RFR: 8241996: on linux set full relro in the linker flags

Claes Redestad claes.redestad at oracle.com
Wed Apr 1 13:53:45 UTC 2020 

Hi,

I took this for a spin on my setup, and see a ~500k increase in both
instructions and cycles - I guess one of your runs saw more
interference than the other.

 From a startup performance point of view the advertised cost seems
more or less negligible. (For context we've optimized away 10M
instructions since JDK 14 GA - a 0.5M step in the wrong direction won't
be noticeable)

/Claes

On 2020-04-01 15:35, Baesken, Matthias wrote:
> Hello, please review this binary hardening related change.
> 
> To improve binary hardening, we should enable full relro in the OpenJDK 
> builds. Currently
> our build settings enable only partial relro (they miss z,now).
> See 
> https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro
> 
> "Both partial and full RELRO reorder the ELF internal data sections to 
> protect them from being overwritten in the event of a buffer-overflow,
> but only full RELRO mitigates the above mentioned popular technique of 
> overwriting the GOT entry to get control of program execution."
> 
> See also :
> https://wiki.debian.org/Hardening
> 
> Some documentations/blogs mention slight performance impact of full 
> relro (for startup performance) .
> 
> 
> My quick checks on an example Linux server show not much impact (checked 
> on linux x86_64) .
> 
> 1)time on a   java HelloWorld  varies   (for both a patched and  
> unpatched  JDK)    between 0,6 and 0,7 seconds  ;
> 
> 2) perf - runs on a java HelloWorld   show  a bit less  cycles (not 
> clear why) but more  instructions :
> 
>> "normal  JVM" :
> 
>>         185,085,660      cycles                    #    2.424 GHz                      ( +-  0.54% )  (83.18%)
> 
>>         128,415,594      stalled-cycles-frontend   #   69.38% frontend cycles idle     ( +-  0.80% )  (80.98%)
> 
>>          84,990,433      stalled-cycles-backend    #   45.92% backend  cycles idle     ( +-  1.78% )  (65.38%)
> 
>>         102,950,894      instructions              #    0.56  insns per cycle
> 
>>                                                    #    1.25  stalled cycles per insn  ( +-  1.48% )  (86.90%)
> 
>> 
> 
>> Changed JVM with z,now  set :
> 
>> 
> 
>>         182,514,813      cycles                    #    2.394 GHz                      ( +-  0.58% )  (80.14%)
> 
>>         126,879,112      stalled-cycles-frontend   #   69.52% frontend cycles idle     ( +-  0.81% )  (81.24%)
> 
>>          82,691,295      stalled-cycles-backend    #   45.31% backend  cycles idle     ( +-  1.72% )  (69.16%)
> 
>>         103,958,399      instructions              #    0.57  insns per cycle
> 
>>                                                    #    1.22  stalled cycles per insn  ( +-  1.21% )  (89.47%)
> 
> Bug/webrev :
> 
> https://bugs.openjdk.java.net/browse/JDK-8241996
> 
> http://cr.openjdk.java.net/~mbaesken/webrevs/8241996.0/
> 
> Best regards, Matthias
>

More information about the build-dev mailing list