Index: head/share/mk/bsd.lib.mk
===================================================================
--- head/share/mk/bsd.lib.mk
+++ head/share/mk/bsd.lib.mk
@@ -69,6 +69,10 @@
 TAG_ARGS= -T ${TAGS:[*]:S/ /,/g}
 .endif
+# ELF hardening knobs
+.if ${MK_BIND_NOW} != "no"
+LDFLAGS+= -Wl,-znow
+.endif
 .if ${MK_RETPOLINE} != "no"
 CFLAGS+= -mretpoline
 CXXFLAGS+= -mretpoline
Index: head/share/mk/bsd.opts.mk
===================================================================
--- head/share/mk/bsd.opts.mk
+++ head/share/mk/bsd.opts.mk
@@ -69,6 +69,7 @@
 WARNS
 __DEFAULT_NO_OPTIONS = \
+ BIND_NOW \
 CCACHE_BUILD \
 CTF \
 INSTALL_AS_USER \
Index: head/share/mk/bsd.prog.mk
===================================================================
--- head/share/mk/bsd.prog.mk
+++ head/share/mk/bsd.prog.mk
@@ -34,6 +34,10 @@
 MK_DEBUG_FILES= no
 .endif
+# ELF hardening knobs
+.if ${MK_BIND_NOW} != "no"
+LDFLAGS+= -Wl,-znow
+.endif
 .if ${MK_RETPOLINE} != "no"
 CFLAGS+= -mretpoline
 CXXFLAGS+= -mretpoline
Index: head/tools/build/options/WITHOUT_BIND_NOW
===================================================================
--- head/tools/build/options/WITHOUT_BIND_NOW
+++ head/tools/build/options/WITHOUT_BIND_NOW
@@ -0,0 +1,5 @@
+.\" $FreeBSD$
+Do not build all binaries with the
+.Dv DF_BIND_NOW
+flag set.
+Run-time relocation processing will be performed on demand.
Index: head/tools/build/options/WITH_BIND_NOW
===================================================================
--- head/tools/build/options/WITH_BIND_NOW
+++ head/tools/build/options/WITH_BIND_NOW
@@ -0,0 +1,5 @@
+.\" $FreeBSD$
+Build all binaries with the
+.Dv DF_BIND_NOW
+flag set to indicate that the run-time loader should perform all relocation
+processing at process startup rather than on demand.
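Review bot: The `# ELF hardening knobs` comment in the bsd.lib.mk hunk, and the identical block added to bsd.prog.mk, does not say what `-Wl,-znow` protects, and the flag on its own is only half of the usual mitigation. Eager binding hardens the GOT only when the linker also emits a RELRO segment, so that the run-time loader can make the GOT read-only once startup relocation is done. Whether `-z relro` is in effect depends on the linker's default, which this diff does not show, so I would state the dependency in the comment, e.g. `# BIND_NOW: bind all symbols at startup; only with RELRO can the GOT then be made read-only`. The same four-line conditional is added verbatim to both files, following the MK_RETPOLINE block, whose end lies outside the hunk; a shared include would keep the two copies from drifting, if one exists.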