From df6acd48f8b867fd3472882493b79742f4c2cf2c Mon Sep 17 00:00:00 2001
From: WilburZjh <wilburzjh@gmail.com>
Date: Tue, 24 Oct 2023 12:52:21 -0400
Subject: [PATCH] Enable -XX:[+|-]CRIUSecProvider JVM option

Whenever we are performing a checkpoint
this is typically done by enabling
-XX:+EnableCRIUSupport. It will remove
all the security providers and the
CRIUSecProvider is inserted to the
runtime enviroment. This provides a more
locked down approach to what cryptography
is allowed while taking a checkpoint.

Therefore, this new flag is introduced by
passing it after -XX:+EnableCRIUSupport is
enabled. When this option is used, we no
longer make use of CRIUSecProvider and
instead use normal provider loading to
enable all security algorithms in an out
of the box state. This can allow users to
make use of any algorithms in the various
providers available.
---
 .../internal/criu/InternalCRIUSupport.java    | 22 ++++++++++++++-----
 .../org/eclipse/openj9/criu/CRIUSupport.java  | 11 ++++++++++
 runtime/jcl/common/criu.cpp                   | 13 +++++++++++
 runtime/jcl/exports.cmake                     |  1 +
 runtime/jcl/uma/criu_exports.xml              |  1 +
 runtime/oti/j9nonbuilder.h                    |  2 ++
 runtime/oti/jclprots.h                        |  3 +++
 runtime/oti/jvminit.h                         |  2 ++
 runtime/oti/vm_api.h                          | 11 ++++++++++
 runtime/vm/CRIUHelpers.cpp                    | 12 ++++++++++
 runtime/vm/intfunc.c                          |  1 +
 runtime/vm/jvminit.c                          | 10 +++++++++
 12 files changed, 84 insertions(+), 5 deletions(-)

diff --git a/jcl/src/java.base/share/classes/openj9/internal/criu/InternalCRIUSupport.java b/jcl/src/java.base/share/classes/openj9/internal/criu/InternalCRIUSupport.java
index 4eca4d65ba0..2321ec24354 100644
--- a/jcl/src/java.base/share/classes/openj9/internal/criu/InternalCRIUSupport.java
+++ b/jcl/src/java.base/share/classes/openj9/internal/criu/InternalCRIUSupport.java
@@ -25,17 +25,15 @@
 /**
  * Internal CRIU Support API
  */
-/*[IF JAVA_SPEC_VERSION >= 17]*/
-@SuppressWarnings({ "deprecation", "removal" })
-/*[ENDIF] JAVA_SPEC_VERSION >= 17 */
 public final class InternalCRIUSupport {
 	private static final boolean criuSupportEnabled = isCRIUSupportEnabledImpl();
 	private static long checkpointRestoreNanoTimeDelta;
 
-	private static native boolean isCRIUSupportEnabledImpl();
-	private static native boolean isCheckpointAllowedImpl();
+	private static native boolean enableCRIUSecProviderImpl();
 	private static native long getCheckpointRestoreNanoTimeDeltaImpl();
 	private static native long getLastRestoreTimeImpl();
+	private static native boolean isCRIUSupportEnabledImpl();
+	private static native boolean isCheckpointAllowedImpl();
 
 	/**
 	 * Retrieve the elapsed time between Checkpoint and Restore.
@@ -70,6 +68,20 @@ public synchronized static boolean isCRIUSupportEnabled() {
 		return criuSupportEnabled;
 	}
 
