-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
8270199: Most SA tests are skipped on macosx-aarch64 because all executables are signed #6906
Conversation
👋 Welcome back cjplummer! A progress list of the required criteria for merging this PR into |
@plummercj The following labels will be automatically applied to this pull request:
When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing lists. If you would like to change these labels, use the /label pull request command. |
/label remove core-libs |
@plummercj |
@plummercj |
@plummercj This pull request has been inactive for more than 8 weeks and will be automatically closed if another 8 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration! |
Webrevs
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi Chris,
Seems fine. My only query/concern here is how reliable/stable this codesign verbose output is?
Thanks,
David
test/lib-test/jdk/test/lib/TestMutuallyExclusivePlatformPredicates.java
Outdated
Show resolved
Hide resolved
@plummercj This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be:
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 141 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the |
Hard to say, but this seems like the best solution at the moment. We can always adapt/adjust if needed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay. If the verbose output changes then we won't match and so will assume not-hardened and so proceed with the test. If then test then fails because the runtime actually was hardened then we will see in the log (hopefully) that the output was not as expected.
Thanks,
David
I could use one more review for this PR. Thanks. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good. No problem with dealing with future codesign output changes as they happen, or handling more flags in future, above the cases recognised here.
Kevin and David, thanks for the reviews! |
/integrate |
Going to push as commit 16e0ad0.
Your commit was automatically rebased without conflicts. |
@plummercj Pushed as commit 16e0ad0. 💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored. |
For any SA test that attaches to an OSX process (this would be all SA tests except for those that test core file support), there is a check to make sure that the target jvm process is not a signed binary. If it is, SkippedException is thrown, and the test passes without doing anything. This is all we can do since being signed implied being notarized, and debuggers cannot attach to a notarized binary.
I noticed that on macosx-aarch64, all our SA tests that attach to a process were being skipped because the binary was signed, even for debug builds. It turns out that for macosx-aarch64, the linker always ads what is known as ad-hoc signing. You can find some info on ad-hoc signing here:
https://eclecticlight.co/2020/08/22/apple-silicon-macs-will-require-signed-code/
The tests use the codesign tool to determine if the binary is signed. Normally the check just relies on getting an error code of 1 when not signed, but since all binaries are now signed on macosx-aarch64, we need to modify the check to ignore ad-hoc signing.
Using "codesign --display" on an an ad-hoc signed binary shows some output that is of interest:
bash-3.2$ codesign --display --verbose=4 a.out
CodeDirectory v=20400 size=254 flags=0x20002(adhoc,linker-signed) hashes=5+0 location=embedded
Looking for flags=0x20002(adhoc,linker-signed) will tell us if the binary is adhoc signed, which means we can assume that the SA tests can still be run against it.
Looking for flags=0x10000(runtime) will tell us that the binary is hardened. These are binaries that we cannot use with SA.
If the binary is not signed at all, which should only happen on macosx-x64, codesign will print the message "code object is not signed at all". We can also run SA against these binaries.
Due to fixing the issue, we now have to problem list a few more core file tests on macosx-aarch64 due to 8269982. This issue was not noticed in the past because the tests were not being run. This was due to most of our macosx-aarch64 machines not being capable of producing a core file. Without this fix the test assumes it couldn't produce the core file because the binary was signed. With this fix it, for binaries that are not hardened the test will fail if it does not produce a core file.
Progress
Issue
Reviewers
Reviewing
Using
git
Checkout this PR locally:
$ git fetch https://git.openjdk.java.net/jdk pull/6906/head:pull/6906
$ git checkout pull/6906
Update a local copy of the PR:
$ git checkout pull/6906
$ git pull https://git.openjdk.java.net/jdk pull/6906/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 6906
View PR using the GUI difftool:
$ git pr show -t 6906
Using diff file
Download this PR as a diff file:
https://git.openjdk.java.net/jdk/pull/6906.diff