diff --git a/README.md b/README.md index 8a2724b..cf5e219 100644 --- a/README.md +++ b/README.md @@ -1,14 +1,12 @@ -OpenJDK 17 is the latest Long-Term Support (LTS) release of the Java platform. +OpenJDK 21 is the latest Long-Term Support (LTS) release of the Java platform. -For a list of major changes from OpenJDK 11 (java-11-openjdk), see the upstream -release page for OpenJDK 17 and the preceding interim releases: +For a list of major changes from OpenJDK 17 (java-17-openjdk), see the upstream +release page for OpenJDK 21 and the preceding interim releases: -* 12: https://openjdk.java.net/projects/jdk/12/ -* 13: https://openjdk.java.net/projects/jdk/13/ -* 14: https://openjdk.java.net/projects/jdk/14/ -* 15: https://openjdk.java.net/projects/jdk/15/ -* 16: https://openjdk.java.net/projects/jdk/16/ -* 17: https://openjdk.java.net/projects/jdk/17/ +* 18: https://openjdk.java.net/projects/jdk/18/ +* 19: https://openjdk.java.net/projects/jdk/19/ +* 20: https://openjdk.java.net/projects/jdk/20/ +* 21: https://openjdk.java.net/projects/jdk/21/ # Rebuilding the OpenJDK package 
@@ -20,21 +18,21 @@ multiple builds which only differ by the platform they were built on. This does make rebuilding the package slightly more complicated than a normal package. Modifications should be made to the -`java-17-openjdk-portable.specfile` file, which can be found with this +`java-21-openjdk-portable.specfile` file, which can be found with this README file in the source RPM or installed in the documentation tree -by the `java-17-openjdk-headless` RPM. +by the `java-21-openjdk-headless` RPM. -Once the modified `java-17-openjdk-portable` RPMs are built, they +Once the modified `java-21-openjdk-portable` RPMs are built, they should be installed and will produce a number of tarballs in the -`/usr/lib/jvm` directory. The `java-17-openjdk` RPMs can then be +`/usr/lib/jvm` directory. The `java-21-openjdk` RPMs can then be built, which will use these tarballs to create the usual RPMs found in -RHEL. The `java-17-openjdk-portable` RPMs can be uninstalled once the +RHEL. The `java-21-openjdk-portable` RPMs can be uninstalled once the desired final RPMs are produced. -Note that the `java-17-openjdk.spec` file has a hard requirement on -the exact version of java-17-openjdk-portable to use, so this will +Note that the `java-21-openjdk.spec` file has a hard requirement on +the exact version of java-21-openjdk-portable to use, so this will need to be modified if the version or rpmrelease values are changed in -`java-17-openjdk-portable.specfile`. +`java-21-openjdk-portable.specfile`. To reduce the number of RPMs involved, the `fastdebug` and `slowdebug` builds may be disabled using `--without fastdebug` and `--without diff --git a/alt-java.c b/alt-java.c new file mode 100644 index 0000000..644d002 --- /dev/null +++ b/alt-java.c 
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 2023 Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Red Hat designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Red Hat in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+/* Per task speculation control */
+#ifndef PR_GET_SPECULATION_CTRL
+# define PR_GET_SPECULATION_CTRL 52
+#endif
+#ifndef PR_SET_SPECULATION_CTRL
+# define PR_SET_SPECULATION_CTRL 53
+#endif
+/* Speculation control variants */
+#ifndef PR_SPEC_STORE_BYPASS
+# define PR_SPEC_STORE_BYPASS 0
+#endif
+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
+
+#ifndef PR_SPEC_NOT_AFFECTED
+# define PR_SPEC_NOT_AFFECTED 0
+#endif
+#ifndef PR_SPEC_PRCTL
+# define PR_SPEC_PRCTL (1UL << 0)
+#endif
+#ifndef PR_SPEC_ENABLE
+# define PR_SPEC_ENABLE (1UL << 1)
+#endif
+#ifndef PR_SPEC_DISABLE
+# define PR_SPEC_DISABLE (1UL << 2)
+#endif
+#ifndef PR_SPEC_FORCE_DISABLE
+# define PR_SPEC_FORCE_DISABLE (1UL << 3)
+#endif
+#ifndef PR_SPEC_DISABLE_NOEXEC
+# define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
+#endif
+
+static void set_speculation() {
+#if defined(__linux__) && defined(__x86_64__)
+ // PR_SPEC_DISABLE_NOEXEC doesn't survive execve, so we can't use it
+ // if ( prctl(PR_SET_SPECULATION_CTRL,
+ // PR_SPEC_STORE_BYPASS,
+ // PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
+ // return;
+ // }
+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
+#else
+#warning alt-java requested but SSB mitigation not available on this platform.
+#endif
+}
+
+int main(int argc, char **argv) {
+ set_speculation();
+
+ char our_name[PATH_MAX], java_name[PATH_MAX];
+ ssize_t len = readlink("/proc/self/exe", our_name, PATH_MAX - 1);
+ if (len < 0) {
+ perror("I can't find myself");
+ exit(2);
+ }
+
+ our_name[len] = '\0'; // readlink(2) doesn't append a null byte
+ char *path = dirname(our_name);
+ strncpy(java_name, path, PATH_MAX - 1);
+
+ size_t remaining_bytes = PATH_MAX - strlen(path) - 1;
+ strncat(java_name, "/java", remaining_bytes);
+
+ execv(java_name, argv);
+ fprintf(stderr, "%s failed to launch: %s\n", java_name, strerror(errno));
+
+ exit(1);
+}
+
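Review bot: The result of `prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0)` in `set_speculation()` is discarded, so when the call fails alt-java goes on to exec `java` with no indication that the store-bypass mitigation was not applied to this task. A failure may only mean the kernel offers no per-task control, so reporting it rather than aborting is probably the right level; that is a policy call for the maintainers. In `main()`, the `strncpy`/`strncat` pair truncates silently when the directory is close to `PATH_MAX`, and `execv` would then be handed a shortened name; a single `snprintf` with a length check rejects that case instead. A `readlink` result of exactly `PATH_MAX - 1` bytes may likewise be a truncated path and is not rejected.

```c
static void set_speculation() {
#if defined(__linux__) && defined(__x86_64__)
    /* … unchanged: commented-out PR_SPEC_DISABLE_NOEXEC attempt … */
    if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0) != 0) {
        /* Report only; the kernel may not offer per-task control here. */
        fprintf(stderr, "alt-java: per-task SSB control not applied: %s\n", strerror(errno));
    }
    /* … unchanged: #else / #warning / #endif … */

    /* in main(), replacing the strncpy/strncat pair */
    char *path = dirname(our_name);
    int n = snprintf(java_name, sizeof java_name, "%s/java", path);
    if (n < 0 || (size_t)n >= sizeof java_name) {
        fprintf(stderr, "alt-java: path to java is too long\n");
        exit(2);
    }
    /* … unchanged: execv and failure report … */
```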
diff --git a/java-21-openjdk-portable.specfile b/java-21-openjdk-portable.specfile index 4489c1c..bc2ca96 100644 --- a/java-21-openjdk-portable.specfile +++ b/java-21-openjdk-portable.specfile @@ -241,12 +241,6 @@ %global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||') %global ourldflags %{__global_ldflags} -# With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path -# the initialization must be here. Later the pkg-config have buggy behavior -# looks like openjdk RPM specific bug -# Always set this so the nss.cfg file is not broken -%global NSS_LIBDIR %(pkg-config --variable=libdir nss) - # In some cases, the arch used by the JDK does # not match _arch. # Also, in some cases, the machine name used by SystemTap @@ -382,7 +376,7 @@ %global top_level_dir_name %{vcstag} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 35 -%global rpmrelease 1 +%global rpmrelease 2 #%%global tagsuffix %%{nil} # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk @@ -425,6 +419,7 @@ # output dir stub %define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}} %define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}} +%global altjavaoutputdir install/altjava.install %define packageoutputdir() %{expand:packages/jdk%{featurever}.packages%{?1}} # we can copy the javadoc to not arched dir, or make it not noarch %define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} @@ -594,8 +589,8 @@ Source0: https://openjdk-sources.osci.io/openjdk%{featurever}/openjdk-jdk%{featu # Release notes Source10: NEWS -# nss configuration file -Source11: nss.cfg.in +# Source code for alt-java +Source11: alt-java.c # Removed libraries that we link instead Source12: remove-intree-libraries.sh 
@@ -621,16 +616,6 @@ Source18: TestTranslations.java # ############################################ -# Ignore AWTError when assistive technologies are loaded -Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch -Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch -# NSS via SunPKCS11 Provider (disabled due to memory leak). -Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch -# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639) -Patch600: rh1750419-redhat_alt_java.patch -# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo -Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch - # Crypto policy and FIPS support patches # Patch is generated from the fips-21u tree at https://github.com/rh-openjdk/jdk/tree/fips-21u # as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch @@ -675,6 +660,10 @@ Patch1001: fips-%{featurever}u-%{fipsver}.patch # ############################################# +# JDK-8009550, RH910107: Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo +# PR: https://github.com/openjdk/jdk/pull/15409 +Patch6: jdk8009550-rh910107-fail_to_load_pcsc_library.patch + # Currently empty ############################################# @@ -713,7 +702,7 @@ BuildRequires: libXrandr-devel BuildRequires: libXrender-devel BuildRequires: libXt-devel BuildRequires: libXtst-devel -# Requirement for setting up nss.cfg +# Requirement for setting up nss.fips.cfg BuildRequires: nss-devel # Requirement for system security property test # N/A for portable. RHEL7 doesn't provide them 
@@ -961,14 +950,10 @@ sh %{SOURCE12} %{top_level_dir_name} # Patch the JDK pushd %{top_level_dir_name} -%patch1 -p1 -%patch3 -p1 -%patch6 -p1 # Add crypto policy and FIPS support %patch1001 -p1 -# nss.cfg PKCS11 support; must come last as it also alters java.security -%patch1000 -p1 -%patch600 -p1 +# Patches in need of upstreaming +%patch6 -p1 popd # openjdk @@ -1024,9 +1009,6 @@ done # Prepare desktop files # Portables do not have desktop integration -# Setup nss.cfg -sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg - %build # How many CPU's do we have? export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) @@ -1060,6 +1042,10 @@ EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming %endif export EXTRA_CFLAGS EXTRA_CPP_FLAGS +echo "Building %{SOURCE11}" +mkdir -p %{altjavaoutputdir} +gcc ${EXTRA_CFLAGS} -o %{altjavaoutputdir}/%{alt_java_name} %{SOURCE11} + echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}" function buildjdk() { @@ -1192,7 +1178,6 @@ function installjdk() { # Install local files which are distributed with the JDK install -m 644 %{SOURCE10} ${imagepath} - install -m 644 nss.cfg ${imagepath}/conf/security/ # Create fake alt-java as a placeholder for future alt-java pushd ${imagepath} @@ -1226,6 +1211,7 @@ function packagejdk() { local bundledir=$(pwd)/${1}/bundles local packagesdir=$(pwd)/${2} local srcdir=$(pwd)/%{top_level_dir_name} + local altjavadir=$(pwd)/${3} echo "Packaging build from ${imagesdir} to ${packagesdir}..." mkdir -p ${packagesdir} @@ -1286,6 +1272,7 @@ function packagejdk() { for s in 16 24 32 48 ; do cp -av ${srcdir}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png ${miscname} done + cp -av ${altjavadir}/%{alt_java_name} ${miscname} tar -cJf ${miscarchive} ${miscname} genchecksum ${miscarchive} fi 
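Review bot: The `gcc ${EXTRA_CFLAGS} -o %{altjavaoutputdir}/%{alt_java_name} %{SOURCE11}` line added to `%build` passes no linker flags, so the alt-java launcher is linked without whatever `%{ourldflags}` (set from `%{__global_ldflags}` earlier in this specfile) would contribute, which on RHEL normally carries the link-time hardening options. Since this binary exists as a hardening wrapper, it should be built like the rest of the package, e.g. `gcc ${EXTRA_CFLAGS} %{ourldflags} -o %{altjavaoutputdir}/%{alt_java_name} %{SOURCE11}`. It is also worth confirming that `EXTRA_CFLAGS` at this point contains nothing that turns the `#warning` in alt-java.c into an error on architectures outside `%{ssbd_arches}`; the removed Launcher.gmk rule passed `-Wno-error=cpp` for that reason.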
@@ -1370,7 +1357,7 @@ for suffix in %{build_loop} ; do buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} ${debug_symbols} installjdk ${builddir} ${installdir} fi - packagejdk ${installdir} ${packagesdir} + packagejdk ${installdir} ${packagesdir} %{altjavaoutputdir} %if %{system_libs} # Restore original source tree we modified by removing full in-tree sources @@ -1432,10 +1419,11 @@ $JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendo if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi # Check alt-java launcher has SSB mitigation on supported architectures +# set_speculation function exists in both cases, so check for prctl call %ifarch %{ssbd_arches} -nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation +nm %{altjavaoutputdir}/%{alt_java_name} | grep prctl %else -if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi +if ! nm %{altjavaoutputdir}/%{alt_java_name} | grep prctl ; then true ; else false; fi %endif %if ! 0%{?flatpak} @@ -1671,6 +1659,16 @@ done %{_jvmdir}/%{miscportablearchive}.sha256sum %changelog +* Thu Aug 24 2023 Andrew Hughes - 1:21.0.0.0.35-2 +- Update documentation (README.md, add missing JEP to release notes) +- Replace alt-java patch with a binary separate from the JDK +- Adapt alt-java test to new binary where there is always a set_speculation function +- Drop stale patches that are of little use any more: +- * nss.cfg has been disabled since early PKCS11 work and long superseded by FIPS work +- * No accessibility subpackage to warrant RH1648242 patch any more +- * No use of system libjpeg turbo to warrant RH649512 patch any more +- Replace RH1684077 pcsc-lite-libs patch with better JDK-8009550 fix being upstreamed + * Mon Aug 21 2023 Andrew Hughes - 1:21.0.0.0.35-1 - Update to jdk-21.0.0+35 - Update release notes to 21.0.0+35 diff --git a/java-21-openjdk.spec b/java-21-openjdk.spec index dc2852d..0e49e88 100644 
--- a/java-21-openjdk.spec +++ b/java-21-openjdk.spec @@ -226,12 +226,6 @@ %global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||') %global ourldflags %{__global_ldflags} -# With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path -# the initialization must be here. Later the pkg-config have buggy behavior -# looks like openjdk RPM specific bug -# Always set this so the nss.cfg file is not broken -%global NSS_LIBDIR %(pkg-config --variable=libdir nss) - # In some cases, the arch used by the JDK does # not match _arch. # Also, in some cases, the machine name used by SystemTap @@ -352,9 +346,9 @@ %global top_level_dir_name %{vcstag} %global top_level_dir_name_backup %{top_level_dir_name}-backup %global buildver 35 -%global rpmrelease 1 +%global rpmrelease 2 # Settings used by the portable build -%global portablerelease 1 +%global portablerelease 2 %global portablesuffix el9 %global portablebuilddir /builddir/build/BUILD @@ -440,6 +434,7 @@ %define jrebindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} %global alt_java_name alt-java +%global alt_java_versioned %{alt_java_name}-%{featurever} %global rpm_state_dir %{_localstatedir}/lib/rpm-state/ @@ -536,7 +531,7 @@ key=java alternatives \\ --install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY --family %{family} \\ --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\ - --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\ + --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{_bindir}/%{alt_java_versioned} \\ --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\ --slave %{_bindir}/rmiregistry rmiregistry %{jrebindir -- %{?1}}/rmiregistry \\ --slave %{_mandir}/man1/java.1$ext java.1$ext \\ 
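Review bot: With the `alt-java` slave now pointing at `%{_bindir}/%{alt_java_versioned}`, the launcher no longer sits beside this JDK's `java`: alt-java.c takes the directory of `/proc/self/exe` and execs `java` from it, which for a binary installed in `%{_bindir}` appears to be the alternatives-managed `%{_bindir}/java`. If another JDK is the selected `java` alternative, `alt-java-%{featurever}` would then start that JDK rather than this one. If that is not intended, keep the binary under `%{jrebindir -- %{?1}}` as before; otherwise add a comment beside the `--slave` line such as `# alt-java-N execs the java found next to it, i.e. the system java alternative`. The macro containing this hunk starts and ends outside it.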
@@ -815,6 +810,7 @@ exit 0 %define files_jre_headless() %{expand: %license %{_jvmdir}/%{sdkdir -- %{?1}}/legal +%{_bindir}/%{alt_java_versioned} %doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS %doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/README.md %doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/java-%{featurever}-openjdk-portable.specfile @@ -825,7 +821,6 @@ exit 0 %{_jvmdir}/%{jrelnk -- %{?1}} %dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin %{_jvmdir}/%{sdkdir -- %{?1}}/bin/java -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/%{alt_java_name} %{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool %{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmiregistry %dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib @@ -919,7 +914,6 @@ exit 0 %{etcjavadir -- %{?1}}/conf/security/policy/README.txt %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.policy %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security -%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg %config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access # This is a config template, thus not config-noreplace @@ -1028,7 +1022,6 @@ exit 0 %if %{is_release_build -- %{?1}} %ghost %{_bindir}/javac %ghost %{_jvmdir}/java -%ghost %{_jvmdir}/%{alt_java_name} %ghost %{_bindir}/jlink %ghost %{_bindir}/jmod %ghost %{_bindir}/jhsdb @@ -1315,8 +1308,8 @@ Source8: tapsets-icedtea-%{icedteaver}.tar.xz # Desktop files. Adapted from IcedTea Source9: jconsole.desktop.in -# nss configuration file -Source11: nss.cfg.in +# Source code for alt-java +Source11: alt-java.c # Removed libraries that we link instead Source12: remove-intree-libraries.sh 
@@ -1356,20 +1349,6 @@ Source20: java-%{featurever}-openjdk-portable.specfile # ############################################ -# NSS via SunPKCS11 Provider (disabled comment -# due to memory leak). -Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch -# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639) -Patch600: rh1750419-redhat_alt_java.patch - -# Ignore AWTError when assistive technologies are loaded -Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch -# Restrict access to java-atk-wrapper classes -Patch2: rh1648644-java_access_bridge_privileged_security.patch -Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch -# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo -Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch - # Crypto policy and FIPS support patches # Patch is generated from the fips-21u tree at https://github.com/rh-openjdk/jdk/tree/fips-21u # as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch @@ -1414,6 +1393,10 @@ Patch1001: fips-%{featurever}u-%{fipsver}.patch # ############################################# +# JDK-8009550, RH910107: Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo +# PR: https://github.com/openjdk/jdk/pull/15409 +Patch6: jdk8009550-rh910107-fail_to_load_pcsc_library.patch + # Currently empty ############################################# @@ -1451,7 +1434,7 @@ BuildRequires: libXrandr-devel BuildRequires: libXrender-devel BuildRequires: libXt-devel BuildRequires: libXtst-devel -# Requirement for setting up nss.cfg and nss.fips.cfg +# Requirement for setting up nss.fips.cfg BuildRequires: nss-devel # Requirement for system security property test BuildRequires: crypto-policies 
@@ -1867,15 +1850,10 @@ sh %{SOURCE12} %{top_level_dir_name} # Patch the JDK pushd %{top_level_dir_name} -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch6 -p1 # Add crypto policy and FIPS support %patch1001 -p1 -# nss.cfg PKCS11 support; must come last as it also alters java.security -%patch1000 -p1 -%patch600 -p1 +# Patches in need of upstreaming +%patch6 -p1 popd # openjdk @@ -1945,9 +1923,6 @@ for file in %{SOURCE9}; do done done -# Setup nss.cfg -sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg - %build function customisejdk() { @@ -1989,7 +1964,7 @@ for suffix in %{build_loop} ; do portablenvr="%{name}-%{VERSION}-%{portablerelease}.%{portablesuffix}.%{_arch}" for file in $(find ${installdir} -type f) ; do if file ${file} | grep -q 'ELF'; then - %{debugedit} -b %{portablebuilddir}/${portablenvr} -d $(pwd) -n ${file} + %{debugedit} -b %{portablebuilddir}/${portablenvr} -d $(pwd) -n ${file} fi done @@ -2045,10 +2020,12 @@ $JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=tru if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi # Check alt-java launcher has SSB mitigation on supported architectures +# set_speculation function exists in both cases, so check for prctl call +alt_java_binary=${RPM_BUILD_ROOT}%{_bindir}/%{alt_java_versioned} %ifarch %{ssbd_arches} -nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation +nm ${alt_java_binary} | grep prctl %else -if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi +if ! nm ${alt_java_binary} | grep prctl ; then true ; else false; fi %endif %if ! 0%{?flatpak} 
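Review bot: The check `nm ${alt_java_binary} | grep prctl` only shows that some symbol whose name contains `prctl` is present; it does not show that the mitigation is requested with the intended arguments or that it takes effect. At minimum match the whole symbol name, `nm ${alt_java_binary} | grep -w prctl`, and add a comment that this is a static presence check only. Where the build environment permits, a runtime check on `%{ssbd_arches}` that reads the `Speculation_Store_Bypass` line of `/proc/self/status` from a process started through the launcher would confirm the per-task state. The same check appears in java-21-openjdk-portable.specfile against `%{altjavaoutputdir}/%{alt_java_name}`.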
@@ -2161,6 +2138,10 @@ jdk_image=$(pwd)/%{installoutputdir -- ${suffix}} docdir=$(pwd)/%{installoutputdir -- "-docs"} miscdir=%{installoutputdir -- "-misc"} +# Install %{alt_java_name} binary versioned +install -D -p -m 755 ${miscdir}/%{alt_java_name} \ + $RPM_BUILD_ROOT%{_bindir}/%{alt_java_versioned} + # Install release notes and rebuild instructions commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix} install -d -m 755 ${commondocdir} @@ -2509,6 +2490,17 @@ cjc.mainProgram(args) %endif %changelog +* Thu Aug 24 2023 Andrew Hughes - 1:21.0.0.0.35-2 +- Update documentation (README.md) +- Replace alt-java patch with a binary separate from the JDK +- Drop stale patches that are of little use any more: +- * nss.cfg has been disabled since early PKCS11 work and long superseded by FIPS work +- * No accessibility subpackage to warrant RH1648242 & RH1648644 patches any more +- * No use of system libjpeg turbo to warrant RH649512 patch any more +- Replace RH1684077 pcsc-lite-libs patch with better JDK-8009550 fix being upstreamed +- Adapt alt-java test to new binary where there is always a set_speculation function +- Related: RHEL-45217 + * Mon Aug 21 2023 Andrew Hughes - 1:21.0.0.0.35-1 - Update to jdk-21.0.0+35 - Update system crypto policy & FIPS patch from new fips-21u tree diff --git a/jdk8009550-rh910107-fail_to_load_pcsc_library.patch b/jdk8009550-rh910107-fail_to_load_pcsc_library.patch new file mode 100644 index 0000000..9213937 --- /dev/null +++ b/jdk8009550-rh910107-fail_to_load_pcsc_library.patch 
@@ -0,0 +1,125 @@ +commit d0523302416bc6507696f20d1068f16427bcf6b8 +Author: Andrew Hughes +Date: Thu Aug 24 01:23:49 2023 +0100 + + 8009550: PlatformPCSC should load versioned so + +diff --git a/src/java.base/share/classes/sun/security/util/Debug.java b/src/java.base/share/classes/sun/security/util/Debug.java +index bff273c6548..e5a6b288ff8 100644 +--- a/src/java.base/share/classes/sun/security/util/Debug.java ++++ b/src/java.base/share/classes/sun/security/util/Debug.java +@@ -81,6 +81,7 @@ public static void Help() + System.err.println("logincontext login context results"); + System.err.println("jca JCA engine class debugging"); + System.err.println("keystore KeyStore debugging"); ++ System.err.println("pcsc Smartcard library debugging"); + System.err.println("policy loading and granting"); + System.err.println("provider security provider debugging"); + System.err.println("pkcs11 PKCS11 session manager debugging"); +diff --git a/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java b/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java +index bacff32efbc..d9f605ada1e 100644 +--- a/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java ++++ b/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java +@@ -1,5 +1,6 @@ + /* + * Copyright (c) 2005, 2021, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2023, Red Hat Inc. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 
+ * + * This code is free software; you can redistribute it and/or modify it +@@ -46,8 +47,13 @@ class PlatformPCSC { + + private static final String PROP_NAME = "sun.security.smartcardio.library"; + +- private static final String LIB1 = "/usr/$LIBISA/libpcsclite.so"; +- private static final String LIB2 = "/usr/local/$LIBISA/libpcsclite.so"; ++ private static final String[] LIB_TEMPLATES = { "/usr/$LIBISA/libpcsclite.so", ++ "/usr/local/$LIBISA/libpcsclite.so", ++ "/usr/lib/$ARCH-linux-gnu/libpcsclite.so", ++ "/usr/lib/arm-linux-gnueabi/libpcsclite.so", ++ "/usr/lib/arm-linux-gnueabihf/libpcsclite.so", ++ "/usr/lib/$ARCH-kfreebsd-gnu/libpcsclite.so" }; ++ private static final String[] LIB_SUFFIXES = { ".1", ".0", "" }; + private static final String PCSC_FRAMEWORK = "/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC"; + + PlatformPCSC() { +@@ -73,23 +79,38 @@ public Throwable run() { + }); + + // expand $LIBISA to the system specific directory name for libraries ++ // expand $ARCH to the Debian system architecture in use + private static String expand(String lib) { + int k = lib.indexOf("$LIBISA"); +- if (k == -1) { +- return lib; ++ if (k != -1) { ++ String libDir; ++ if ("64".equals(System.getProperty("sun.arch.data.model"))) { ++ // assume Linux convention ++ libDir = "lib64"; ++ } else { ++ // must be 32-bit ++ libDir = "lib"; ++ } ++ lib = lib.replace("$LIBISA", libDir); + } +- String s1 = lib.substring(0, k); +- String s2 = lib.substring(k + 7); +- String libDir; +- if ("64".equals(System.getProperty("sun.arch.data.model"))) { +- // assume Linux convention +- libDir = "lib64"; +- } else { +- // must be 32-bit +- libDir = "lib"; ++ ++ k = lib.indexOf("$ARCH"); ++ if (k != -1) { ++ String arch = System.getProperty("os.arch"); ++ lib = lib.replace("$ARCH", getDebianArchitecture(arch)); + } +- String s = s1 + libDir + s2; +- return s; ++ ++ return lib; ++ } ++ ++ private static String getDebianArchitecture(String jdkArch) { ++ return switch (jdkArch) 
{ ++ case "amd64" -> "x86_64"; ++ case "ppc" -> "powerpc"; ++ case "ppc64" -> "powerpc64"; ++ case "ppc64le" -> "powerpc64le"; ++ default -> jdkArch; ++ }; + } + + private static String getLibraryName() throws IOException { +@@ -98,15 +119,18 @@ private static String getLibraryName() throws IOException { + if (lib.length() != 0) { + return lib; + } +- lib = expand(LIB1); +- if (new File(lib).isFile()) { +- // if LIB1 exists, use that +- return lib; +- } +- lib = expand(LIB2); +- if (new File(lib).isFile()) { +- // if LIB2 exists, use that +- return lib; ++ ++ for (String template : LIB_TEMPLATES) { ++ for (String suffix : LIB_SUFFIXES) { ++ lib = expand(template) + suffix; ++ if (debug != null) { ++ debug.println("Looking for " + lib); ++ } ++ if (new File(lib).isFile()) { ++ // if library exists, use that ++ return lib; ++ } ++ } + } + + // As of macos 11, framework libraries have been removed from the file diff --git a/nss.cfg.in b/nss.cfg.in deleted file mode 100644 index 377a39c..0000000 --- a/nss.cfg.in +++ /dev/null @@ -1,5 +0,0 @@ -name = NSS -nssLibraryDirectory = @NSS_LIBDIR@ -nssDbMode = noDb -attributes = compatibility -handleStartupErrors = ignoreMultipleInitialisation diff --git a/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch b/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch deleted file mode 100644 index 3042186..0000000 --- a/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff -r 618ad1237e73 src/java.desktop/share/classes/java/awt/Toolkit.java ---- a/src/java.desktop/share/classes/java/awt/Toolkit.java Thu Jun 13 19:37:49 2019 +0200 -+++ b/src/java.desktop/share/classes/java/awt/Toolkit.java Thu Jul 04 10:35:42 2019 +0200 -@@ -595,7 +595,11 @@ - toolkit = new HeadlessToolkit(toolkit); - } - if (!GraphicsEnvironment.isHeadless()) { -- loadAssistiveTechnologies(); -+ try { -+ loadAssistiveTechnologies(); -+ } catch (AWTError error) { -+ // ignore silently -+ } - } - } - return toolkit; 
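Review bot: `getLibraryName()` now calls `debug.println("Looking for " + lib)`, but no hunk of this embedded patch declares a `debug` field or imports `sun.security.util.Debug` in PlatformPCSC.java; unless the class already has one outside the lines shown, the patched source will not compile, and a declaration such as `private static final Debug debug = Debug.getInstance("pcsc");` would be needed to go with the new `pcsc` help entry. Separately, `LIB_TEMPLATES` keeps `/usr/local/$LIBISA` ahead of the newly added multiarch directories, so on those systems a library under `/usr/local` wins over the distribution's copy. Because the first existing file is what gets loaded as native code, a comment above the array stating that this order is intended would help, e.g. `// searched in order; first existing file is loaded`. The methods touched here begin and end outside the hunks shown.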
diff --git a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch deleted file mode 100644 index c178077..0000000 --- a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git openjdk.orig/src/java.base/share/conf/security/java.security openjdk/src/java.base/share/conf/security/java.security -index 68a9c1a2d08..7aa25eb2cb7 100644 ---- openjdk.orig/src/java.base/share/conf/security/java.security -+++ openjdk/src/java.base/share/conf/security/java.security -@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI - security.provider.tbd=Apple - #endif - security.provider.tbd=SunPKCS11 -+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg - - # - # Security providers used when FIPS mode support is active diff --git a/rh1648644-java_access_bridge_privileged_security.patch b/rh1648644-java_access_bridge_privileged_security.patch deleted file mode 100644 index 53026ad..0000000 --- a/rh1648644-java_access_bridge_privileged_security.patch +++ /dev/null @@ -1,20 +0,0 @@ ---- openjdk/src/java.base/share/conf/security/java.security -+++ openjdk/src/java.base/share/conf/security/java.security -@@ -304,6 +304,8 @@ - # - package.access=sun.misc.,\ - sun.reflect.,\ -+ org.GNOME.Accessibility.,\ -+ org.GNOME.Bonobo.,\ - - # - # List of comma-separated packages that start with or equal this string -@@ -316,6 +318,8 @@ - # - package.definition=sun.misc.,\ - sun.reflect.,\ -+ org.GNOME.Accessibility.,\ -+ org.GNOME.Bonobo.,\ - - # - # Determines whether this properties file can be appended to diff --git a/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch b/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch deleted file mode 100644 index 4c1476f..0000000 --- a/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch +++ /dev/null 
@@ -1,15 +0,0 @@ -diff --git a/openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java b/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java -index bacff32efbc..ff7b3dcc81c 100644 ---- openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java -+++ openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java -@@ -46,8 +46,8 @@ class PlatformPCSC { - - private static final String PROP_NAME = "sun.security.smartcardio.library"; - -- private static final String LIB1 = "/usr/$LIBISA/libpcsclite.so"; -- private static final String LIB2 = "/usr/local/$LIBISA/libpcsclite.so"; -+ private static final String LIB1 = "/usr/$LIBISA/libpcsclite.so.1"; -+ private static final String LIB2 = "/usr/local/$LIBISA/libpcsclite.so.1"; - private static final String PCSC_FRAMEWORK = "/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC"; - - PlatformPCSC() { diff --git a/rh1750419-redhat_alt_java.patch b/rh1750419-redhat_alt_java.patch deleted file mode 100644 index d877ca8..0000000 --- a/rh1750419-redhat_alt_java.patch +++ /dev/null 
@@ -1,117 +0,0 @@ -diff --git openjdk.orig/make/modules/java.base/Launcher.gmk openjdk/make/modules/java.base/Launcher.gmk -index 700ddefda49..2882de68eb2 100644 ---- openjdk.orig/make/modules/java.base/Launcher.gmk -+++ openjdk/make/modules/java.base/Launcher.gmk -@@ -41,6 +41,14 @@ $(eval $(call SetupBuildLauncher, java, \ - OPTIMIZATION := HIGH, \ - )) - -+#Wno-error=cpp is present to allow commented warning in ifdef part of main.c -+$(eval $(call SetupBuildLauncher, alt-java, \ -+ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \ -+ EXTRA_RCFLAGS := $(JAVA_RCFLAGS), \ -+ VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \ -+ OPTIMIZATION := HIGH, \ -+)) -+ - ifeq ($(call isTargetOs, windows), true) - $(eval $(call SetupBuildLauncher, javaw, \ - CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \ -diff --git openjdk.orig/src/java.base/share/native/launcher/alt_main.h openjdk/src/java.base/share/native/launcher/alt_main.h -new file mode 100644 -index 00000000000..697df2898ac ---- /dev/null -+++ openjdk/src/java.base/share/native/launcher/alt_main.h -@@ -0,0 +1,73 @@ -+/* -+ * Copyright (c) 2019, Red Hat, Inc. All rights reserved. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). 
-+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+#ifdef REDHAT_ALT_JAVA -+ -+#include -+ -+ -+/* Per task speculation control */ -+#ifndef PR_GET_SPECULATION_CTRL -+# define PR_GET_SPECULATION_CTRL 52 -+#endif -+#ifndef PR_SET_SPECULATION_CTRL -+# define PR_SET_SPECULATION_CTRL 53 -+#endif -+/* Speculation control variants */ -+#ifndef PR_SPEC_STORE_BYPASS -+# define PR_SPEC_STORE_BYPASS 0 -+#endif -+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */ -+ -+#ifndef PR_SPEC_NOT_AFFECTED -+# define PR_SPEC_NOT_AFFECTED 0 -+#endif -+#ifndef PR_SPEC_PRCTL -+# define PR_SPEC_PRCTL (1UL << 0) -+#endif -+#ifndef PR_SPEC_ENABLE -+# define PR_SPEC_ENABLE (1UL << 1) -+#endif -+#ifndef PR_SPEC_DISABLE -+# define PR_SPEC_DISABLE (1UL << 2) -+#endif -+#ifndef PR_SPEC_FORCE_DISABLE -+# define PR_SPEC_FORCE_DISABLE (1UL << 3) -+#endif -+#ifndef PR_SPEC_DISABLE_NOEXEC -+# define PR_SPEC_DISABLE_NOEXEC (1UL << 4) -+#endif -+ -+static void set_speculation() __attribute__((constructor)); -+static void set_speculation() { -+ if ( prctl(PR_SET_SPECULATION_CTRL, -+ PR_SPEC_STORE_BYPASS, -+ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) { -+ return; -+ } -+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0); -+} -+ -+#endif // REDHAT_ALT_JAVA -diff --git openjdk.orig/src/java.base/share/native/launcher/main.c openjdk/src/java.base/share/native/launcher/main.c -index b734fe2ba78..79dc8307650 100644 ---- openjdk.orig/src/java.base/share/native/launcher/main.c -+++ openjdk/src/java.base/share/native/launcher/main.c -@@ -34,6 +34,14 @@ - #include "jli_util.h" - #include "jni.h" - -+#ifdef REDHAT_ALT_JAVA -+#if 
defined(__linux__) && defined(__x86_64__) -+#include "alt_main.h" -+#else -+#warning alt-java requested but SSB mitigation not available on this platform. -+#endif -+#endif -+ - /* - * Entry point. - */ diff --git a/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch b/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch deleted file mode 100644 index 1b706a1..0000000 --- a/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch +++ /dev/null @@ -1,19 +0,0 @@ -Remove uses of FAR in jpeg code - -Upstream libjpeg-trubo removed the (empty) FAR macro: -http://sourceforge.net/p/libjpeg-turbo/code/1312/ - -Adjust our code to not use the undefined FAR macro anymore. - -diff --git a/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c b/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c ---- openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c -+++ openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c -@@ -1385,7 +1385,7 @@ - /* and fill it in */ - dst_ptr = icc_data; - for (seq_no = first; seq_no < last; seq_no++) { -- JOCTET FAR *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN; -+ JOCTET *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN; - unsigned int length = - icc_markers[seq_no]->data_length - ICC_OVERHEAD_LEN; -