The package rpms/java-11-openjdk.git has added or updated architecture specific content in its spec file (ExclusiveArch/ExcludeArch or %ifarch/%ifnarch) in commit(s): https://src.fedoraproject.org/cgit/rpms/java-11-openjdk.git/commit/?id=d5fdf....
Change: +%ifarch %{ssbd_arches}
Thanks.
Full change: ============
commit d5fdf83904c08e21fb6871cf724780c0f7802e89 Author: Jiri Vanek jvanek@redhat.com Date: Thu Dec 17 14:17:05 2020 +0100
Added checks and restrictions around alt-java
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec index 1428f50..1d5e9da 100644 --- a/java-11-openjdk.spec +++ b/java-11-openjdk.spec @@ -101,6 +101,8 @@ %global shenandoah_arches x86_64 %{aarch64} # Set of architectures for which we build the Z garbage collector %global zgc_arches x86_64 +# Set of architectures for which alt-java has SSB mitigation +%global ssbd_arches x86_64
# By default, we build a debug build during main build on JIT architectures %if %{with slowdebug} @@ -259,7 +261,7 @@ %global top_level_dir_name %{origin} %global minorver 0 %global buildver 11 -%global rpmrelease 5 +%global rpmrelease 6 #%%global tagsuffix "" # priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when moving to 11 we had to add another digit %if %is_system_jdk @@ -1598,6 +1600,16 @@ $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|.java||") $JAVA_HOME/bin/javac -d . %{SOURCE15} $JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|.java||")
+# Check java launcher has no SSB mitigation +if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi + +# Check alt-java launcher has SSB mitigation on supported architectures +%ifarch %{ssbd_arches} +nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation +%else +if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi +%endif + # Check debug symbols in static libraries (smoke test) export STATIC_LIBS_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{static_libs_image} readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c @@ -1974,6 +1986,11 @@ require "copy_jdk_configs.lua"
%changelog +* Thu Dec 17 2020 Andrew Hughes gnu.andrew@redhat.com - 1:11.0.9.11-6 +- introduced nm based check to verify alt-java on x86_64 is patched, and no other alt-java or java is patched +- patch600 rh1750419-redhat_alt_java.patch amended to die, if it is used wrongly +- introduced ssbd_arches with currently only valid arch of x86_64 to separate real alt-java architectures + * Tue Dec 01 2020 Jiri Vanek jvanek@redhat.com - 1:11.0.9.11-5 - removed patch6, rh1566890-CVE_2018_3639-speculative_store_bypass.patch, surpassed by new patch - added patch600, rh1750419-redhat_alt_java.patch, suprassing removed patch diff --git a/rh1750419-redhat_alt_java.patch b/rh1750419-redhat_alt_java.patch index a7b7fdc..e6355f2 100644 --- a/rh1750419-redhat_alt_java.patch +++ b/rh1750419-redhat_alt_java.patch @@ -1,12 +1,13 @@ diff -r 1356affa5e44 make/launcher/Launcher-java.base.gmk --- openjdk/make/launcher/Launcher-java.base.gmk Wed Nov 25 08:27:15 2020 +0100 +++ openjdk/make/launcher/Launcher-java.base.gmk Tue Dec 01 12:29:30 2020 +0100 -@@ -41,6 +41,15 @@ +@@ -41,6 +41,16 @@ OPTIMIZATION := HIGH, \ ))
