The package rpms/java-11-openjdk.git has added or updated architecture specific content in
its
spec file (ExclusiveArch/ExcludeArch or %ifarch/%ifnarch) in commit(s):
https://src.fedoraproject.org/cgit/rpms/java-11-openjdk.git/commit/?id=ce....
Change:
+%ifarch %{ssbd_arches}
Thanks.
Full change:
============
commit cef412cef76d21e033ba122cec239e88170aeb0a
Author: Jiri Vanek <jvanek(a)redhat.com>
Date: Thu Dec 17 14:17:05 2020 +0100
Added checks and restrictions around alt-java
diff --git a/java-11-openjdk.spec b/java-11-openjdk.spec
index d9d8821..7ce6e7c 100644
--- a/java-11-openjdk.spec
+++ b/java-11-openjdk.spec
@@ -101,6 +101,8 @@
%global shenandoah_arches x86_64 %{aarch64}
# Set of architectures for which we build the Z garbage collector
%global zgc_arches x86_64
+# Set of architectures for which alt-java has SSB mitigation
+%global ssbd_arches x86_64
# By default, we build a debug build during main build on JIT architectures
%if %{with slowdebug}
@@ -259,7 +261,7 @@
%global top_level_dir_name %{origin}
%global minorver 0
%global buildver 11
-%global rpmrelease 5
+%global rpmrelease 6
#%%global tagsuffix ""
# priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when
moving to 11 we had to add another digit
%if %is_system_jdk
@@ -1598,6 +1600,16 @@ $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed
"s|\.java||")
$JAVA_HOME/bin/javac -d . %{SOURCE15}
$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename
%{SOURCE15})|sed "s|\.java||")
+# Check java launcher has no SSB mitigation
+if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
+
+# Check alt-java launcher has SSB mitigation on supported architectures
+%ifarch %{ssbd_arches}
+nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
+%else
+if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false;
fi
+%endif
+
# Check debug symbols in static libraries (smoke test)
export STATIC_LIBS_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{static_libs_image}
readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c
@@ -1974,6 +1986,11 @@ require "copy_jdk_configs.lua"
%changelog
+* Thu Dec 17 2020 Andrew Hughes <gnu.andrew(a)redhat.com> - 1:11.0.9.11-6
+- introduced nm based check to verify alt-java on x86_64 is patched, and no other
alt-java or java is patched
+- patch600 rh1750419-redhat_alt_java.patch amended to die, if it is used wrongly
+- introduced ssbd_arches with currently only valid arch of x86_64 to separate real
alt-java architectures
+
* Tue Dec 01 2020 Jiri Vanek <jvanek(a)redhat.com> - 1:11.0.9.11-5
- removed patch6, rh1566890-CVE_2018_3639-speculative_store_bypass.patch, surpassed by
new patch
- added patch600, rh1750419-redhat_alt_java.patch, suprassing removed patch
diff --git a/rh1750419-redhat_alt_java.patch b/rh1750419-redhat_alt_java.patch
index a7b7fdc..e6355f2 100644
--- a/rh1750419-redhat_alt_java.patch
+++ b/rh1750419-redhat_alt_java.patch
@@ -1,12 +1,13 @@
diff -r 1356affa5e44 make/launcher/Launcher-java.base.gmk
--- openjdk/make/launcher/Launcher-java.base.gmk Wed Nov 25 08:27:15 2020 +0100
+++ openjdk/make/launcher/Launcher-java.base.gmk Tue Dec 01 12:29:30 2020 +0100
-@@ -41,6 +41,15 @@
+@@ -41,6 +41,16 @@
OPTIMIZATION := HIGH, \
))
++#Wno-error=cpp is present to allow commented warning in ifdef part of main.c
+$(eval $(call SetupBuildLauncher, alt-java, \
-+ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA, \
++ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA
-Wno-error=cpp, \
+ LDFLAGS_solaris := -R$(OPENWIN_HOME)/lib$(OPENJDK_TARGET_CPU_ISADIR), \
+ LIBS_windows := user32.lib comctl32.lib, \
+ EXTRA_RC_FLAGS := $(JAVA_RC_FLAGS), \
@@ -98,12 +99,16 @@ diff -r 25e94aa812b2 src/share/bin/alt_main.h
diff -r 25e94aa812b2 src/share/bin/main.c
--- openjdk/src/java.base/share/native/launcher/main.c Wed Feb 05 12:20:36 2020 -0300
+++ openjdk/src/java.base/share/native/launcher/main.c Tue Jun 02 17:15:28 2020 +0100
-@@ -34,6 +34,10 @@
+@@ -34,6 +34,14 @@
#include "jli_util.h"
#include "jni.h"
++#ifdef REDHAT_ALT_JAVA
+#if defined(__linux__) && defined(__x86_64__)
+#include "alt_main.h"
++#else
++#warning alt-java requested but SSB mitigation not available on this platform.
++#endif
+#endif
+
#ifdef _MSC_VER