the 64 bit version of openjdk8 fails to run using the latest custom workstation libvirt xml settings. (Debian Stretch)
I’ve found that removing “feature policy=‘disable’ name=‘clflush’/” to enable clflush fixes the problem.
Anyway to get 64bit openjdk working without re-enabling clflush? If no, what are the security risks of re-enabling clflush on the custom workstation?
What arch is the Whonix version you’re running? Only the upcoming Whonix 14 switches to 64bit.
You will never need to change the instructions blacklist. clflush makes many sidechannel attacks easier so no.
Attempting to install/run 64 bit openjdk with clflush blacklisted results in this error, might cause problems when Whonix switches to 64bit:
#
# A fatal error has been detected by the Java Runtime Environment:
#
# Internal Error (vm_version_x86.cpp:455), pid=8945, tid=0x00007f4bd433a700
# guarantee(_cpuid_info.std_cpuid1_edx.bits.clflush != 0) failed: clflush is not supported
#
# JRE version: (8.0_121-b13) (build )
Thanks for the heads up. The only choices I see is removing the clflush from the blacklist - which makes rowhammer attacks easier or installing 32 bit binaries.
@Patrick is there a way to keep all binaries except the kernel 32 bit by default?
HulaHoop:
@Patrick is there a way to keep all binaries except the kernel 32 bit by default?
Please kindly rephrase the question, I don’t understand.
Rephrase: How can a 32 bit version of OpenJDK be installed on a 64 bit Debian?
I will document it on the I2P and Freenet pages and possibly as a general note to let users know about it.
@jes does everything else (like Python) work OK on 64 bit builds besides this?
HulaHoop:
Rephrase: How can a 32 bit version of OpenJDK be installed on a 64 bit Debian?
I am not sure that is possible. Does it work out of the box?
If not it may work in combination with Debian Multiarch. Figuring that
out would be rather time consuming for me.
Actually it was a lot simpler than it looks since we aren’t cross-building. @jes Please try these steps and let us know if they work for you (I assume you are running Whonix 14 test builds on Stretch - please check openjdk version number)
sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt-get install openjdk-8-jre-headless:i386
With recent interest in java programs like I2P, I wonder if I should revert clflush restrictions to make things easier by default? (used by rowhammer and side-chanel attacks)
Technically i386 openjdk is a good workaround but it depends on how long we expect Debian to carry ths arch.
If you think its worth keeping this restriction around make a note on phabricator to test it out and document it.
Probably more important to defend rowhammer and have docs on how to disable it to use java applications. But since it’s KVM only, it’s up to you.