Date: Fri, 23 Jan 2009 08:45:17 -0800
Subject: Re: [gentoo-hardened] Grsecurity slows down a web server?
From: Grant
To: gentoo-hardened@lists.gentoo.org

>> >> My website seems a bit slower since I enabled grsecurity on that
>> >> system. Is that typical? Is it most likely due to MPROTECT, or
>> >> something else?
>> >
>> > can you quantify this slowdown? and what grsec/pax features did you enable?
>>
>> I enabled the grsecurity "Gentoo (server)" profile in the hardened
>> kernel.
>
> ok, is PAGEEXEC enabled (and SEGMEXEC isn't) and is your cpu some P4 variant
> without NX support? that's about the only situation where you should see an
> observable slowdown, otherwise i doubt you can perceive a few % without
> actual measurements. so if neither is your case, it's definitely worth an
> investigation.

Very close. PAGEEXEC is enabled, but so is SEGMEXEC. My CPU is a
P4-2.8, and I'm not sure about NX support but these are the flags:

fpu vme de pse tsc msr pae mce cx8 apic mtrr pge mca cmov pat pse36
clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe constant_tsc pebs bts
pni monitor ds_cpl cid xtpr

- Grant