Merge pull request #163 from ibmruntimes/openj9-staging

Merge jdk-17.0.6+5, jdk-17.0.6+6, and OpenJ9 changes to 0.36

Author: JasonFengJ9

closed/autoconf/custom-spec.gmk.in

@@ -131,12 +131,26 @@ endif
 # Usage: $(call CodesignFile, files ...)
 ifeq (,$(CODESIGN))
   CodesignFile =
+else ifeq (debug, $(MACOSX_CODESIGN_MODE))
+  define CodesignFile
+	$(CODESIGN) --remove-signature $1
+	$(CODESIGN) --sign - \
+		--entitlements $(TOPDIR)/make/data/macosxsigning/default-debug.plist \
+		--force \
+		$1
+  endef
+else ifeq (hardened, $(MACOSX_CODESIGN_MODE))
+  define CodesignFile
+	$(CODESIGN) --remove-signature $1
+	$(CODESIGN) --sign "$(MACOSX_CODESIGN_IDENTITY)" \
+		--entitlements $(TOPDIR)/make/data/macosxsigning/default.plist \
+		--force \
+		--options runtime \
+		--timestamp \
+		$1
+  endef
 else
-  CodesignFile = $(CODESIGN) --sign "$(MACOSX_CODESIGN_IDENTITY)" \
-	--entitlements $(TOPDIR)/make/data/macosxsigning/default.plist \
-	--options runtime \
-	--timestamp \
-	$1
+  CodesignFile =
 endif
 
 # Archive from which to import Health Center content.

closed/openjdk-tag.gmk

@@ -1 +1 @@
-OPENJDK_TAG := jdk-17.0.6+4
+OPENJDK_TAG := jdk-17.0.6+6

doc/building.html

@@ -70,6 +70,9 @@ <h1 class="title">Building the JDK</h1>
 <li><a href="#make-control-variables">Make Control Variables</a></li>
 </ul></li>
 <li><a href="#running-tests">Running Tests</a></li>
+<li><a href="#signing">Signing</a><ul>
+<li><a href="#macos-1">macOS</a></li>
+</ul></li>
 <li><a href="#cross-compiling">Cross-compiling</a><ul>
 <li><a href="#cross-compiling-the-easy-way-with-openjdk-devkits">Cross compiling the easy way with OpenJDK devkits</a></li>
 <li><a href="#boot-jdk-and-build-jdk">Boot JDK and Build JDK</a></li>
@@ -488,7 +491,7 @@ <h4 id="general-make-control-variables">General Make Control Variables</h4>
 <li><code>CONF</code> and <code>CONF_NAME</code> - Selecting the configuration(s) to use. See <a href="#using-multiple-configurations">Using Multiple Configurations</a></li>
 </ul>
 <h4 id="test-make-control-variables">Test Make Control Variables</h4>
-<p>These make control variables only make sense when running tests. Please see <a href="testing.html">Testing the JDK</a> for details.</p>
+<p>These make control variables only make sense when running tests. Please see <strong>Testing the JDK</strong> (<a href="testing.html">html</a>, <a href="testing.md">markdown</a>) for details.</p>
 <ul>
 <li><code>TEST</code></li>
 <li><code>TEST_JOBS</code></li>
@@ -514,7 +517,13 @@ <h2 id="running-tests">Running Tests</h2>
 </ul>
 <p>To execute the most basic tests (tier 1), use:</p>
 <pre><code>make run-test-tier1</code></pre>
-<p>For more details on how to run tests, please see the <a href="testing.html">Testing the JDK</a> document.</p>
+<p>For more details on how to run tests, please see <strong>Testing the JDK</strong> (<a href="testing.html">html</a>, <a href="testing.md">markdown</a>).</p>
+<h2 id="signing">Signing</h2>
+<h3 id="macos-1">macOS</h3>
+<p>Modern versions of macOS require applications to be signed and notarizied before distribution. See Apple's documentation for more background on what this means and how it works. To help support this, the JDK build can be configured to automatically sign all native binaries, and the JDK bundle, with all the options needed for successful notarization, as well as all the entitlements required by the JDK. To enable <code>hardened</code> signing, use configure parameter <code>--with-macosx-codesign=hardened</code> and configure the signing identity you wish to use with <code>--with-macosx-codesign-identity=&lt;identity&gt;</code>. The identity refers to a signing identity from Apple that needs to be preinstalled on the build host.</p>
+<p>When not signing for distribution with the hardened option, the JDK build will still attempt to perform <code>adhoc</code> signing to add the special entitlement <code>com.apple.security.get-task-allow</code> to each binary. This entitlement is required to be able to dump core files from a process. Note that adding this entitlement makes the build invalid for notarization, so it is only added when signing in <code>debug</code> mode. To explicitly enable this kind of adhoc signing, use configure parameter <code>--with-macosx-codesign=debug</code>. It will be enabled by default in most cases.</p>
+<p>It's also possible to completely disable any explicit codesign operations done by the JDK build using the configure parameter <code>--without-macosx-codesign</code>. The exact behavior then depends on the architecture. For macOS on x64, it (at least at the time of this writing) results in completely unsigned binaries that should still work fine for development and debugging purposes. On aarch64, the Xcode linker will apply a default &quot;adhoc&quot; signing, without any entitlements. Such a build does not allow dumping core files.</p>
+<p>The default mode &quot;auto&quot; will try for <code>hardened</code> signing if the debug level is <code>release</code> and either the default identity or the specified identity is valid. If hardened isn't possible, then <code>debug</code> signing is chosen if it works. If nothing works, the codesign build step is disabled.</p>
 <h2 id="cross-compiling">Cross-compiling</h2>
 <p>Cross-compiling means using one platform (the <em>build</em> platform) to generate output that can ran on another platform (the <em>target</em> platform).</p>
 <p>The typical reason for cross-compiling is that the build is performed on a more powerful desktop computer, but the resulting binaries will be able to run on a different, typically low-performing system. Most of the complications that arise when building for embedded is due to this separation of <em>build</em> and <em>target</em> systems.</p>