+	/**
+	 * Checks if CRIU Security provider is enabled
+	 * when CRIU support is enabled.
+	 *
+	 * @return true if enabled, otherwise false
+	 */
+	public static boolean enableCRIUSecProvider() {
+		boolean isCRIUSecProviderEnabled = false;
+		if (criuSupportEnabled) {
+			isCRIUSecProviderEnabled = enableCRIUSecProviderImpl();
+		}
+		return isCRIUSecProviderEnabled;
+	}
+
 	/**
 	 * Queries if CRIU Checkpoint is allowed.
 	 * isCRIUSupportEnabled() is invoked first to check if CRIU support is enabled,
diff --git a/jcl/src/openj9.criu/share/classes/org/eclipse/openj9/criu/CRIUSupport.java b/jcl/src/openj9.criu/share/classes/org/eclipse/openj9/criu/CRIUSupport.java
index 760cd6398c8..b224bc0ac81 100644
--- a/jcl/src/openj9.criu/share/classes/org/eclipse/openj9/criu/CRIUSupport.java
+++ b/jcl/src/openj9.criu/share/classes/org/eclipse/openj9/criu/CRIUSupport.java
@@ -203,6 +203,17 @@ public static boolean isCRIUSupportEnabled() {
 		return (nativeLoaded && InternalCRIUSupport.isCRIUSupportEnabled());
 	}
 
+	/**
+	 * Checks if the CRIUSecProvider is enabled when CRIU
+	 * checkpoints are allowed (checks whether -XX:-CRIUSecProvider
+	 * has been specified).
+	 *
+	 * @return true if CRIUSecProvider is enabled, otherwise false
+	 */
+	public static boolean enableCRIUSecProvider() {
+		return InternalCRIUSupport.enableCRIUSecProvider();
+	}
+
 	/**
 	 * Queries if CRIU Checkpoint is allowed. With -XX:+CRIURestoreNonPortableMode enabled
 	 * (default policy) only a single checkpoint is allowed.
diff --git a/runtime/jcl/common/criu.cpp b/runtime/jcl/common/criu.cpp
index a534c3697da..db220697338 100644
--- a/runtime/jcl/common/criu.cpp
+++ b/runtime/jcl/common/criu.cpp
@@ -71,5 +71,18 @@ Java_openj9_internal_criu_InternalCRIUSupport_isCRIUSupportEnabledImpl(JNIEnv *e
 
 	return res;
 }
+
+jboolean JNICALL
+Java_openj9_internal_criu_InternalCRIUSupport_enableCRIUSecProviderImpl(JNIEnv *env, jclass unused)
+{
+	J9VMThread *currentThread = (J9VMThread *)env;
+	jboolean res = JNI_FALSE;
+
+	if (currentThread->javaVM->internalVMFunctions->enableCRIUSecProvider(currentThread)) {
+		res = JNI_TRUE;
+	}
+
+	return res;
+}
 #endif /* defined(J9VM_OPT_CRIU_SUPPORT) */
 }
diff --git a/runtime/jcl/exports.cmake b/runtime/jcl/exports.cmake
index e4ea8131e9e..fd880fb10bb 100644
--- a/runtime/jcl/exports.cmake
+++ b/runtime/jcl/exports.cmake
@@ -670,6 +670,7 @@ endif()
 # J9VM_OPT_CRIU_SUPPORT
 if(J9VM_OPT_CRIU_SUPPORT)
 	omr_add_exports(jclse
+		Java_openj9_internal_criu_InternalCRIUSupport_enableCRIUSecProviderImpl
 		Java_openj9_internal_criu_InternalCRIUSupport_getCheckpointRestoreNanoTimeDeltaImpl
 		Java_openj9_internal_criu_InternalCRIUSupport_getLastRestoreTimeImpl
 		Java_openj9_internal_criu_InternalCRIUSupport_isCheckpointAllowedImpl
diff --git a/runtime/jcl/uma/criu_exports.xml b/runtime/jcl/uma/criu_exports.xml
index 811d99b6c41..b09ddbbf3b6 100644
--- a/runtime/jcl/uma/criu_exports.xml
+++ b/runtime/jcl/uma/criu_exports.xml
@@ -20,6 +20,7 @@ OpenJDK Assembly Exception [2].
 SPDX-License-Identifier: EPL-2.0 OR Apache-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0 OR GPL-2.0-only WITH OpenJDK-assembly-exception-1.0
 -->
 <exports group="criu">
+	<export name="Java_openj9_internal_criu_InternalCRIUSupport_enableCRIUSecProviderImpl" />
 	<export name="Java_openj9_internal_criu_InternalCRIUSupport_getCheckpointRestoreNanoTimeDeltaImpl" />
 	<export name="Java_openj9_internal_criu_InternalCRIUSupport_getLastRestoreTimeImpl" />
 	<export name="Java_openj9_internal_criu_InternalCRIUSupport_isCheckpointAllowedImpl" />
diff --git a/runtime/oti/j9nonbuilder.h b/runtime/oti/j9nonbuilder.h
index 9cc165fd758..58d4919d115 100644
--- a/runtime/oti/j9nonbuilder.h
+++ b/runtime/oti/j9nonbuilder.h
@@ -4205,6 +4205,7 @@ typedef struct J9DelayedLockingOpertionsRecord {
 #define J9VM_CRIU_IS_JDWP_ENABLED 0x8
 #define J9VM_CRIU_IS_THROW_ON_DELAYED_CHECKPOINT_ENABLED 0x10
 #define J9VM_CRIU_IS_PORTABLE_JVM_RESTORE_MODE 0x20
+#define J9VM_CRIU_ENABLE_CRIU_SEC_PROVIDER 0x40
 
