> Hello Erik, Florian , currently relro is set already for libjvm. > I think if this works nicely for libjvm, it shouldn't do any harm to set it > as well > in the BASIC_LDFLAGS for other binaries . > I would propose a patch like :
Hello, here is my webrev , please review . Bug/webrev : https://bugs.openjdk.java.net/browse/JDK-8234809 http://cr.openjdk.java.net/~mbaesken/webrevs/8234809.0/ Thanks, Matthias > > > I would involve at least hotspot-dev for a wider discussion on this as > > libjvm > is > > the most affected library. > > Hello Erik, Florian , currently relro is set already for libjvm. > I think if this works nicely for libjvm, it shouldn't do any harm to set it > as well > in the BASIC_LDFLAGS for other binaries . > I would propose a patch like : > > diff -r 80e1201f6c9a make/autoconf/flags-ldflags.m4 > --- a/make/autoconf/flags-ldflags.m4 Fri Nov 22 09:06:35 2019 -0500 > +++ b/make/autoconf/flags-ldflags.m4 Tue Nov 26 13:05:42 2019 +0100 > @@ -70,10 +70,9 @@ > fi > > # Add -z defs, to forbid undefined symbols in object files. > - BASIC_LDFLAGS="$BASIC_LDFLAGS -Wl,-z,defs" > - > - BASIC_LDFLAGS_JVM_ONLY="-Wl,-O1 -Wl,-z,relro" > - > + # add relro (mark relocations read only) for all libs > + BASIC_LDFLAGS="$BASIC_LDFLAGS -Wl,-z,defs -Wl,-z,relro" > + BASIC_LDFLAGS_JVM_ONLY="-Wl,-O1" > > > If I understand > https://bugzilla.redhat.com/show_bug.cgi?id=1571359 > correct, RedHat is setting those flags already via the build system . > > Regarding "bindnow" (ld -z now) , this might be set additionally by > using -- > with-extra-ldflags . > > > Best regards, Matthias > > > > Hello, > > > > I wasn't directly involved in introducing these flags, but my > > understanding is that it's always a performance compromise. I would > > involve at least hotspot-dev for a wider discussion on this as libjvm is > > the most affected library. > > > > /Erik > > > > On 2019-11-25 06:42, Baesken, Matthias wrote: > > > Hello, I wonder why the binary hardening on linux using Relocation > > Read-Only (relro) is not enabled by default. > > > > > > Some info can be found here : > > > > > > https://wiki.debian.org/Hardening > > > > > > https://www.redhat.com/en/blog/hardening-elf-binaries-using- > > relocation-read-only-relro > > > > > > > > > Currently I notice the settings only for debug / fastdebug builds , > > > see > > flags-ldflags.m4 : > > > > > > # Setup debug level-dependent LDFLAGS > > > if test "x$TOOLCHAIN_TYPE" = xgcc; then > > > if test "x$OPENJDK_TARGET_OS" = xlinux; then > > > if test x$DEBUG_LEVEL = xrelease; then > > > > > DEBUGLEVEL_LDFLAGS_JDK_ONLY="$DEBUGLEVEL_LDFLAGS_JDK_ONLY - > > Wl,-O1" > > > else > > > # mark relocations read only on (fast/slow) debug builds > > > DEBUGLEVEL_LDFLAGS_JDK_ONLY="-Wl,-z,relro" > > > fi > > > if test x$DEBUG_LEVEL = xslowdebug; then > > > # do relocations at load > > > DEBUGLEVEL_LDFLAGS="-Wl,-z,now" > > > fi > > > fi > > > > > > Shouldn't we use at least "-Wl,-z,relro" also on product builds ? > > > > > > For "-Wl,-z,now" some startup performance hits are mentioned in > > articles/blogs - any experiences / performance-measurements with this > in > > the OpenJDK context ? > > > > > > Best regards, Matthias > > >