++#Wno-error=cpp is present to allow commented warning in ifdef part of main.c +$(eval $(call SetupBuildLauncher, alt-java, \ -+ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA, \ ++ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \ + LDFLAGS_solaris := -R$(OPENWIN_HOME)/lib$(OPENJDK_TARGET_CPU_ISADIR), \ + LIBS_windows := user32.lib comctl32.lib, \ + EXTRA_RC_FLAGS := $(JAVA_RC_FLAGS), \ @@ -98,12 +99,16 @@ diff -r 25e94aa812b2 src/share/bin/alt_main.h diff -r 25e94aa812b2 src/share/bin/main.c --- openjdk/src/java.base/share/native/launcher/main.c Wed Feb 05 12:20:36 2020 -0300 +++ openjdk/src/java.base/share/native/launcher/main.c Tue Jun 02 17:15:28 2020 +0100 -@@ -34,6 +34,10 @@ +@@ -34,6 +34,14 @@ #include "jli_util.h" #include "jni.h"
++#ifdef REDHAT_ALT_JAVA +#if defined(__linux__) && defined(__x86_64__) +#include "alt_main.h" ++#else ++#warning alt-java requested but SSB mitigation not available on this platform. ++#endif +#endif + #ifdef _MSC_VER
commit fdf2aac83b2ea1f80da78d0a9d796a3016a01d5c Author: Jiri Vanek jvanek@redhat.com Date: Thu Dec 17 13:33:05 2020 +0100
Redeffined linux -> __linux__ and __x86_64 -> __x86_64__
diff --git a/rh1750419-redhat_alt_java.patch b/rh1750419-redhat_alt_java.patch index eaac9f1..a7b7fdc 100644 --- a/rh1750419-redhat_alt_java.patch +++ b/rh1750419-redhat_alt_java.patch @@ -102,7 +102,7 @@ diff -r 25e94aa812b2 src/share/bin/main.c #include "jli_util.h" #include "jni.h"
-+#if defined(linux) && defined(__x86_64) ++#if defined(__linux__) && defined(__x86_64__) +#include "alt_main.h" +#endif +
commit dd7adeb2b621608c0e8e5962cb02990264936c9c Author: Jiri jvanek@redhat.com Date: Mon Dec 7 20:05:31 2020 +0100
Fixes comment for speculative store bypass patch
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec index e9d8a09..1428f50 100644 --- a/java-11-openjdk.spec +++ b/java-11-openjdk.spec @@ -1102,7 +1102,7 @@ Source15: TestSecurityProperties.java # NSS via SunPKCS11 Provider (disabled comment # due to memory leak). Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch -# enable build of spectre/meltdown hardened alt-java +# enable build of speculative store bypass hardened alt-java Patch600: rh1750419-redhat_alt_java.patch
# Ignore AWTError when assistive technologies are loaded
commit cee2608ae606adc3f780e9082d264c4c695d9702 Author: Jiri jvanek@redhat.com Date: Tue Dec 1 14:13:12 2020 +0100
Replaced alt-java palceholder by real pathced alt-java
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec index 8ab0776..e9d8a09 100644 --- a/java-11-openjdk.spec +++ b/java-11-openjdk.spec @@ -259,7 +259,7 @@ %global top_level_dir_name %{origin} %global minorver 0 %global buildver 11 -%global rpmrelease 4 +%global rpmrelease 5 #%%global tagsuffix "" # priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when moving to 11 we had to add another digit %if %is_system_jdk @@ -1102,6 +1102,8 @@ Source15: TestSecurityProperties.java # NSS via SunPKCS11 Provider (disabled comment # due to memory leak). Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch +# enable build of spectre/meltdown hardened alt-java +Patch600: rh1750419-redhat_alt_java.patch