doc/building.md

@@ -818,7 +818,7 @@ configuration, as opposed to the "configure time" configuration.
 #### Test Make Control Variables
 
 These make control variables only make sense when running tests. Please see
-[Testing the JDK](testing.html) for details.
+**Testing the JDK** ([html](testing.html), [markdown](testing.md)) for details.
 
   * `TEST`
   * `TEST_JOBS`
@@ -865,8 +865,44 @@ To execute the most basic tests (tier 1), use:
 make run-test-tier1
 ```
 
-For more details on how to run tests, please see the [Testing
-the JDK](testing.html) document.
+For more details on how to run tests, please see **Testing the JDK**
+([html](testing.html), [markdown](testing.md)).
+
+## Signing
+
+### macOS
+
+Modern versions of macOS require applications to be signed and notarizied before
+distribution. See Apple's documentation for more background on what this means
+and how it works. To help support this, the JDK build can be configured to
+automatically sign all native binaries, and the JDK bundle, with all the options
+needed for successful notarization, as well as all the entitlements required by
+the JDK. To enable `hardened` signing, use configure parameter
+`--with-macosx-codesign=hardened` and configure the signing identity you wish to
+use with `--with-macosx-codesign-identity=<identity>`. The identity refers to a
+signing identity from Apple that needs to be preinstalled on the build host.
+
+When not signing for distribution with the hardened option, the JDK build will
+still attempt to perform `adhoc` signing to add the special entitlement
+`com.apple.security.get-task-allow` to each binary. This entitlement is required
+to be able to dump core files from a process. Note that adding this entitlement
+makes the build invalid for notarization, so it is only added when signing in
+`debug` mode. To explicitly enable this kind of adhoc signing, use configure
+parameter `--with-macosx-codesign=debug`. It will be enabled by default in most
+cases.
+
+It's also possible to completely disable any explicit codesign operations done
+by the JDK build using the configure parameter `--without-macosx-codesign`.
+The exact behavior then depends on the architecture. For macOS on x64, it (at
+least at the time of this writing) results in completely unsigned binaries that
+should still work fine for development and debugging purposes. On aarch64, the
+Xcode linker will apply a default "adhoc" signing, without any entitlements.
+Such a build does not allow dumping core files.
+
+The default mode "auto" will try for `hardened` signing if the debug level is
+`release` and either the default identity or the specified identity is valid.
+If hardened isn't possible, then `debug` signing is chosen if it works. If
+nothing works, the codesign build step is disabled.
 
 ## Cross-compiling
 

make/Bundles.gmk

@@ -278,16 +278,7 @@ ifneq ($(filter product-bundles% legacy-bundles, $(MAKECMDGOALS)), )
