Mercurial > hg > icedtea11
view INSTALL @ 2681:79947984e110
PR3807: Allow the number of curves supported to be specified
2020-08-19 Andrew John Hughes <gnu_andrew@member.fsf.org>
PR3807: Allow the number of curves supported to be specified
* INSTALL:
Rename --enable-non-nss-curves to --with-curves and
provide additional section documenting its use.
Use "Mercurial" in the description of --with-hg-revision,
rather than the command name, "hg".
* acinclude.m4:
(IT_WITH_CURVES): Renamed from IT_ENABLE_NON_NSS_CURVES.
Allow the curve set to be chosen from 3/nist, 4/nist+ or
all.
* configure.ac: Invoke IT_WITH_CURVES instead of
IT_ENABLE_NON_NSS_CURVES.
* fsg.sh.in:
Use CURVES instead of the obsolete ENABLE_NON_NSS_CURVES.
Apply either the 3 curve or 4 curve patch, depending on the
value of CURVES.
* patches/pr3681.patch: Resurrect the 3 curve version
of the patch from PR3751.
author | Andrew John Hughes <gnu_andrew@member.fsf.org> |
---|---|
date | Mon, 19 Oct 2020 03:02:10 +0100 |
parents | 9d8be6bbedf8 |
children |
line wrap: on
line source
Building IcedTea ================ For convenience we've provided make targets that automatically download, extract and patch the source code from the IcedTea forest (http://hg.openjdk.java.net/icedtea/jdk7/). The build requirements are as follows: A bootstrap JDK, either IcedTea7 or IcedTea8 CUPS libX11 (xproto, libX11, libXext, libXtst, libXi, libXt, libXinerama, libXrender, libXcomposite, libXau, libXdmcp) Freetype2 patch sed tar sha256sum (from coreutils) wget alsa xalan xerces glib2-devel gtk2-devel libXinerama-devel giflib-devel libpng-devel libjpeg-devel >= 6b zlib-devel libffi (for --enable-zero or on archs other than x86/x86_64/sparc) LLVM 2.5 or later (for --enable-shark) systemtap-sdl-devel >= 0.9.5 (Java method tracing requires systemtap >= 0.9.9) See ./configure --help if you need to override the defaults. To bootstrap IcedTea with ecj and a GNU Classpath-based JDK: ./autogen.sh ./configure make To build IcedTea with an older version of IcedTea, use: ./autogen.sh ./configure --disable-bootstrap make The following locations are checked for a JDK: * /usr/lib/jvm/icedtea-8 * /usr/lib/jvm/java-1.8.0-openjdk * /usr/lib/jvm/java-1.8.0-openjdk.x86_64 * /usr/lib64/jvm/java-1.8.0-openjdk * /usr/lib/jvm/java-1.8.0 * /usr/lib/jvm/icedtea-7 * /usr/lib/jvm/icedtea7 * /usr/lib/jvm/java-1.7.0-openjdk * /usr/lib/jvm/java-1.7.0-openjdk.x86_64 * /usr/lib64/jvm/java-1.7.0-openjdk * /usr/lib/jvm/java-1.7.0 in the order given above. If bootstrapping is enabled, the following JDK locations are appended to the above list: * /usr/lib/jvm/cacao Finally, the following generic locations are checked as a last resort: * /usr/lib/jvm/java-openjdk * /usr/lib/jvm/openjdk * /usr/lib/jvm/java-icedtea * /etc/alternatives/java_sdk_openjdk There is currently no install target. IcedTea ends up in openjdk.build when the build completes. Most targets in IcedTea create stamp files in the stamps directory to determine what and when dependencies were compiled. Each target has a corresponding clean-x target which removes the output and the stamp file, allowing it to be rebuilt. For example, stamps/rt.stamp (alias rt) builds the bootstrap classes needed in the bootstrap build and clean-rt removes the classes and the stamp file. Build Modification Options ========================== The build process may be modified by passing the following options to configure: * --prefix: The final install location of the j2sdk-image. * --disable-docs: Don't build the Javadoc documentation. * --disable-bootstrap: Perform a quick (no bootstrap) build using an installed copy of IcedTea6 or IcedTea7. If a directory is not specified, a check against the list presented above is performed. * --enable-warnings: Produce warnings from the Java compiler during the build. * --with-openjdk-src-dir: Copy the specified OpenJDK tree, rather than downloading and extracting a tarball. * --disable-optimizations: Build with -O0. * --enable-hg: Checkout the OpenJDK tree from Mercurial, rather than downloading and extracting a tarball. * --enable-system-lcms: Build using the system installation of LCMS2, not the version in-tree. * --with-gcj: Compile ecj to native code with