diff --git a/.gitignore b/.gitignore index e120195..1005198 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u302-b03-4curve.tar.xz +SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u302-b03-shenandoah-merge-2021-06-23-4curve.tar.xz SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata index cf618a1..a741bba 100644 --- a/.java-1.8.0-openjdk.metadata +++ b/.java-1.8.0-openjdk.metadata @@ -1,2 +1,2 @@ -9b8be14e254cd1528086bd851200d7123d62b4d3 SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u302-b03-4curve.tar.xz +7797c54d297eafd8a3edda6947e8f32af0df2851 SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u302-b03-shenandoah-merge-2021-06-23-4curve.tar.xz 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/SOURCES/NEWS b/SOURCES/NEWS index 2f78280..d4bc4d7 100644 --- a/SOURCES/NEWS +++ b/SOURCES/NEWS @@ -103,6 +103,17 @@ Live versions of these release notes can be found at: - JDK-8265832: runtime/StackGap/testme.sh fails to compile in 8u - JDK-8265988: Fix sun/text/IntHashtable/Bug4170614 for JDK 8u - JDK-8266191: Missing aarch64 parts of JDK-8181872 (C1: possible overflow when strength reducing integer multiply by constant) +* Shenandoah + - [backport] JDK-8259580: Shenandoah: uninitialized label in VerifyThreadGCState + - [backport] JDK-8259954: gc/shenandoah/mxbeans tests fail with -Xcomp + - [backport] JDK-8261251: Shenandoah: Use object size for full GC humongous + - [backport] JDK-8261413: Shenandoah: Disable class-unloading in I-U mode + - [backport] JDK-8265239: Shenandoah: Shenandoah heap region count could be off by 1 + - [backport] JDK-8266802: Shenandoah: Round up region size to page size unconditionally + - [backport] JDK-8267561: Shenandoah: Reference processing not properly setup for outside of cycle degenerated GC + - [backport] JDK-8268127: Shenandoah: Heap size may be too small for region to align to large page size + - [backport] JDK-8268699: Shenandoah: Add test for JDK-8268127 + - Shenandoah: Process weak roots during class unloading cycle Notes on individual issues: =========================== diff --git a/SOURCES/TestSecurityProperties.java b/SOURCES/TestSecurityProperties.java new file mode 100644 index 0000000..06a0b07 --- /dev/null +++ b/SOURCES/TestSecurityProperties.java @@ -0,0 +1,43 @@ +import java.io.File; +import java.io.FileInputStream; +import java.security.Security; +import java.util.Properties; + +public class TestSecurityProperties { + // JDK 11 + private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security"; + // JDK 8 + private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security"; + + public static void main(String[] args) { + Properties jdkProps = new Properties(); + loadProperties(jdkProps); + for (Object key: jdkProps.keySet()) { + String sKey = (String)key; + String securityVal = Security.getProperty(sKey); + String jdkSecVal = jdkProps.getProperty(sKey); + if (!securityVal.equals(jdkSecVal)) { + String msg = "Expected value '" + jdkSecVal + "' for key '" + + sKey + "'" + " but got value '" + securityVal + "'"; + throw new RuntimeException("Test failed! " + msg); + } else { + System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected."); + } + } + System.out.println("TestSecurityProperties PASSED!"); + } + + private static void loadProperties(Properties props) { + String javaVersion = System.getProperty("java.version"); + System.out.println("Debug: Java version is " + javaVersion); + String propsFile = JDK_PROPS_FILE_JDK_11; + if (javaVersion.startsWith("1.8.0")) { + propsFile = JDK_PROPS_FILE_JDK_8; + } + try (FileInputStream fin = new FileInputStream(new File(propsFile))) { + props.load(fin); + } catch (Exception e) { + throw new RuntimeException("Test failed!", e); + } + } +} diff --git a/SOURCES/rh1750419-redhat_alt_java.patch b/SOURCES/rh1750419-redhat_alt_java.patch index bdb67b3..4789f0b 100644 --- a/SOURCES/rh1750419-redhat_alt_java.patch +++ b/SOURCES/rh1750419-redhat_alt_java.patch @@ -1,12 +1,13 @@ diff --git openjdk.orig/jdk/make/CompileLaunchers.gmk openjdk/jdk/make/CompileLaunchers.gmk --- openjdk.orig/jdk/make/CompileLaunchers.gmk +++ openjdk/jdk/make/CompileLaunchers.gmk -@@ -255,6 +255,32 @@ +@@ -255,6 +255,33 @@ endif endif ++# -Wno-error=cpp is present to allow commented warning in ifdef part of main.c +$(eval $(call SetupLauncher,alt-java, \ -+ -DEXPAND_CLASSPATH_WILDCARDS -DREDHAT_ALT_JAVA,,,user32.lib comctl32.lib, \ ++ -DEXPAND_CLASSPATH_WILDCARDS -DREDHAT_ALT_JAVA -Wno-error=cpp,,,user32.lib comctl32.lib, \ + $(JDK_OUTPUTDIR)/objs/jli_static.lib, $(JAVA_RC_FLAGS), \ + $(JDK_TOPDIR)/src/windows/resource/java.rc, $(JDK_OUTPUTDIR)/objs/java_objs,true)) + @@ -115,12 +116,16 @@ new file mode 100644 diff --git openjdk.orig/jdk/src/share/bin/main.c openjdk/jdk/src/share/bin/main.c --- openjdk.orig/jdk/src/share/bin/main.c +++ openjdk/jdk/src/share/bin/main.c -@@ -32,6 +32,10 @@ +@@ -32,6 +32,14 @@ #include "defines.h" -+#if defined(linux) && defined(__x86_64) ++#ifdef REDHAT_ALT_JAVA ++#if defined(__linux__) && defined(__x86_64__) +#include "alt_main.h" ++#else ++#warning alt-java requested but SSB mitigation not available on this platform. ++#endif +#endif + #ifdef _MSC_VER diff --git a/SPECS/java-1.8.0-openjdk.spec b/SPECS/java-1.8.0-openjdk.spec index bb5826c..78e103e 100644 --- a/SPECS/java-1.8.0-openjdk.spec +++ b/SPECS/java-1.8.0-openjdk.spec @@ -80,6 +80,8 @@ %global share_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} # Set of architectures which support Java Flight Recorder (JFR) %global jfr_arches %{jit_arches} +# Set of architectures for which alt-java has SSB mitigation +%global ssbd_arches x86_64 # By default, we build a debug build during main build on JIT architectures %if %{with slowdebug} @@ -263,7 +265,7 @@ # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. %global shenandoah_project aarch64-port %global shenandoah_repo jdk8u-shenandoah -%global shenandoah_revision aarch64-shenandoah-jdk8u302-b03 +%global shenandoah_revision aarch64-shenandoah-jdk8u302-b03-shenandoah-merge-2021-06-23 # Define old aarch64/jdk8u tree variables for compatibility %global project %{shenandoah_project} %global repo %{shenandoah_repo} @@ -279,7 +281,7 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 0 +%global rpmrelease 3 # Define milestone (EA for pre-releases, GA ("fcs") for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, @@ -1150,8 +1152,14 @@ Source13: TestCryptoLevel.java # Ensure ECDSA is working Source14: TestECDSA.java +# Verify system crypto (policy) can be disabled via a property +Source15: TestSecurityProperties.java + +# Ensure vendor settings are correct +Source16: CheckVendor.java + # nss fips configuration file -Source15: nss.fips.cfg.in +Source17: nss.fips.cfg.in Source20: repackReproduciblePolycies.sh @@ -1159,9 +1167,6 @@ Source20: repackReproduciblePolycies.sh Source100: config.guess Source101: config.sub -# Ensure vendor settings are correct -Source16: CheckVendor.java - ############################################ # # RPM/distribution specific patches @@ -1755,7 +1760,7 @@ done sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg # Setup nss.fips.cfg -sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE15} > nss.fips.cfg +sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg %build @@ -1934,10 +1939,25 @@ $JAVA_HOME/bin/java TestCryptoLevel $JAVA_HOME/bin/javac -d . %{SOURCE14} $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") +# Check system crypto (policy) can be disabled +$JAVA_HOME/bin/javac -d . %{SOURCE15} +$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||") + # Check correct vendor values have been set $JAVA_HOME/bin/javac -d . %{SOURCE16} $JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" %{oj_vendor_url} %{oj_vendor_bug_url} +# Check java launcher has no SSB mitigation +if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi + +# Check alt-java launcher has SSB mitigation on supported architectures +%ifarch %{ssbd_arches} +nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation +%else +if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi +%endif + + # Check debug symbols are present and can identify code find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib do @@ -2402,6 +2422,25 @@ cjc.mainProgram(args) %endif %changelog +* Tue Jun 29 2021 Andrew Hughes - 1:1.8.0.302.b03-0.3.ea +- Introduced nm based check to verify alt-java on x86_64 is patched, and no other alt-java or java is patched +- Patch600, rh1750419-redhat_alt_java.patch, amended to die, if it is used wrongly +- Introduced ssbd_arches with currently only valid arch of x86_64 to separate real alt-java architectures +- Resolves: rhbz#1966233 + +* Mon Jun 28 2021 Andrew Hughes - 1:1.8.0.302.b03-0.2.ea +- Re-order source files to sync with Fedora. +- Resolves: rhbz#1966233 + +* Mon Jun 28 2021 Severin Gehwolf - 1:1.8.0.302.b03-0.2.ea +- Add a test verifying system crypto policies can be disabled +- Resolves: rhbz#1966233 + +* Mon Jun 28 2021 Andrew Hughes - 1:1.8.0.302.b03-0.1.ea +- Update to aarch64-shenandoah-jdk8u302-b03-shenandoah-merge-2021-06-23 (EA) +- Update release notes for 8u302-b03-shenandoah-merge-2021-06-23. +- Resolves: rhbz#1967812 + * Sun Jun 27 2021 Andrew Hughes - 1:1.8.0.302.b03-0.0.ea - Update to aarch64-shenandoah-jdk8u302-b03 (EA) - Update release notes for 8u302-b03.