binary Hardening on linux using Relocation Read-Only (relro)
Baesken, Matthias
matthias.baesken at sap.com
Mon Nov 25 14:42:05 UTC 2019
Hello, I wonder why the binary hardening on linux using Relocation Read-Only (relro) is not enabled by default.
Some info can be found here :
https://wiki.debian.org/Hardening
https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro
Currently I notice the settings only for debug / fastdebug builds , see flags-ldflags.m4 :
# Setup debug level-dependent LDFLAGS
if test "x$TOOLCHAIN_TYPE" = xgcc; then
if test "x$OPENJDK_TARGET_OS" = xlinux; then
if test x$DEBUG_LEVEL = xrelease; then
DEBUGLEVEL_LDFLAGS_JDK_ONLY="$DEBUGLEVEL_LDFLAGS_JDK_ONLY -Wl,-O1"
else
# mark relocations read only on (fast/slow) debug builds
DEBUGLEVEL_LDFLAGS_JDK_ONLY="-Wl,-z,relro"
fi
if test x$DEBUG_LEVEL = xslowdebug; then
# do relocations at load
DEBUGLEVEL_LDFLAGS="-Wl,-z,now"
fi
fi
Shouldn't we use at least "-Wl,-z,relro" also on product builds ?
For "-Wl,-z,now" some startup performance hits are mentioned in articles/blogs - any experiences / performance-measurements with this in the OpenJDK context ?
Best regards, Matthias
More information about the build-dev
mailing list