Hello, please review this binary hardening related change. To improve binary hardening, we should enable full relro in the OpenJDK builds. Currently our build settings enable only partial relro (they miss z,now). See https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro
"Both partial and full RELRO reorder the ELF internal data sections to protect them from being overwritten in the event of a buffer-overflow, but only full RELRO mitigates the above mentioned popular technique of overwriting the GOT entry to get control of program execution." See also : https://wiki.debian.org/Hardening Some documentations/blogs mention slight performance impact of full relro (for startup performance) . My quick checks on an example Linux server show not much impact (checked on linux x86_64) . 1)time on a java HelloWorld varies (for both a patched and unpatched JDK) between 0,6 and 0,7 seconds ; 2) perf - runs on a java HelloWorld show a bit less cycles (not clear why) but more instructions : > "normal JVM" : > 185,085,660 cycles # 2.424 GHz > ( +- 0.54% ) (83.18%) > 128,415,594 stalled-cycles-frontend # 69.38% frontend cycles > idle ( +- 0.80% ) (80.98%) > 84,990,433 stalled-cycles-backend # 45.92% backend cycles > idle ( +- 1.78% ) (65.38%) > 102,950,894 instructions # 0.56 insns per cycle > # 1.25 stalled cycles > per insn ( +- 1.48% ) (86.90%) > > Changed JVM with z,now set : > > 182,514,813 cycles # 2.394 GHz > ( +- 0.58% ) (80.14%) > 126,879,112 stalled-cycles-frontend # 69.52% frontend cycles > idle ( +- 0.81% ) (81.24%) > 82,691,295 stalled-cycles-backend # 45.31% backend cycles > idle ( +- 1.72% ) (69.16%) > 103,958,399 instructions # 0.57 insns per cycle > # 1.22 stalled cycles > per insn ( +- 1.21% ) (89.47%) Bug/webrev : https://bugs.openjdk.java.net/browse/JDK-8241996 http://cr.openjdk.java.net/~mbaesken/webrevs/8241996.0/ Best regards, Matthias
