Enable -XX:[+|-]CRIUSecProvider JVM option

WilburZjh · WilburZjh · commit df6acd48f8b8 · 2023-11-21T09:53:43.000-05:00
Whenever we are performing a checkpoint
this is typically done by enabling
-XX:+EnableCRIUSupport. It will remove
all the security providers and the
CRIUSecProvider is inserted to the
runtime enviroment. This provides a more
locked down approach to what cryptography
is allowed while taking a checkpoint.

Therefore, this new flag is introduced by
passing it after -XX:+EnableCRIUSupport is
enabled. When this option is used, we no
longer make use of CRIUSecProvider and
instead use normal provider loading to
enable all security algorithms in an out
of the box state. This can allow users to
make use of any algorithms in the various
providers available.
diff --git a/jcl/src/java.base/share/classes/openj9/internal/criu/InternalCRIUSupport.java b/jcl/src/java.base/share/classes/openj9/internal/criu/InternalCRIUSupport.java
@@ -25,17 +25,15 @@
 /**
  * Internal CRIU Support API
  */
-/*[IF JAVA_SPEC_VERSION >= 17]*/
-@SuppressWarnings({ "deprecation", "removal" })
-/*[ENDIF] JAVA_SPEC_VERSION >= 17 */
 public final class InternalCRIUSupport {
 	private static final boolean criuSupportEnabled = isCRIUSupportEnabledImpl();
 	private static long checkpointRestoreNanoTimeDelta;
 
-	private static native boolean isCRIUSupportEnabledImpl();
-	private static native boolean isCheckpointAllowedImpl();
+	private static native boolean enableCRIUSecProviderImpl();
 	private static native long getCheckpointRestoreNanoTimeDeltaImpl();
 	private static native long getLastRestoreTimeImpl();
+	private static native boolean isCRIUSupportEnabledImpl();
+	private static native boolean isCheckpointAllowedImpl();
 
 	/**
 	 * Retrieve the elapsed time between Checkpoint and Restore.
@@ -70,6 +68,20 @@ public synchronized static boolean isCRIUSupportEnabled() {
 		return criuSupportEnabled;
 	}
 
+	/**
+	 * Checks if CRIU Security provider is enabled
+	 * when CRIU support is enabled.
+	 *
+	 * @return true if enabled, otherwise false
+	 */
+	public static boolean enableCRIUSecProvider() {
+		boolean isCRIUSecProviderEnabled = false;
+		if (criuSupportEnabled) {
+			isCRIUSecProviderEnabled = enableCRIUSecProviderImpl();
+		}
+		return isCRIUSecProviderEnabled;
+	}
+
 	/**
 	 * Queries if CRIU Checkpoint is allowed.
 	 * isCRIUSupportEnabled() is invoked first to check if CRIU support is enabled,
diff --git a/jcl/src/openj9.criu/share/classes/org/eclipse/openj9/criu/CRIUSupport.java b/jcl/src/openj9.criu/share/classes/org/eclipse/openj9/criu/CRIUSupport.java
@@ -203,6 +203,17 @@ public static boolean isCRIUSupportEnabled() {
 		return (nativeLoaded && InternalCRIUSupport.isCRIUSupportEnabled());
 	}
 
+	/**
+	 * Checks if the CRIUSecProvider is enabled when CRIU
+	 * checkpoints are allowed (checks whether -XX:-CRIUSecProvider
+	 * has been specified).
+	 *
+	 * @return true if CRIUSecProvider is enabled, otherwise false
+	 */
+	public static boolean enableCRIUSecProvider() {
+		return InternalCRIUSupport.enableCRIUSecProvider();
+	}
+
 	/**
 	 * Queries if CRIU Checkpoint is allowed. With -XX:+CRIURestoreNonPortableMode enabled
 	 * (default policy) only a single checkpoint is allowed.
diff --git a/runtime/jcl/common/criu.cpp b/runtime/jcl/common/criu.cpp
@@ -71,5 +71,18 @@ Java_openj9_internal_criu_InternalCRIUSupport_isCRIUSupportEnabledImpl(JNIEnv *e
 
