Added checks and restrictions around alt-java

java-11-openjdk.spec

@@ -101,6 +101,8 @@
 %global shenandoah_arches x86_64 %{aarch64}
 # Set of architectures for which we build the Z garbage collector
 %global zgc_arches x86_64
+# Set of architectures for which alt-java has SSB mitigation
+%global ssbd_arches x86_64
 
 # By default, we build a debug build during main build on JIT architectures
 %if %{with slowdebug}
@@ -259,7 +261,7 @@
 %global top_level_dir_name   %{origin}
 %global minorver        0
 %global buildver        11
-%global rpmrelease      5
+%global rpmrelease      6
 #%%global tagsuffix      ""
 # priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when moving to 11 we had to add another digit
 %if %is_system_jdk
@@ -1598,6 +1600,16 @@ $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
 $JAVA_HOME/bin/javac -d . %{SOURCE15}
 $JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||")
 
+# Check java launcher has no SSB mitigation
+if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
+
+# Check alt-java launcher has SSB mitigation on supported architectures
+%ifarch %{ssbd_arches}
+nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
+%else
+if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
+%endif
+
 # Check debug symbols in static libraries (smoke test)
 export STATIC_LIBS_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{static_libs_image}
 readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c
@@ -1974,6 +1986,11 @@ require "copy_jdk_configs.lua"
 
 
 %changelog
+* Thu Dec 17 2020 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.9.11-6
+- introduced nm based check to verify alt-java on x86_64 is patched, and no other alt-java or java is patched
+- patch600 rh1750419-redhat_alt_java.patch amended to die, if it is used wrongly
+- introduced ssbd_arches with currently only valid arch of x86_64 to separate real alt-java architectures
+
 * Tue Dec 01 2020 Jiri Vanek <jvanek@redhat.com> - 1:11.0.9.11-5
 - removed patch6, rh1566890-CVE_2018_3639-speculative_store_bypass.patch, surpassed by new patch
 - added patch600, rh1750419-redhat_alt_java.patch, suprassing removed patch

rh1750419-redhat_alt_java.patch

@@ -1,12 +1,13 @@
 diff -r 1356affa5e44 make/launcher/Launcher-java.base.gmk
 --- openjdk/make/launcher/Launcher-java.base.gmk      Wed Nov 25 08:27:15 2020 +0100
 +++ openjdk/make/launcher/Launcher-java.base.gmk      Tue Dec 01 12:29:30 2020 +0100
-@@ -41,6 +41,15 @@
+@@ -41,6 +41,16 @@
      OPTIMIZATION := HIGH, \
  ))
  
++#Wno-error=cpp is present to allow commented warning in ifdef part of main.c
 +$(eval $(call SetupBuildLauncher, alt-java, \
-+    CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA, \
++    CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \
 +    LDFLAGS_solaris := -R$(OPENWIN_HOME)/lib$(OPENJDK_TARGET_CPU_ISADIR), \
 +    LIBS_windows := user32.lib comctl32.lib, \
 +    EXTRA_RC_FLAGS := $(JAVA_RC_FLAGS), \
@@ -98,12 +99,16 @@ diff -r 25e94aa812b2 src/share/bin/alt_main.h
 diff -r 25e94aa812b2 src/share/bin/main.c
 --- openjdk/src/java.base/share/native/launcher/main.c	Wed Feb 05 12:20:36 2020 -0300
 +++ openjdk/src/java.base/share/native/launcher/main.c	Tue Jun 02 17:15:28 2020 +0100
-@@ -34,6 +34,10 @@
+@@ -34,6 +34,14 @@
  #include "jli_util.h"
  #include "jni.h"
  
++#ifdef REDHAT_ALT_JAVA
 +#if defined(__linux__) && defined(__x86_64__)
 +#include "alt_main.h"
++#else
++#warning alt-java requested but SSB mitigation not available on this platform.
++#endif
 +#endif
 +
  #ifdef _MSC_VER