Page MenuHomePhabricator

32-bit OpenJDK on 64-bit Stretch
Closed, WontfixPublic

Description

According to a user report 64-bit OpenJDK requires the clflush instruction to work. clflush is removed to make rowhammer and sidechannel attacks more difficult. Whonix 14 will be 64-bit and so a workaround like running 32bit OpenJDK is needed as a workaround to preserve this protection.

TO-DO: Test instructions forinstalling 32-bit OpenJDK on a 64-bit Debian when an RC image is available.

[0] https://forums.whonix.org/t/64-bit-openjdk-fails-to-run/3514/9

If the following succeeds, change all OpenJDK installation documentation on the wiki to reflect it:

sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt-get install openjdk-8-jre-headless:i386
sudo /usr/sbin/update-java-alternatives -s java-1.8.0-openjdk-i386

Details

Impact
Normal

Event Timeline

HulaHoop created this task.Jun 26 2017, 6:06 PM

Tested it on Whonix 14. It works after updating the binary paths to use i386.
This is a viable workaround considering Debian won't remove i386 archives. @Patrick How close is this event in your opinion? Do you think this fix is worth keeping over time?

https://serverfault.com/a/835273

sudo /usr/sbin/update-java-alternatives -s java-1.8.0-openjdk-i386

HulaHoop updated the task description. (Show Details)Feb 12 2018, 8:08 AM

This is a viable workaround considering Debian won't remove i386 archives. @Patrick How close is this event in your opinion?

I have no idea.

Do you think this fix is worth keeping over time?

If users asks about it, maybe.

Also not really a Whonix specific issue.

Also not really a Whonix specific issue.

True but if its a hassle I can just white-list clflush again and forget about the whole thing.

I have no idea what's best here.

HulaHoop closed this task as Wontfix.May 16 2018, 2:01 PM

I went ahead and reverted clflush restrictions to open the way for I2P by default without extra fiddling needed.