From 94a25f51fa04cc4db07c454704bb66a22a4035bc Mon Sep 17 00:00:00 2001 From: Jiri Date: Mon, 7 Dec 2020 19:37:12 +0100 Subject: [PATCH] Porting changes from master Replaced alt-java palceholder by real pathced alt-java Fixes comment for speculative store bypass patch Redeffined linux -> __linux__ and __x86_64 -> __x86_64__; should be backported to jdk11 and jdk8 moved wrongly placed icenses to acompany other ones Fixed not-including fastdebugbuild in case of --without fastdebug Added checks and restrictions around alt-java many cosmetic changes taken from more maintained jdk11 Added few missing majorver into descriptions removed lib-style provides for fastdebug_suffix_unquoted fixed missing condition for fastdebug packages being counted as debug ones Fixed typo in variable Add BuildRequires: make Use -march=i686 for x86 builds if -fcf-protection is detected (needs CMOV) --- .gitignore | 1 + TestSecurityProperties.java | 43 +++++ icedtea_sync.sh | 97 ++++++++++ java-latest-openjdk.spec | 195 ++++++++++++++------ jdk8259949-allow_cf-protection_on_x86.patch | 27 +++ rh1750419-redhat_alt_java.patch | 114 ++++++++++++ sources | 2 +- 7 files changed, 418 insertions(+), 61 deletions(-) create mode 100644 TestSecurityProperties.java create mode 100755 icedtea_sync.sh create mode 100644 jdk8259949-allow_cf-protection_on_x86.patch create mode 100644 rh1750419-redhat_alt_java.patch diff --git a/.gitignore b/.gitignore index 7d14ab0..50482ea 100644 --- a/.gitignore +++ b/.gitignore @@ -12,3 +12,4 @@ /jdk-updates-jdk14u-jdk-14.0.2+12.tar.xz /jdk-jdk15-jdk-15+36.tar.xz /jdk-updates-jdk15u-jdk-15.0.1+9.tar.xz +/tapsets-icedtea-3.15.0.tar.xz diff --git a/TestSecurityProperties.java b/TestSecurityProperties.java new file mode 100644 index 0000000..06a0b07 --- /dev/null +++ b/TestSecurityProperties.java 
@@ -0,0 +1,43 @@
+import java.io.File;
+import java.io.FileInputStream;
+import java.security.Security;
+import java.util.Properties;
+
+public class TestSecurityProperties {
+ // JDK 11
+ private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security";
+ // JDK 8
+ private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
+
+ public static void main(String[] args) {
+ Properties jdkProps = new Properties();
+ loadProperties(jdkProps);
+ for (Object key: jdkProps.keySet()) {
+ String sKey = (String)key;
+ String securityVal = Security.getProperty(sKey);
+ String jdkSecVal = jdkProps.getProperty(sKey);
+ if (!securityVal.equals(jdkSecVal)) {
+ String msg = "Expected value '" + jdkSecVal + "' for key '" +
+ sKey + "'" + " but got value '" + securityVal + "'";
+ throw new RuntimeException("Test failed! " + msg);
+ } else {
+ System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
+ }
+ }
+ System.out.println("TestSecurityProperties PASSED!");
+ }
+
+ private static void loadProperties(Properties props) {
+ String javaVersion = System.getProperty("java.version");
+ System.out.println("Debug: Java version is " + javaVersion);
+ String propsFile = JDK_PROPS_FILE_JDK_11;
+ if (javaVersion.startsWith("1.8.0")) {
+ propsFile = JDK_PROPS_FILE_JDK_8;
+ }
+ try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
+ props.load(fin);
+ } catch (Exception e) {
+ throw new RuntimeException("Test failed!", e);
+ }
+ }
+}
diff --git a/icedtea_sync.sh b/icedtea_sync.sh
new file mode 100755
index 0000000..c3fd5e6
--- /dev/null
+++ b/icedtea_sync.sh
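Review bot: `securityVal.equals(jdkSecVal)` in main() dereferences the result of `Security.getProperty(sKey)`, which is null for any key that is in the file but not in the runtime's security properties, so that kind of mismatch surfaces as a NullPointerException instead of the intended "Test failed!" message. A null-safe comparison keeps the diagnostic: `if (!Objects.equals(securityVal, jdkSecVal)) {` together with `import java.util.Objects;`. The raw `Object` loop plus cast could read `for (String sKey : jdkProps.stringPropertyNames())`, and `catch (Exception e)` in loadProperties could be narrowed to `IOException`, which is all that `FileInputStream` and `Properties.load` declare.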
@@ -0,0 +1,97 @@
+#!/bin/bash
+
+# Copyright (C) 2019 Red Hat, Inc.
+# Written by Andrew John Hughes .
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+
+ICEDTEA_VERSION=3.15.0
+ICEDTEA_URL=https://icedtea.classpath.org/download/source
+ICEDTEA_SIGNING_KEY=CFDA0F9B35964222
+
+set -e
+
+if test "x${WGET}" = "x"; then
+ WGET=$(which wget);
+ if test "x${WGET}" = "x"; then
+ echo "wget not found";
+ exit 1;
+ fi
+fi
+
+if test "x${CHECKSUM}" = "x"; then
+ CHECKSUM=$(which sha256sum)
+ if test "x${CHECKSUM}" = "x"; then
+ echo "sha256sum not found";
+ exit 2;
+ fi
+fi
+
+if test "x${PGP}" = "x"; then
+ PGP=$(which gpg)
+ if test "x${PGP}" = "x"; then
+ echo "gpg not found";
+ exit 3;
+ fi
+fi
+
+if test "x${TAR}" = "x"; then
+ TAR=$(which tar)
+ if test "x${TAR}" = "x"; then
+ echo "tar not found";
+ exit 4;
+ fi
+fi
+
+echo "Dependencies:";
+echo -e "\tWGET: ${WGET}";
+echo -e "\tCHECKSUM: ${CHECKSUM}";
+echo -e "\tPGP: ${PGP}\n";
+echo -e "\tTAR: ${TAR}\n";
+
+echo "Checking for IcedTea signing key ${ICEDTEA_SIGNING_KEY}...";
+if ! 
gpg --list-keys ${ICEDTEA_SIGNING_KEY}; then
+ echo "IcedTea signing key ${ICEDTEA_SIGNING_KEY} not installed.";
+ exit 5;
+fi
+
+echo "Downloading IcedTea release tarball...";
+${WGET} -v ${ICEDTEA_URL}/icedtea-${ICEDTEA_VERSION}.tar.xz
+echo "Downloading IcedTea tarball signature...";
+${WGET} -v ${ICEDTEA_URL}/icedtea-${ICEDTEA_VERSION}.tar.xz.sig
+echo "Downloading IcedTea tarball checksums...";
+${WGET} -v ${ICEDTEA_URL}/icedtea-${ICEDTEA_VERSION}.sha256
+
+echo "Verifying checksums...";
+${CHECKSUM} --check --ignore-missing icedtea-${ICEDTEA_VERSION}.sha256
+
+echo "Checking signature...";
+${PGP} --verify icedtea-${ICEDTEA_VERSION}.tar.xz.sig
+
+echo "Extracting files...";
+${TAR} xJf icedtea-${ICEDTEA_VERSION}.tar.xz \
+ icedtea-${ICEDTEA_VERSION}/tapset \
+ icedtea-${ICEDTEA_VERSION}/jconsole.desktop.in
+
+echo "Replacing desktop files...";
+mv -v icedtea-${ICEDTEA_VERSION}/jconsole.desktop.in .
+
+echo "Creating new tapset tarball...";
+mv -v icedtea-${ICEDTEA_VERSION} openjdk
+${TAR} cJf tapsets-icedtea-${ICEDTEA_VERSION}.tar.xz openjdk
+
+rm -rvf openjdk
+rm -vf icedtea-${ICEDTEA_VERSION}.tar.xz
+rm -vf icedtea-${ICEDTEA_VERSION}.tar.xz.sig
+rm -vf icedtea-${ICEDTEA_VERSION}.sha256
diff --git a/java-latest-openjdk.spec b/java-latest-openjdk.spec
index bd306b7..13f221e 100644
--- a/java-latest-openjdk.spec
+++ b/java-latest-openjdk.spec
@@ -11,7 +11,10 @@
 # $ rpmbuild -ba java-latest-openjdk.spec --without slowdebug --without fastdebug
 #
 # Only produce a release build on x86_64:
-# $ rhpkg mockbuild --without slowdebug --without fastdebug
+# $ fedpkg mockbuild --without slowdebug --without fastdebug
+
+# Only produce a debug build on x86_64:
+# $ fedpkg local --without release
 #
 # Enable fastdebug builds by default on relevant arches.
 %bcond_without fastdebug
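Review bot: `${PGP} --verify icedtea-${ICEDTEA_VERSION}.tar.xz.sig` accepts a valid signature from any key in the local keyring; the earlier `gpg --list-keys ${ICEDTEA_SIGNING_KEY}` only confirms that key is installed and does not bind the verification to it, so the checksum file and tarball are trusted on the strength of whatever key happened to sign them. Pinning it is a one-line change, e.g. `${PGP} --status-fd 1 --verify icedtea-${ICEDTEA_VERSION}.tar.xz.sig icedtea-${ICEDTEA_VERSION}.tar.xz | grep -q "VALIDSIG.*${ICEDTEA_SIGNING_KEY}"`, or a dedicated `--keyring` containing only that key. Separately, with `set -e` in effect the assignments `WGET=$(which wget);`, `CHECKSUM=$(which sha256sum)` and so on abort the script as soon as `which` exits non-zero, so the "not found" branches with their exit codes 1 to 4 appear unreachable; `WGET=$(which wget || true)` keeps them reachable. The script's hunk begins on the previous line of the page.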
@@ -43,7 +46,7 @@ %global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP. %global debug_on with full debug on %global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP. -%global for_fastdebug_on with minimal debug on +%global for_fastdebug with minimal debug on %global for_debug for packages with debug on %if %{with release} @@ -71,7 +74,7 @@ # == rpm -ql java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm | grep bin # != rpm -ql java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin # similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip} -%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi ) +%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" -o "%{?1}" == "%{fastdebug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi ) # while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1 # as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...) 
@@ -81,15 +84,35 @@ # we need to distinguish between big and little endian PPC64 %global ppc64le ppc64le %global ppc64be ppc64 ppc64p7 +# Set of architectures which support multiple ABIs %global multilib_arches %{power64} sparc64 x86_64 -%global jit_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm} s390x +# Set of architectures for which we build debug builds +%global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x +# Set of architectures with a Just-In-Time (JIT) compiler +%global jit_arches %{debug_arches} %{arm} +# Set of architectures which run a full bootstrap cycle +%global bootstrap_arches %{jit_arches} +# Set of architectures which support SystemTap tapsets +%global systemtap_arches %{jit_arches} +# Set of architectures with a Ahead-Of-Time (AOT) compiler %global aot_arches x86_64 %{aarch64} -%global fastdebug_arches x86_64 ppc64le aarch64 s390x +%global fastdebug_arches x86_64 ppc64le aarch64 +# Set of architectures which support the serviceability agent +%global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm} +# Set of architectures which support class data sharing +# See https://bugzilla.redhat.com/show_bug.cgi?id=513605 +# MetaspaceShared::generate_vtable_methods is not implemented for the PPC JIT +%global share_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{arm} s390x +# Set of architectures for which we build the Shenandoah garbage collector +%global shenandoah_arches x86_64 %{aarch64} +# Set of architectures for which we build the Z garbage collector +%global zgc_arches x86_64 +# Set of architectures for which alt-java has SSB mitigation +%global ssbd_arches x86_64 # By default, we build a debug build during main build on JIT architectures %if %{with slowdebug} -%ifarch %{jit_arches} -%ifnarch %{arm} +%ifarch %{debug_arches} %global include_debug_build 1 %else %global include_debug_build 0 
@@ -97,12 +120,9 @@ %else %global include_debug_build 0 %endif -%else -%global include_debug_build 0 -%endif -# On x86_64 and AArch64, we use the Shenandoah HotSpot -%ifarch x86_64 %{aarch64} +# On certain architectures, we compile the Shenandoah GC +%ifarch %{shenandoah_arches} %global use_shenandoah_hotspot 1 %else %global use_shenandoah_hotspot 0 @@ -115,6 +135,8 @@ %else %global include_fastdebug_build 0 %endif +%else +%global include_fastdebug_build 0 %endif %if %{include_debug_build} @@ -135,7 +157,7 @@ # Test slowdebug first as it provides the best diagnostics %global rev_build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} -%ifarch %{jit_arches} +%ifarch %{bootstrap_arches} %global bootstrap_build 1 %else %global bootstrap_build 1 @@ -213,7 +235,7 @@ -%ifarch %{jit_arches} +%ifarch %{systemtap_arches} %global with_systemtap 1 %else %global with_systemtap 0 @@ -235,13 +257,16 @@ %global lts_designator "" %global lts_designator_zip "" +# Define IcedTea version used for SystemTap tapsets and desktop file +%global icedteaver 3.15.0 + # Standard JPackage naming and versioning defines %global origin openjdk %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global minorver 0 %global buildver 9 -%global rpmrelease 2 +%global rpmrelease 10 # priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk %global priority %( printf '%02d%02d%02d%02d' %{majorver} %{minorver} %{securityver} %{buildver} ) @@ -300,6 +325,7 @@ # main id and dir of this jdk %define uniquesuffix() %{expand:%{fullversion}.%{_arch}%{?1}} +################################################################# # fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 # https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14 # https://bugzilla.redhat.com/show_bug.cgi?id=1655938 
@@ -308,7 +334,11 @@ %if %is_system_jdk %global __provides_exclude ^(%{_privatelibs})$ %global __requires_exclude ^(%{_privatelibs})$ +# Never generate lib-style provides/requires for any debug packages %global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ +%global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ +%global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ +%global __requires_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ %else # Don't generate provides/requires for JDK provided shared libraries at all. %global __provides_exclude ^(%{_privatelibs}|%{_publiclibs})$ @@ -355,13 +385,9 @@ exit 0 %define post_headless() %{expand: -%ifarch %{jit_arches} -# MetaspaceShared::generate_vtable_methods not implemented for PPC JIT -%ifnarch %{ppc64le} -# see https://bugzilla.redhat.com/show_bug.cgi?id=513605 +%ifarch %{share_arches} %{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null %endif -%endif PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then @@ -445,10 +471,8 @@ alternatives \\ %endif --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\ --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\ -%ifarch %{jit_arches} -%ifnarch s390x +%ifarch %{sa_arches} --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\ -%endif %endif --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\ --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\ @@ -506,7 +530,7 @@ alternatives \\ --slave %{_mandir}/man1/jstatd.1$ext jstatd.1$ext \\ %{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \\ - %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext + %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext for X in %{origin} %{javaver} ; do alternatives \\ 
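Review bot: In the `@@ -308,7 +334,11 @@` hunk `%global __provides_exclude_from` and `%global __requires_exclude_from` are each defined twice, once for `debug_suffix_unquoted` and once for `fastdebug_suffix_unquoted`; a later `%global` replaces the earlier definition, so only the fastdebug paths end up excluded and slowdebug libraries regain lib-style provides/requires, contrary to the "Never generate lib-style provides/requires for any debug packages" comment above them. The spec already relies on regex alternation in `__provides_exclude ^(%{_privatelibs})$`, so the same works here: `%global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$|^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$` and the equivalent single definition for `__requires_exclude_from`.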
@@ -636,12 +660,10 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnio.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libprefs.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so -# Zero and S390x don't have SA -%ifarch %{jit_arches} -%ifnarch s390x +# Some architectures don't have the serviceability agent +%ifarch %{sa_arches} %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so %endif -%endif %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsunec.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so @@ -655,12 +677,8 @@ exit 0 %{_mandir}/man1/rmid-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1* %{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/ -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/client/ -%ifarch %{jit_arches} -%ifnarch %{power64} +%ifarch %{share_arches} %attr(444, root, root) %ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/classes.jsa -%attr(444, root, root) %ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/client/classes.jsa -%endif %endif %dir %{etcjavasubdir} %dir %{etcjavadir -- %{?1}} @@ -722,18 +740,16 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/javap %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jconsole %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jcmd -%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jfr %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdb %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeps %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeprscan +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jfr %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage -# Zero and S390x don't have SA -%ifarch %{jit_arches} -%ifnarch s390x +# Some architectures don't have the serviceability agent +%ifarch %{sa_arches} %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb %{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1.gz %endif -%endif %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap 
@@ -847,7 +863,7 @@ exit 0 %define files_javadoc() %{expand: %doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}} -%license %{buildoutputdir -- %{?1}}/images/%{jdkimage}/legal +%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal %if %is_system_jdk %if %{is_release_build -- %{?1}} %ghost %{_javadocdir}/java @@ -857,7 +873,7 @@ exit 0 %define files_javadoc_zip() %{expand: %doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip -%license %{buildoutputdir -- %{?1}}/images/%{jdkimage}/legal +%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal %if %is_system_jdk %if %{is_release_build -- %{?1}} %ghost %{_javadocdir}/java-zip @@ -869,6 +885,9 @@ exit 0 %define java_rpo() %{expand: Requires: fontconfig%{?_isa} Requires: xorg-x11-fonts-Type1 +# Require libXcomposite explicitly since it's only dynamically loaded +# at runtime. Fixes screenshot issues. See JDK-8150954. +Requires: libXcomposite%{?_isa} # Requires rest of java Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} @@ -896,6 +915,9 @@ Requires: ca-certificates Requires: javapackages-filesystem # Require zone-info data provided by tzdata-java sub-package Requires: tzdata-java >= 2015d +# for support of kernel stream control +# libsctp.so.1 is being `dlopen`ed on demand +Requires: lksctp-tools%{?_isa} # tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it, # not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be # considered as regression 
@@ -905,11 +927,10 @@ OrderWithRequires: copy-jdk-configs Requires: cups-libs # Post requires alternatives to install tool alternatives Requires(post): %{_sbindir}/alternatives -# chkconfig does not contain alternatives anymore # Postun requires alternatives to uninstall tool alternatives Requires(postun): %{_sbindir}/alternatives # for optional support of kernel stream control, card reader and printing bindings -Suggests: lksctp-tools%{?_isa}, pcsc-lite-libs%{?_isa} +Suggests: lksctp-tools%{?_isa}, pcsc-lite-devel%{?_isa} # Standard JPackage base provides Provides: jre-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} @@ -930,7 +951,6 @@ Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release} OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} # Post requires alternatives to install tool alternatives Requires(post): %{_sbindir}/alternatives -# chkconfig does not contain alternatives anymore # Postun requires alternatives to uninstall tool alternatives Requires(postun): %{_sbindir}/alternatives @@ -981,7 +1001,6 @@ Provides: java-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release} OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} # Post requires alternatives to install javadoc alternative Requires(post): %{_sbindir}/alternatives -# chkconfig does not contain alternatives anymore # Postun requires alternatives to uninstall javadoc alternative Requires(postun): %{_sbindir}/alternatives 
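Review bot: `Suggests: lksctp-tools%{?_isa}, pcsc-lite-devel%{?_isa}` in the `@@ -905,11 +927,10 @@` hunk moves the suggestion from `pcsc-lite-libs` back to `pcsc-lite-devel`, while the spec still carries Patch6 described as "Depend on pcs-lite-libs instead of pcs-lite-devel as this is only in optional repo"; the two now contradict each other, and a -devel package is an unusual runtime suggestion for a JRE. lksctp-tools is also a hard `Requires: lksctp-tools%{?_isa}` in the headless hunk just above, so keeping it in `Suggests:` is redundant. Unless the revert is deliberate, `Suggests: pcsc-lite-libs%{?_isa}` with a comment naming the reason looks like the safer line.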
@@ -1045,10 +1064,14 @@ License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv URL: http://openjdk.java.net/ -# to regenerate source0 (jdk) and source8 (jdk's taspets) run update_package.sh +# to regenerate source0 (jdk) run update_package.sh # update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives Source0: jdk-updates-jdk%{majorver}u-jdk-%{majorver}.%{minorver}.%{securityver}+%{buildver}.tar.xz -Source8: systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz + +# Use 'icedtea_sync.sh' to update the following +# They are based on code contained in the IcedTea project (3.x). +# Systemtap tapsets. Zipped up to keep it small. +Source8: tapsets-icedtea-%{icedteaver}.tar.xz # Desktop files. Adapted from IcedTea Source9: jconsole.desktop.in @@ -1065,6 +1088,9 @@ Source13: TestCryptoLevel.java # Ensure ECDSA is working Source14: TestECDSA.java +# Verify system crypto (policy) can be disabled via a property +Source15: TestSecurityProperties.java + ############################################ # # RPM/distribution specific patches @@ -1074,6 +1100,8 @@ Source14: TestECDSA.java # NSS via SunPKCS11 Provider (disabled comment # due to memory leak). Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch +# enable build of speculative store bypass hardened alt-java +Patch600: rh1750419-redhat_alt_java.patch # Ignore AWTError when assistive technologies are loaded Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch 
@@ -1084,7 +1112,8 @@ Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk1 Patch4: pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch # Depend on pcs-lite-libs instead of pcs-lite-devel as this is only in optional repo Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch - +# JDK-8259949: Use i686 instead of i586 on x86 when -fcf-protection is passed to the compiler, as CMOV is needed +Patch8: jdk8259949-allow_cf-protection_on_x86.patch ############################################# # @@ -1134,13 +1163,14 @@ BuildRequires: gcc >= 4.8.3-8 %if %{with_systemtap} BuildRequires: systemtap-sdt-devel %endif +BuildRequires: make # this is always built, also during debug-only build # when it is built in debug-only this package is just placeholder %{java_rpo %{nil}} %description -The %{origin_nice} runtime environment. +The %{origin_nice} runtime environment %{majorver}. %if %{include_debug_build} %package slowdebug @@ -1148,7 +1178,7 @@ Summary: %{origin_nice} Runtime Environment %{majorver} %{debug_on} %{java_rpo -- %{debug_suffix_unquoted}} %description slowdebug -The %{origin_nice} runtime environment. +The %{origin_nice} runtime environment %{majorver}. %{debug_warning} %endif @@ -1175,7 +1205,7 @@ The %{origin_nice} runtime environment %{majorver} without audio and video suppo %if %{include_debug_build} %package headless-slowdebug -Summary: %{origin_nice} Runtime Environment %{debug_on} +Summary: %{origin_nice} Runtime Environment %{majorver} %{debug_on} %{java_headless_rpo -- %{debug_suffix_unquoted}} @@ -1373,7 +1403,9 @@ Obsoletes: javadoc-slowdebug < 1:13.0.0.33-1.rolling %description javadoc The %{origin_nice} %{majorver} API documentation. +%endif +%if %{include_normal_build} %package javadoc-zip Summary: %{origin_nice} %{majorver} API documentation compressed in a single archive Requires: javapackages-filesystem 
@@ -1430,9 +1462,11 @@ pushd %{top_level_dir_name} %patch3 -p1 %patch4 -p1 %patch6 -p1 +%patch8 -p1 popd # openjdk %patch1000 +%patch600 # Extract systemtap tapsets %if %{with_systemtap} @@ -1532,7 +1566,7 @@ bash ../configure \ --with-jobs=1 \ %endif --with-version-build=%{buildver} \ - --with-version-pre="%{ea_designator}"\ + --with-version-pre="%{ea_designator}" \ --with-version-opt=%{lts_designator} \ --with-vendor-version-string="%{vendor_version_string}" \ --with-vendor-name="Red Hat, Inc." \ @@ -1554,7 +1588,7 @@ bash ../configure \ --with-extra-ldflags="%{ourldflags}" \ --with-num-cores="$NUM_PROC" \ --disable-javac-server \ -%ifarch x86_64 +%ifarch %{zgc_arches} --with-jvm-features=zgc \ %endif --disable-warnings-as-errors @@ -1596,7 +1630,6 @@ ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat # Create fake alt-java as a placeholder for future alt-java pushd ${JAVA_HOME} -cp -a bin/java bin/%{alt_java_name} # add alt-java man page echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 @@ -1612,7 +1645,7 @@ for suffix in %{rev_build_loop} ; do export JAVA_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{jdkimage} -#check sheandoah is enabled +#check Shenandoah is enabled %if %{use_shenandoah_hotspot} $JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version %endif 
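Review bot: In the hunk removing `cp -a bin/java bin/%{alt_java_name}`, the surviving context comment `# Create fake alt-java as a placeholder for future alt-java` is now stale: alt-java is built by the launcher patch (Patch600) and this block only writes its man page. Suggest replacing it with `# alt-java itself is built by patch600 (rh1750419); only its man page is created here`. The enclosing %build loop continues outside the hunk.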
@@ -1625,6 +1658,20 @@ $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLev $JAVA_HOME/bin/javac -d . %{SOURCE14} $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") +# Check system crypto (policy) can be disabled +$JAVA_HOME/bin/javac -d . %{SOURCE15} +$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||") || echo "crypto policy are now not honored i jdk15" + +# Check java launcher has no SSB mitigation +if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi + +# Check alt-java launcher has SSB mitigation on supported architectures +%ifarch %{ssbd_arches} +nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation +%else +if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi +%endif + # Check debug symbols in static libraries (smoke test) export STATIC_LIBS_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{static_libs_image} readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c @@ -1719,11 +1766,6 @@ mkdir -p $RPM_BUILD_ROOT%{_jvmdir} cp -a %{buildoutputdir -- $suffix}/images/%{jdkimage} \ $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix} -# Install jsa directories so we can owe them -mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/%{archinstall}/server/ -mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/%{archinstall}/client/ -mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/ || true ; # sometimes is here, sometimes not, ifout it or || true it out - pushd %{buildoutputdir $suffix}/images/%{jdkimage} %if %{with_systemtap} 
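Review bot: The negative checks `if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi` (and the `%else` branch for alt-java on non-ssbd arches) pass whenever `nm` prints nothing, including when the binary carries no symbol table or `nm` itself fails, so they cannot distinguish "no mitigation" from "nothing to inspect"; `set_speculation` is a `static` function in alt_main.h and will only be listed while the launcher is unstripped. Running `nm $JAVA_HOME/bin/java >/dev/null` on its own line before the grep (the build scriptlet runs under `sh -e`) makes a missing symbol table fail loudly instead of silently passing. The TestSecurityProperties invocation is neutralised by `|| echo ...`, as the changelog acknowledges, so that line documents an expectation rather than enforcing one.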
@@ -1777,7 +1819,7 @@ if ! echo $suffix | grep -q "debug" ; then install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir} cp -a %{buildoutputdir -- $suffix}/images/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix} built_doc_archive=jdk-%{majorver}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip - cp -a %{buildoutputdir -- $suffix}/bundles/jdk-%{majorver}.%{minorver}.%{securityver}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip + cp -a %{buildoutputdir -- $suffix}/bundles/jdk-%{majorver}.%{minorver}.%{securityver}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip || ls -l %{buildoutputdir -- $suffix}/bundles/ fi # Install icons and menu entries 
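Review bot: Appending `|| ls -l %{buildoutputdir -- $suffix}/bundles/` to the `cp -a ... docs.zip` line turns a missing docs bundle into a successful command, so the install scriptlet continues without the zip and the failure only surfaces later at %files with a less obvious message. Keep the listing but preserve the failure: `|| { ls -l %{buildoutputdir -- $suffix}/bundles/; false; }`.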
@@ -2045,6 +2087,39 @@ require "copy_jdk_configs.lua" %endif %changelog +* Tue Jan 19 2021 Andrew Hughes - 1:15.0.1.9-10.rolling +- Use -march=i686 for x86 builds if -fcf-protection is detected (needs CMOV) + +* Tue Dec 22 2020 Jiri Vanek - 1:15.0.1.9-9.rolling +- fixed missing condition for fastdebug packages being counted as debug ones + +* Sat Dec 19 2020 Jiri Vanek - 1:15.0.1.9-8.rolling +- removed lib-style provides for fastdebug_suffix_unquoted + +* Sat Dec 19 2020 Jiri Vanek - 1:15.0.1.9-6.rolling +- many cosmetic changes taken from more maintained jdk11 +- introduced debug_arches, bootstrap_arches, systemtap_arches, fastdebug_arches, sa_arches, share_arches, shenandoah_arches, zgc_arches + instead of various hardcoded ifarches +- updated systemtap +- added requires excludes for debug pkgs +- removed redundant logic around jsa files +- added runtime requires of lksctp-tools and libXcomposite% +- added and used Source15 TestSecurityProperties.java, but is made always positive as jdk15 now does not honor system policies +- s390x excluded form fastdebug build + +* Thu Dec 17 2020 Andrew Hughes - 1:15.0.1.9-5.rolling +- introduced nm based check to verify alt-java on x86_64 is patched, and no other alt-java or java is patched +- patch600 rh1750419-redhat_alt_java.patch amended to die, if it is used wrongly +- introduced ssbd_arches with currently only valid arch of x86_64 to separate real alt-java architectures + +* Wed Dec 9 2020 Jiri Vanek - 1:15.0.1.9-4.rolling +- moved wrongly placed licenses to accompany other ones +- this bad placement was killng parallel-installability and thus having bad impact to leapp if used + +* Tue Dec 01 2020 Jiri Vanek - 1:15.0.1.9-3.rolling +- added patch600, rh1750419-redhat_alt_java.patch, suprassing removed patch +- no longer copying of java->alt-java as it is created by patch600 + * Mon Nov 23 2020 Jiri Vanek - 1:15.0.1.9-2.rolling - Create a copy of java as alt-java with alternatives and man pages - java-11-openjdk doesn't 
have a JRE tree, so don't try and copy alt-java there...
diff --git a/jdk8259949-allow_cf-protection_on_x86.patch b/jdk8259949-allow_cf-protection_on_x86.patch
new file mode 100644
index 0000000..283fecf
--- /dev/null
+++ b/jdk8259949-allow_cf-protection_on_x86.patch
@@ -0,0 +1,27 @@
+diff --git openjdk.orig/make/autoconf/flags-cflags.m4 openjdk/make/autoconf/flags-cflags.m4
+--- openjdk.orig/make/autoconf/flags-cflags.m4
++++ openjdk/make/autoconf/flags-cflags.m4
+@@ -715,9 +715,21 @@
+ # CFLAGS PER CPU
+ if test "x$TOOLCHAIN_TYPE" = xgcc || test "x$TOOLCHAIN_TYPE" = xclang; then
+ # COMMON to gcc and clang
++ AC_MSG_CHECKING([if $1 is x86])
+ if test "x$FLAGS_CPU" = xx86; then
+- # Force compatibility with i586 on 32 bit intel platforms.
+- $1_CFLAGS_CPU="-march=i586"
++ AC_MSG_RESULT([yes])
++ AC_MSG_CHECKING([if control flow protection is enabled by additional compiler flags])
++ if echo "${EXTRA_CFLAGS}${EXTRA_CXXFLAGS}${EXTRA_ASFLAGS}" | ${GREP} -q 'fcf-protection' ; then
++ # cf-protection requires CMOV and thus i686
++ $1_CFLAGS_CPU="-march=i686"
++ AC_MSG_RESULT([yes, forcing ${$1_CFLAGS_CPU}])
++ else
++ # Force compatibility with i586 on 32 bit intel platforms.
++ $1_CFLAGS_CPU="-march=i586"
++ AC_MSG_RESULT([no, forcing ${$1_CFLAGS_CPU}])
++ fi
++ else
++ AC_MSG_RESULT([no])
+ fi
+ fi
+ 
diff --git a/rh1750419-redhat_alt_java.patch b/rh1750419-redhat_alt_java.patch
new file mode 100644
index 0000000..70f45d4
--- /dev/null
+++ b/rh1750419-redhat_alt_java.patch
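Review bot: `${GREP} -q 'fcf-protection'` in the added check also matches `-fcf-protection=none`, which disables the protection yet would still force `-march=i686`, and it matches the substring anywhere in the concatenated flags rather than as a flag. If that over-matching is acceptable it deserves a comment next to the `# cf-protection requires CMOV and thus i686` line; otherwise anchoring on an enabling form, e.g. `${GREP} -Eq -- '-fcf-protection(=(full|branch|return))?( |$)'`, keeps i586 for the `=none` case. The surrounding `if test "x$TOOLCHAIN_TYPE"` block is shown in full by the nested hunk.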
@@ -0,0 +1,114 @@
+diff -r 1356affa5e44 make/modules/java.base/Launcher.gmk
+--- openjdk/make/modules/java.base/Launcher.gmk
++++ openjdk/make/modules/java.base/Launcher.gmk
+@@ -37,6 +37,14 @@
+ 
+ $(eval $(call SetupBuildLauncher, java, \
+ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \
++ EXTRA_RC_FLAGS := $(JAVA_RC_FLAGS), \
++ VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \
++ OPTIMIZATION := HIGH, \
++))
++
++#Wno-error=cpp is present to allow commented warning in ifdef part of main.c
++$(eval $(call SetupBuildLauncher, alt-java, \
++ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \
+ EXTRA_RC_FLAGS := $(JAVA_RC_FLAGS), \
+ VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \
+ OPTIMIZATION := HIGH, \
+
+diff -r 25e94aa812b2 src/share/bin/alt_main.h
+--- /dev/null Thu Jan 01 00:00:00 1970 +0000
++++ openjdk/src/java.base/share/native/launcher/alt_main.h Tue Jun 02 17:15:28 2020 +0100
+@@ -0,0 +1,73 @@
++/*
++ * Copyright (c) 2019, Red Hat, Inc. All rights reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++#ifdef REDHAT_ALT_JAVA
++
++#include 
++
++
++/* Per task speculation control */
++#ifndef PR_GET_SPECULATION_CTRL
++# define PR_GET_SPECULATION_CTRL 52
++#endif
++#ifndef PR_SET_SPECULATION_CTRL
++# define PR_SET_SPECULATION_CTRL 53
++#endif
++/* Speculation control variants */
++#ifndef PR_SPEC_STORE_BYPASS
++# define PR_SPEC_STORE_BYPASS 0
++#endif
++/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
++
++#ifndef PR_SPEC_NOT_AFFECTED
++# define PR_SPEC_NOT_AFFECTED 0
++#endif
++#ifndef PR_SPEC_PRCTL
++# define PR_SPEC_PRCTL (1UL << 0)
++#endif
++#ifndef PR_SPEC_ENABLE
++# define PR_SPEC_ENABLE (1UL << 1)
++#endif
++#ifndef PR_SPEC_DISABLE
++# define PR_SPEC_DISABLE (1UL << 2)
++#endif
++#ifndef PR_SPEC_FORCE_DISABLE
++# define PR_SPEC_FORCE_DISABLE (1UL << 3)
++#endif
++#ifndef PR_SPEC_DISABLE_NOEXEC
++# define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
++#endif
++
++static void set_speculation() __attribute__((constructor));
++static void set_speculation() {
++ if ( prctl(PR_SET_SPECULATION_CTRL,
++ PR_SPEC_STORE_BYPASS,
++ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
++ return;
++ }
++ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
++}
++
++#endif // REDHAT_ALT_JAVA
+diff -r 25e94aa812b2 src/share/bin/main.c
+--- openjdk/src/java.base/share/native/launcher/main.c Wed Feb 05 12:20:36 2020 -0300
++++ openjdk/src/java.base/share/native/launcher/main.c Tue Jun 02 17:15:28 2020 +0100
+@@ -34,6 +34,14 @@
+ #include "jli_util.h"
+ #include "jni.h"
+ 
++#ifdef REDHAT_ALT_JAVA
++#if defined(__linux__) && defined(__x86_64__)
++#include 
"alt_main.h" ++#else ++#warning alt-java requested but SSB mitigation not available on this platform. ++#endif ++#endif ++ + #ifdef _MSC_VER + #if _MSC_VER > 1400 && _MSC_VER < 1600 + diff --git a/sources b/sources index eb2292c..cd9fd17 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ +SHA512 (tapsets-icedtea-3.15.0.tar.xz) = c752a197cb3d812d50c35e11e4722772be40096c81d2a57933e0d9b8a3c708b9c157b8108a4e33a06ca7bb81648170994408c75d6f69d5ff12785d0c31009671 SHA512 (jdk-updates-jdk15u-jdk-15.0.1+9.tar.xz) = acc488cf608d8104342e4fd88ddf8bb06d8674a2640d049a482cd0aaf8bf4e3acdbf78388f71fa87bbc177ce66ba182483340f787b8e13e5ca0cca0d4b62f938 -SHA512 (systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz) = cf578221b77d8c7e019f69909bc86c419c5fb5e10bceba9592ff6e7f96887b0a7f07c9cefe90800975247a078785ca190fdec5c2d0f841bb447cee784b570f7d