gcj prior to building. * --with-parallel-jobs: Run the specified number of parallel jobs when building HotSpot and the JDK. If this option is passed without an argument, the number of online processors plus one is used. * --with-pkgversion=PKG: Include the specified distro package information in the output of java -version. * --with-jdk-home: Use the specified JDK to bootstrap. If this option is not specified, a check against the list presented above is performed. * --with-java: Specify the location of a 'java' binary. By default, the path is checked for gij and java. * --with-ecj: Specify the location of a 'ecj' binary. By default, the path is checked for ecj, ecj-3.1, ecj-3.2 and ecj-3.3. * --with-javac: Specify the location of a 'javac' binary. By default, the path is checked for javac. * --with-jar: Specify the location of a 'jar' binary. By default, the path is checked for gjar and jar. * --with-javah: Specify the location of a 'javah' binary. By default, the path is checked for gjavah and javah. * --with-rmic: Specify the location of a 'rmic' binary. By default, the path is checked for grmic and rmic. * --with-native2ascii: Specify the location of a 'native2ascii' binary. By default, ${SYSTEM_JDK_DIR}/bin/native2ascii is used. If this is absent, then the path is checked for native2ascii and gnative2ascii. * --with-ecj-jar: Specify the location of an ecj JAR file. By default, the following paths are checked: - /usr/share/java/eclipse-ecj.jar - /usr/share/java/ecj.jar - /usr/share/eclipse-ecj-3.{2,3,4,5}/lib/ecj.jar * --with-openjdk-src-zip: Specify the location of the OpenJDK tarball to avoid downloading. * --with-openjdk-checksum: Specify a SHA256 checksum for the supplied source zip. Alternatively, --with-openjdk-checksum without an argument (the default) uses the expected upstream SHA256 checksum, while --without-openjdk-checksum doesn't check the tarball specified by --with-openjdk-src-zip at all. This option allows a locally modified version of the source tarball to be used instead of the standard versions. * --with-hotspot-src-zip: Specify the location of the HotSpot tarball to avoid downloading. * --with-hotspot-checksum: Specify a SHA256 checksum for the supplied source zip. Alternatively, --with-hotspot-checksum without an argument (the default) uses the expected upstream SHA256 checksum, while --without-hotspot-checksum doesn't check the tarball specified by --with-hotspot-src-zip at all. This option allows a locally modified version of the source tarball to be used instead of the standard versions. * --with-corba-src-zip: Specify the location of the CORBA tarball to avoid downloading. * --with-corba-checksum: Specify a SHA256 checksum for the supplied source zip. Alternatively, --with-corba-checksum without an argument (the default) uses the expected upstream SHA256 checksum, while --without-corba-checksum doesn't check the tarball specified by --with-corba-src-zip at all. This option allows a locally modified version of the source tarball to be used instead of the standard versions. * --with-jaxp-src-zip: Specify the location of the JAXP tarball to avoid downloading. * --with-jaxp-checksum: Specify a SHA256 checksum for the supplied source zip. Alternatively, --with-jaxp-checksum without an argument (the default) uses the expected upstream SHA256 checksum, while --without-jaxp-checksum doesn't check the tarball specified by --with-jaxp-src-zip at all. This option allows a locally modified version of the source tarball to be used instead of the standard versions. * --with-jaxws-src-zip: Specify the location of the JAXWS tarball to avoid downloading. * --with-jaxws-checksum: Specify a SHA256 checksum for the supplied source zip. Alternatively, --with-jaxws-checksum without an argument (the default) uses the expected upstream SHA256 checksum, while --without-jaxws-checksum doesn't check the tarball specified by --with-jaxws-src-zip at all. This option allows a locally modified version of the source tarball to be used instead of the standard versions. * --with-jdk-src-zip: Specify the location of the JDK tarball to avoid downloading. * --with-jdk-checksum: Specify a SHA256 checksum for the supplied source