Patch and documentation cleanup

Update documentation (README.md)
Replace alt-java patch with a binary separate from the JDK
Drop stale patches that are of little use any more:
- * nss.cfg has been disabled since early PKCS11 work and long superseded by FIPS work
- * No accessibility subpackage to warrant RH1648242 & RH1648644 patches any more
- * No use of system libjpeg turbo to warrant RH649512 patch any more
- Replace RH1684077 pcsc-lite-libs patch with better JDK-8009550 fix being upstreamed
Adapt alt-java test to new binary where there is always a set_speculation function

Related: RHEL-12998
Andrew Hughes 2023-08-24 02:06:25 +01:00
parent b426381567
commit 5082fb0d28
12 changed files with 305 additions and 296 deletions


@ -1,14 +1,12 @@
OpenJDK 17 is the latest Long-Term Support (LTS) release of the Java platform. OpenJDK 21 is the latest Long-Term Support (LTS) release of the Java platform.
For a list of major changes from OpenJDK 11 (java-11-openjdk), see the upstream For a list of major changes from OpenJDK 17 (java-17-openjdk), see the upstream
release page for OpenJDK 17 and the preceding interim releases: release page for OpenJDK 21 and the preceding interim releases:
* 12: https://openjdk.java.net/projects/jdk/12/ * 18: https://openjdk.java.net/projects/jdk/18/
* 13: https://openjdk.java.net/projects/jdk/13/ * 19: https://openjdk.java.net/projects/jdk/19/
* 14: https://openjdk.java.net/projects/jdk/14/ * 20: https://openjdk.java.net/projects/jdk/20/
* 15: https://openjdk.java.net/projects/jdk/15/ * 21: https://openjdk.java.net/projects/jdk/21/
* 16: https://openjdk.java.net/projects/jdk/16/
* 17: https://openjdk.java.net/projects/jdk/17/
# Rebuilding the OpenJDK package # Rebuilding the OpenJDK package
@ -20,21 +18,21 @@ multiple builds which only differ by the platform they were built on.
This does make rebuilding the package slightly more complicated than a This does make rebuilding the package slightly more complicated than a
normal package. Modifications should be made to the normal package. Modifications should be made to the
`java-17-openjdk-portable.specfile` file, which can be found with this `java-21-openjdk-portable.specfile` file, which can be found with this
README file in the source RPM or installed in the documentation tree README file in the source RPM or installed in the documentation tree
by the `java-17-openjdk-headless` RPM. by the `java-21-openjdk-headless` RPM.
Once the modified `java-17-openjdk-portable` RPMs are built, they Once the modified `java-21-openjdk-portable` RPMs are built, they
should be installed and will produce a number of tarballs in the should be installed and will produce a number of tarballs in the
`/usr/lib/jvm` directory. The `java-17-openjdk` RPMs can then be `/usr/lib/jvm` directory. The `java-21-openjdk` RPMs can then be
built, which will use these tarballs to create the usual RPMs found in built, which will use these tarballs to create the usual RPMs found in
RHEL. The `java-17-openjdk-portable` RPMs can be uninstalled once the RHEL. The `java-21-openjdk-portable` RPMs can be uninstalled once the
desired final RPMs are produced. desired final RPMs are produced.
Note that the `java-17-openjdk.spec` file has a hard requirement on Note that the `java-21-openjdk.spec` file has a hard requirement on
the exact version of java-17-openjdk-portable to use, so this will the exact version of java-21-openjdk-portable to use, so this will
need to be modified if the version or rpmrelease values are changed in need to be modified if the version or rpmrelease values are changed in
`java-17-openjdk-portable.specfile`. `java-21-openjdk-portable.specfile`.
To reduce the number of RPMs involved, the `fastdebug` and `slowdebug` To reduce the number of RPMs involved, the `fastdebug` and `slowdebug`
builds may be disabled using `--without fastdebug` and `--without builds may be disabled using `--without fastdebug` and `--without

alt-java.c Normal file

@ -0,0 +1,100 @@
/*
* Copyright (C) 2023 Red Hat, Inc.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Red Hat designates this
* particular file as subject to the "Classpath" exception as provided
* by Red Hat in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
*/
#include <errno.h>
#include <libgen.h>
#include <linux/limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>
/* Per task speculation control */
#ifndef PR_GET_SPECULATION_CTRL
# define PR_GET_SPECULATION_CTRL 52
#endif
#ifndef PR_SET_SPECULATION_CTRL
# define PR_SET_SPECULATION_CTRL 53
#endif
/* Speculation control variants */
#ifndef PR_SPEC_STORE_BYPASS
# define PR_SPEC_STORE_BYPASS 0
#endif
/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
#ifndef PR_SPEC_NOT_AFFECTED
# define PR_SPEC_NOT_AFFECTED 0
#endif
#ifndef PR_SPEC_PRCTL
# define PR_SPEC_PRCTL (1UL << 0)
#endif
#ifndef PR_SPEC_ENABLE
# define PR_SPEC_ENABLE (1UL << 1)
#endif
#ifndef PR_SPEC_DISABLE
# define PR_SPEC_DISABLE (1UL << 2)
#endif
#ifndef PR_SPEC_FORCE_DISABLE
# define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif
#ifndef PR_SPEC_DISABLE_NOEXEC
# define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
#endif
static void set_speculation() {
#if defined(__linux__) && defined(__x86_64__)
// PR_SPEC_DISABLE_NOEXEC doesn't survive execve, so we can't use it
// if ( prctl(PR_SET_SPECULATION_CTRL,
// PR_SPEC_STORE_BYPASS,
// PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
// return;
// }
prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
#else
#warning alt-java requested but SSB mitigation not available on this platform.
#endif
}
int main(int argc, char **argv) {
set_speculation();
char our_name[PATH_MAX], java_name[PATH_MAX];
ssize_t len = readlink("/proc/self/exe", our_name, PATH_MAX - 1);
if (len < 0) {
perror("I can't find myself");
exit(2);
}
our_name[len] = '\0'; // readlink(2) doesn't append a null byte
char *path = dirname(our_name);
strncpy(java_name, path, PATH_MAX - 1);
size_t remaining_bytes = PATH_MAX - strlen(path) - 1;
strncat(java_name, "/java", remaining_bytes);
execv(java_name, argv);
fprintf(stderr, "%s failed to launch: %s\n", java_name, strerror(errno));
exit(1);
}
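Review bot: the return value of `prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);` is discarded, so on a kernel that rejects the request (no speculation-control support, or an error such as EINVAL/ENXIO) alt-java silently execs the ordinary `java` with no SSB mitigation at all, which is exactly the case a caller of a separate hardened launcher wants to know about. Check the result and at least print a warning to stderr; failing with a non-zero exit is arguably the safer default for a binary whose only purpose is the mitigation. Separately, `strncpy(java_name, path, PATH_MAX - 1);` leaves `java_name` unterminated when `path` is exactly `PATH_MAX - 1` bytes long, and `remaining_bytes` is then 0, so the following `strncat` scans an unterminated buffer; `snprintf(java_name, sizeof java_name, "%s/java", path)` plus a check that the result was not truncated covers both cases in one line. The commented-out `PR_SPEC_DISABLE_NOEXEC` block can be reduced to its one-line explanation, since the reason it is not used is already stated.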


@ -241,12 +241,6 @@
%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||') %global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||')
%global ourldflags %{__global_ldflags} %global ourldflags %{__global_ldflags}
# With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path
# the initialization must be here. Later the pkg-config have buggy behavior
# looks like openjdk RPM specific bug
# Always set this so the nss.cfg file is not broken
%global NSS_LIBDIR %(pkg-config --variable=libdir nss)
# In some cases, the arch used by the JDK does # In some cases, the arch used by the JDK does
# not match _arch. # not match _arch.
# Also, in some cases, the machine name used by SystemTap # Also, in some cases, the machine name used by SystemTap
@ -382,7 +376,7 @@
%global top_level_dir_name %{vcstag} %global top_level_dir_name %{vcstag}
%global top_level_dir_name_backup %{top_level_dir_name}-backup %global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 35 %global buildver 35
%global rpmrelease 1 %global rpmrelease 2
#%%global tagsuffix %%{nil} #%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk %if %is_system_jdk
@ -425,6 +419,7 @@
# output dir stub # output dir stub
%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}} %define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}} %define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}}
%global altjavaoutputdir install/altjava.install
%define packageoutputdir() %{expand:packages/jdk%{featurever}.packages%{?1}} %define packageoutputdir() %{expand:packages/jdk%{featurever}.packages%{?1}}
# we can copy the javadoc to not arched dir, or make it not noarch # we can copy the javadoc to not arched dir, or make it not noarch
%define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} %define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}}
@ -594,8 +589,8 @@ Source0: https://openjdk-sources.osci.io/openjdk%{featurever}/openjdk-jdk%{featu
# Release notes # Release notes
Source10: NEWS Source10: NEWS
# nss configuration file # Source code for alt-java
Source11: nss.cfg.in Source11: alt-java.c
# Removed libraries that we link instead # Removed libraries that we link instead
Source12: remove-intree-libraries.sh Source12: remove-intree-libraries.sh
@ -621,16 +616,6 @@ Source18: TestTranslations.java
# #
############################################ ############################################
# Ignore AWTError when assistive technologies are loaded
Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
# NSS via SunPKCS11 Provider (disabled due to memory leak).
Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639)
Patch600: rh1750419-redhat_alt_java.patch
# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
# Crypto policy and FIPS support patches # Crypto policy and FIPS support patches
# Patch is generated from the fips-21u tree at https://github.com/rh-openjdk/jdk/tree/fips-21u # Patch is generated from the fips-21u tree at https://github.com/rh-openjdk/jdk/tree/fips-21u
# as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch # as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch
@ -675,6 +660,10 @@ Patch1001: fips-%{featurever}u-%{fipsver}.patch
# #
############################################# #############################################
# JDK-8009550, RH910107: Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
# PR: https://github.com/openjdk/jdk/pull/15409
Patch6: jdk8009550-rh910107-fail_to_load_pcsc_library.patch
# Currently empty # Currently empty
############################################# #############################################
@ -713,7 +702,7 @@ BuildRequires: libXrandr-devel
BuildRequires: libXrender-devel BuildRequires: libXrender-devel
BuildRequires: libXt-devel BuildRequires: libXt-devel
BuildRequires: libXtst-devel BuildRequires: libXtst-devel
# Requirement for setting up nss.cfg # Requirement for setting up nss.fips.cfg
BuildRequires: nss-devel BuildRequires: nss-devel
# Requirement for system security property test # Requirement for system security property test
# N/A for portable. RHEL7 doesn't provide them # N/A for portable. RHEL7 doesn't provide them
@ -961,14 +950,10 @@ sh %{SOURCE12} %{top_level_dir_name}
# Patch the JDK # Patch the JDK
pushd %{top_level_dir_name} pushd %{top_level_dir_name}
%patch1 -p1
%patch3 -p1
%patch6 -p1
# Add crypto policy and FIPS support # Add crypto policy and FIPS support
%patch1001 -p1 %patch1001 -p1
# nss.cfg PKCS11 support; must come last as it also alters java.security # Patches in need of upstreaming
%patch1000 -p1 %patch6 -p1
%patch600 -p1
popd # openjdk popd # openjdk
@ -1024,9 +1009,6 @@ done
# Prepare desktop files # Prepare desktop files
# Portables do not have desktop integration # Portables do not have desktop integration
# Setup nss.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
%build %build
# How many CPU's do we have? # How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
@ -1060,6 +1042,10 @@ EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming
%endif %endif
export EXTRA_CFLAGS EXTRA_CPP_FLAGS export EXTRA_CFLAGS EXTRA_CPP_FLAGS
echo "Building %{SOURCE11}"
mkdir -p %{altjavaoutputdir}
gcc ${EXTRA_CFLAGS} -o %{altjavaoutputdir}/%{alt_java_name} %{SOURCE11}
echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}" echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}"
function buildjdk() { function buildjdk() {
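Review bot: `gcc ${EXTRA_CFLAGS} -o %{altjavaoutputdir}/%{alt_java_name} %{SOURCE11}` passes compiler flags only, so the alt-java launcher is linked without `%{ourldflags}` (set from `%{__global_ldflags}` earlier in this spec) and misses whatever link-time hardening those flags carry, full RELRO for instance, that the rest of the build gets. Suggest `gcc ${EXTRA_CFLAGS} %{ourldflags} -o ...`, and consider making the build fail loudly rather than relying on the `#warning` in alt-java.c if a future `%{ssbd_arches}` entry has no matching guard in the C source.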
@ -1192,7 +1178,6 @@ function installjdk() {
# Install local files which are distributed with the JDK # Install local files which are distributed with the JDK
install -m 644 %{SOURCE10} ${imagepath} install -m 644 %{SOURCE10} ${imagepath}
install -m 644 nss.cfg ${imagepath}/conf/security/
# Create fake alt-java as a placeholder for future alt-java # Create fake alt-java as a placeholder for future alt-java
pushd ${imagepath} pushd ${imagepath}
@ -1226,6 +1211,7 @@ function packagejdk() {
local bundledir=$(pwd)/${1}/bundles local bundledir=$(pwd)/${1}/bundles
local packagesdir=$(pwd)/${2} local packagesdir=$(pwd)/${2}
local srcdir=$(pwd)/%{top_level_dir_name} local srcdir=$(pwd)/%{top_level_dir_name}
local altjavadir=$(pwd)/${3}
echo "Packaging build from ${imagesdir} to ${packagesdir}..." echo "Packaging build from ${imagesdir} to ${packagesdir}..."
mkdir -p ${packagesdir} mkdir -p ${packagesdir}
@ -1286,6 +1272,7 @@ function packagejdk() {
for s in 16 24 32 48 ; do for s in 16 24 32 48 ; do
cp -av ${srcdir}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png ${miscname} cp -av ${srcdir}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png ${miscname}
done done
cp -av ${altjavadir}/%{alt_java_name} ${miscname}
tar -cJf ${miscarchive} ${miscname} tar -cJf ${miscarchive} ${miscname}
genchecksum ${miscarchive} genchecksum ${miscarchive}
fi fi
@ -1370,7 +1357,7 @@ for suffix in %{build_loop} ; do
buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} ${debug_symbols} buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} ${debug_symbols}
installjdk ${builddir} ${installdir} installjdk ${builddir} ${installdir}
fi fi
packagejdk ${installdir} ${packagesdir} packagejdk ${installdir} ${packagesdir} %{altjavaoutputdir}
%if %{system_libs} %if %{system_libs}
# Restore original source tree we modified by removing full in-tree sources # Restore original source tree we modified by removing full in-tree sources
@ -1432,10 +1419,11 @@ $JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendo
if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
# Check alt-java launcher has SSB mitigation on supported architectures # Check alt-java launcher has SSB mitigation on supported architectures
# set_speculation function exists in both cases, so check for prctl call
%ifarch %{ssbd_arches} %ifarch %{ssbd_arches}
nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation nm %{altjavaoutputdir}/%{alt_java_name} | grep prctl
%else %else
if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi if ! nm %{altjavaoutputdir}/%{alt_java_name} | grep prctl ; then true ; else false; fi
%endif %endif
%if ! 0%{?flatpak} %if ! 0%{?flatpak}
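Review bot: the positive check `nm %{altjavaoutputdir}/%{alt_java_name} | grep prctl` under `%ifarch %{ssbd_arches}` only passes when every architecture in `%{ssbd_arches}` is also matched by the `#if defined(__linux__) && defined(__x86_64__)` guard in alt-java.c; on any other arch the prctl call is compiled out and only the `#warning` fires, so the two lists can silently drift apart. Either add a comment cross-referencing the C guard here, or pass the decision in from the gcc call (for example a `-D` define derived from `%{ssbd_arches}`) so there is a single source of truth.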
@ -1671,6 +1659,16 @@ done
%{_jvmdir}/%{miscportablearchive}.sha256sum %{_jvmdir}/%{miscportablearchive}.sha256sum
%changelog %changelog
* Thu Aug 24 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.0.0.35-2
- Update documentation (README.md, add missing JEP to release notes)
- Replace alt-java patch with a binary separate from the JDK
- Adapt alt-java test to new binary where there is always a set_speculation function
- Drop stale patches that are of little use any more:
- * nss.cfg has been disabled since early PKCS11 work and long superseded by FIPS work
- * No accessibility subpackage to warrant RH1648242 patch any more
- * No use of system libjpeg turbo to warrant RH649512 patch any more
- Replace RH1684077 pcsc-lite-libs patch with better JDK-8009550 fix being upstreamed
* Mon Aug 21 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.0.0.35-1 * Mon Aug 21 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.0.0.35-1
- Update to jdk-21.0.0+35 - Update to jdk-21.0.0+35
- Update release notes to 21.0.0+35 - Update release notes to 21.0.0+35
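Review bot: the changelog line `- Update documentation (README.md, add missing JEP to release notes)` records a release-notes change that neither the commit message nor the java-21-openjdk changelog entry in this same commit mentions. If NEWS was changed here, say so in both places; otherwise drop the parenthetical so the two changelogs describe the same change. This entry also lacks the `Related: RHEL-12998` line the other changelog carries.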


@ -226,12 +226,6 @@
%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||') %global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||')
%global ourldflags %{__global_ldflags} %global ourldflags %{__global_ldflags}
# With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path
# the initialization must be here. Later the pkg-config have buggy behavior
# looks like openjdk RPM specific bug
# Always set this so the nss.cfg file is not broken
%global NSS_LIBDIR %(pkg-config --variable=libdir nss)
# In some cases, the arch used by the JDK does # In some cases, the arch used by the JDK does
# not match _arch. # not match _arch.
# Also, in some cases, the machine name used by SystemTap # Also, in some cases, the machine name used by SystemTap
@ -352,9 +346,9 @@
%global top_level_dir_name %{vcstag} %global top_level_dir_name %{vcstag}
%global top_level_dir_name_backup %{top_level_dir_name}-backup %global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 35 %global buildver 35
%global rpmrelease 1 %global rpmrelease 2
# Settings used by the portable build # Settings used by the portable build
%global portablerelease 1 %global portablerelease 2
%global portablesuffix el9 %global portablesuffix el9
%global portablebuilddir /builddir/build/BUILD %global portablebuilddir /builddir/build/BUILD
@ -440,6 +434,7 @@
%define jrebindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} %define jrebindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin}
%global alt_java_name alt-java %global alt_java_name alt-java
%global alt_java_versioned %{alt_java_name}-%{featurever}
%global rpm_state_dir %{_localstatedir}/lib/rpm-state/ %global rpm_state_dir %{_localstatedir}/lib/rpm-state/
@ -536,7 +531,7 @@ key=java
alternatives \\ alternatives \\
--install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY --family %{family} \\ --install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY --family %{family} \\
--slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\ --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\
--slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\ --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{_bindir}/%{alt_java_versioned} \\
--slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\ --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\
--slave %{_bindir}/rmiregistry rmiregistry %{jrebindir -- %{?1}}/rmiregistry \\ --slave %{_bindir}/rmiregistry rmiregistry %{jrebindir -- %{?1}}/rmiregistry \\
--slave %{_mandir}/man1/java.1$ext java.1$ext \\ --slave %{_mandir}/man1/java.1$ext java.1$ext \\
@ -815,6 +810,7 @@ exit 0
%define files_jre_headless() %{expand: %define files_jre_headless() %{expand:
%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal %license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
%{_bindir}/%{alt_java_versioned}
%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS %doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS
%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/README.md %doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/README.md
%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/java-%{featurever}-openjdk-portable.specfile %doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/java-%{featurever}-openjdk-portable.specfile
@ -825,7 +821,6 @@ exit 0
%{_jvmdir}/%{jrelnk -- %{?1}} %{_jvmdir}/%{jrelnk -- %{?1}}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin %dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/java %{_jvmdir}/%{sdkdir -- %{?1}}/bin/java
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/%{alt_java_name}
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool %{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmiregistry %{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmiregistry
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib %dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib
@ -919,7 +914,6 @@ exit 0
%{etcjavadir -- %{?1}}/conf/security/policy/README.txt %{etcjavadir -- %{?1}}/conf/security/policy/README.txt
%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.policy %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.policy
%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security
%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg
%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg
%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access %config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access
# This is a config template, thus not config-noreplace # This is a config template, thus not config-noreplace
@ -1028,7 +1022,6 @@ exit 0
%if %{is_release_build -- %{?1}} %if %{is_release_build -- %{?1}}
%ghost %{_bindir}/javac %ghost %{_bindir}/javac
%ghost %{_jvmdir}/java %ghost %{_jvmdir}/java
%ghost %{_jvmdir}/%{alt_java_name}
%ghost %{_bindir}/jlink %ghost %{_bindir}/jlink
%ghost %{_bindir}/jmod %ghost %{_bindir}/jmod
%ghost %{_bindir}/jhsdb %ghost %{_bindir}/jhsdb
@ -1315,8 +1308,8 @@ Source8: tapsets-icedtea-%{icedteaver}.tar.xz
# Desktop files. Adapted from IcedTea # Desktop files. Adapted from IcedTea
Source9: jconsole.desktop.in Source9: jconsole.desktop.in
# nss configuration file # Source code for alt-java
Source11: nss.cfg.in Source11: alt-java.c
# Removed libraries that we link instead # Removed libraries that we link instead
Source12: remove-intree-libraries.sh Source12: remove-intree-libraries.sh
@ -1356,20 +1349,6 @@ Source20: java-%{featurever}-openjdk-portable.specfile
# #
############################################ ############################################
# NSS via SunPKCS11 Provider (disabled comment
# due to memory leak).
Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639)
Patch600: rh1750419-redhat_alt_java.patch
# Ignore AWTError when assistive technologies are loaded
Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
# Restrict access to java-atk-wrapper classes
Patch2: rh1648644-java_access_bridge_privileged_security.patch
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
# Crypto policy and FIPS support patches # Crypto policy and FIPS support patches
# Patch is generated from the fips-21u tree at https://github.com/rh-openjdk/jdk/tree/fips-21u # Patch is generated from the fips-21u tree at https://github.com/rh-openjdk/jdk/tree/fips-21u
# as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch # as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch
@ -1414,6 +1393,10 @@ Patch1001: fips-%{featurever}u-%{fipsver}.patch
# #
############################################# #############################################
# JDK-8009550, RH910107: Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
# PR: https://github.com/openjdk/jdk/pull/15409
Patch6: jdk8009550-rh910107-fail_to_load_pcsc_library.patch
# Currently empty # Currently empty
############################################# #############################################
@ -1451,7 +1434,7 @@ BuildRequires: libXrandr-devel
BuildRequires: libXrender-devel BuildRequires: libXrender-devel
BuildRequires: libXt-devel BuildRequires: libXt-devel
BuildRequires: libXtst-devel BuildRequires: libXtst-devel
# Requirement for setting up nss.cfg and nss.fips.cfg # Requirement for setting up nss.fips.cfg
BuildRequires: nss-devel BuildRequires: nss-devel
# Requirement for system security property test # Requirement for system security property test
BuildRequires: crypto-policies BuildRequires: crypto-policies
@ -1867,15 +1850,10 @@ sh %{SOURCE12} %{top_level_dir_name}
# Patch the JDK # Patch the JDK
pushd %{top_level_dir_name} pushd %{top_level_dir_name}
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch6 -p1
# Add crypto policy and FIPS support # Add crypto policy and FIPS support
%patch1001 -p1 %patch1001 -p1
# nss.cfg PKCS11 support; must come last as it also alters java.security # Patches in need of upstreaming
%patch1000 -p1 %patch6 -p1
%patch600 -p1
popd # openjdk popd # openjdk
@ -1945,9 +1923,6 @@ for file in %{SOURCE9}; do
done done
done done
# Setup nss.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
%build %build
function customisejdk() { function customisejdk() {
@ -2045,10 +2020,12 @@ $JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=tru
if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
# Check alt-java launcher has SSB mitigation on supported architectures # Check alt-java launcher has SSB mitigation on supported architectures
# set_speculation function exists in both cases, so check for prctl call
alt_java_binary=${RPM_BUILD_ROOT}%{_bindir}/%{alt_java_versioned}
%ifarch %{ssbd_arches} %ifarch %{ssbd_arches}
nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation nm ${alt_java_binary} | grep prctl
%else %else
if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi if ! nm ${alt_java_binary} | grep prctl ; then true ; else false; fi
%endif %endif
%if ! 0%{?flatpak} %if ! 0%{?flatpak}
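Review bot: `nm ${alt_java_binary} | grep prctl` proves the prctl call was compiled into the versioned binary, not that the mitigation is applied when it runs, so a kernel that rejects the request (which alt-java.c currently ignores) still passes this test. A cheap functional check would be to launch a small program through `${alt_java_binary}` and read the `Speculation_Store_Bypass:` line of `/proc/self/status`, which reflects the per-task setting after the execve; that would also exercise the claim in the comment above that `set_speculation` exists in both cases.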
@ -2161,6 +2138,10 @@ jdk_image=$(pwd)/%{installoutputdir -- ${suffix}}
docdir=$(pwd)/%{installoutputdir -- "-docs"} docdir=$(pwd)/%{installoutputdir -- "-docs"}
miscdir=%{installoutputdir -- "-misc"} miscdir=%{installoutputdir -- "-misc"}
# Install %{alt_java_name} binary versioned
install -D -p -m 755 ${miscdir}/%{alt_java_name} \
$RPM_BUILD_ROOT%{_bindir}/%{alt_java_versioned}
# Install release notes and rebuild instructions # Install release notes and rebuild instructions
commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix} commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix}
install -d -m 755 ${commondocdir} install -d -m 755 ${commondocdir}
@ -2509,6 +2490,17 @@ cjc.mainProgram(args)
%endif %endif
%changelog %changelog
* Thu Aug 24 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.0.0.35-2
- Update documentation (README.md)
- Replace alt-java patch with a binary separate from the JDK
- Drop stale patches that are of little use any more:
- * nss.cfg has been disabled since early PKCS11 work and long superseded by FIPS work
- * No accessibility subpackage to warrant RH1648242 & RH1648644 patches any more
- * No use of system libjpeg turbo to warrant RH649512 patch any more
- Replace RH1684077 pcsc-lite-libs patch with better JDK-8009550 fix being upstreamed
- Adapt alt-java test to new binary where there is always a set_speculation function
- Related: RHEL-12998
* Mon Aug 21 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.0.0.35-1 * Mon Aug 21 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.0.0.35-1
- Update to jdk-21.0.0+35 - Update to jdk-21.0.0+35
- Update system crypto policy & FIPS patch from new fips-21u tree - Update system crypto policy & FIPS patch from new fips-21u tree


@ -0,0 +1,125 @@
commit d0523302416bc6507696f20d1068f16427bcf6b8
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Thu Aug 24 01:23:49 2023 +0100
8009550: PlatformPCSC should load versioned so
diff --git a/src/java.base/share/classes/sun/security/util/Debug.java b/src/java.base/share/classes/sun/security/util/Debug.java
index bff273c6548..e5a6b288ff8 100644
--- a/src/java.base/share/classes/sun/security/util/Debug.java
+++ b/src/java.base/share/classes/sun/security/util/Debug.java
@@ -81,6 +81,7 @@ public static void Help()
System.err.println("logincontext login context results");
System.err.println("jca JCA engine class debugging");
System.err.println("keystore KeyStore debugging");
+ System.err.println("pcsc Smartcard library debugging");
System.err.println("policy loading and granting");
System.err.println("provider security provider debugging");
System.err.println("pkcs11 PKCS11 session manager debugging");
diff --git a/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java b/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
index bacff32efbc..d9f605ada1e 100644
--- a/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
+++ b/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
@@ -1,5 +1,6 @@
/*
* Copyright (c) 2005, 2021, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2023, Red Hat Inc. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -46,8 +47,13 @@ class PlatformPCSC {
private static final String PROP_NAME = "sun.security.smartcardio.library";
- private static final String LIB1 = "/usr/$LIBISA/libpcsclite.so";
- private static final String LIB2 = "/usr/local/$LIBISA/libpcsclite.so";
+ private static final String[] LIB_TEMPLATES = { "/usr/$LIBISA/libpcsclite.so",
+ "/usr/local/$LIBISA/libpcsclite.so",
+ "/usr/lib/$ARCH-linux-gnu/libpcsclite.so",
+ "/usr/lib/arm-linux-gnueabi/libpcsclite.so",
+ "/usr/lib/arm-linux-gnueabihf/libpcsclite.so",
+ "/usr/lib/$ARCH-kfreebsd-gnu/libpcsclite.so" };
+ private static final String[] LIB_SUFFIXES = { ".1", ".0", "" };
private static final String PCSC_FRAMEWORK = "/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC";
PlatformPCSC() {
@@ -73,23 +79,38 @@ public Throwable run() {
});
// expand $LIBISA to the system specific directory name for libraries
+ // expand $ARCH to the Debian system architecture in use
private static String expand(String lib) {
int k = lib.indexOf("$LIBISA");
- if (k == -1) {
- return lib;
+ if (k != -1) {
+ String libDir;
+ if ("64".equals(System.getProperty("sun.arch.data.model"))) {
+ // assume Linux convention
+ libDir = "lib64";
+ } else {
+ // must be 32-bit
+ libDir = "lib";
+ }
+ lib = lib.replace("$LIBISA", libDir);
}
- String s1 = lib.substring(0, k);
- String s2 = lib.substring(k + 7);
- String libDir;
- if ("64".equals(System.getProperty("sun.arch.data.model"))) {
- // assume Linux convention
- libDir = "lib64";
- } else {
- // must be 32-bit
- libDir = "lib";
+
+ k = lib.indexOf("$ARCH");
+ if (k != -1) {
+ String arch = System.getProperty("os.arch");
+ lib = lib.replace("$ARCH", getDebianArchitecture(arch));
}
- String s = s1 + libDir + s2;
- return s;
+
+ return lib;
+ }
+
+ private static String getDebianArchitecture(String jdkArch) {
+ return switch (jdkArch) {
+ case "amd64" -> "x86_64";
+ case "ppc" -> "powerpc";
+ case "ppc64" -> "powerpc64";
+ case "ppc64le" -> "powerpc64le";
+ default -> jdkArch;
+ };
}
private static String getLibraryName() throws IOException {
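Review bot: getDebianArchitecture() needs a short comment saying what the table is for and that `default -> jdkArch` is intentional, i.e. the JDK `os.arch` value is used verbatim as the Debian multiarch tuple prefix for every architecture not listed, so a reader does not mistake the four entries for the complete set of supported platforms. The comment above expand() would also be clearer as "expand $ARCH to the Debian multiarch tuple prefix", since the substituted value is used only to build paths like `/usr/lib/$ARCH-linux-gnu`.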
@@ -98,15 +119,18 @@ private static String getLibraryName() throws IOException {
if (lib.length() != 0) {
return lib;
}
- lib = expand(LIB1);
- if (new File(lib).isFile()) {
- // if LIB1 exists, use that
- return lib;
- }
- lib = expand(LIB2);
- if (new File(lib).isFile()) {
- // if LIB2 exists, use that
- return lib;
+
+ for (String template : LIB_TEMPLATES) {
+ for (String suffix : LIB_SUFFIXES) {
+ lib = expand(template) + suffix;
+ if (debug != null) {
+ debug.println("Looking for " + lib);
+ }
+ if (new File(lib).isFile()) {
+ // if library exists, use that
+ return lib;
+ }
+ }
}
// As of macos 11, framework libraries have been removed from the file
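Review bot: the `// if library exists, use that` comment inside the loop restates the check; more useful is a comment that the first existing candidate in template order, then suffix order, is returned, since that precedence is the only thing that distinguishes a /usr copy from a /usr/local copy of libpcsclite. The debug trace prints every probed path but not the winner; a `debug.println("Using " + lib)` before `return lib` would show which file was selected without having to infer it from the last "Looking for" line. The path from the `sun.security.smartcardio.library` property is still returned without any existence check (unchanged context above); that is pre-existing behaviour, but worth a mention in the upstream submission.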
@ -1,5 +0,0 @@
name = NSS
nssLibraryDirectory = @NSS_LIBDIR@
nssDbMode = noDb
attributes = compatibility
handleStartupErrors = ignoreMultipleInitialisation
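Review bot: removing nss.cfg is only safe if nothing else still expects it; the single reference on the Java side was the commented-out `#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg` line, which this commit also drops, so the remaining thing to confirm is that the spec file no longer substitutes `@NSS_LIBDIR@` or installs lib/security/nss.cfg, otherwise the build either fails on the missing source or ships a file nothing reads.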
@ -1,16 +0,0 @@
diff -r 618ad1237e73 src/java.desktop/share/classes/java/awt/Toolkit.java
--- a/src/java.desktop/share/classes/java/awt/Toolkit.java Thu Jun 13 19:37:49 2019 +0200
+++ b/src/java.desktop/share/classes/java/awt/Toolkit.java Thu Jul 04 10:35:42 2019 +0200
@@ -595,7 +595,11 @@
toolkit = new HeadlessToolkit(toolkit);
}
if (!GraphicsEnvironment.isHeadless()) {
- loadAssistiveTechnologies();
+ try {
+ loadAssistiveTechnologies();
+ } catch (AWTError error) {
+ // ignore silently
+ }
}
}
return toolkit;
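Review bot: dropping this patch restores upstream behaviour where an AWTError from loadAssistiveTechnologies() propagates instead of being swallowed by an empty catch block, which is the better default: the `// ignore silently` branch hid failures to load assistive technology rather than surfacing them. Per the commit message there is no accessibility subpackage left whose load failure would need to be tolerated, so nothing depends on the silent ignore.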
@ -1,12 +0,0 @@
diff --git openjdk.orig/src/java.base/share/conf/security/java.security openjdk/src/java.base/share/conf/security/java.security
index 68a9c1a2d08..7aa25eb2cb7 100644
--- openjdk.orig/src/java.base/share/conf/security/java.security
+++ openjdk/src/java.base/share/conf/security/java.security
@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI
security.provider.tbd=Apple
#endif
security.provider.tbd=SunPKCS11
+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
#
# Security providers used when FIPS mode support is active
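Review bot: the removed line was already commented out (`#security.provider.tbd=SunPKCS11 ...`), so the provider list at runtime is unchanged by this deletion and the only effect is cleanup; the one thing to check is that no spec-file `sed` still tries to uncomment that line when building a PKCS11/NSS configuration, since it would now silently match nothing.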
@ -1,20 +0,0 @@
--- openjdk/src/java.base/share/conf/security/java.security
+++ openjdk/src/java.base/share/conf/security/java.security
@@ -304,6 +304,8 @@
#
package.access=sun.misc.,\
sun.reflect.,\
+ org.GNOME.Accessibility.,\
+ org.GNOME.Bonobo.,\
#
# List of comma-separated packages that start with or equal this string
@@ -316,6 +318,8 @@
#
package.definition=sun.misc.,\
sun.reflect.,\
+ org.GNOME.Accessibility.,\
+ org.GNOME.Bonobo.,\
#
# Determines whether this properties file can be appended to
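Review bot: the dropped entries extended package.access and package.definition, the security-manager lists that restrict which code may access or define classes in the named packages, to org.GNOME.Accessibility. and org.GNOME.Bonobo.; those restrictions only protect classes that are actually shipped, and with the accessibility subpackage gone (per the commit message) no such classes exist, so removing them widens nothing. The dependency should be stated in the changelog entry so the lists are re-added if GNOME accessibility support ever returns.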
@ -1,15 +0,0 @@
diff --git a/openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java b/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
index bacff32efbc..ff7b3dcc81c 100644
--- openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
+++ openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
@@ -46,8 +46,8 @@ class PlatformPCSC {
private static final String PROP_NAME = "sun.security.smartcardio.library";
- private static final String LIB1 = "/usr/$LIBISA/libpcsclite.so";
- private static final String LIB2 = "/usr/local/$LIBISA/libpcsclite.so";
+ private static final String LIB1 = "/usr/$LIBISA/libpcsclite.so.1";
+ private static final String LIB2 = "/usr/local/$LIBISA/libpcsclite.so.1";
private static final String PCSC_FRAMEWORK = "/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC";
PlatformPCSC() {
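Review bot: this is the RH1684077 workaround that the LIB_TEMPLATES/LIB_SUFFIXES change above supersedes, and the replacement keeps its effect: ".1" is still the first suffix tried, so a system with only libpcsclite.so.1 and no unversioned dev symlink still resolves, while ".0" and the bare ".so" become fallbacks rather than the only options. No regression relative to this patch as long as the suffix order is not changed later.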
@ -1,117 +0,0 @@
diff --git openjdk.orig/make/modules/java.base/Launcher.gmk openjdk/make/modules/java.base/Launcher.gmk
index 700ddefda49..2882de68eb2 100644
--- openjdk.orig/make/modules/java.base/Launcher.gmk
+++ openjdk/make/modules/java.base/Launcher.gmk
@@ -41,6 +41,14 @@ $(eval $(call SetupBuildLauncher, java, \
OPTIMIZATION := HIGH, \
))
+#Wno-error=cpp is present to allow commented warning in ifdef part of main.c
+$(eval $(call SetupBuildLauncher, alt-java, \
+ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \
+ EXTRA_RCFLAGS := $(JAVA_RCFLAGS), \
+ VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \
+ OPTIMIZATION := HIGH, \
+))
+
ifeq ($(call isTargetOs, windows), true)
$(eval $(call SetupBuildLauncher, javaw, \
CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \
diff --git openjdk.orig/src/java.base/share/native/launcher/alt_main.h openjdk/src/java.base/share/native/launcher/alt_main.h
new file mode 100644
index 00000000000..697df2898ac
--- /dev/null
+++ openjdk/src/java.base/share/native/launcher/alt_main.h
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 2019, Red Hat, Inc. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+#ifdef REDHAT_ALT_JAVA
+
+#include <sys/prctl.h>
+
+
+/* Per task speculation control */
+#ifndef PR_GET_SPECULATION_CTRL
+# define PR_GET_SPECULATION_CTRL 52
+#endif
+#ifndef PR_SET_SPECULATION_CTRL
+# define PR_SET_SPECULATION_CTRL 53
+#endif
+/* Speculation control variants */
+#ifndef PR_SPEC_STORE_BYPASS
+# define PR_SPEC_STORE_BYPASS 0
+#endif
+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
+
+#ifndef PR_SPEC_NOT_AFFECTED
+# define PR_SPEC_NOT_AFFECTED 0
+#endif
+#ifndef PR_SPEC_PRCTL
+# define PR_SPEC_PRCTL (1UL << 0)
+#endif
+#ifndef PR_SPEC_ENABLE
+# define PR_SPEC_ENABLE (1UL << 1)
+#endif
+#ifndef PR_SPEC_DISABLE
+# define PR_SPEC_DISABLE (1UL << 2)
+#endif
+#ifndef PR_SPEC_FORCE_DISABLE
+# define PR_SPEC_FORCE_DISABLE (1UL << 3)
+#endif
+#ifndef PR_SPEC_DISABLE_NOEXEC
+# define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
+#endif
+
+static void set_speculation() __attribute__((constructor));
+static void set_speculation() {
+ if ( prctl(PR_SET_SPECULATION_CTRL,
+ PR_SPEC_STORE_BYPASS,
+ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
+ return;
+ }
+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
+}
+
+#endif // REDHAT_ALT_JAVA
diff --git openjdk.orig/src/java.base/share/native/launcher/main.c openjdk/src/java.base/share/native/launcher/main.c
index b734fe2ba78..79dc8307650 100644
--- openjdk.orig/src/java.base/share/native/launcher/main.c
+++ openjdk/src/java.base/share/native/launcher/main.c
@@ -34,6 +34,14 @@
#include "jli_util.h"
#include "jni.h"
+#ifdef REDHAT_ALT_JAVA
+#if defined(__linux__) && defined(__x86_64__)
+#include "alt_main.h"
+#else
+#warning alt-java requested but SSB mitigation not available on this platform.
+#endif
+#endif
+
/*
* Entry point.
*/
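Review bot: the security behaviour of this removed code must survive in the separate alt-java binary, and the commit message only says the test now expects set_speculation to always be present. The parts worth preserving are visible here: set_speculation() runs as a constructor, first requests PR_SPEC_DISABLE_NOEXEC for PR_SPEC_STORE_BYPASS and falls back to PR_SPEC_DISABLE only when that prctl() call fails, and the whole thing was gated on `__linux__ && __x86_64__`, so on every other platform the old code emitted a `#warning` and applied no mitigation at all (the `-Wno-error=cpp` flag in Launcher.gmk existed solely to let that warning compile). Two things the new binary should improve on: the return value of the fallback prctl() was ignored, so a process could start with no SSB mitigation and no indication of it, and the non-x86_64 case was a build-time warning only, invisible at run time.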
@ -1,19 +0,0 @@
Remove uses of FAR in jpeg code
Upstream libjpeg-trubo removed the (empty) FAR macro:
http://sourceforge.net/p/libjpeg-turbo/code/1312/
Adjust our code to not use the undefined FAR macro anymore.
diff --git a/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c b/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
--- openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
+++ openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
@@ -1385,7 +1385,7 @@
/* and fill it in */
dst_ptr = icc_data;
for (seq_no = first; seq_no < last; seq_no++) {
- JOCTET FAR *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
+ JOCTET *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
unsigned int length =
icc_markers[seq_no]->data_length - ICC_OVERHEAD_LEN;
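Review bot: this patch is only needed when imageioJPEG.c is compiled against a system libjpeg-turbo that has removed the empty FAR macro, as its own description says; with the commit message stating the system library is no longer used, the bundled libjpeg's FAR definition applies and the patch is dead code, so dropping it is correct. Record in the changelog that it must be restored if the package ever switches back to the system libjpeg-turbo, since `JOCTET FAR *` would then fail to compile again.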