binary Hardening on linux using Relocation Read-Only (relro)
Erik Joelsson
erik.joelsson at oracle.com
Mon Nov 25 16:41:46 UTC 2019
Hello,
I wasn't directly involved in introducing these flags, but my
understanding is that it's always a performance compromise. I would
involve at least hotspot-dev for a wider discussion on this as libjvm is
the most affected library.
/Erik
On 2019-11-25 06:42, Baesken, Matthias wrote:
> Hello, I wonder why the binary hardening on linux using Relocation Read-Only (relro) is not enabled by default.
>
> Some info can be found here :
>
> https://wiki.debian.org/Hardening
>
> https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro
>
>
> Currently I notice the settings only for debug / fastdebug builds , see flags-ldflags.m4 :
>
> # Setup debug level-dependent LDFLAGS
> if test "x$TOOLCHAIN_TYPE" = xgcc; then
> if test "x$OPENJDK_TARGET_OS" = xlinux; then
> if test x$DEBUG_LEVEL = xrelease; then
> DEBUGLEVEL_LDFLAGS_JDK_ONLY="$DEBUGLEVEL_LDFLAGS_JDK_ONLY -Wl,-O1"
> else
> # mark relocations read only on (fast/slow) debug builds
> DEBUGLEVEL_LDFLAGS_JDK_ONLY="-Wl,-z,relro"
> fi
> if test x$DEBUG_LEVEL = xslowdebug; then
> # do relocations at load
> DEBUGLEVEL_LDFLAGS="-Wl,-z,now"
> fi
> fi
>
> Shouldn't we use at least "-Wl,-z,relro" also on product builds ?
>
> For "-Wl,-z,now" some startup performance hits are mentioned in articles/blogs - any experiences / performance-measurements with this in the OpenJDK context ?
>
> Best regards, Matthias
>
More information about the build-dev
mailing list