zip. Alternatively, --with-jdk-checksum without an argument (the default) uses the expected upstream SHA256 checksum, while --without-jdk-checksum doesn't check the tarball specified by --with-jdk-src-zip at all. This option allows a locally modified version of the source tarball to be used instead of the standard versions. * --with-langtools-src-zip: Specify the location of the langtools tarball to avoid downloading. * --with-langtools-checksum: Specify a SHA256 checksum for the supplied source zip. Alternatively, --with-langtools-checksum without an argument (the default) uses the expected upstream SHA256 checksum, while --without-langtools-checksum doesn't check the tarball specified by --with-langtools-src-zip at all. This option allows a locally modified version of the source tarball to be used instead of the standard versions. * --with-nashorn-src-zip: Specify the location of the Nashorn tarball to avoid downloading. * --with-nashorn-checksum: Specify a SHA256 checksum for the supplied source zip. Alternatively, --with-nashorn-checksum without an argument (the default) uses the expected upstream SHA256 checksum, while --without-nashorn-checksum doesn't check the tarball specified by --with-nashorn-src-zip at all. This option allows a locally modified version of the source tarball to be used instead of the standard versions. * --with-alt-jar: Use the specified jar binary in the second stage rather than the one just built. * --with-cacao-home: Specify the location of an installed CACAO to use rather than downloading and building one. * --with-cacao-src-zip: Specify the location of a CACAO tarball to avoid downloading. * --with-cacao-checksum: Specify a SHA256 checksum for the supplied source zip. Alternatively, --with-cacao-checksum without an argument (the default) uses the expected upstream SHA256 checksum, while --without-cacao-checksum doesn't check the tarball specified by --with-cacao-src-zip at all. This option allows a locally modified version of the source tarball to be used instead of the standard versions. * --with-cacao-src-dir: Specify the location of a CACAO source tree to avoid downloading. * --with-jamvm-src-zip: Specify the location of a JamVM tarball to avoid downloading. * --with-jamvm-checksum: Specify a SHA256 checksum for the supplied source zip. Alternatively, --with-jamvm-checksum without an argument (the default) uses the expected upstream SHA256 checksum, while --without-jamvm-checksum doesn't check the tarball specified by --with-jamvm-src-zip at all. This option allows a locally modified version of the source tarball to be used instead of the standard versions. * --with-hg-revision: Specify a Mercurial revision to use (as opposed to tip) with the --enable-hg option. * --with-llvm-config: Specify the location of the llvm-config binary. * --with-version-suffix: Appends the given text to the JDK version output. * --with-cacerts-file: Specify the location of a cacerts file, defaulting to ${SYSTEM_JDK_DIR}/jre/lib/security/cacerts Other options may be supplied which enable or disable new features. These are documented fully in the relevant section below. * --disable-tests: Disable the running of all JTReg tests. * --disable-hotspot-tests: Disable the running of the HotSpot JTReg suite. * --disable-langtools-tests: Disable the running of the langtools JTReg suite. * --disable-jdk-tests: Disable the running of the jdk JTreg suite. * --disable-systemtap-tests: Disable the running of the SystemTap test suite. * --disable-xrender: Don't include the XRender pipeline. * --enable-systemtap: Include support for tracing using systemtap. * --enable-nss: Enable the NSS security provider. * --enable-cacao: Replace HotSpot with the CACAO VM. * --enable-jamvm: Replace HotSpot with JamVM. * --enable-shark: Build the Shark LLVM-based JIT. * --enable-zero: Build the zero assembler port on x86/x86_64/sparc platforms. * --with-hotspot-build: The HotSpot to use, defaulting to 'original' i.e. hs14 as bundled with OpenJDK. * --with-additional-vms=vm-list: Additional VMs to build using the system described below. * --with-curves: Define the number of curves to support for elliptic curve cryptography Testing ======= IcedTea7 includes support for running