Subject: Re: Veriexec enabled by default
To: None <tech-kern@NetBSD.org>
From: Elad Efrat <elad@NetBSD.org>
List: tech-kern
Date: 10/26/2006 23:39:58
This is a multi-part message in MIME format.

--Boundary_(ID_up5i7tgqLTa9gg+oTU0C0A)
Content-type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: 7BIT

Someone suggested trying to reduce the overhead even more. So, the attached
diff produces these numbers:

optimized-1:Process fork+exit: 182.9655 microseconds
optimized-1:Process fork+execve: 666.6250 microseconds
optimized-1:Process fork+/bin/sh -c: 2282.0000 microseconds

optimized-2:Process fork+exit: 188.7407 microseconds
optimized-2:Process fork+execve: 680.2500 microseconds
optimized-2:Process fork+/bin/sh -c: 2281.0000 microseconds

optimized-3:Process fork+exit: 191.2222 microseconds
optimized-3:Process fork+execve: 665.1250 microseconds
optimized-3:Process fork+/bin/sh -c: 2274.6667 microseconds

-e.

Elad Efrat wrote:
> Jason Thorpe wrote:
> 
>> How about results for just GENERIC?  LOCKDEBUG, especially, is going to
>> skew the results.
> 
> no-veriexec-1:Process fork+exit: 186.2222 microseconds
> no-veriexec-1:Process fork+execve: 690.7500 microseconds
> no-veriexec-1:Process fork+/bin/sh -c: 2323.6667 microseconds
> 
> veriexec-nop-1:Process fork+exit: 191.7308 microseconds
> veriexec-nop-1:Process fork+execve: 673.5000 microseconds
> veriexec-nop-1:Process fork+/bin/sh -c: 2299.0000 microseconds
> 
> no-veriexec-2:Process fork+exit: 186.8621 microseconds
> no-veriexec-2:Process fork+execve: 661.1250 microseconds
> no-veriexec-2:Process fork+/bin/sh -c: 2286.3333 microseconds
> 
> veriexec-nop-2:Process fork+exit: 195.2963 microseconds
> veriexec-nop-2:Process fork+execve: 688.5000 microseconds
> veriexec-nop-2:Process fork+/bin/sh -c: 2308.0000 microseconds
> 
> no-veriexec-3:Process fork+exit: 186.5926 microseconds
> no-veriexec-3:Process fork+execve: 680.6250 microseconds
> no-veriexec-3:Process fork+/bin/sh -c: 2273.6667 microseconds
> 
> veriexec-nop-3:Process fork+exit: 194.5769 microseconds
> veriexec-nop-3:Process fork+execve: 685.7500 microseconds
> veriexec-nop-3:Process fork+/bin/sh -c: 2293.3333 microseconds
> 
> -e.
> 


-- 
Elad Efrat

--Boundary_(ID_up5i7tgqLTa9gg+oTU0C0A)
Content-type: text/plain; name=veriexec_optimize.diff
Content-transfer-encoding: 7BIT
Content-disposition: inline; filename=veriexec_optimize.diff

Index: dev/verified_exec.c
===================================================================
RCS file: /cvsroot/src/sys/dev/verified_exec.c,v
retrieving revision 1.44
diff -u -p -r1.44 verified_exec.c
--- dev/verified_exec.c	12 Oct 2006 01:30:51 -0000	1.44
+++ dev/verified_exec.c	26 Oct 2006 21:20:14 -0000
@@ -343,6 +343,8 @@ veriexec_load(struct veriexec_params *pa
 	veriexec_report("New entry.", params->file, NULL, REPORT_DEBUG);
 
 	error = veriexec_hashadd(nid.ni_vp, e);
+	if (!error)
+		veriexec_active = TRUE;
 
  out:
 	vrele(nid.ni_vp);
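Review bot: Setting `veriexec_active` in veriexec_load() makes the lookup gate depend on every path that inserts entries remembering to set it. If any other caller of veriexec_hashadd() exists (none is visible in this diff), its entries would sit in the table while veriexec_verify() still skips the lookup, which fails open; setting the flag on the success path inside veriexec_hashadd() would tie it to the insertion itself. The flag is also written only after the entry has been added, so an exec that runs between the two steps would skip the lookup for an entry that is already present, unless the kernel's locking serialises load and verify, which is worth confirming. veriexec_load() starts and ends outside this hunk.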
Index: sys/verified_exec.h
===================================================================
RCS file: /cvsroot/src/sys/sys/verified_exec.h,v
retrieving revision 1.39
diff -u -p -r1.39 verified_exec.h
--- sys/verified_exec.h	11 Aug 2006 19:17:47 -0000	1.39
+++ sys/verified_exec.h	26 Oct 2006 21:20:15 -0000
@@ -113,6 +113,7 @@ extern int veriexec_strict;
 extern const struct sysctlnode *veriexec_count_node;
 #endif /* VERIEXEC_NEED_NODE */
 extern int veriexec_hook;
+extern boolean_t veriexec_active;
 
 /*
  * Operations vector for verified exec, this defines the characteristics
Index: kern/kern_verifiedexec.c
===================================================================
RCS file: /cvsroot/src/sys/kern/kern_verifiedexec.c,v
retrieving revision 1.67
diff -u -p -r1.67 kern_verifiedexec.c
--- kern/kern_verifiedexec.c	24 Oct 2006 22:38:41 -0000	1.67
+++ kern/kern_verifiedexec.c	26 Oct 2006 21:20:18 -0000
@@ -70,6 +70,8 @@ const struct sysctlnode *veriexec_count_
 
 int veriexec_hook;
 
+boolean_t veriexec_active = FALSE;
+
 /* Veriexecs table of hash types and their associated information. */
 LIST_HEAD(veriexec_ops_head, veriexec_fp_ops) veriexec_ops_list;
 
@@ -406,7 +408,7 @@ veriexec_verify(struct lwp *l, struct vn
 		return (0);
 
 	/* Lookup veriexec table entry, save pointer if requested. */
-	vfe = veriexec_lookup(vp);
+	vfe = veriexec_active ? veriexec_lookup(vp) : NULL;
 	if (ret != NULL)
 		*ret = vfe;
 	if (vfe == NULL)
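Review bot: `veriexec_active` is read here with no visible locking and no documented lifetime, and nothing in this diff sets it back to FALSE, so it behaves as a one-way latch. A comment at its definition in the earlier hunk of this file would make that explicit, e.g. `/* Set when the first entry is loaded, never cleared; when FALSE veriexec_verify() skips the table lookup. */`. With the flag FALSE, `vfe` is NULL and the `vfe == NULL` branch runs, so the handling of files without an entry presumably still applies; that branch lies outside the hunk and should be checked to confirm the shortcut does not change the outcome at higher strict levels. veriexec_verify() continues past the hunk.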

--Boundary_(ID_up5i7tgqLTa9gg+oTU0C0A)--