Date: Tue, 27 Mar 2018 20:33:07 +0200 From: Solar Designer <solar@...nwall.com> To: announce@...ts.openwall.com, lkrg-users@...ts.openwall.com Subject: LKRG 0.2 Hi, We'd like to announce Linux Kernel Runtime Guard (LKRG) version 0.2: http://www.openwall.com/lkrg/ The following changes have been made between LKRG 0.1 and 0.2: *) Add support for being loaded at early boot stage (e.g. from initramfs) *) [CI] Add a new sysctl to control whether LKRG performs code integrity checks on random events (or only at regular intervals) *) Reduce performance impact, e.g. in our specific test case: -> Average cost of running a fully enabled LKRG => 2.5% -> Average cost of running LKRG without the code integrity checks on random events (disabled with the new sysctl) => 0.7% *) [CI] Fix a potential deadlock bug caused by get_online_cpus() function, which might sleep if CONFIG_PREEMPT_VOLUNTARY=y *) [CI] Fix dynamic NOPs injected by *_JUMP_LABEL for MWESTMERE *) [CI] Remove false positives caused by *_JUMP_LABEL in corner case scenarios *) [ED] Remove false positives when kernel executes usermode helper binaries Legend: [CI] - Code Integrity [ED] - Exploit Detection The "specific test case" mentioned above is building John the Ripper 1.8.0-jumbo-1 with "./configure CFLAGS='-O0'" (that is, with compiler optimizations disabled in order to artificially reduce the amount of processing in userspace and increase the frequency of syscalls, thereby exposing LKRG's possible performance impact more) and "make -j8" on an Atom C2750 machine (8 Silvermont cores) running VzLinux (Virtuozzo 7). The performance impact is measured only for the "make -j8" step (that is, at full system load, which is most relevant for server capacity). Like before, this release is almost entirely due to work by Adam 'pi3' Zabrocki. Thanks, Adam! Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.