Hello Erik, Florian , currently relro is set already for libjvm.
I think if this works nicely for libjvm, it shouldn't do any harm to set it as
well
in the BASIC_LDFLAGS for other binaries .
I would propose a patch like :
I would involve at least hotspot-dev for a wider discussion on this as libjvm
is
the most affected library.
Hello Erik, Florian , currently relro is set already for libjvm.
I think if this works nicely for libjvm, it shouldn't do any harm to set it as
well
in the BASIC_LDFLAGS for other binaries .
I would propose a patch like :
diff -r 80e1201f6c9a make/autoconf/flags-ldflags.m4
--- a/make/autoconf/flags-ldflags.m4 Fri Nov 22 09:06:35 2019 -0500
+++ b/make/autoconf/flags-ldflags.m4 Tue Nov 26 13:05:42 2019 +0100
@@ -70,10 +70,9 @@
fi
# Add -z defs, to forbid undefined symbols in object files.
- BASIC_LDFLAGS="$BASIC_LDFLAGS -Wl,-z,defs"
-
- BASIC_LDFLAGS_JVM_ONLY="-Wl,-O1 -Wl,-z,relro"
-
+ # add relro (mark relocations read only) for all libs
+ BASIC_LDFLAGS="$BASIC_LDFLAGS -Wl,-z,defs -Wl,-z,relro"
+ BASIC_LDFLAGS_JVM_ONLY="-Wl,-O1"
If I understand
https://bugzilla.redhat.com/show_bug.cgi?id=1571359
correct, RedHat is setting those flags already via the build system .
Regarding "bindnow" (ld -z now) , this might be set additionally by
using --
with-extra-ldflags .
Best regards, Matthias
Hello,
I wasn't directly involved in introducing these flags, but my
understanding is that it's always a performance compromise. I would
involve at least hotspot-dev for a wider discussion on this as libjvm is
the most affected library.
/Erik
On 2019-11-25 06:42, Baesken, Matthias wrote:
Hello, I wonder why the binary hardening on linux using Relocation
Read-Only (relro) is not enabled by default.
Some info can be found here :
https://wiki.debian.org/Hardening
https://www.redhat.com/en/blog/hardening-elf-binaries-using-
relocation-read-only-relro
Currently I notice the settings only for debug / fastdebug builds , see
flags-ldflags.m4 :
# Setup debug level-dependent LDFLAGS
if test "x$TOOLCHAIN_TYPE" = xgcc; then
if test "x$OPENJDK_TARGET_OS" = xlinux; then
if test x$DEBUG_LEVEL = xrelease; then
DEBUGLEVEL_LDFLAGS_JDK_ONLY="$DEBUGLEVEL_LDFLAGS_JDK_ONLY -
Wl,-O1"
else
# mark relocations read only on (fast/slow) debug builds
DEBUGLEVEL_LDFLAGS_JDK_ONLY="-Wl,-z,relro"
fi
if test x$DEBUG_LEVEL = xslowdebug; then
# do relocations at load
DEBUGLEVEL_LDFLAGS="-Wl,-z,now"
fi
fi
Shouldn't we use at least "-Wl,-z,relro" also on product builds ?
For "-Wl,-z,now" some startup performance hits are mentioned in
articles/blogs - any experiences / performance-measurements with this
in
the OpenJDK context ?
Best regards, Matthias
