Hello, I have a question regarding the AIX -bnorwexec linker flag. I think it is related to an AIX security feature SED, see also:

https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/com.ibm.aix.securi...

When building with the additional -bnorwexec linker flag we signal the OS that we "request" the SED feature. Please compare a patched and an unpatched java (patched is flagged "request" while unpatched uses the "system" setting).

bash-4.3$ sedmgr -d /patched_jdk/images/jdk/bin/java
/patched_jdk/images/images/jdk/bin/java : request

bash-4.3$ sedmgr -d /normal_jdk/images/jdk/bin/java
/normal_jdk/images/jdk/bin/java : system

System config on the example machine is "normal" (default) select:

bash-4.3$ sedmgr
Stack Execution Disable (SED) mode: select
SED configured in kernel: select

In our internal tests I noticed so far no issues when setting the -bnorwexec linker flag in OpenJDK on AIX. Do you have any experience with it, do you see issues when setting the flag?

The documentation of the flag is a bit short.

https://www.ibm.com/support/knowledgecenter/en/ssw_aix_72/com.ibm.aix.cmds3/...

norwexec
Specifies that if the system's sed_config setting is not off, the process' private data areas will have non-execute permission.

Patch would be:

diff -r 0d7fb7f07134 make/autoconf/flags-ldflags.m4 --- a/make/autoconf/flags-ldflags.m4 Mon Apr 08 06:56:37 2019 +0100 +++ b/make/autoconf/flags-ldflags.m4 Mon Apr 08 10:50:07 2019 +0200 @@ -1,5 +1,5 @@ # -# Copyright (c) 2011, 2018, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2011, 2019, Oracle and/or its affiliates. All rights reserved. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # # This code is free software; you can redistribute it and/or modify it 
@@ -88,7 +88,7 @@ BASIC_LDFLAGS_JVM_ONLY="-library=%none -mt -z noversion" elif test "x$TOOLCHAIN_TYPE" = xxlc; then - BASIC_LDFLAGS="-b64 -brtl -bnolibpath -bexpall -bernotok -btextpsize:64K \ + BASIC_LDFLAGS="-b64 -brtl -bnorwexec -bnolibpath -bexpall -bernotok -btextpsize:64K \ -bdatapsize:64K -bstackpsize:64K" # libjvm.so has gotten too large for normal TOC size; compile with qpic=large and link with bigtoc BASIC_LDFLAGS_JVM_ONLY="-Wl,-lC_r -bbigtoc" Best regards, Matthias
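Review bot: In the second hunk, -bnorwexec is added to BASIC_LDFLAGS for the xlc toolchain without a comment, while the line just below it explains why -bbigtoc is needed; a one-line comment stating that the flag requests SED (non-executable private data areas unless sed_config is off) would document the intent next to the flag. Because this is BASIC_LDFLAGS rather than BASIC_LDFLAGS_JVM_ONLY, the change description should also say which linked binaries and libraries were checked, since the message shows sedmgr -d output for bin/java only.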
From a build point of view, the patch looks good. I cannot comment on the validity of adding the flag though.

/Erik
Thanks! Let's see what other AIX developers say about it.

Best regards, Matthias
-----Original Message-----
From: Erik Joelsson <erik.joelsson@oracle.com>
Sent: Friday, 12 April 2019 15:30
To: Baesken, Matthias <matthias.baesken@sap.com>; ppc-aix-port-dev@openjdk.java.net; 'build-dev@openjdk.java.net' <build-dev@openjdk.java.net>
Subject: Re: AIX : -bnorwexec linker flag
From a build point of view, the patch looks good. I cannot comment on the validity of adding the flag though.
/Erik
On 2019-04-12 02:15, Baesken, Matthias wrote:
Hello, I have a question regarding the AIX -bnorwexec linker flag. I think it is related to an AIX security feature SED, see also:

https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/com.ibm.aix.security/stack_exec_disable_flags.htm

When building with the additional -bnorwexec linker flag we signal the OS that we "request" the SED feature.
Please compare a patched and an unpatched java (patched is flagged "request" while unpatched uses the "system" setting).

bash-4.3$ sedmgr -d /patched_jdk/images/jdk/bin/java
/patched_jdk/images/images/jdk/bin/java : request

bash-4.3$ sedmgr -d /normal_jdk/images/jdk/bin/java
/normal_jdk/images/jdk/bin/java : system

System config on the example machine is "normal" (default) select:

bash-4.3$ sedmgr
Stack Execution Disable (SED) mode: select
SED configured in kernel: select

In our internal tests I noticed so far no issues when setting the -bnorwexec linker flag in OpenJDK on AIX. Do you have any experience with it, do you see issues when setting the flag?

The documentation of the flag is a bit short.

https://www.ibm.com/support/knowledgecenter/en/ssw_aix_72/com.ibm.aix.cmds3/ld.htm

norwexec
Specifies that if the system's sed_config setting is not off, the process' private data areas will have non-execute permission.

Patch would be:
diff -r 0d7fb7f07134 make/autoconf/flags-ldflags.m4 --- a/make/autoconf/flags-ldflags.m4 Mon Apr 08 06:56:37 2019 +0100 +++ b/make/autoconf/flags-ldflags.m4 Mon Apr 08 10:50:07 2019 +0200 @@ -1,5 +1,5 @@ # -# Copyright (c) 2011, 2018, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2011, 2019, Oracle and/or its affiliates. All rights reserved. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # # This code is free software; you can redistribute it and/or modify it @@ -88,7 +88,7 @@ BASIC_LDFLAGS_JVM_ONLY="-library=%none -mt -z noversion" elif test "x$TOOLCHAIN_TYPE" = xxlc; then - BASIC_LDFLAGS="-b64 -brtl -bnolibpath -bexpall -bernotok -
btextpsize:64K \
+ BASIC_LDFLAGS="-b64 -brtl -bnorwexec -bnolibpath -bexpall -bernotok -btextpsize:64K \ -bdatapsize:64K -bstackpsize:64K" # libjvm.so has gotten too large for normal TOC size; compile with qpic=large and link with bigtoc BASIC_LDFLAGS_JVM_ONLY="-Wl,-lC_r -bbigtoc"
Best regards, Matthias
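The sedmgr listing quoted in this thread shows only the per-file flag; whether SED is actually in effect for a binary also depends on the system-wide mode. The following is an added example, not code from the thread or from OpenJDK: it encodes that relationship and filters lines in the `sedmgr -d` format. The mode/flag table is an assumption based on IBM's description of the off, select, setidfiles and all modes, and the sample input is constructed from the paths and flags shown in the thread.

```sh
#!/bin/sh
# Added example: is SED in effect for a binary, given the system-wide mode
# (plain `sedmgr`) and the per-file flag (`sedmgr -d <file>`)?
# Assumed table, from IBM's description of the modes:
#   off        -> never
#   select     -> only files flagged "request"
#   setidfiles -> "request" files plus root setuid / system-group setgid files
#   all        -> everything except files flagged "exempt"

# sed_in_effect MODE FLAG [SETID]  -> prints "enabled" or "disabled"
sed_in_effect() {
    case "$1" in off|select|setidfiles|all) ;; *) echo unknown; return 2 ;; esac
    case "$2" in system|request|exempt) ;; *) echo unknown; return 2 ;; esac
    case "$1:$2" in
        off:*|*:exempt)    echo disabled ;;
        *:request)         echo enabled ;;
        all:system)        echo enabled ;;
        setidfiles:system) if [ "${3:-no}" = yes ]; then echo enabled; else echo disabled; fi ;;
        select:system)     echo disabled ;;
    esac
}

# audit_sed MODE: reads "path : flag" lines (the `sedmgr -d` format shown in
# the thread) on stdin and prints the paths for which SED is not in effect.
# Lines with an unrecognised flag are reported as well.
audit_sed() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line% : *}
        flag=${line##* : }
        [ "$(sed_in_effect "$1" "$flag")" = enabled ] || printf '%s\n' "$path"
    done
}

# Constructed sample, using the paths and flags from the thread.
SAMPLE='/patched_jdk/images/jdk/bin/java : request
/normal_jdk/images/jdk/bin/java : system'

# Under the default "select" mode only the unpatched launcher is listed.
printf '%s\n' "$SAMPLE" | audit_sed select
```

On a real AIX host the input would come from running `sedmgr -d` over the built images directory instead of the constructed sample.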
Hi

Maybe that the patch is good, but the original code, though working fine, is bad.

--- a/make/autoconf/flags-ldflags.m4 - BASIC_LDFLAGS="-b64 -brtl -bnolibpath -bexpall -bernotok -btextpsize:64K \

On AIX, using -brtl and -bexpall is OK for fixing issues quick and dirty. However, when building and delivering professional products, these options should be used only in last resort.

On AIX, the default is to NOT export all symbols. Instead, one should build the list of needed symbols and inform the linker with -bE and -bI linker options of the list of symbols that need to be exported/imported. That's more work, but it's the good way.

Using -bexpall means that all symbols contained in a library will be exported. Thus, an executable may want to load a symbol (like strcmp, which is first provided by the libc.a) from another library, breaking the upward compatibility. In addition, -bexpall creates performance issues. And also, sometimes, the linker explodes due to too many symbols.

As an example, the current versions of CMake and MariaDB for AIX make use of -bexpall (and, much worse, -expfull). We are changing the code of these 2 packages in order to no more use -bexpall (nor -bexpfull).

Regards, Tony
Hi Tony, agree the -bexpall is not good. Do you have a good (/ better) solution for the issue, do you use visibility attributes in the C/C++ or export-lists?

Maybe someone from IBM could comment on this too.

Best regards, Matthias
Hi Matthias,

When building on AIX packages that make use of configure/Makefile/libtool, the code of these packages is aware of AIX constraints and libtool is able to generate and use .exp export files.

With the new CMake that we will deliver soon, it will be possible to do the same: now CMake knows about constraints of AIX and some changes (only for AIX) in the CMakeLists.txt files are enough for handling non-standard cases where .exp files must be exported/used explicitly.

Looking at source code of OpenJDK, there are: configure.ac/Makefile.in and many .gmk files. I was unable to build in my AIX test VMs, for now. However, I guess that some changes must be made in order to build the export list of symbols of lib*.a (or lib*.so) that are required by other archive/lib*.so or by executables.

Regards,

Tony Reix
tony.reix@atos.net
ATOS / Bull SAS
ATOS Expert
IBM Coop Architect & Technical Leader

________________________________
From: Baesken, Matthias <matthias.baesken@sap.com>
Sent: Monday, 15 April 2019 16:47:18
To: REIX, Tony; ppc-aix-port-dev@openjdk.java.net; 'build-dev@openjdk.java.net'
Subject: RE: AIX : -bnorwexec linker flag

Hi Tony, agree the -bexpall is not good. Do you have a good (/ better) solution for the issue, do you use visibility attributes in the C/C++ or export-lists?

Maybe someone from IBM could comment on this too.

Best regards, Matthias

From: REIX, Tony <tony.reix@atos.net>
Sent: Monday, 15 April 2019 16:18
To: Baesken, Matthias <matthias.baesken@sap.com>; ppc-aix-port-dev@openjdk.java.net; 'build-dev@openjdk.java.net' <build-dev@openjdk.java.net>
Subject: RE: AIX : -bnorwexec linker flag

Hi

Maybe that the patch is good, but the original code, though working fine, is bad.
--- a/make/autoconf/flags-ldflags.m4 - BASIC_LDFLAGS="-b64 -brtl -bnolibpath -bexpall -bernotok -btextpsize:64K \

On AIX, using -brtl and -bexpall is OK for fixing issues quick and dirty. However, when building and delivering professional products, these options should be used only in last resort.

On AIX, the default is to NOT export all symbols. Instead, one should build the list of needed symbols and inform the linker with -bE and -bI linker options of the list of symbols that need to be exported/imported. That's more work, but it's the good way.

Using -bexpall means that all symbols contained in a library will be exported. Thus, an executable may want to load a symbol (like strcmp, which is first provided by the libc.a) from another library, breaking the upward compatibility. In addition, -bexpall creates performance issues. And also, sometimes, the linker explodes due to too many symbols.

As an example, the current versions of CMake and MariaDB for AIX make use of -bexpall (and, much worse, -expfull). We are changing the code of these 2 packages in order to no more use -bexpall (nor -bexpfull).

Regards, Tony
participants (3)
- Baesken, Matthias
- Erik Joelsson
- REIX, Tony