Thanks ! Florian, may I add you as reviewer ?
Best regards, Matthias > Looks good. > > /Erik > > On 2019-11-26 05:07, Baesken, Matthias wrote: > >> Hello Erik, Florian , currently relro is set already for libjvm. > >> I think if this works nicely for libjvm, it shouldn't do any harm to set > >> it as > well > >> in the BASIC_LDFLAGS for other binaries . > >> I would propose a patch like : > > Hello, here is my webrev , please review . > > > > Bug/webrev : > > > > https://bugs.openjdk.java.net/browse/JDK-8234809 > > > > http://cr.openjdk.java.net/~mbaesken/webrevs/8234809.0/ > > > > > > Thanks, Matthias > > > >>> I would involve at least hotspot-dev for a wider discussion on this as > libjvm > >> is > >>> the most affected library. > >> Hello Erik, Florian , currently relro is set already for libjvm. > >> I think if this works nicely for libjvm, it shouldn't do any harm to set > >> it as > well > >> in the BASIC_LDFLAGS for other binaries . > >> I would propose a patch like : > >> > >> diff -r 80e1201f6c9a make/autoconf/flags-ldflags.m4 > >> --- a/make/autoconf/flags-ldflags.m4 Fri Nov 22 09:06:35 2019 -0500 > >> +++ b/make/autoconf/flags-ldflags.m4 Tue Nov 26 13:05:42 2019 +0100 > >> @@ -70,10 +70,9 @@ > >> fi > >> > >> # Add -z defs, to forbid undefined symbols in object files. > >> - BASIC_LDFLAGS="$BASIC_LDFLAGS -Wl,-z,defs" > >> - > >> - BASIC_LDFLAGS_JVM_ONLY="-Wl,-O1 -Wl,-z,relro" > >> - > >> + # add relro (mark relocations read only) for all libs > >> + BASIC_LDFLAGS="$BASIC_LDFLAGS -Wl,-z,defs -Wl,-z,relro" > >> + BASIC_LDFLAGS_JVM_ONLY="-Wl,-O1" > >> > >> > >> If I understand > >> https://bugzilla.redhat.com/show_bug.cgi?id=1571359 > >> correct, RedHat is setting those flags already via the build system . > >> > >> Regarding "bindnow" (ld -z now) , this might be set additionally by > using -- > >> with-extra-ldflags . > >> > >> > >> Best regards, Matthias > >> > >> > >>> Hello, > >>> > >>> I wasn't directly involved in introducing these flags, but my > >>> understanding is that it's always a performance compromise. I would > >>> involve at least hotspot-dev for a wider discussion on this as libjvm is > >>> the most affected library. > >>> > >>> /Erik > >>> > >>> On 2019-11-25 06:42, Baesken, Matthias wrote: > >>>> Hello, I wonder why the binary hardening on linux using Relocation > >>> Read-Only (relro) is not enabled by default. > >>>> Some info can be found here : > >>>> > >>>> https://wiki.debian.org/Hardening > >>>> > >>>> https://www.redhat.com/en/blog/hardening-elf-binaries-using- > >>> relocation-read-only-relro > >>>> > >>>> Currently I notice the settings only for debug / fastdebug builds , > >>>> see > >>> flags-ldflags.m4 : > >>>> # Setup debug level-dependent LDFLAGS > >>>> if test "x$TOOLCHAIN_TYPE" = xgcc; then > >>>> if test "x$OPENJDK_TARGET_OS" = xlinux; then > >>>> if test x$DEBUG_LEVEL = xrelease; then > >>>> > >>> > DEBUGLEVEL_LDFLAGS_JDK_ONLY="$DEBUGLEVEL_LDFLAGS_JDK_ONLY - > >>> Wl,-O1" > >>>> else > >>>> # mark relocations read only on (fast/slow) debug builds > >>>> DEBUGLEVEL_LDFLAGS_JDK_ONLY="-Wl,-z,relro" > >>>> fi > >>>> if test x$DEBUG_LEVEL = xslowdebug; then > >>>> # do relocations at load > >>>> DEBUGLEVEL_LDFLAGS="-Wl,-z,now" > >>>> fi > >>>> fi > >>>> > >>>> Shouldn't we use at least "-Wl,-z,relro" also on product builds ? > >>>> > >>>> For "-Wl,-z,now" some startup performance hits are mentioned in > >>> articles/blogs - any experiences / performance-measurements with > this > >> in > >>> the OpenJDK context ? > >>>> Best regards, Matthias > >>>>