 typedef struct J9CRIUCheckpointState {
 	U_32 flags;
@@ -5025,6 +5026,7 @@ typedef struct J9InternalVMFunctions {
 	BOOLEAN (*jvmRestoreHooks)(struct J9VMThread *currentThread);
 	BOOLEAN (*isCRIUSupportEnabled)(struct J9VMThread *currentThread);
 	BOOLEAN (*isCRIUSupportEnabled_VM)(struct J9JavaVM *vm);
+	BOOLEAN (*enableCRIUSecProvider)(struct J9VMThread *currentThread);
 	BOOLEAN (*isCheckpointAllowed)(struct J9VMThread *currentThread);
 	BOOLEAN (*isNonPortableRestoreMode)(struct J9VMThread *currentThread);
 	BOOLEAN (*isJVMInPortableRestoreMode)(struct J9VMThread *currentThread);
diff --git a/runtime/oti/jclprots.h b/runtime/oti/jclprots.h
index c2fa51ecc46..669aa7e83d7 100644
--- a/runtime/oti/jclprots.h
+++ b/runtime/oti/jclprots.h
@@ -1292,6 +1292,9 @@ Java_jdk_internal_misc_ScopedMemoryAccess_closeScope0(JNIEnv *env, jobject insta
 
 #if defined(J9VM_OPT_CRIU_SUPPORT)
 /* criu.cpp */
+jboolean JNICALL
+Java_openj9_internal_criu_InternalCRIUSupport_enableCRIUSecProviderImpl(JNIEnv *env, jclass unused);
+
 jlong JNICALL
 Java_openj9_internal_criu_InternalCRIUSupport_getCheckpointRestoreNanoTimeDeltaImpl(JNIEnv *env, jclass unused);
 
diff --git a/runtime/oti/jvminit.h b/runtime/oti/jvminit.h
index c365b3dd75f..1d2d3eddb82 100644
--- a/runtime/oti/jvminit.h
+++ b/runtime/oti/jvminit.h
@@ -424,6 +424,8 @@ enum INIT_STAGE {
 #if defined(J9VM_OPT_CRIU_SUPPORT)
 #define VMOPT_XXENABLECRIU "-XX:+EnableCRIUSupport"
 #define VMOPT_XXDISABLECRIU "-XX:-EnableCRIUSupport"
+#define VMOPT_XXENABLECRIUSECPROVIDER "-XX:+CRIUSecProvider"
+#define VMOPT_XXDISABLECRIUSECPROVIDER "-XX:-CRIUSecProvider"
 #define VMOPT_XXENABLECRIUNONPORTABLEMODE "-XX:+CRIURestoreNonPortableMode"
 #define VMOPT_XXDISABLECRIUNONPORTABLEMODE "-XX:-CRIURestoreNonPortableMode"
 #define VMOPT_XXENABLEJVMRESTOREPORTABLEMODE "-XX:+JVMPortableRestoreMode"
diff --git a/runtime/oti/vm_api.h b/runtime/oti/vm_api.h
index 189afae7142..e12c77edbe6 100644
--- a/runtime/oti/vm_api.h
+++ b/runtime/oti/vm_api.h
@@ -517,6 +517,17 @@ isCRIUSupportEnabled(J9VMThread *currentThread);
 BOOLEAN
 isCRIUSupportEnabled_VM(J9JavaVM *vm);
 