the test suite included with OpenJDK, using the in-tree copy of JTReg. Invoking 'make check' will cause the HotSpot, JDK and langtools test suites to be run. The individual test suites may be run using the check-hotspot, check-jdk and check-langtools targets respectively. The --disable-tests option can be used to turn off all tests, and the --disable-{hotspot,langtools,jdk}-tests options can be used to turn off individual suites. This is useful when using 'make distcheck' as a way of avoiding running the extensive JDK test suite which takes several hours. Xrender Support =============== IcedTea7 includes support for an Xrender-based rendering pipeline developed by Clemens Eisserer (http://linuxhippy.blogspot.com/). This is compiled by default, and can be disabled using --disable-xrender. To actually use the pipeline, the sun.java2d.xrender property needs to be set to true, e.g. by passing the -Dsun.java2d.xrender=True option to java. SystemTap ========= IcedTea7 includes work to allow the existing DTrace probes included in OpenJDK to be used with SystemTap. This requires version 0.9.5 or later (0.9.9 or later if you want Java method tracing). The tapset needs to know the final install location of the JDK, so the --with-abs-install-dir option should also be used to specify this. If not set, it defaults to the in-tree location of openjdk.build/j2sdk-image and requires manual changes to tapset/hotspot.stp to work from elsewhere. For example, if you plan to install the resulting build in /usr/lib/jvm/java-1.6.0-openjdk, then you should specify --with-abs-install-dir=/usr/lib/jvm/java-1.6.0-openjdk. The NSS PKCS11 Security Provider and Elliptic Curve Cryptography ================================================================ OpenJDK includes an NSS-based security provider in the form of sun.security.pkcs11.SunPKCS11. However, as this needs to know the location of the NSS installation it should use, it is not enabled in normal OpenJDK builds. As IcedTea can detect NSS using configure, it can simplify the process of enabling this provider by generating a configuration file for the NSS provider. If --enable-nss is specified, this configuration will be turned on in lib/security/java.security. This can also be done manually at a later date. The PKCS11 option was originally added as it was the only way that elliptic curve cryptography support could be provided. From OpenJDK 7 onwards, there is another provider, SunEC, which uses the in-tree SunEC native library. This is enabled by default, so there is no longer a need to enable the SunPKCS11 provider simply to obtain elliptic curve cryptography support. CACAO ===== IcedTea7 can use CACAO as the virtual machine, as opposed to HotSpot. One advantage of this is that CACAO has a JIT implementation for more platforms than HotSpot, including ppc, ppc64, arm and mips. When --enable-cacao is specified, CACAO will be downloaded and built, followed by the JDK portion of OpenJDK resulting in a CACAO+OpenJDK image in openjdk.build/j2sdk-image. The --with-cacao-home option can be used to specify the use of an existing CACAO install instead, and --with-cacao-src-zip/dir options exist to allow the use of a pre-downloaded zip or source tree respectively. JamVM ===== IcedTea6 can use JamVM as the virtual machine, as opposed to HotSpot. When --enable-jamvm is specified, JamVM will be downloaded and built, followed by the JDK portion of OpenJDK resulting in a JamVM+OpenJDK image in openjdk.build/j2sdk-image. The --with-jamvm-src-zip option exists to allow the use of a pre-downloaded zip. Zero & Shark ============ IcedTea7 includes a zero assembler port of HotSpot, which avoids architecture-specific code as much as possible, allowing an interpreter to be built and run on most platforms (albeit very slowly). As HotSpot only includes JITs for x86, x86_64 and SPARC, the zero assembler port is automatically enabled on all other architectures. On x86, x86_64 and SPARC, it may be built using --enable-zero. To overcome the performance issues inherent in zero, a LLVM-based JIT called Shark has been developed. This performs Just-In-Time compilation on any architecture supported by LLVM. To enable it, pass the option --enable-shark