 	return res;
 }
+
+jboolean JNICALL
+Java_openj9_internal_criu_InternalCRIUSupport_enableCRIUSecProviderImpl(JNIEnv *env, jclass unused)
+{
+	J9VMThread *currentThread = (J9VMThread *)env;
+	jboolean res = JNI_FALSE;
+
+	if (currentThread->javaVM->internalVMFunctions->enableCRIUSecProvider(currentThread)) {
+		res = JNI_TRUE;
+	}
+
+	return res;
+}
 #endif /* defined(J9VM_OPT_CRIU_SUPPORT) */
 }
diff --git a/runtime/jcl/exports.cmake b/runtime/jcl/exports.cmake
@@ -670,6 +670,7 @@ endif()
 # J9VM_OPT_CRIU_SUPPORT
 if(J9VM_OPT_CRIU_SUPPORT)
 	omr_add_exports(jclse
+		Java_openj9_internal_criu_InternalCRIUSupport_enableCRIUSecProviderImpl
 		Java_openj9_internal_criu_InternalCRIUSupport_getCheckpointRestoreNanoTimeDeltaImpl
 		Java_openj9_internal_criu_InternalCRIUSupport_getLastRestoreTimeImpl
 		Java_openj9_internal_criu_InternalCRIUSupport_isCheckpointAllowedImpl
diff --git a/runtime/jcl/uma/criu_exports.xml b/runtime/jcl/uma/criu_exports.xml
@@ -20,6 +20,7 @@ OpenJDK Assembly Exception [2].
 SPDX-License-Identifier: EPL-2.0 OR Apache-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0 OR GPL-2.0-only WITH OpenJDK-assembly-exception-1.0
 -->
 <exports group="criu">
+	<export name="Java_openj9_internal_criu_InternalCRIUSupport_enableCRIUSecProviderImpl" />
 	<export name="Java_openj9_internal_criu_InternalCRIUSupport_getCheckpointRestoreNanoTimeDeltaImpl" />
 	<export name="Java_openj9_internal_criu_InternalCRIUSupport_getLastRestoreTimeImpl" />
 	<export name="Java_openj9_internal_criu_InternalCRIUSupport_isCheckpointAllowedImpl" />
diff --git a/runtime/oti/j9nonbuilder.h b/runtime/oti/j9nonbuilder.h
@@ -4205,6 +4205,7 @@ typedef struct J9DelayedLockingOpertionsRecord {
 #define J9VM_CRIU_IS_JDWP_ENABLED 0x8
 #define J9VM_CRIU_IS_THROW_ON_DELAYED_CHECKPOINT_ENABLED 0x10
 #define J9VM_CRIU_IS_PORTABLE_JVM_RESTORE_MODE 0x20
+#define J9VM_CRIU_ENABLE_CRIU_SEC_PROVIDER 0x40
 
 typedef struct J9CRIUCheckpointState {
 	U_32 flags;
@@ -5025,6 +5026,7 @@ typedef struct J9InternalVMFunctions {
 	BOOLEAN (*jvmRestoreHooks)(struct J9VMThread *currentThread);
 	BOOLEAN (*isCRIUSupportEnabled)(struct J9VMThread *currentThread);
 	BOOLEAN (*isCRIUSupportEnabled_VM)(struct J9JavaVM *vm);
+	BOOLEAN (*enableCRIUSecProvider)(struct J9VMThread *currentThread);
 	BOOLEAN (*isCheckpointAllowed)(struct J9VMThread *currentThread);
 	BOOLEAN (*isNonPortableRestoreMode)(struct J9VMThread *currentThread);
 	BOOLEAN (*isJVMInPortableRestoreMode)(struct J9VMThread *currentThread);
diff --git a/runtime/oti/jclprots.h b/runtime/oti/jclprots.h
@@ -1292,6 +1292,9 @@ Java_jdk_internal_misc_ScopedMemoryAccess_closeScope0(JNIEnv *env, jobject insta
 
 #if defined(J9VM_OPT_CRIU_SUPPORT)
 /* criu.cpp */
+jboolean JNICALL
+Java_openj9_internal_criu_InternalCRIUSupport_enableCRIUSecProviderImpl(JNIEnv *env, jclass unused);
+
 jlong JNICALL
 Java_openj9_internal_criu_InternalCRIUSupport_getCheckpointRestoreNanoTimeDeltaImpl(JNIEnv *env, jclass unused);
 
diff --git a/runtime/oti/jvminit.h b/runtime/oti/jvminit.h
@@ -424,6 +424,8 @@ enum INIT_STAGE {
 #if defined(J9VM_OPT_CRIU_SUPPORT)
 #define VMOPT_XXENABLECRIU "-XX:+EnableCRIUSupport"
 #define VMOPT_XXDISABLECRIU "-XX:-EnableCRIUSupport"
+#define VMOPT_XXENABLECRIUSECPROVIDER "-XX:+CRIUSecProvider"
+#define VMOPT_XXDISABLECRIUSECPROVIDER "-XX:-CRIUSecProvider"
 #define VMOPT_XXENABLECRIUNONPORTABLEMODE "-XX:+CRIURestoreNonPortableMode"
 #define VMOPT_XXDISABLECRIUNONPORTABLEMODE "-XX:-CRIURestoreNonPortableMode"
 #define VMOPT_XXENABLEJVMRESTOREPORTABLEMODE "-XX:+JVMPortableRestoreMode"
diff --git a/runtime/oti/vm_api.h b/runtime/oti/vm_api.h
@@ -517,6 +517,17 @@ isCRIUSupportEnabled(J9VMThread *currentThread);
 BOOLEAN
 isCRIUSupportEnabled_VM(J9JavaVM *vm);
 
