RFR [XS] 8234809: set relro in linker flags when building with gcc - was RE: binary Hardening on linux using Relocation Read-Only (relro)

Erik Joelsson erik.joelsson at oracle.com
Tue Nov 26 16:32:17 UTC 2019 

Looks good.

/Erik

On 2019-11-26 05:07, Baesken, Matthias wrote:
>> Hello Erik, Florian ,  currently   relro  is set already  for libjvm.
>> I think if this works nicely  for libjvm, it shouldn't do any harm to set it as well
>> in the BASIC_LDFLAGS  for other binaries .
>> I would propose a patch like :
> Hello,  here is my webrev , please review .
>
> Bug/webrev :
>
> https://bugs.openjdk.java.net/browse/JDK-8234809
>
> http://cr.openjdk.java.net/~mbaesken/webrevs/8234809.0/
>
>
> Thanks, Matthias
>
>>> I would  involve at least hotspot-dev for a wider discussion on this as libjvm
>> is
>>> the most affected library.
>> Hello Erik, Florian ,  currently   relro  is set already  for libjvm.
>> I think if this works nicely  for libjvm, it shouldn't do any harm to set it as well
>> in the BASIC_LDFLAGS  for other binaries .
>> I would propose a patch like :
>>
>> diff -r 80e1201f6c9a make/autoconf/flags-ldflags.m4
>> --- a/make/autoconf/flags-ldflags.m4    Fri Nov 22 09:06:35 2019 -0500
>> +++ b/make/autoconf/flags-ldflags.m4    Tue Nov 26 13:05:42 2019 +0100
>> @@ -70,10 +70,9 @@
>>       fi
>>
>>       # Add -z defs, to forbid undefined symbols in object files.
>> -    BASIC_LDFLAGS="$BASIC_LDFLAGS -Wl,-z,defs"
>> -
>> -    BASIC_LDFLAGS_JVM_ONLY="-Wl,-O1 -Wl,-z,relro"
>> -
>> +    # add relro (mark relocations read only) for all libs
>> +    BASIC_LDFLAGS="$BASIC_LDFLAGS -Wl,-z,defs -Wl,-z,relro"
>> +    BASIC_LDFLAGS_JVM_ONLY="-Wl,-O1"
>>
>>
>> If I understand
>> https://bugzilla.redhat.com/show_bug.cgi?id=1571359
>> correct, RedHat is setting those flags already  via the build system .
>>
>> Regarding  "bindnow"  (ld -z now) ,   this might be set  additionally   by using --
>> with-extra-ldflags .
>>
>>
>> Best regards, Matthias
>>
>>
>>> Hello,
>>>
>>> I wasn't directly involved in introducing these flags, but my
>>> understanding is that it's always a performance compromise. I would
>>> involve at least hotspot-dev for a wider discussion on this as libjvm is
>>> the most affected library.
>>>
>>> /Erik
>>>
>>> On 2019-11-25 06:42, Baesken, Matthias wrote:
>>>> Hello,   I wonder why  the  binary hardening  on linux  using Relocation
>>> Read-Only (relro)  is not enabled by default.
>>>> Some info can be found here :
>>>>
>>>> https://wiki.debian.org/Hardening
>>>>
>>>> https://www.redhat.com/en/blog/hardening-elf-binaries-using-
>>> relocation-read-only-relro
>>>>
>>>> Currently I  notice  the settings only  for debug  / fastdebug builds , see
>>> flags-ldflags.m4 :
>>>>     # Setup debug level-dependent LDFLAGS
>>>>     if test "x$TOOLCHAIN_TYPE" = xgcc; then
>>>>       if test "x$OPENJDK_TARGET_OS" = xlinux; then
>>>>         if test x$DEBUG_LEVEL = xrelease; then
>>>>
>>> DEBUGLEVEL_LDFLAGS_JDK_ONLY="$DEBUGLEVEL_LDFLAGS_JDK_ONLY -
>>> Wl,-O1"
>>>>         else
>>>>           # mark relocations read only on (fast/slow) debug builds
>>>>           DEBUGLEVEL_LDFLAGS_JDK_ONLY="-Wl,-z,relro"
>>>>         fi
>>>>         if test x$DEBUG_LEVEL = xslowdebug; then
>>>>           # do relocations at load
>>>>           DEBUGLEVEL_LDFLAGS="-Wl,-z,now"
>>>>         fi
>>>>       fi
>>>>
>>>> Shouldn't we use  at least  "-Wl,-z,relro" also on product builds ?
>>>>
>>>> For  "-Wl,-z,now"   some  startup  performance hits are mentioned in
>>> articles/blogs -  any experiences / performance-measurements   with this
>> in
>>> the OpenJDK  context ?
>>>> Best regards, Matthias
>>>>

More information about the build-dev mailing list