       $(SYMBOLS_EXCLUDE_PATTERN), \
       $(ALL_JRE_FILES))
 
-  # On Macosx release builds, when there is a code signing certificate available,
-  # the final bundle layout can be signed.
-  SIGN_BUNDLE := false
-  ifeq ($(call isTargetOs, macosx)+$(DEBUG_LEVEL), true+release)
-    ifneq ($(CODESIGN), )
-      SIGN_BUNDLE := true
-    endif
-  endif
-
-  ifeq ($(SIGN_BUNDLE), true)
+  ifeq ($(MACOSX_CODESIGN_MODE), hardened)
     # Macosx release build and code signing available.
 
     ################################################################################

make/autoconf/basic_tools.m4

@@ -160,25 +160,23 @@ AC_DEFUN([BASIC_CHECK_MAKE_VERSION],
 AC_DEFUN([BASIC_CHECK_MAKE_OUTPUT_SYNC],
 [
   # Check if make supports the output sync option and if so, setup using it.
-  AC_MSG_CHECKING([if make --output-sync is supported])
-  if $MAKE --version -O > /dev/null 2>&1; then
-    OUTPUT_SYNC_SUPPORTED=true
-    AC_MSG_RESULT([yes])
-    AC_MSG_CHECKING([for output-sync value])
-    AC_ARG_WITH([output-sync], [AS_HELP_STRING([--with-output-sync],
-      [set make output sync type if supported by make. @<:@recurse@:>@])],
-      [OUTPUT_SYNC=$with_output_sync])
-    if test "x$OUTPUT_SYNC" = "x"; then
-      OUTPUT_SYNC=none
-    fi
-    AC_MSG_RESULT([$OUTPUT_SYNC])
-    if ! $MAKE --version -O$OUTPUT_SYNC > /dev/null 2>&1; then
-      AC_MSG_ERROR([Make did not the support the value $OUTPUT_SYNC as output sync type.])
-    fi
-  else
-    OUTPUT_SYNC_SUPPORTED=false
-    AC_MSG_RESULT([no])
-  fi
+  UTIL_ARG_WITH(NAME: output-sync, TYPE: literal,
+      VALID_VALUES: [none recurse line target], DEFAULT: recurse,
+      OPTIONAL: true, ENABLED_DEFAULT: true,
+      ENABLED_RESULT: OUTPUT_SYNC_SUPPORTED,
+      CHECKING_MSG: [for make --output-sync value],
+      DESC: [set make --output-sync type if supported by make],
+      CHECK_AVAILABLE:
+      [
+        AC_MSG_CHECKING([if make --output-sync is supported])
+        if ! $MAKE --version -O > /dev/null 2>&1; then
+          AC_MSG_RESULT([no])
+          AVAILABLE=false
+        else
+          AC_MSG_RESULT([yes])
+        fi
+      ]
+  )
   AC_SUBST(OUTPUT_SYNC_SUPPORTED)
   AC_SUBST(OUTPUT_SYNC)
 ])
@@ -378,43 +376,6 @@ AC_DEFUN_ONCE([BASIC_SETUP_COMPLEX_TOOLS],
     UTIL_REQUIRE_PROGS(MIG, mig)
     UTIL_REQUIRE_PROGS(XATTR, xattr)
     UTIL_LOOKUP_PROGS(CODESIGN, codesign)
-
-    if test "x$CODESIGN" != "x"; then
-      # Check for user provided code signing identity.
-      # If no identity was provided, fall back to "openjdk_codesign".
-      AC_ARG_WITH([macosx-codesign-identity], [AS_HELP_STRING([--with-macosx-codesign-identity],
-        [specify the code signing identity])],
-        [MACOSX_CODESIGN_IDENTITY=$with_macosx_codesign_identity],
-        [MACOSX_CODESIGN_IDENTITY=openjdk_codesign]
-      )
-
-      AC_SUBST(MACOSX_CODESIGN_IDENTITY)
-