# Ignore AWTError when assistive technologies are loaded Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch @@ -1125,8 +1127,6 @@ Patch2: rh1648644-java_access_bridge_privileged_security.patch Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch # PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch -# RH1566890: CVE-2018-3639 -Patch6: rh1566890-CVE_2018_3639-speculative_store_bypass.patch # PR3695: Allow use of system crypto policy to be disabled by the user Patch7: pr3695-toggle_system_crypto_policy.patch
@@ -1393,7 +1393,6 @@ pushd %{top_level_dir_name} %patch2 -p1 %patch3 -p1 %patch4 -p1 -%patch6 -p1 %patch7 -p1 %patch8 -p1 %patch9 -p1 @@ -1401,6 +1400,7 @@ pushd %{top_level_dir_name} popd # openjdk
%patch1000 +%patch600
# Extract systemtap tapsets %if %{with_systemtap} @@ -1566,7 +1566,6 @@ ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat
# Create fake alt-java as a placeholder for future alt-java pushd ${JAVA_HOME} -cp -a bin/java bin/%{alt_java_name} # add alt-java man page echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 @@ -1975,6 +1974,11 @@ require "copy_jdk_configs.lua"
%changelog +* Tue Dec 01 2020 Jiri Vanek jvanek@redhat.com - 1:11.0.9.11-5 +- removed patch6, rh1566890-CVE_2018_3639-speculative_store_bypass.patch, surpassed by new patch +- added patch600, rh1750419-redhat_alt_java.patch, suprassing removed patch +- no longer copying of java->alt-java as it is created by patch600 + * Mon Nov 23 2020 Jiri Vanek jvanek@redhat.com - 1:11.0.9.11-4 - Create a copy of java as alt-java with alternatives and man pages - java-11-openjdk doesn't have a JRE tree, so don't try and copy alt-java there... diff --git a/rh1566890-CVE_2018_3639-speculative_store_bypass.patch b/rh1566890-CVE_2018_3639-speculative_store_bypass.patch deleted file mode 100644 index bd52828..0000000 --- a/rh1566890-CVE_2018_3639-speculative_store_bypass.patch +++ /dev/null @@ -1,61 +0,0 @@ -diff --git openjdk/src/hotspot/os/linux/os_linux.cpp openjdk/src/hotspot/os/linux/os_linux.cpp ---- openjdk/src/hotspot/os/linux/os_linux.cpp -+++ openjdk/src/hotspot/os/linux/os_linux.cpp -@@ -107,6 +107,8 @@ - # include <inttypes.h> - # include <sys/ioctl.h> - -+#include <sys/prctl.h> -+ - #ifndef _GNU_SOURCE - #define _GNU_SOURCE - #include <sched.h> -@@ -4984,6 +4986,48 @@ - extern void report_error(char* file_name, int line_no, char* title, - char* format, ...); - -+/* Per task speculation control */ -+#ifndef PR_GET_SPECULATION_CTRL -+# define PR_GET_SPECULATION_CTRL 52 -+#endif -+#ifndef PR_SET_SPECULATION_CTRL -+# define PR_SET_SPECULATION_CTRL 53 -+#endif -+/* Speculation control variants */ -+#ifndef PR_SPEC_STORE_BYPASS -+# define PR_SPEC_STORE_BYPASS 0 -+#endif -+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */ -+ -+#ifndef PR_SPEC_NOT_AFFECTED -+# define PR_SPEC_NOT_AFFECTED 0 -+#endif -+#ifndef PR_SPEC_PRCTL -+# define PR_SPEC_PRCTL (1UL << 0) -+#endif -+#ifndef PR_SPEC_ENABLE -+# define PR_SPEC_ENABLE (1UL << 1) -+#endif -+#ifndef PR_SPEC_DISABLE -+# define PR_SPEC_DISABLE (1UL << 2) -+#endif -+#ifndef PR_SPEC_FORCE_DISABLE -+# define PR_SPEC_FORCE_DISABLE (1UL << 3) -+#endif -+#ifndef PR_SPEC_DISABLE_NOEXEC -+# define PR_SPEC_DISABLE_NOEXEC (1UL << 4) -+#endif -+ -+static void set_speculation() __attribute__((constructor)); -+static void set_speculation() { -+ if ( prctl(PR_SET_SPECULATION_CTRL, -+ PR_SPEC_STORE_BYPASS, -+ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) { -+ return; -+ } -+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0); -+} -+ - // this is called _before_ most of the global arguments have been parsed - void os::init(void) { - char dummy; // used to get a guess on initial stack address diff --git a/rh1750419-redhat_alt_java.patch b/rh1750419-redhat_alt_java.patch new file mode 100644 index 0000000..eaac9f1 --- /dev/null +++ b/rh1750419-redhat_alt_java.patch @@ -0,0 +1,111 @@ +diff -r 1356affa5e44 make/launcher/Launcher-java.base.gmk +--- openjdk/make/launcher/Launcher-java.base.gmk Wed Nov 25 08:27:15 2020 +0100 ++++ openjdk/make/launcher/Launcher-java.base.gmk Tue Dec 01 12:29:30 2020 +0100 +@@ -41,6 +41,15 @@ + OPTIMIZATION := HIGH, \ + )) + ++$(eval $(call SetupBuildLauncher, alt-java, \ ++ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA, \ ++ LDFLAGS_solaris := -R$(OPENWIN_HOME)/lib$(OPENJDK_TARGET_CPU_ISADIR), \ ++ LIBS_windows := user32.lib comctl32.lib, \ ++ EXTRA_RC_FLAGS := $(JAVA_RC_FLAGS), \ ++ VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \ ++ OPTIMIZATION := HIGH, \ ++)) ++ + ifeq ($(OPENJDK_TARGET_OS), windows) + $(eval $(call SetupBuildLauncher, javaw, \ + CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \ + +diff -r 25e94aa812b2 src/share/bin/alt_main.h +--- /dev/null Thu Jan 01 00:00:00 1970 +0000 ++++ openjdk/src/java.base/share/native/launcher/alt_main.h Tue Jun 02 17:15:28 2020 +0100 +@@ -0,0 +1,73 @@ ++/* ++ * Copyright (c) 2019, Red Hat, Inc. All rights reserved. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++#ifdef REDHAT_ALT_JAVA ++ ++#include <sys/prctl.h> ++ ++ ++/* Per task speculation control */ ++#ifndef PR_GET_SPECULATION_CTRL ++# define PR_GET_SPECULATION_CTRL 52 ++#endif ++#ifndef PR_SET_SPECULATION_CTRL ++# define PR_SET_SPECULATION_CTRL 53 ++#endif ++/* Speculation control variants */ ++#ifndef PR_SPEC_STORE_BYPASS ++# define PR_SPEC_STORE_BYPASS 0 ++#endif ++/* Return and control values for PR_SET/GET_SPECULATION_CTRL */ ++ ++#ifndef PR_SPEC_NOT_AFFECTED ++# define PR_SPEC_NOT_AFFECTED 0 ++#endif ++#ifndef PR_SPEC_PRCTL ++# define PR_SPEC_PRCTL (1UL << 0) ++#endif ++#ifndef PR_SPEC_ENABLE ++# define PR_SPEC_ENABLE (1UL << 1) ++#endif ++#ifndef PR_SPEC_DISABLE ++# define PR_SPEC_DISABLE (1UL << 2) ++#endif ++#ifndef PR_SPEC_FORCE_DISABLE ++# define PR_SPEC_FORCE_DISABLE (1UL << 3) ++#endif ++#ifndef PR_SPEC_DISABLE_NOEXEC ++# define PR_SPEC_DISABLE_NOEXEC (1UL << 4) ++#endif ++ ++static void set_speculation() __attribute__((constructor)); ++static void set_speculation() { ++ if ( prctl(PR_SET_SPECULATION_CTRL, ++ PR_SPEC_STORE_BYPASS, ++ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) { ++ return; ++ } ++ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0); ++} ++ ++#endif // REDHAT_ALT_JAVA +diff -r 25e94aa812b2 src/share/bin/main.c +--- openjdk/src/java.base/share/native/launcher/main.c Wed Feb 05 12:20:36 2020 -0300 ++++ openjdk/src/java.base/share/native/launcher/main.c Tue Jun 02 17:15:28 2020 +0100 +@@ -34,6 +34,10 @@ + #include "jli_util.h" + #include "jni.h" + ++#if defined(linux) && defined(__x86_64) ++#include "alt_main.h" ++#endif ++ + #ifdef _MSC_VER + #if _MSC_VER > 1400 && _MSC_VER < 1600 +
arch-excludes@lists.fedoraproject.org