+/**
+ * @brief Checks if the CRIU security provider is enabled when CRIU
+ * checkpoints are allowed. By default it is enabled, it can be disabled with
+ * -XX:-CRIUSecProvider.
+ *
+ * @param currentThread vmthread token
+ * @return TRUE if enabled, FALSE otherwise
+ */
+BOOLEAN
+enableCRIUSecProvider(J9VMThread *currentThread);
+
 /**
  * @brief Queries if checkpointing is permitted. Note, when
  * -XX:+CRIURestoreNonPortableMode option is specified checkpointing
diff --git a/runtime/vm/CRIUHelpers.cpp b/runtime/vm/CRIUHelpers.cpp
@@ -128,6 +128,18 @@ isCheckpointAllowed(J9VMThread *currentThread)
 	return result;
 }
 
+BOOLEAN
+enableCRIUSecProvider(J9VMThread *currentThread)
+{
+	BOOLEAN result = FALSE;
+
+	if (isCRIUSupportEnabled(currentThread)) {
+		result = J9_ARE_ANY_BITS_SET(currentThread->javaVM->checkpointState.flags, J9VM_CRIU_ENABLE_CRIU_SEC_PROVIDER);
+	}
+
+	return result;
+}
+
 BOOLEAN
 isNonPortableRestoreMode(J9VMThread *currentThread)
 {
diff --git a/runtime/vm/intfunc.c b/runtime/vm/intfunc.c
@@ -409,6 +409,7 @@ J9InternalVMFunctions J9InternalFunctions = {
 	jvmRestoreHooks,
 	isCRIUSupportEnabled,
 	isCRIUSupportEnabled_VM,
+	enableCRIUSecProvider,
 	isCheckpointAllowed,
 	isNonPortableRestoreMode,
 	isJVMInPortableRestoreMode,
diff --git a/runtime/vm/jvminit.c b/runtime/vm/jvminit.c
@@ -3885,6 +3885,16 @@ processVMArgsFromFirstToLast(J9JavaVM * vm)
 		}
 	}
 
+	{
+		IDATA enableCRIUSecProvider = FIND_AND_CONSUME_VMARG(EXACT_MATCH, VMOPT_XXENABLECRIUSECPROVIDER, NULL);
+		IDATA disableCRIUSecProvider = FIND_AND_CONSUME_VMARG(EXACT_MATCH, VMOPT_XXDISABLECRIUSECPROVIDER, NULL);
+		if (enableCRIUSecProvider >= disableCRIUSecProvider) {
+			if (J9_ARE_ANY_BITS_SET(vm->checkpointState.flags, J9VM_CRIU_IS_CHECKPOINT_ENABLED)) {
+				vm->checkpointState.flags |= J9VM_CRIU_ENABLE_CRIU_SEC_PROVIDER;
+			}
+		}
+	}
+
 	{
 		IDATA enableCRIUNonPortableMode = FIND_AND_CONSUME_VMARG(EXACT_MATCH, VMOPT_XXENABLECRIUNONPORTABLEMODE, NULL);
 		IDATA disableCRIUNonPortableMode = FIND_AND_CONSUME_VMARG(EXACT_MATCH, VMOPT_XXDISABLECRIUNONPORTABLEMODE, NULL);

Original file line number	Diff line number	Diff line change
`@@ -3885,6 +3885,16 @@ processVMArgsFromFirstToLast(J9JavaVM * vm)`
`3885`	`3885`	`}`
`3886`	`3886`	`}`
`3887`	`3887`
	`3888`	`+ {`
	`3889`	`+ IDATA enableCRIUSecProvider = FIND_AND_CONSUME_VMARG(EXACT_MATCH, VMOPT_XXENABLECRIUSECPROVIDER, NULL);`
	`3890`	`+ IDATA disableCRIUSecProvider = FIND_AND_CONSUME_VMARG(EXACT_MATCH, VMOPT_XXDISABLECRIUSECPROVIDER, NULL);`
	`3891`	`+ if (enableCRIUSecProvider >= disableCRIUSecProvider) {`
	`3892`	`+ if (J9_ARE_ANY_BITS_SET(vm->checkpointState.flags, J9VM_CRIU_IS_CHECKPOINT_ENABLED)) {`
	`3893`	`+ vm->checkpointState.flags \|= J9VM_CRIU_ENABLE_CRIU_SEC_PROVIDER;`
	`3894`	`+ }`
	`3895`	`+ }`
	`3896`	`+ }`
	`3897`	`+`
`3888`	`3898`	`{`
`3889`	`3899`	`IDATA enableCRIUNonPortableMode = FIND_AND_CONSUME_VMARG(EXACT_MATCH, VMOPT_XXENABLECRIUNONPORTABLEMODE, NULL);`
`3890`	`3900`	`IDATA disableCRIUNonPortableMode = FIND_AND_CONSUME_VMARG(EXACT_MATCH, VMOPT_XXDISABLECRIUNONPORTABLEMODE, NULL);`