-      # Verify that the codesign certificate is present
-      AC_MSG_CHECKING([if codesign certificate is present])
-      $RM codesign-testfile
-      $TOUCH codesign-testfile
-      $CODESIGN -s "$MACOSX_CODESIGN_IDENTITY" codesign-testfile 2>&AS_MESSAGE_LOG_FD \
-          >&AS_MESSAGE_LOG_FD || CODESIGN=
-      $RM codesign-testfile
-      if test "x$CODESIGN" = x; then
-        AC_MSG_RESULT([no])
-      else
-        AC_MSG_RESULT([yes])
-        # Verify that the codesign has --option runtime
-        AC_MSG_CHECKING([if codesign has --option runtime])
-        $RM codesign-testfile
-        $TOUCH codesign-testfile
-        $CODESIGN --option runtime -s "$MACOSX_CODESIGN_IDENTITY" codesign-testfile \
-            2>&AS_MESSAGE_LOG_FD >&AS_MESSAGE_LOG_FD || CODESIGN=
-        $RM codesign-testfile
-        if test "x$CODESIGN" = x; then
-          AC_MSG_ERROR([codesign does not have --option runtime. macOS 10.13.6 and above is required.])
-        else
-          AC_MSG_RESULT([yes])
-        fi
-      fi
-    fi
     UTIL_REQUIRE_PROGS(SETFILE, SetFile)
   fi
   if ! test "x$OPENJDK_TARGET_OS" = "xwindows"; then

make/autoconf/configure.ac

@@ -249,6 +249,7 @@ JDKOPT_EXCLUDE_TRANSLATIONS
 JDKOPT_ENABLE_DISABLE_MANPAGES
 JDKOPT_ENABLE_DISABLE_CDS_ARCHIVE
 JDKOPT_ENABLE_DISABLE_COMPATIBLE_CDS_ALIGNMENT
+JDKOPT_SETUP_MACOSX_SIGNING
 
 ###############################################################################
 #

make/autoconf/jdk-options.m4

@@ -727,3 +727,105 @@ AC_DEFUN_ONCE([JDKOPT_SETUP_REPRODUCIBLE_BUILD],
   AC_SUBST(SOURCE_DATE)
   AC_SUBST(ENABLE_REPRODUCIBLE_BUILD)
 ])
+
+################################################################################
+#
+# Setup signing on macOS. This can either be setup to sign with a real identity
+# and enabling the hardened runtime, or it can simply add the debug entitlement
+# com.apple.security.get-task-allow without actually signing any binaries. The
+# latter is needed to be able to debug processes and dump core files on modern
+# versions of macOS. It can also be skipped completely.
+#
+# Check if codesign will run with the given parameters
+# $1: Parameters to run with
+# $2: Checking message
+# Sets CODESIGN_SUCCESS=true/false
+AC_DEFUN([JDKOPT_CHECK_CODESIGN_PARAMS],
+[
+  PARAMS="$1"
+  MESSAGE="$2"
+  CODESIGN_TESTFILE="$CONFIGURESUPPORT_OUTPUTDIR/codesign-testfile"
+  $RM "$CODESIGN_TESTFILE"
+  $TOUCH "$CODESIGN_TESTFILE"
+  CODESIGN_SUCCESS=false
+  $CODESIGN $PARAMS "$CODESIGN_TESTFILE" 2>&AS_MESSAGE_LOG_FD \
+      >&AS_MESSAGE_LOG_FD && CODESIGN_SUCCESS=true
+  $RM "$CODESIGN_TESTFILE"
+  AC_MSG_CHECKING([$MESSAGE])
+  if test "x$CODESIGN_SUCCESS" = "xtrue"; then
+    AC_MSG_RESULT([yes])
+  else
+    AC_MSG_RESULT([no])
+  fi
+])
+
+AC_DEFUN([JDKOPT_CHECK_CODESIGN_HARDENED],
+[
+  JDKOPT_CHECK_CODESIGN_PARAMS([-s "$MACOSX_CODESIGN_IDENTITY" --option runtime],
