> If we have NX (which anything made in the last few years will)
> it's a performance win to use the hardware NX instead of the
> segment limit hack we implemented in execshield.

It's more than performance.  The segment limit hack is a hack, and does not
actually do full enforcement in all cases (though we have already bent over
backward to ensure that these cases do not come up by default).  
Hardware NX is 100% reliable.

> Syscalls in particular should be a lot faster, as you get to
> use the sysenter/sysexit instructions which are faster than using
> the int 80h entrypoint. (The way the segment limits work is
> incompatible with sysenter/sysexit).

This is indeed quite a big hit.


Thanks,
Roland

_______________________________________________
Fedora-kernel-list mailing list
Fedora-kernel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-kernel-list