to configure. Please note that Shark is still in development and builds are still likely to fail at present. Support for Different Versions of HotSpot ========================================= IcedTea allows the version of HotSpot provided with the upstream build drop to be replaced with another. Support for this is provided by the --with-hotspot-build option which causes IcedTea to probe the hotspot.map file for an entry with the given build name. The hotspot.map file maps the name to a changeset from a given repository URL. During the build, it downloads HotSpot from ${URL}/archive/${CHANGESET}.tar.gz and the resulting file is verified using the MD5 sum stored in hotspot.map. New build selections may be provided by providing further mappings in the hotspot.map file. The name can be anything e.g. 'shiny_new_hotspot'. This is simply used to map the argument to --with-hotspot-build to the values in the file and to apply appropriate patches (see patches/hotspot, $HSBUILD is available in Makefile.am for obtaining the build name). The special value 'original' is used for patches/hotspot/original to denote those for the upstream HotSpot; this value does not appear in hotspot.map. The changeset and URL should refer to a valid HotSpot tree when used as above. The required values can be obtained from a local checkout or by using the web interface. The simplest way to calculate the MD5 sum is to download the tarball and then run the 'md5sum' application on it. The resulting value should be added to hotspot.map. As with the OpenJDK build tarballs, the location of an alternate zip can be specified using --with-hotspot-src-zip. This skips the download stage and just verifies that the zip's MD5 sum matches that of the requested build. Currently, IcedTea7 only supports the 'original' HotSpot provided as part of the upstream IcedTea forest. Building Additional Virtual Machines ==================================== Although IcedTea can be built multiple times to use a different virtual machine, additional VMs can be built without building the other components multiple times. On architectures where hotspot is available, use --with-additional-vms=cacao,zero (or shark instead of zero) on architectures where only zero (or shark) is available, use --with-additional-vms=cacao to build the additional VMs. It's not possible to build cacao as the default VM, and zero as additional VM. To build zero as the default VM and shark as an additional VM, use --enable-zero --with-additional-vms=shark The additional VMs are available by calling the java with the option `-cacao', `-zero' or `-shark', or by calling the java tools with `-J-<vm name>'. If the build was configured with '--enable-shark', use `-Xint' to just use the zero VM. Please note that using this feature does not do as extensive testing of the VM as would enabling it in the default full bootstrap mode, which compiles IcedTea and then recompiles it using the just-built image. Elliptic Curve Cryptography Support =================================== As some distributors may not wish to include the full set of elliptic curves supported by OpenJDK, we currently provide two reduced sets of curves, available via the --with-curves option: 1. NIST This includes the three NIST curves, NIST P-{256,384,521} For this, specify --with-curves=nist or --with-curves=3. 2. NIST+ This includes the three curves from option one, along with secp256k1. For this, specify --with-curves=nist+ or --with-curves=4 3. All curves Leave the OpenJDK sources as is and provide all curves. For this, specify --with-curves=all or simply --with-curves. The current default is option 2 (NIST+), as used in the Fedora and Red Hat Enterprise Linux OpenJDK packages. For compatibility with the old --enable-non-nss-curves option, --with-curves or --with-curves=yes will be interpreted like --enable-non-nss-curves as desiring all curves (option three). Similarly, --without-curves will be interpreted as --disable-non-nss-curves would, providing the default set. We currently don't support the more obvious interpretation of --without-curves in supporting no elliptic curve cryptography, as this would severely hampered real world usage of the resulting JDK.