RFR: 8241996: on linux set full relro in the linker flags

Erik Joelsson erik.joelsson at oracle.com
Wed Apr 1 14:33:22 UTC 2020 

Hello Matthias,

We are currently setting -z now for slowdebug builds. That should be 
removed if it's now set by default for all configs.

/Erik

On 2020-04-01 06:35, Baesken, Matthias wrote:
> Hello, please review this binary hardening related change.
>
> To improve binary hardening, we should enable full relro in the OpenJDK builds. Currently
> our build settings enable only partial relro (they miss z,now).
> See https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro
>
> "Both partial and full RELRO reorder the ELF internal data sections to protect them from being overwritten in the event of a buffer-overflow,
> but only full RELRO mitigates the above mentioned popular technique of overwriting the GOT entry to get control of program execution."
>
> See also :
> https://wiki.debian.org/Hardening
>
> Some documentations/blogs mention slight performance impact of full relro (for startup performance) .
>
> My quick checks on an example Linux server show not much impact (checked on linux x86_64) .
> 1)time on a   java HelloWorld  varies   (for both a patched and  unpatched  JDK)    between 0,6 and 0,7 seconds  ;
> 2) perf - runs on a java HelloWorld   show  a bit less  cycles (not clear why) but more  instructions :
>
>
>> "normal  JVM" :
>>          185,085,660      cycles                    #    2.424 GHz                      ( +-  0.54% )  (83.18%)
>>          128,415,594      stalled-cycles-frontend   #   69.38% frontend cycles idle     ( +-  0.80% )  (80.98%)
>>           84,990,433      stalled-cycles-backend    #   45.92% backend  cycles idle     ( +-  1.78% )  (65.38%)
>>          102,950,894      instructions              #    0.56  insns per cycle
>>                                                     #    1.25  stalled cycles per insn  ( +-  1.48% )  (86.90%)
>> Changed JVM with z,now  set :
>>          182,514,813      cycles                    #    2.394 GHz                      ( +-  0.58% )  (80.14%)
>>          126,879,112      stalled-cycles-frontend   #   69.52% frontend cycles idle     ( +-  0.81% )  (81.24%)
>>           82,691,295      stalled-cycles-backend    #   45.31% backend  cycles idle     ( +-  1.72% )  (69.16%)
>>          103,958,399      instructions              #    0.57  insns per cycle
>>                                                     #    1.22  stalled cycles per insn  ( +-  1.21% )  (89.47%)
>
> Bug/webrev :
>
> https://bugs.openjdk.java.net/browse/JDK-8241996
>
> http://cr.openjdk.java.net/~mbaesken/webrevs/8241996.0/
>
>
> Best regards, Matthias

More information about the build-dev mailing list