Hello, I wonder why the binary hardening on linux using Relocation Read-Only (relro) is not enabled by default.
Some info can be found here : https://wiki.debian.org/Hardening https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro Currently I notice the settings only for debug / fastdebug builds , see flags-ldflags.m4 : # Setup debug level-dependent LDFLAGS if test "x$TOOLCHAIN_TYPE" = xgcc; then if test "x$OPENJDK_TARGET_OS" = xlinux; then if test x$DEBUG_LEVEL = xrelease; then DEBUGLEVEL_LDFLAGS_JDK_ONLY="$DEBUGLEVEL_LDFLAGS_JDK_ONLY -Wl,-O1" else # mark relocations read only on (fast/slow) debug builds DEBUGLEVEL_LDFLAGS_JDK_ONLY="-Wl,-z,relro" fi if test x$DEBUG_LEVEL = xslowdebug; then # do relocations at load DEBUGLEVEL_LDFLAGS="-Wl,-z,now" fi fi Shouldn't we use at least "-Wl,-z,relro" also on product builds ? For "-Wl,-z,now" some startup performance hits are mentioned in articles/blogs - any experiences / performance-measurements with this in the OpenJDK context ? Best regards, Matthias
