> > No you should not.
>>> >
>>> > After selecting server and saving it, you want to then select "Custom";
>>> > that will leave all the options enabled from "server". You then scroll
>>> > over to the PaX menu and de-select PAGE and select SEGM.
>>> >
>>> > Easy as pie. Good luck.
>>>
>>> Alright, thank you.  PAGEEXEC and SEGMEXEC are both selected via
>>> Gentoo (server) so I disabled PAGEEXEC.  Should I submit a bug too?
>>>
>>> - Grant
>
>




* Re: [gentoo-hardened] Grsecurity slows down a web server?
  2009-01-23 19:18                     ` Javier J. Martínez Cabezón
@ 2009-01-23 19:51                       ` Gordon Malm
  0 siblings, 0 replies; 24+ messages in thread
From: Gordon Malm @ 2009-01-23 19:51 UTC
  To: gentoo-hardened

No, it doesn't.

On Friday, January 23, 2009 11:18:11 Javier J. Martínez Cabezón wrote:
> PaX ignores the nx bit in ia32.
>
> 2009/1/23 Grant <emailgrant@gmail.com>:
> >> Try 'pspax'.  If there is no NX bit and you enable both PAGEEXEC and
> >> SEGMEXEC it should not be using PAGEEXEC.
> >
> > What should I be looking for from pspax?  I have to admit it does seem
> > faster now that I've disabled PAGEEXEC.
> >
> > - Grant
> >
> >> http://www.bumpin.org/pics/PaX/pax_performance-2.6.24.png
> >>
> >> Gordon Malm (gengor)
> >>
> >> On Friday, January 23, 2009 10:14:11 Grant wrote:
> >>> > [snip]
> >>> >
> >>> >> menuconfig isn't letting me disable PAGEEXEC.  Maybe it's tied to
> >>> >> grsecurity "Gentoo (server)"?  I don't want to disable that.  Maybe
> >>> >> I should live with the slowdown?
> >>> >
> >>> > No you should not.
> >>> >
> >>> > After selecting server and saving it, you want to then select
> >>> > "Custom"; that will leave all the options enabled from "server". You
> >>> > then scroll over to the PaX menu and de-select PAGE and select SEGM.
> >>> >
> >>> > Easy as pie. Good luck.
> >>>
> >>> Alright, thank you.  PAGEEXEC and SEGMEXEC are both selected via
> >>> Gentoo (server) so I disabled PAGEEXEC.  Should I submit a bug too?
> >>>
> >>> - Grant






* Re: [gentoo-hardened] Grsecurity slows down a web server?
  2009-01-23 19:05                   ` Grant
  2009-01-23 19:18                     ` Javier J. Martínez Cabezón
@ 2009-01-23 20:06                     ` Gordon Malm
  1 sibling, 0 replies; 24+ messages in thread
From: Gordon Malm @ 2009-01-23 20:06 UTC
  To: gentoo-hardened

On Friday, January 23, 2009 11:05:00 Grant wrote:
> > Try 'pspax'.  If there is no NX bit and you enable both PAGEEXEC and
> > SEGMEXEC it should not be using PAGEEXEC.
>
> What should I be looking for from pspax?  I have to admit it does seem
> faster now that I've disabled PAGEEXEC.
>
> - Grant
>

Using PAGEEXEC:

user   18815  PeMRs  w^x  ET_DYN     ftp              =

Using SEGMEXEC:

user   18821  peMRS  w^x  ET_DYN     ftp              =

The Hardened Gentoo Server security level also enables PAX_MEMORY_SANITIZE 
which is good for another 3% or so performance drop.

Gordon Malm (gengor)



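The two pspax lines in the message above differ only in the case of the P and S letters, and that is the whole point of the output: an upper-case letter means the feature is in effect for that process, a lower-case letter means it is not, in the order PAGEEXEC, EMUTRAMP, MPROTECT, RANDMMAP, SEGMEXEC (the same string grsecurity kernels report on the PaX: line of /proc/<pid>/status). The Python below is an added example, not code from this thread or from pax-utils: it decodes that field, parses pspax-style lines, and lists processes running without any NOEXEC mechanism, without MPROTECT, or with a writable-and-executable mapping. The sample lines are constructed from the ones quoted in the thread plus one hypothetical `jit-daemon` process; pspax prints `w^x` in the MAPS column when no mapping is both writable and executable, and the `w|x` value used for the hypothetical process is this example's assumption for the opposite case.

```python
import re

# Order in which grsecurity kernels report per-process PaX flags (the "PaX:" line
# of /proc/<pid>/status, which pspax prints as its PAX column): an upper-case
# letter means the feature is in effect for that process, lower-case that it is not.
PAX_RUNTIME_ORDER = ("PAGEEXEC", "EMUTRAMP", "MPROTECT", "RANDMMAP", "SEGMEXEC")

# Constructed sample: the three pspax lines quoted in this thread plus one
# hypothetical process that runs with no NOEXEC mechanism and a W|X mapping.
SAMPLE_PSPAX = """\
user     18815  PeMRs  w^x  ET_DYN     ftp              =
user     18821  peMRS  w^x  ET_DYN     ftp              =
root     11864  peMRS  w^x  ET_EXEC    openvpn          =ep cap_setpcap-ep
nobody   20417  pemrs  w|x  ET_DYN     jit-daemon       =
"""

_LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+(?P<flags>[PpEeMmRrSs]{5})\s+"
    r"(?P<maps>w[\^|]x)\s+(?P<etype>ET_\w+)\s+(?P<name>\S+)")

def decode_pax_flags(flags):
    """Map a 5-character PEMRS field to {feature: in_effect}."""
    if len(flags) != len(PAX_RUNTIME_ORDER):
        raise ValueError("expected 5 flag characters, got %r" % flags)
    decoded = {}
    for ch, feature in zip(flags, PAX_RUNTIME_ORDER):
        if ch.upper() != feature[0]:
            raise ValueError("%r is not a %s flag" % (ch, feature))
        decoded[feature] = ch.isupper()
    return decoded

def noexec_mechanism(flags):
    """Which non-executable-pages mechanism the process is actually running under."""
    f = decode_pax_flags(flags)
    if f["PAGEEXEC"] and f["SEGMEXEC"]:
        return "both"      # not expected on IA-32, where the kernel picks one
    if f["PAGEEXEC"]:
        return "PAGEEXEC"
    if f["SEGMEXEC"]:
        return "SEGMEXEC"
    return "none"

def parse_pspax(text):
    """Parse pspax output lines; the header and unrecognised lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        procs.append({
            "user": m.group("user"), "pid": int(m.group("pid")),
            "name": m.group("name"), "etype": m.group("etype"),
            "wx_mappings": m.group("maps") == "w|x",
            "flags": decode_pax_flags(m.group("flags")),
            "noexec": noexec_mechanism(m.group("flags")),
        })
    return procs

def audit(text):
    """(pid, name, reason) for every process that weakens the hardened baseline."""
    findings = []
    for p in parse_pspax(text):
        if p["noexec"] == "none":
            findings.append((p["pid"], p["name"], "neither PAGEEXEC nor SEGMEXEC in effect"))
        if not p["flags"]["MPROTECT"]:
            findings.append((p["pid"], p["name"], "MPROTECT not in effect"))
        if p["wx_mappings"]:
            findings.append((p["pid"], p["name"], "has a writable and executable mapping"))
    return findings
```

To run it against a live system, feed it the output of `pspax` (as root, so every process is listed). On Grant's P4 the expected field is peMRS; a PeMRs there would mean PAGEEXEC was chosen without a usable NX bit, which is the "bug somewhere" pageexec describes further down the thread.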

* Enable PAGEEXEC as default?       (WAS: Re: [gentoo-hardened] Grsecurity slows down a web server?)
  2009-01-23 16:52         ` René Rhéaume
  2009-01-23 17:14           ` Ermanno Baschiera
  2009-01-23 17:16           ` Grant
@ 2009-01-24  8:06           ` David Sommerseth
  2009-01-24 13:31             ` Gordon Malm
  2 siblings, 1 reply; 24+ messages in thread
From: David Sommerseth @ 2009-01-24  8:06 UTC
  To: gentoo-hardened


René Rhéaume wrote:
> On Fri, Jan 23, 2009 at 11:45 AM, Grant <emailgrant@gmail.com> wrote:
>> Very close.  PAGEEXEC is enabled, but so is SEGMEXEC.  My CPU is a
>> P4-2.8, and I'm not sure about NX support but these are the flags:
>>
>> fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36
>> clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe constant_tsc pebs bts
>> pni monitor ds_cpl cid xtpr
> 
> There is no "nx" in your cpuinfo flags. Therefore, your P4 does not
> have the hardware NX bit (or XD bit in Intel wording)

Hi all!

I've been following this discussion a little bit.  I do have a Pentium D
processor which does have the "nx" flag available.

I see I do have CONFIG_PAX_PAGEEXEC=y in the kernel config, but I do also
see that all non-kernel processes do have peMRS in the PAX flags when
checking with the pspax command.

Should I strive to get the PAGEEXEC flag set on all processes, or should I
not?

Another thing ... I do not quite understand why processes are listed with
peMRS when paxctl says something a little bit different.  An example:

pspax:
root     11864  peMRS  w^x  ET_EXEC    openvpn          =ep cap_setpcap-ep

paxctl -v /usr/sbin/openvpn:
- PaX flags: -------x-e-- [/usr/sbin/openvpn]
	RANDEXEC is disabled
	EMUTRAMP is disabled

I've scanned through the whole system with "qlist -ao|scanelf -f - -q -x"
and can't say I find anything here which is of concern, it only finds
those paxtest files in /usr/lib/paxtest ... so everything should be
default on the file level.

I was of the understanding that my current setup would give PAGEEXEC as
default.


kind regards,

David Sommerseth




* Re: Enable PAGEEXEC as default?       (WAS: Re: [gentoo-hardened] Grsecurity slows down a web server?)
  2009-01-24  8:06           ` Enable PAGEEXEC as default? (WAS: Re: [gentoo-hardened] Grsecurity slows down a web server?) David Sommerseth
@ 2009-01-24 13:31             ` Gordon Malm
  0 siblings, 0 replies; 24+ messages in thread
From: Gordon Malm @ 2009-01-24 13:31 UTC
  To: gentoo-hardened

On Saturday, January 24, 2009 00:06:25 David Sommerseth wrote:
> René Rhéaume wrote:
> > On Fri, Jan 23, 2009 at 11:45 AM, Grant <emailgrant@gmail.com> wrote:
> >> Very close.  PAGEEXEC is enabled, but so is SEGMEXEC.  My CPU is a
> >> P4-2.8, and I'm not sure about NX support but these are the flags:
> >>
> >> fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36
> >> clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe constant_tsc pebs bts
> >> pni monitor ds_cpl cid xtpr
> >
> > There is no "nx" in your cpuinfo flags. Therefore, your P4 does not
> > have the hardware NX bit (or XD bit in Intel wording)
>
> Hi all!
>
> I've been following this discussion a little bit.  I do have a Pentium D
> processor which does have the "nx" flag available.
>
> I see I do have CONFIG_PAX_PAGEEXEC=y in the kernel config, but I do also
> see that all non-kernel processes do have peMRS in the PAX flags when
> checking with the pspax command.
>
> Should I strive to get the PAGEEXEC flag set on all processes, or should I
> not?
>
> Another thing ... I do not quite understand why processes are listed with
> peMRS when paxctl says something a little bit different.  An example:
>
> pspax:
> root     11864  peMRS  w^x  ET_EXEC    openvpn          =ep cap_setpcap-ep
>
> paxctl -v /usr/sbin/openvpn:
> - PaX flags: -------x-e-- [/usr/sbin/openvpn]
> 	RANDEXEC is disabled
> 	EMUTRAMP is disabled
>
> I've scanned through the whole system with "qlist -ao|scanelf -f - -q -x"
> and can't say I find anything here which is of concern, it only finds
> those paxtest files in /usr/lib/paxtest ... so everything should be
> default on the file level.
>
> I was of the understanding that my current setup would give PAGEEXEC as
> default.
>
>
> kind regards,
>
> David Sommerseth

When you enable both SEGMEXEC and PAGEEXEC on IA32, modern PaX will use 
PAGEEXEC if the nx bit is accessible and fall back to SEGMEXEC if it is not.  
This is why both can be enabled safely, even on old P4s without an NX bit.  
When you 'cat /proc/cpuinfo', it is showing you the processor's capability, 
but that doesn't mean the NX bit is accessible.  To make the NX bit 
accessible you need to enable PAE.  You can do this by choosing NOHIGHMEM+PAE 
or HIGHMEM64G (which selects PAE automatically) in your kernel config.

Re:
PaX flags: -------x-e-- [/usr/sbin/openvpn]

What this means is you are leaving PaX to act on its default behavior 
according to how it is configured in the kernel, with the exception of 
RANDEXEC and EMUTRAMP which have been explicitly disabled.

The peMRS shows you that PAGEEXEC and EMUTRAMP are not in effect for this 
process, but SEGMEXEC, MPROTECT and ASLR are.

http://www.bumpin.org/pics/PaX/pax_performance-2.6.24.png
(Note: The easiest way to interpret this chart is to ignore the figures for 
NoNX/NOEXEC=y and NX/NOEXEC=y - these were academic tests more than anything 
and are rather meaningless)

As you can see PAGEEXEC with an NX bit does have a very minor speed advantage 
over SEGMEXEC.  PAGEEXEC also has the advantage of not cutting a process's 
address space in half.  Without an NX bit available, PAGEEXEC is a fair hit 
on IA32.  Pentium 4s without an NX bit take an even larger hit:

http://www.pjvenda.org/linux/doc/pax-performance/

That the P4's result would be very different from others' is not surprising.  
It utilizes the very different NetBurst microarchitecture and has a 20-31 (31 
on Prescott and Cedar Mill) stage pipeline. Compare this to 10 for the P3, 14 
for the Core2, 12 for the Athlon64, 10 for the AthlonXP, etc.; you get the 
picture.

So if you have an NX bit, yes, use it.  If you don't, SEGMEXEC is a good 
alternative.  It is safe to enable both options, PaX is smart enough to 
choose between the two.

Gordon Malm (gengor)



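Gordon's rule above (with both mechanisms compiled in, PaX takes PAGEEXEC when the NX bit is present and usable, which on IA-32 means PAE page tables, and falls back to SEGMEXEC otherwise) and his reading of the `paxctl -v` field can be written down as a checker. The Python below is an added example, not code from the thread, from PaX or from pax-utils. It parses /proc/cpuinfo-style text and a kernel .config, decides whether NX is usable, decodes the 12-character paxctl mark field (two columns per feature in the order PAGEEXEC, SEGMEXEC, MPROTECT, RANDEXEC, EMUTRAMP, RANDMMAP, which is why `-------x-e--` reads as RANDEXEC and EMUTRAMP disabled) and predicts the PEMRS field pspax should show. The cpuinfo and .config texts are constructed (CONFIG_X86_PAE and CONFIG_HIGHMEM64G are the symbols behind the PAE and HIGHMEM64G options Gordon names); how a forced or disabled mark overrides the kernel's choice, and EMUTRAMP being off unless marked on, are this example's assumptions.

```python
import re

# The six PaX marks in the order paxctl -v prints them, two columns each:
# upper-case letter = forced on, lower-case = forced off, '-' = kernel default.
PAXCTL_ORDER = (("PAGEEXEC", "P"), ("SEGMEXEC", "S"), ("MPROTECT", "M"),
                ("RANDEXEC", "X"), ("EMUTRAMP", "E"), ("RANDMMAP", "R"))

# Constructed samples: Grant's P4 flag list as quoted in the thread, and a
# hypothetical NX-capable CPU (Gordon's Pentium D case).
CPUINFO_P4 = ("processor\t: 0\n"
              "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36 "
              "clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe constant_tsc pebs bts "
              "pni monitor ds_cpl cid xtpr\n")
CPUINFO_NX = CPUINFO_P4.replace(" pse36 ", " pse36 nx ")

# Hypothetical 32-bit hardened .config fragments: same PaX options, PAE off and on.
KCONFIG_NOPAE = """\
# CONFIG_X86_PAE is not set
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_EMUTRAMP=y
"""
KCONFIG_PAE = KCONFIG_NOPAE.replace("# CONFIG_X86_PAE is not set", "CONFIG_X86_PAE=y")

def cpu_flags(cpuinfo_text):
    """Feature flags of the first CPU in /proc/cpuinfo-style text."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()

def kconfig(config_text):
    """Parse .config text into {symbol: True | False | value string}."""
    cfg = {}
    for line in config_text.splitlines():
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            cfg[m.group(1)] = False
            continue
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m:
            cfg[m.group(1)] = True if m.group(2) == "y" else m.group(2)
    return cfg

def nx_usable(cpuinfo_text, config_text):
    """NX advertised by the CPU *and* reachable by the kernel.  On IA-32 the NX
    bit lives in PAE page-table entries, so CONFIG_X86_PAE (selected by
    CONFIG_HIGHMEM64G) must be on; x86-64 page tables always have it."""
    cfg = kconfig(config_text)
    if "nx" not in cpu_flags(cpuinfo_text):
        return False
    if cfg.get("CONFIG_X86_64"):
        return True
    return bool(cfg.get("CONFIG_X86_PAE") or cfg.get("CONFIG_HIGHMEM64G"))

def parse_paxctl_marks(mark_string):
    """Decode the 12-character field of paxctl -v into
    {feature: True (forced on) | False (forced off) | None (kernel default)}."""
    if len(mark_string) != 2 * len(PAXCTL_ORDER):
        raise ValueError("expected 12 characters, got %r" % mark_string)
    marks = {}
    for i, (feature, letter) in enumerate(PAXCTL_ORDER):
        on, off = mark_string[2 * i], mark_string[2 * i + 1]
        if on not in ("-", letter) or off not in ("-", letter.lower()) or "-" not in (on, off):
            raise ValueError("bad %s column %r" % (feature, on + off))
        marks[feature] = True if on != "-" else (False if off != "-" else None)
    return marks

def effective_noexec(cpuinfo_text, config_text, marks):
    """The selection rule Gordon and pageexec describe: with both compiled in,
    PAGEEXEC when NX is usable, SEGMEXEC otherwise.  How a forced or disabled
    mark interacts with that choice is this example's assumption."""
    cfg = kconfig(config_text)
    page = cfg.get("CONFIG_PAX_PAGEEXEC") and marks["PAGEEXEC"] is not False
    segm = cfg.get("CONFIG_PAX_SEGMEXEC") and marks["SEGMEXEC"] is not False
    if page and marks["PAGEEXEC"]:
        return "PAGEEXEC"   # forced on: emulated (the slow P4 case) without usable NX
    if segm and marks["SEGMEXEC"]:
        return "SEGMEXEC"
    if page and segm:
        return "PAGEEXEC" if nx_usable(cpuinfo_text, config_text) else "SEGMEXEC"
    return "PAGEEXEC" if page else ("SEGMEXEC" if segm else None)

def runtime_flags(cpuinfo_text, config_text, mark_string):
    """Predict the PEMRS field pspax would show for a binary carrying these marks."""
    cfg = kconfig(config_text)
    marks = parse_paxctl_marks(mark_string)
    noexec = effective_noexec(cpuinfo_text, config_text, marks)

    def on(feature, default):  # compiled in, and the mark (or the default) says on
        return bool(cfg.get("CONFIG_PAX_" + feature)) and (
            default if marks[feature] is None else marks[feature])

    state = (("PAGEEXEC", noexec == "PAGEEXEC"),
             ("EMUTRAMP", on("EMUTRAMP", False)),  # assumed off unless marked on
             ("MPROTECT", on("MPROTECT", True)),
             ("RANDMMAP", on("RANDMMAP", True)),
             ("SEGMEXEC", noexec == "SEGMEXEC"))
    return "".join(n[0] if active else n[0].lower() for n, active in state)
```

On a live box, pass it the contents of /proc/cpuinfo and of /proc/config.gz (or /boot/config-*) together with the field `paxctl -v` prints for the binary, and compare the result with the PAX column pspax shows for the running process. For Grant's P4 with the default `-------x-e--` marking the prediction is peMRS, which is exactly what he reports once he checks.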

* Re: [gentoo-hardened] Grsecurity slows down a web server?
  2009-01-23 17:16           ` Grant
@ 2009-01-24 15:45             ` pageexec
  2009-01-24 16:51               ` Grant
  0 siblings, 1 reply; 24+ messages in thread
From: pageexec @ 2009-01-24 15:45 UTC
  To: gentoo-hardened

On 23 Jan 2009 at 9:16, Grant wrote:

> > There is no "nx" in your cpuinfo flags. Therefore, your P4 does not
> > have the hardware NX bit (or XD bit in Intel wording)
> 
> I do have SEGMEXEC enabled though.  Should it still be noticeably (but
> slightly) slower?  If so, I suppose the best thing to do would be to
> upgrade the CPU?

if both PAGEEXEC and SEGMEXEC are enabled, PaX uses one of them by default,
depending on whether your CPU and kernel config supports the NX bit or not
(yes, you need to enable PAE support in the kernel in order to actually be
able to use the NX bit). in your case the CPU has no NX support so PaX should
have fallen back to SEGMEXEC (pspax could confirm it) and not PAGEEXEC. can
you check what really happened? because if PAGEEXEC was chosen by default on
your CPU, there's a bug somewhere...





* Re: [gentoo-hardened] Grsecurity slows down a web server?
  2009-01-24 16:51               ` Grant
@ 2009-01-24 16:40                 ` pageexec
  2009-01-24 18:48                   ` Grant
  0 siblings, 1 reply; 24+ messages in thread
From: pageexec @ 2009-01-24 16:40 UTC
  To: gentoo-hardened

On 24 Jan 2009 at 8:51, Grant wrote:

> Nope, you guys are absolutely right.  It falls back to peMRS whether
> or not I enable PAGEEXEC since I don't have the nx flag.

ok, so coming back to your original problem, are you saying that you
had an observable slowdown due to SEGMEXEC? if so, i'd like to see some
numbers and think about it, if you have some time.





* Re: [gentoo-hardened] Grsecurity slows down a web server?
  2009-01-24 15:45             ` pageexec
@ 2009-01-24 16:51               ` Grant
  2009-01-24 16:40                 ` pageexec
  0 siblings, 1 reply; 24+ messages in thread
From: Grant @ 2009-01-24 16:51 UTC
  To: gentoo-hardened

>> > There is no "nx" in your cpuinfo flags. Therefore, your P4 does not
>> > have the hardware NX bit (or XD bit in Intel wording)
>>
>> I do have SEGMEXEC enabled though.  Should it still be noticeably (but
>> slightly) slower?  If so, I suppose the best thing to do would be to
>> upgrade the CPU?
>
> if both PAGEEXEC and SEGMEXEC are enabled, PaX uses one of them by default,
> depending on whether your CPU and kernel config supports the NX bit or not
> (yes, you need to enable PAE support in the kernel in order to actually be
> able to use the NX bit). in your case the CPU has no NX support so PaX should
> have fallen back to SEGMEXEC (pspax could confirm it) and not PAGEEXEC. can
> you check what really happened? because if PAGEEXEC was chosen by default on
> your CPU, there's a bug somewhere...

Nope, you guys are absolutely right.  It falls back to peMRS whether
or not I enable PAGEEXEC since I don't have the nx flag.

- Grant




* Re: [gentoo-hardened] Grsecurity slows down a web server?
  2009-01-24 16:40                 ` pageexec
@ 2009-01-24 18:48                   ` Grant
  2009-01-26 14:04                     ` pageexec
  0 siblings, 1 reply; 24+ messages in thread
From: Grant @ 2009-01-24 18:48 UTC
  To: gentoo-hardened

>> Nope, you guys are absolutely right.  It falls back to peMRS whether
>> or not I enable PAGEEXEC since I don't have the nx flag.
>
> ok, so coming back to your original problem, are you saying that you
> had an observable slowdown due to SEGMEXEC? if so, i'd like to see some
> numbers and think about it, if you have some time.

I thought there was a slowdown going from no grsecurity to grsecurity
"Gentoo (server)",  but now I'm not so sure.  I'll keep an eye on it
for sure.  Would you consider an external http monitor's response
times over 24 hours a good indicator of whether or not I should
investigate further and do real benchmarking?

- Grant




* Re: [gentoo-hardened] Grsecurity slows down a web server?
  2009-01-24 18:48                   ` Grant
@ 2009-01-26 14:04                     ` pageexec
  0 siblings, 0 replies; 24+ messages in thread
From: pageexec @ 2009-01-26 14:04 UTC
  To: gentoo-hardened

On 24 Jan 2009 at 10:48, Grant wrote:

> >> Nope, you guys are absolutely right.  It falls back to peMRS whether
> >> or not I enable PAGEEXEC since I don't have the nx flag.
> >
> > ok, so coming back to your original problem, are you saying that you
> > had an observable slowdown due to SEGMEXEC? if so, i'd like to see some
> > numbers and think about it, if you have some time.
> 
> I thought there was a slowdown going from no grsecurity to grsecurity
> "Gentoo (server)",  but now I'm not so sure.  I'll keep an eye on it
> for sure.  Would you consider an external http monitor's response
> times over 24 hours a good indicator of whether or not I should
> investigate further and do real benchmarking?

well, i thought you'd tell me what made you think that things became
slower than before ;). however if there's a slowdown, i doubt timing
over a network would be the best way to find out, i'd prefer direct
measurements on the affected host. so whenever you feel like it's
still worth doing it... ;)




