Re: RFR [XS] 8234809: set relro in linker flags when building with gcc - was RE: binary Hardening on linux using Relocation Read-Only (relro)
* Matthias Baesken:

> Florian, may I add you as reviewer?

Sure, but I don't have a formal reviewer role.

Thanks,
Florian
RE: RFR [XS] 8234809: set relro in linker flags when building with gcc - was RE: binary Hardening on linux using Relocation Read-Only (relro)
Thanks ! Florian, may I add you as reviewer ? Best regards, Matthias > Looks good. > > /Erik > > On 2019-11-26 05:07, Baesken, Matthias wrote: > >> Hello Erik, Florian , currently relro is set already for libjvm. > >> I think if this works nicely for libjvm, it shouldn't do any harm to set > >> it as > well > >> in the BASIC_LDFLAGS for other binaries . > >> I would propose a patch like : > > Hello, here is my webrev , please review . > > > > Bug/webrev : > > > > https://bugs.openjdk.java.net/browse/JDK-8234809 > > > > http://cr.openjdk.java.net/~mbaesken/webrevs/8234809.0/ > > > > > > Thanks, Matthias > > > >>> I would involve at least hotspot-dev for a wider discussion on this as > libjvm > >> is > >>> the most affected library. > >> Hello Erik, Florian , currently relro is set already for libjvm. > >> I think if this works nicely for libjvm, it shouldn't do any harm to set > >> it as > well > >> in the BASIC_LDFLAGS for other binaries . > >> I would propose a patch like : > >> > >> diff -r 80e1201f6c9a make/autoconf/flags-ldflags.m4 > >> --- a/make/autoconf/flags-ldflags.m4Fri Nov 22 09:06:35 2019 -0500 > >> +++ b/make/autoconf/flags-ldflags.m4Tue Nov 26 13:05:42 2019 +0100 
> >> @@ -70,10 +70,9 @@ > >> fi > >> > >> # Add -z defs, to forbid undefined symbols in object files. > >> -BASIC_LDFLAGS="$BASIC_LDFLAGS -Wl,-z,defs" > >> - > >> -BASIC_LDFLAGS_JVM_ONLY="-Wl,-O1 -Wl,-z,relro" > >> - > >> +# add relro (mark relocations read only) for all libs > >> +BASIC_LDFLAGS="$BASIC_LDFLAGS -Wl,-z,defs -Wl,-z,relro" > >> +BASIC_LDFLAGS_JVM_ONLY="-Wl,-O1" > >> > >> > >> If I understand > >> https://bugzilla.redhat.com/show_bug.cgi?id=1571359 > >> correct, RedHat is setting those flags already via the build system . > >> > >> Regarding "bindnow" (ld -z now) , this might be set additionally by > using -- > >> with-extra-ldflags . > >> > >> > >> Best regards, Matthias > >> > >> > >>> Hello, > >>> > >>> I wasn't directly involved in introducing these flags, but my > >>> understanding is that it's always a performance compromise. I would > >>> involve at least hotspot-dev for a wider discussion on this as libjvm is > >>> the most affected library. > >>> > >>> /Erik > >>> > >>> On 2019-11-25 06:42, Baesken, Matthias wrote: > Hello, I wonder why the binary hardening on linux using Relocation > >>> Read-Only (relro) is not enabled by default. > Some info can be found here : > > https://wiki.debian.org/Hardening > > https://www.redhat.com/en/blog/hardening-elf-binaries-using- > >>> relocation-read-only-relro > > Currently I notice the settings only for debug / fastdebug builds , > see > >>> flags-ldflags.m4 : > # Setup debug level-dependent LDFLAGS > if test "x$TOOLCHAIN_TYPE" = xgcc; then > if test "x$OPENJDK_TARGET_OS" = xlinux; then > if test x$DEBUG_LEVEL = xrelease; then > > >>> > DEBUGLEVEL_LDFLAGS_JDK_ONLY="$DEBUGLEVEL_LDFLAGS_JDK_ONLY - > >>> Wl,-O1" > else > # mark relocations read only on (fast/slow) debug builds > DEBUGLEVEL_LDFLAGS_JDK_ONLY="-Wl,-z,relro" > fi > if test x$DEBUG_LEVEL = xslowdebug; then > # do relocations at load > DEBUGLEVEL_LDFLAGS="-Wl,-z,now" > fi > fi > > Shouldn't we use at least "-Wl,-z,relro" also on product builds ? 
> > For "-Wl,-z,now" some startup performance hits are mentioned in > >>> articles/blogs - any experiences / performance-measurements with > this > >> in > >>> the OpenJDK context ? > Best regards, Matthias >
Re: RFR [XS] 8234809: set relro in linker flags when building with gcc - was RE: binary Hardening on linux using Relocation Read-Only (relro)
Looks good. /Erik On 2019-11-26 05:07, Baesken, Matthias wrote: Hello Erik, Florian , currently relro is set already for libjvm. I think if this works nicely for libjvm, it shouldn't do any harm to set it as well in the BASIC_LDFLAGS for other binaries . I would propose a patch like : Hello, here is my webrev , please review . Bug/webrev : https://bugs.openjdk.java.net/browse/JDK-8234809 http://cr.openjdk.java.net/~mbaesken/webrevs/8234809.0/ Thanks, Matthias I would involve at least hotspot-dev for a wider discussion on this as libjvm is the most affected library. Hello Erik, Florian , currently relro is set already for libjvm. I think if this works nicely for libjvm, it shouldn't do any harm to set it as well in the BASIC_LDFLAGS for other binaries . I would propose a patch like : diff -r 80e1201f6c9a make/autoconf/flags-ldflags.m4 --- a/make/autoconf/flags-ldflags.m4Fri Nov 22 09:06:35 2019 -0500 +++ b/make/autoconf/flags-ldflags.m4Tue Nov 26 13:05:42 2019 +0100 
@@ -70,10 +70,9 @@ fi # Add -z defs, to forbid undefined symbols in object files. -BASIC_LDFLAGS="$BASIC_LDFLAGS -Wl,-z,defs" - -BASIC_LDFLAGS_JVM_ONLY="-Wl,-O1 -Wl,-z,relro" - +# add relro (mark relocations read only) for all libs +BASIC_LDFLAGS="$BASIC_LDFLAGS -Wl,-z,defs -Wl,-z,relro" +BASIC_LDFLAGS_JVM_ONLY="-Wl,-O1" If I understand https://bugzilla.redhat.com/show_bug.cgi?id=1571359 correct, RedHat is setting those flags already via the build system . Regarding "bindnow" (ld -z now) , this might be set additionally by using -- with-extra-ldflags . Best regards, Matthias Hello, I wasn't directly involved in introducing these flags, but my understanding is that it's always a performance compromise. I would involve at least hotspot-dev for a wider discussion on this as libjvm is the most affected library. /Erik On 2019-11-25 06:42, Baesken, Matthias wrote: Hello, I wonder why the binary hardening on linux using Relocation Read-Only (relro) is not enabled by default. Some info can be found here : https://wiki.debian.org/Hardening https://www.redhat.com/en/blog/hardening-elf-binaries-using- relocation-read-only-relro Currently I notice the settings only for debug / fastdebug builds , see flags-ldflags.m4 : # Setup debug level-dependent LDFLAGS if test "x$TOOLCHAIN_TYPE" = xgcc; then if test "x$OPENJDK_TARGET_OS" = xlinux; then if test x$DEBUG_LEVEL = xrelease; then DEBUGLEVEL_LDFLAGS_JDK_ONLY="$DEBUGLEVEL_LDFLAGS_JDK_ONLY - Wl,-O1" else # mark relocations read only on (fast/slow) debug builds DEBUGLEVEL_LDFLAGS_JDK_ONLY="-Wl,-z,relro" fi if test x$DEBUG_LEVEL = xslowdebug; then # do relocations at load DEBUGLEVEL_LDFLAGS="-Wl,-z,now" fi fi Shouldn't we use at least "-Wl,-z,relro" also on product builds ? For "-Wl,-z,now" some startup performance hits are mentioned in articles/blogs - any experiences / performance-measurements with this in the OpenJDK context ? Best regards, Matthias
Re: binary Hardening on linux using Relocation Read-Only (relro)
* Matthias Baesken:

> If I understand
> https://bugzilla.redhat.com/show_bug.cgi?id=1571359
> correct, RedHat is setting those flags already via the build system.

BFD ld in binutils defaults to relro, except perhaps on s390x where your version might not implement the partial RELRO variant that you get without -z now (BIND_NOW is not enabled by default).

> Regarding "bindnow" (ld -z now), this might be set additionally by
> using --with-extra-ldflags.

Yes, that is usually more controversial because it can have an impact on startup time. But even the AWT libraries have relatively few function references, so it probably does not matter.

On the other hand, all this security hardening is typically not very effective because part of classes.jsa is mapped rwx at a fixed address, so you can just abuse that (if you want to inject machine code directly, I'm sure there are other options for bytecode).

Thanks,
Florian
RFR [XS] 8234809: set relro in linker flags when building with gcc - was RE: binary Hardening on linux using Relocation Read-Only (relro)
> Hello Erik, Florian , currently relro is set already for libjvm. > I think if this works nicely for libjvm, it shouldn't do any harm to set it > as well > in the BASIC_LDFLAGS for other binaries . > I would propose a patch like : Hello, here is my webrev , please review . Bug/webrev : https://bugs.openjdk.java.net/browse/JDK-8234809 http://cr.openjdk.java.net/~mbaesken/webrevs/8234809.0/ Thanks, Matthias > > > I would involve at least hotspot-dev for a wider discussion on this as > > libjvm > is > > the most affected library. > > Hello Erik, Florian , currently relro is set already for libjvm. > I think if this works nicely for libjvm, it shouldn't do any harm to set it > as well > in the BASIC_LDFLAGS for other binaries . > I would propose a patch like : > > diff -r 80e1201f6c9a make/autoconf/flags-ldflags.m4 > --- a/make/autoconf/flags-ldflags.m4Fri Nov 22 09:06:35 2019 -0500 > +++ b/make/autoconf/flags-ldflags.m4Tue Nov 26 13:05:42 2019 +0100 
> @@ -70,10 +70,9 @@ > fi > > # Add -z defs, to forbid undefined symbols in object files. > -BASIC_LDFLAGS="$BASIC_LDFLAGS -Wl,-z,defs" > - > -BASIC_LDFLAGS_JVM_ONLY="-Wl,-O1 -Wl,-z,relro" > - > +# add relro (mark relocations read only) for all libs > +BASIC_LDFLAGS="$BASIC_LDFLAGS -Wl,-z,defs -Wl,-z,relro" > +BASIC_LDFLAGS_JVM_ONLY="-Wl,-O1" > > > If I understand > https://bugzilla.redhat.com/show_bug.cgi?id=1571359 > correct, RedHat is setting those flags already via the build system . > > Regarding "bindnow" (ld -z now) , this might be set additionally by > using -- > with-extra-ldflags . > > > Best regards, Matthias > > > > Hello, > > > > I wasn't directly involved in introducing these flags, but my > > understanding is that it's always a performance compromise. I would > > involve at least hotspot-dev for a wider discussion on this as libjvm is > > the most affected library. > > > > /Erik > > > > On 2019-11-25 06:42, Baesken, Matthias wrote: > > > Hello, I wonder why the binary hardening on linux using Relocation > > Read-Only (relro) is not enabled by default. 
> > > > > > Some info can be found here : > > > > > > https://wiki.debian.org/Hardening > > > > > > https://www.redhat.com/en/blog/hardening-elf-binaries-using- > > relocation-read-only-relro > > > > > > > > > Currently I notice the settings only for debug / fastdebug builds , > > > see > > flags-ldflags.m4 : > > > > > ># Setup debug level-dependent LDFLAGS > > >if test "x$TOOLCHAIN_TYPE" = xgcc; then > > > if test "x$OPENJDK_TARGET_OS" = xlinux; then > > >if test x$DEBUG_LEVEL = xrelease; then > > > > > DEBUGLEVEL_LDFLAGS_JDK_ONLY="$DEBUGLEVEL_LDFLAGS_JDK_ONLY - > > Wl,-O1" > > >else > > > # mark relocations read only on (fast/slow) debug builds > > > DEBUGLEVEL_LDFLAGS_JDK_ONLY="-Wl,-z,relro" > > >fi > > >if test x$DEBUG_LEVEL = xslowdebug; then > > > # do relocations at load > > > DEBUGLEVEL_LDFLAGS="-Wl,-z,now" > > >fi > > > fi > > > > > > Shouldn't we use at least "-Wl,-z,relro" also on product builds ? > > > > > > For "-Wl,-z,now" some startup performance hits are mentioned in > > articles/blogs - any experiences / performance-measurements with this > in > > the OpenJDK context ? > > > > > > Best regards, Matthias > > >
RE: binary Hardening on linux using Relocation Read-Only (relro)
> I would involve at least hotspot-dev for a wider discussion on this as > libjvm is > the most affected library. Hello Erik, Florian , currently relro is set already for libjvm. I think if this works nicely for libjvm, it shouldn't do any harm to set it as well in the BASIC_LDFLAGS for other binaries . I would propose a patch like : diff -r 80e1201f6c9a make/autoconf/flags-ldflags.m4 --- a/make/autoconf/flags-ldflags.m4Fri Nov 22 09:06:35 2019 -0500 +++ b/make/autoconf/flags-ldflags.m4Tue Nov 26 13:05:42 2019 +0100 
@@ -70,10 +70,9 @@ fi # Add -z defs, to forbid undefined symbols in object files. -BASIC_LDFLAGS="$BASIC_LDFLAGS -Wl,-z,defs" - -BASIC_LDFLAGS_JVM_ONLY="-Wl,-O1 -Wl,-z,relro" - +# add relro (mark relocations read only) for all libs +BASIC_LDFLAGS="$BASIC_LDFLAGS -Wl,-z,defs -Wl,-z,relro" +BASIC_LDFLAGS_JVM_ONLY="-Wl,-O1" If I understand https://bugzilla.redhat.com/show_bug.cgi?id=1571359 correct, RedHat is setting those flags already via the build system . Regarding "bindnow" (ld -z now) , this might be set additionally by using --with-extra-ldflags . Best regards, Matthias > Hello, > > I wasn't directly involved in introducing these flags, but my > understanding is that it's always a performance compromise. I would > involve at least hotspot-dev for a wider discussion on this as libjvm is > the most affected library. > > /Erik > > On 2019-11-25 06:42, Baesken, Matthias wrote: > > Hello, I wonder why the binary hardening on linux using Relocation > Read-Only (relro) is not enabled by default. > > > > Some info can be found here : > > > > https://wiki.debian.org/Hardening > > > > https://www.redhat.com/en/blog/hardening-elf-binaries-using- > relocation-read-only-relro > > > > > > Currently I notice the settings only for debug / fastdebug builds , see > flags-ldflags.m4 : > > > ># Setup debug level-dependent LDFLAGS > >if test "x$TOOLCHAIN_TYPE" = xgcc; then > > if test "x$OPENJDK_TARGET_OS" = xlinux; then > >if test x$DEBUG_LEVEL = xrelease; then > > > DEBUGLEVEL_LDFLAGS_JDK_ONLY="$DEBUGLEVEL_LDFLAGS_JDK_ONLY - > Wl,-O1" > >else > > # mark relocations read only on (fast/slow) debug builds > > DEBUGLEVEL_LDFLAGS_JDK_ONLY="-Wl,-z,relro" > >fi > >if test x$DEBUG_LEVEL = xslowdebug; then > > # do relocations at load > > DEBUGLEVEL_LDFLAGS="-Wl,-z,now" > >fi > > fi > > > > Shouldn't we use at least "-Wl,-z,relro" also on product builds ? 
> > > > For "-Wl,-z,now" some startup performance hits are mentioned in > articles/blogs - any experiences / performance-measurements with this in > the OpenJDK context ? > > > > Best regards, Matthias > >
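Review bot: The added line BASIC_LDFLAGS="$BASIC_LDFLAGS -Wl,-z,defs -Wl,-z,relro" makes the else branch quoted further down in this message, DEBUGLEVEL_LDFLAGS_JDK_ONLY="-Wl,-z,relro", redundant: if both variables end up on the same link line, debug and fastdebug JDK libraries get the flag twice, so that branch is better removed in the same change to leave a single place where relro is set. The hunk's context starts at a bare "fi" and does not show which toolchain test guards this assignment; since the subject limits the change to gcc, it is worth confirming the line is not reached for a linker that does not accept -z relro. Minor: the new comment starts lower-case ("# add relro ...") where the neighbouring one reads "# Add -z defs ...", and the "-z defs" comment no longer sits directly above the assignment it describes.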
Re: binary Hardening on linux using Relocation Read-Only (relro)
* Claes Redestad:

> On 2019-11-25 18:30, Florian Weimer wrote:
>> That being said, relocation processing for libjvm.so adds a couple of
>> milliseconds to startup, and it looks like their number is growing with
>> each release.
>
> This piqued my interest, so I took a quick look:
>
> readelf --relocs libjvm.so | wc -l
>
> 8: 85635
> 9: 112645
> 11: 105607
> 13: 107912
> jdk/jdk: 106175
>
> 9 saw a big jump, yes, but things look pretty stable since, even
> improving a bit (various cleanups and feature removals..?).

I see slightly higher numbers with the default build flags. The recent drop by ~1000 relocations is due to the CMS removal.

> Of course improvements in this area would be most welcome (not an area
> I've been paying attention to - maybe I should?)

Unfortunately, I'm not aware of a good tool to gather relocation statistics with a goal towards avoiding them. Some cases may be easy changes (e.g., rewriting arrays of character strings). I suspect that quite a bit is related to C++ vtables.

Thanks,
Florian
Re: binary Hardening on linux using Relocation Read-Only (relro)
On 2019-11-25 18:30, Florian Weimer wrote:
> That being said, relocation processing for libjvm.so adds a couple of
> milliseconds to startup, and it looks like their number is growing with
> each release.

This piqued my interest, so I took a quick look:

readelf --relocs libjvm.so | wc -l

8: 85635
9: 112645
11: 105607
13: 107912
jdk/jdk: 106175

9 saw a big jump, yes, but things look pretty stable since, even improving a bit (various cleanups and feature removals..?).

Of course improvements in this area would be most welcome (not an area I've been paying attention to - maybe I should?)

Thanks!

/Claes
Re: binary Hardening on linux using Relocation Read-Only (relro)
* Matthias Baesken:

> For "-Wl,-z,now" some startup performance hits are mentioned in
> articles/blogs - any experiences / performance-measurements with this
> in the OpenJDK context?

While libjvm.so needs a staggering amount of relocations, most of them are relative. They are not eligible for lazy binding, and they have to be performed at startup even without BIND_NOW.

That being said, relocation processing for libjvm.so adds a couple of milliseconds to startup, and it looks like their number is growing with each release.

Thanks,
Florian
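The split between relative relocations, which are processed at startup regardless of BIND_NOW, and the lazily bound ones that -z now affects can be measured by tallying readelf's output by relocation type instead of counting lines. This is an added example, not code from the thread or from OpenJDK; SAMPLE is constructed readelf-style output, and the three bucket names are this example's own.

```python
import re
import sys
from collections import Counter

# Constructed sample in the layout of `readelf --relocs -W`; not real libjvm.so data.
SAMPLE = """\
Relocation section '.rela.dyn' at offset 0x5a8 contains 5 entries:
    Offset             Info             Type               Symbol's Value  Symbol's Name + Addend
0000000000003de8  0000000000000008 R_X86_64_RELATIVE                         1130
0000000000003df0  0000000000000008 R_X86_64_RELATIVE                         10f0
0000000000004028  0000000000000008 R_X86_64_RELATIVE                         4028
0000000000003fd8  0000000100000006 R_X86_64_GLOB_DAT      0000000000000000 _ITM_deregisterTMCloneTable + 0
0000000000003fe0  0000000300000001 R_X86_64_64            0000000000000000 sample_vtable + 10

Relocation section '.rela.plt' at offset 0x620 contains 1 entry:
    Offset             Info             Type               Symbol's Value  Symbol's Name + Addend
0000000000004018  0000000200000007 R_X86_64_JUMP_SLOT     0000000000000000 puts@GLIBC_2.2.5 + 0
"""

# An entry row starts with two hex fields (offset, info) followed by the type name.
ROW = re.compile(r"^[0-9a-f]{8,16}\s+[0-9a-f]{8,16}\s+(R_\w+)", re.MULTILINE)


def classify(rtype: str) -> str:
    if rtype.endswith("_RELATIVE"):
        return "relative"          # always applied at load time
    if "_JUMP_SLO" in rtype or "_JMP_SLOT" in rtype:
        return "lazy-eligible"     # PLT slots, the only ones -z now changes
    return "other"                 # symbolic data relocations, applied at load


def reloc_stats(readelf_text: str) -> Counter:
    """Tally relocation entries by binding behaviour, skipping header lines."""
    return Counter(classify(m.group(1)) for m in ROW.finditer(readelf_text))


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    stats = reloc_stats(text)
    total = sum(stats.values())
    for kind, n in stats.most_common():
        print(f"{kind:14s} {n:8d} {100 * n / total:5.1f}%")
    # A plain `wc -l` would also count the section banners and column headers.
    print(f"entries {total}, output lines {len(text.splitlines())}")
```

Pipe `readelf --relocs -W libjvm.so` into the script to get the breakdown for a real build; the "lazy-eligible" share is the part whose cost moves to startup under -z now.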
Re: binary Hardening on linux using Relocation Read-Only (relro)
Hello,

I wasn't directly involved in introducing these flags, but my understanding is that it's always a performance compromise. I would involve at least hotspot-dev for a wider discussion on this as libjvm is the most affected library.

/Erik

On 2019-11-25 06:42, Baesken, Matthias wrote:
> Hello, I wonder why the binary hardening on linux using Relocation Read-Only (relro) is not enabled by default.
>
> Some info can be found here:
>
> https://wiki.debian.org/Hardening
>
> https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro
>
> Currently I notice the settings only for debug / fastdebug builds, see flags-ldflags.m4:
>
>   # Setup debug level-dependent LDFLAGS
>   if test "x$TOOLCHAIN_TYPE" = xgcc; then
>     if test "x$OPENJDK_TARGET_OS" = xlinux; then
>       if test x$DEBUG_LEVEL = xrelease; then
>         DEBUGLEVEL_LDFLAGS_JDK_ONLY="$DEBUGLEVEL_LDFLAGS_JDK_ONLY -Wl,-O1"
>       else
>         # mark relocations read only on (fast/slow) debug builds
>         DEBUGLEVEL_LDFLAGS_JDK_ONLY="-Wl,-z,relro"
>       fi
>       if test x$DEBUG_LEVEL = xslowdebug; then
>         # do relocations at load
>         DEBUGLEVEL_LDFLAGS="-Wl,-z,now"
>       fi
>     fi
>
> Shouldn't we use at least "-Wl,-z,relro" also on product builds?
>
> For "-Wl,-z,now" some startup performance hits are mentioned in articles/blogs - any experiences / performance-measurements with this in the OpenJDK context?
>
> Best regards, Matthias