+/**
+ * @brief Checks if the CRIU security provider is enabled when CRIU
+ * checkpoints are allowed. By default it is enabled, it can be disabled with
+ * -XX:-CRIUSecProvider.
+ *
+ * @param currentThread vmthread token
+ * @return TRUE if enabled, FALSE otherwise
+ */
+BOOLEAN
+enableCRIUSecProvider(J9VMThread *currentThread);
+
 /**
  * @brief Queries if checkpointing is permitted. Note, when
  * -XX:+CRIURestoreNonPortableMode option is specified checkpointing
diff --git a/runtime/vm/CRIUHelpers.cpp b/runtime/vm/CRIUHelpers.cpp
index 8add440abdc..35686a0ebac 100644
--- a/runtime/vm/CRIUHelpers.cpp
+++ b/runtime/vm/CRIUHelpers.cpp
@@ -128,6 +128,18 @@ isCheckpointAllowed(J9VMThread *currentThread)
 	return result;
 }
 
+BOOLEAN
+enableCRIUSecProvider(J9VMThread *currentThread)
+{
+	BOOLEAN result = FALSE;
+
+	if (isCRIUSupportEnabled(currentThread)) {
+		result = J9_ARE_ANY_BITS_SET(currentThread->javaVM->checkpointState.flags, J9VM_CRIU_ENABLE_CRIU_SEC_PROVIDER);
+	}
+
+	return result;
+}
+
 BOOLEAN
 isNonPortableRestoreMode(J9VMThread *currentThread)
 {
diff --git a/runtime/vm/intfunc.c b/runtime/vm/intfunc.c
index 0575aa8b5d2..4026b89c1d9 100644
--- a/runtime/vm/intfunc.c
+++ b/runtime/vm/intfunc.c
@@ -409,6 +409,7 @@ J9InternalVMFunctions J9InternalFunctions = {
 	jvmRestoreHooks,
 	isCRIUSupportEnabled,
 	isCRIUSupportEnabled_VM,
+	enableCRIUSecProvider,
 	isCheckpointAllowed,
 	isNonPortableRestoreMode,
 	isJVMInPortableRestoreMode,
diff --git a/runtime/vm/jvminit.c b/runtime/vm/jvminit.c
index ce08e211ce3..2d7660e5231 100644
--- a/runtime/vm/jvminit.c
+++ b/runtime/vm/jvminit.c
@@ -3885,6 +3885,16 @@ processVMArgsFromFirstToLast(J9JavaVM * vm)
 		}
 	}
 
+	{
+		IDATA enableCRIUSecProvider = FIND_AND_CONSUME_VMARG(EXACT_MATCH, VMOPT_XXENABLECRIUSECPROVIDER, NULL);
+		IDATA disableCRIUSecProvider = FIND_AND_CONSUME_VMARG(EXACT_MATCH, VMOPT_XXDISABLECRIUSECPROVIDER, NULL);
+		if (enableCRIUSecProvider >= disableCRIUSecProvider) {
+			if (J9_ARE_ANY_BITS_SET(vm->checkpointState.flags, J9VM_CRIU_IS_CHECKPOINT_ENABLED)) {
+				vm->checkpointState.flags |= J9VM_CRIU_ENABLE_CRIU_SEC_PROVIDER;
+			}
+		}
+	}
+
 	{
 		IDATA enableCRIUNonPortableMode = FIND_AND_CONSUME_VMARG(EXACT_MATCH, VMOPT_XXENABLECRIUNONPORTABLEMODE, NULL);
 		IDATA disableCRIUNonPortableMode = FIND_AND_CONSUME_VMARG(EXACT_MATCH, VMOPT_XXDISABLECRIUNONPORTABLEMODE, NULL);