What about bsd.lib.mk?

Do you plan to add documentation anywhere explaining what the mitigation does? In particular, you need to also set WITH_BIND_NOW to get "full" RELRO.

should be applicable only to linking binaries, i.e. .plt and .got.plt

Not quite sure where it should go - this WITH_RELRO won't actually be used with the option on by default. Maybe describe partial/full RELRO in the BIND_NOW option?

Or add here

Binaries will not have a GNU_RELRO segment and the .plt and .got.plt sections will not be switched to read-only after applying relocations.
See also BIND_NOW.

Or maybe src.conf isn't the right place to try to explain this, and we should have text in security(7) or a man page on elf hardening?

Perhaps in BIND_NOW

The combination of the
.Va BIND_NOW
and
.Va RELRO
options provide "full" Relocation Read-Only (RELRO) support.
With full RELRO the entire GOT is made read-only after performing relocation at
startup, avoiding GOT overwrite attacks.

I don't really follow. RELRO applies to shared libs too.

I think it'd make the most sense to describe the mitigation in security.7 (or anywhere that's not src.conf.5), but mention briefly the relationship between RELRO and BIND_NOW here. Your last suggestion seems fine to me. I'd also add "see the WITH_BIND_NOW option" to the description of WITH_RELRO.

Yes of course, just a braino.

security.7 needs a more major overhaul, I should document it more fully there in the future. For now I think the last suggestion along with a xref is fine. The xref would have to be in both WITH_RELRO and WITHOUT_RELRO.