+      [if codesign with hardened runtime is possible])
+])
+
+AC_DEFUN([JDKOPT_CHECK_CODESIGN_DEBUG],
+[
+  JDKOPT_CHECK_CODESIGN_PARAMS([-s -], [if debug mode codesign is possible])
+])
+
+AC_DEFUN([JDKOPT_SETUP_MACOSX_SIGNING],
+[
+  ENABLE_CODESIGN=false
+  if test "x$OPENJDK_TARGET_OS" = "xmacosx" && test "x$CODESIGN" != "x"; then
+
+    UTIL_ARG_WITH(NAME: macosx-codesign, TYPE: literal, OPTIONAL: true,
+        VALID_VALUES: [hardened debug auto], DEFAULT: auto,
+        ENABLED_DEFAULT: true,
+        CHECKING_MSG: [for macosx code signing mode],
+        DESC: [set the macosx code signing mode (hardened, debug, auto)]
+    )
+
+    MACOSX_CODESIGN_MODE=disabled
+    if test "x$MACOSX_CODESIGN_ENABLED" = "xtrue"; then
+
+      # Check for user provided code signing identity.
+      UTIL_ARG_WITH(NAME: macosx-codesign-identity, TYPE: string,
+          DEFAULT: openjdk_codesign, CHECK_VALUE: UTIL_CHECK_STRING_NON_EMPTY,
+          DESC: [specify the macosx code signing identity],
+          CHECKING_MSG: [for macosx code signing identity]
+      )
+      AC_SUBST(MACOSX_CODESIGN_IDENTITY)
+
+      if test "x$MACOSX_CODESIGN" = "xauto"; then
+        # Only try to default to hardened signing on release builds
+        if test "x$DEBUG_LEVEL" = "xrelease"; then
+          JDKOPT_CHECK_CODESIGN_HARDENED
+          if test "x$CODESIGN_SUCCESS" = "xtrue"; then
+            MACOSX_CODESIGN_MODE=hardened
+          fi
+        fi
+        if test "x$MACOSX_CODESIGN_MODE" = "xdisabled"; then
+          JDKOPT_CHECK_CODESIGN_DEBUG
+          if test "x$CODESIGN_SUCCESS" = "xtrue"; then
+            MACOSX_CODESIGN_MODE=debug
+          fi
+        fi
+        AC_MSG_CHECKING([for macosx code signing mode])
+        AC_MSG_RESULT([$MACOSX_CODESIGN_MODE])
+      elif test "x$MACOSX_CODESIGN" = "xhardened"; then
+        JDKOPT_CHECK_CODESIGN_HARDENED
+        if test "x$CODESIGN_SUCCESS" = "xfalse"; then
+          AC_MSG_ERROR([Signing with hardened runtime is not possible])
+        fi
+        MACOSX_CODESIGN_MODE=hardened
+      elif test "x$MACOSX_CODESIGN" = "xdebug"; then
+        JDKOPT_CHECK_CODESIGN_DEBUG
+        if test "x$CODESIGN_SUCCESS" = "xfalse"; then
+          AC_MSG_ERROR([Signing in debug mode is not possible])
+        fi
+        MACOSX_CODESIGN_MODE=debug
+      else
+        AC_MSG_ERROR([unknown value for --with-macosx-codesign: $MACOSX_CODESIGN])
+      fi
+    fi
+    AC_SUBST(MACOSX_CODESIGN_IDENTITY)
+    AC_SUBST(MACOSX_CODESIGN_MODE)
+  fi
+])

make/autoconf/spec.gmk.in

@@ -443,7 +443,8 @@ MACOSX_VERSION_MIN=@MACOSX_VERSION_MIN@
 # The highest allowed version of macosx
 MACOSX_VERSION_MAX=@MACOSX_VERSION_MAX@
 
-# The macosx code signing identity to use
+# The macosx code signing configuration
+MACOSX_CODESIGN_MODE:=@MACOSX_CODESIGN_MODE@
 MACOSX_CODESIGN_IDENTITY=@MACOSX_CODESIGN_IDENTITY@
 
 # Toolchain type: gcc, clang, xlc, microsoft...