RE: binary Hardening on linux using Relocation Read-Only (relro)

Tue, 26 Nov 2019 04:27:50 -0800 

> I would  involve at least hotspot-dev for a wider discussion on this as 
> libjvm is
> the most affected library.

Hello Erik, Florian ,  currently   relro  is set already  for libjvm.
I think if this works nicely  for libjvm, it shouldn't do any harm to set it as 
well   in the BASIC_LDFLAGS  for other binaries .
I would propose a patch like :

diff -r 80e1201f6c9a make/autoconf/flags-ldflags.m4
--- a/make/autoconf/flags-ldflags.m4    Fri Nov 22 09:06:35 2019 -0500
+++ b/make/autoconf/flags-ldflags.m4    Tue Nov 26 13:05:42 2019 +0100
@@ -70,10 +70,9 @@
     fi
 
     # Add -z defs, to forbid undefined symbols in object files.
-    BASIC_LDFLAGS="$BASIC_LDFLAGS -Wl,-z,defs"
-
-    BASIC_LDFLAGS_JVM_ONLY="-Wl,-O1 -Wl,-z,relro"
-
+    # add relro (mark relocations read only) for all libs
+    BASIC_LDFLAGS="$BASIC_LDFLAGS -Wl,-z,defs -Wl,-z,relro"
+    BASIC_LDFLAGS_JVM_ONLY="-Wl,-O1"


If I understand 
https://bugzilla.redhat.com/show_bug.cgi?id=1571359
correct, RedHat is setting those flags already  via the build system .

Regarding  "bindnow"  (ld -z now) ,   this might be set  additionally   by 
using --with-extra-ldflags .


Best regards, Matthias


> Hello,
> 
> I wasn't directly involved in introducing these flags, but my
> understanding is that it's always a performance compromise. I would
> involve at least hotspot-dev for a wider discussion on this as libjvm is
> the most affected library.
> 
> /Erik
> 
> On 2019-11-25 06:42, Baesken, Matthias wrote:
> > Hello,   I wonder why  the  binary hardening  on linux  using Relocation
> Read-Only (relro)  is not enabled by default.
> >
> > Some info can be found here :
> >
> > https://wiki.debian.org/Hardening
> >
> > https://www.redhat.com/en/blog/hardening-elf-binaries-using-
> relocation-read-only-relro
> >
> >
> > Currently I  notice  the settings only  for debug  / fastdebug builds , see
> flags-ldflags.m4 :
> >
> >    # Setup debug level-dependent LDFLAGS
> >    if test "x$TOOLCHAIN_TYPE" = xgcc; then
> >      if test "x$OPENJDK_TARGET_OS" = xlinux; then
> >        if test x$DEBUG_LEVEL = xrelease; then
> >
> DEBUGLEVEL_LDFLAGS_JDK_ONLY="$DEBUGLEVEL_LDFLAGS_JDK_ONLY -
> Wl,-O1"
> >        else
> >          # mark relocations read only on (fast/slow) debug builds
> >          DEBUGLEVEL_LDFLAGS_JDK_ONLY="-Wl,-z,relro"
> >        fi
> >        if test x$DEBUG_LEVEL = xslowdebug; then
> >          # do relocations at load
> >          DEBUGLEVEL_LDFLAGS="-Wl,-z,now"
> >        fi
> >      fi
> >
> > Shouldn't we use  at least  "-Wl,-z,relro" also on product builds ?
> >
> > For  "-Wl,-z,now"   some  startup  performance hits are mentioned in
> articles/blogs -  any experiences / performance-measurements   with this in
> the OpenJDK  context ?
> >
> > Best regards, Matthias
> >

Reply via email to