From c242df0540a0550c9af5dc33abd4bdcdac946e05 Mon Sep 17 00:00:00 2001 From: Jason Katonica Date: Tue, 6 Aug 2024 15:18:11 -0400 Subject: [PATCH] Tolerate OpenJCEPlus FIPS binaries with jlink When using `jlink` to create a JRE a user may make use of the `jlink` argument `--strip-debug`. This argument executes a strip to remove unnecessary symbols and information from a library to provide for a minimal footprint size of the runtime being created. This update skips performing any strip commands against the FIPS libraries contained in the `openjceplus` module. This is required since any changes to the FIPS libraries will cause a failure when loading the library since a self verification process is done when the FIPS library is loaded. Signed-off-by: Jason Katonica
---
 .../StripNativeDebugSymbolsPlugin.java | 38 +++++++++++++++++-- 1 file changed, 35 insertions(+), 3 deletions(-)
diff --git a/src/jdk.jlink/linux/classes/jdk/tools/jlink/internal/plugins/StripNativeDebugSymbolsPlugin.java b/src/jdk.jlink/linux/classes/jdk/tools/jlink/internal/plugins/StripNativeDebugSymbolsPlugin.java
index d2f2307768d..542cd32ff69 100644
--- a/src/jdk.jlink/linux/classes/jdk/tools/jlink/internal/plugins/StripNativeDebugSymbolsPlugin.java
+++ b/src/jdk.jlink/linux/classes/jdk/tools/jlink/internal/plugins/StripNativeDebugSymbolsPlugin.java
@@ -22,6 +22,11 @@
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */
+/*
+ * ===========================================================================
+ * (c) Copyright IBM Corp. 2024, 2024 All Rights Reserved
+ * ===========================================================================
+ */
 package jdk.tools.jlink.internal.plugins;
 import java.io.InputStream;
@@ -104,9 +109,7 @@ public ResourcePool transform(ResourcePool in, ResourcePoolBuilder out) {
 stripBin);
 in.transformAndCopy((resource) -> {
 ResourcePoolEntry res = resource;
- if ((resource.type() == ResourcePoolEntry.Type.NATIVE_LIB &&
- resource.path().endsWith(SHARED_LIBS_EXT)) ||
- resource.type() == ResourcePoolEntry.Type.NATIVE_CMD) {
+ if (shouldStrip(resource)) {
 Optional strippedBin = builder.build(resource);
 if (strippedBin.isPresent()) {
 StrippedDebugInfoBinary sb = strippedBin.get();
@@ -131,6 +134,35 @@ public ResourcePool transform(ResourcePool in, ResourcePoolBuilder out) {
 return out.build();
 }
+ /**
+ * Method to determine if a particular resource should be stripped.
+ *
+ * Particular paths are added here to handle libraries within the openjceplus module.
+ * The FIPS certified library located in the C/icc directory is sensitive to
+ * any modifications to the native library. Performing any modifications to the library
+ * in any way, causes the FIPS library to fail to load due to a self verification check made.
+ *
+ * @param resource the resource to examine for stripping eligibility
+ * @return return true if stripping should be done on a particular resource, false otherwise
+ */
+ private static boolean shouldStrip(ResourcePoolEntry resource) {
+ switch (resource.type()) {
+ case NATIVE_CMD:
+ return true;
+ case NATIVE_LIB:
+ String path = resource.path();
+ if (path.endsWith(SHARED_LIBS_EXT)) {
+ if (!(resource.moduleName().equals("openjceplus") && path.contains("/C/icc/"))) {
+ return true;
+ }
+ }
+ break;
+ default:
+ break;
+ }
+ return false;
+ }
+
 private void logError(ResourcePoolEntry resource, String msgKey) {
 String msg = getMessage(msgKey,
 NAME,
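Review bot: In `shouldStrip` the FIPS exemption hinges on two inline literals, `"openjceplus"` and `"/C/icc/"`, inside a nested `if`, and a skipped library produces no message, so someone auditing a `--strip-debug` image cannot tell from the output which binaries were deliberately left untouched. Consider naming the literals as `private static final` constants and collapsing the `NATIVE_LIB` case to `boolean fipsLib = "openjceplus".equals(resource.moduleName()) && path.contains("/C/icc/");` followed by `return path.endsWith(SHARED_LIBS_EXT) && !fipsLib;`, which also does not depend on `moduleName()` being non-null. Because `contains` is a substring match on the whole path, every shared library below that directory in the module is exempt; if only the self-verifying library is meant, the Javadoc should say so or the match should be narrower. The `@return` line reads "return true", where the duplicated word can be dropped.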