RFR [XS] 8234809: set relro in linker flags when building with gcc - was RE: binary Hardening on linux using Relocation Read-Only (relro)
Baesken, Matthias
matthias.baesken at sap.com
Tue Nov 26 17:00:28 UTC 2019
Thanks !
Florian, may I add you as reviewer ?
Best regards, Matthias
> Looks good.
>
> /Erik
>
> On 2019-11-26 05:07, Baesken, Matthias wrote:
> >> Hello Erik, Florian , currently relro is set already for libjvm.
> >> I think if this works nicely for libjvm, it shouldn't do any harm to set it as
> well
> >> in the BASIC_LDFLAGS for other binaries .
> >> I would propose a patch like :
> > Hello, here is my webrev , please review .
> >
> > Bug/webrev :
> >
> > https://bugs.openjdk.java.net/browse/JDK-8234809
> >
> > http://cr.openjdk.java.net/~mbaesken/webrevs/8234809.0/
> >
> >
> > Thanks, Matthias
> >
> >>> I would involve at least hotspot-dev for a wider discussion on this as
> libjvm
> >> is
> >>> the most affected library.
> >> Hello Erik, Florian , currently relro is set already for libjvm.
> >> I think if this works nicely for libjvm, it shouldn't do any harm to set it as
> well
> >> in the BASIC_LDFLAGS for other binaries .
> >> I would propose a patch like :
> >>
> >> diff -r 80e1201f6c9a make/autoconf/flags-ldflags.m4
> >> --- a/make/autoconf/flags-ldflags.m4 Fri Nov 22 09:06:35 2019 -0500
> >> +++ b/make/autoconf/flags-ldflags.m4 Tue Nov 26 13:05:42 2019 +0100
> >> @@ -70,10 +70,9 @@
> >> fi
> >>
> >> # Add -z defs, to forbid undefined symbols in object files.
> >> - BASIC_LDFLAGS="$BASIC_LDFLAGS -Wl,-z,defs"
> >> -
> >> - BASIC_LDFLAGS_JVM_ONLY="-Wl,-O1 -Wl,-z,relro"
> >> -
> >> + # add relro (mark relocations read only) for all libs
> >> + BASIC_LDFLAGS="$BASIC_LDFLAGS -Wl,-z,defs -Wl,-z,relro"
> >> + BASIC_LDFLAGS_JVM_ONLY="-Wl,-O1"
> >>
> >>
> >> If I understand
> >> https://bugzilla.redhat.com/show_bug.cgi?id=1571359
> >> correct, RedHat is setting those flags already via the build system .
> >>
> >> Regarding "bindnow" (ld -z now) , this might be set additionally by
> using --
> >> with-extra-ldflags .
> >>
> >>
> >> Best regards, Matthias
> >>
> >>
> >>> Hello,
> >>>
> >>> I wasn't directly involved in introducing these flags, but my
> >>> understanding is that it's always a performance compromise. I would
> >>> involve at least hotspot-dev for a wider discussion on this as libjvm is
> >>> the most affected library.
> >>>
> >>> /Erik
> >>>
> >>> On 2019-11-25 06:42, Baesken, Matthias wrote:
> >>>> Hello, I wonder why the binary hardening on linux using Relocation
> >>> Read-Only (relro) is not enabled by default.
> >>>> Some info can be found here :
> >>>>
> >>>> https://wiki.debian.org/Hardening
> >>>>
> >>>> https://www.redhat.com/en/blog/hardening-elf-binaries-using-
> >>> relocation-read-only-relro
> >>>>
> >>>> Currently I notice the settings only for debug / fastdebug builds , see
> >>> flags-ldflags.m4 :
> >>>> # Setup debug level-dependent LDFLAGS
> >>>> if test "x$TOOLCHAIN_TYPE" = xgcc; then
> >>>> if test "x$OPENJDK_TARGET_OS" = xlinux; then
> >>>> if test x$DEBUG_LEVEL = xrelease; then
> >>>>
> >>>
> DEBUGLEVEL_LDFLAGS_JDK_ONLY="$DEBUGLEVEL_LDFLAGS_JDK_ONLY -
> >>> Wl,-O1"
> >>>> else
> >>>> # mark relocations read only on (fast/slow) debug builds
> >>>> DEBUGLEVEL_LDFLAGS_JDK_ONLY="-Wl,-z,relro"
> >>>> fi
> >>>> if test x$DEBUG_LEVEL = xslowdebug; then
> >>>> # do relocations at load
> >>>> DEBUGLEVEL_LDFLAGS="-Wl,-z,now"
> >>>> fi
> >>>> fi
> >>>>
> >>>> Shouldn't we use at least "-Wl,-z,relro" also on product builds ?
> >>>>
> >>>> For "-Wl,-z,now" some startup performance hits are mentioned in
> >>> articles/blogs - any experiences / performance-measurements with
> this
> >> in
> >>> the OpenJDK context ?
> >>>> Best regards, Matthias
> >>>>
More information about the build-dev
mailing list