Thanks for the heads up. The only choices I see is removing the clflush from the blacklist - which makes rowhammer attacks easier or installing 32 bit binaries.
@Patrick is there a way to keep all binaries except the kernel 32 bit by default?
Actually it was a lot simpler than it looks since we aren’t cross-building. @jes Please try these steps and let us know if they work for you (I assume you are running Whonix 14 test builds on Stretch - please check openjdk version number)
With recent interest in java programs like I2P, I wonder if I should revert clflush restrictions to make things easier by default? (used by rowhammer and side-chanel attacks)
Technically i386 openjdk is a good workaround but it depends on how long we expect Debian to carry ths arch.
If you think its worth keeping this restriction around make a note on phabricator to test it out and document it.