git: openjdk/leyden: hermetic-java-runtime: Experimental support for creating a hermetic Java executable image using the jlink tool. Currently, it takes a pre-linked static launcher executable and creates the hermetic image in format illustrated below:

duke duke at openjdk.org
Thu Apr 3 18:37:48 UTC 2025


Changeset: 56a9e591
Branch: hermetic-java-runtime
Author:    Jiangli Zhou <jianglizhou at google.com>
Date:      2025-04-03 11:07:36 +0000
URL:       https://git.openjdk.org/leyden/commit/56a9e591d2afcdee7c4f29861486c49f70ef104d

Experimental support for creating a hermetic Java executable image using the jlink tool. Currently, it takes a pre-linked static launcher executable and creates the hermetic image in format illustrated below:

---------------------
|                   |
|    executable     |
|                   |
---------------------
|                   |
|     jimage        |
|                   |
---------------------
|offset|magic|
--------------

The hermetic Java image starts with the statically linked launcher executable. The jimage (JDK runtime modules image) is after the executable, starting at a page-aligned file offset. The jimage starting offset (8 bytes) is written out after the jimage content. After the 8-byte jimage offset, there is an 8-byte magic number (0xCAFEBABECAFEDADA) at the end of the image, which is used by the runtime to recognize a hermetic image.
With the current experimental change, the hermetic executable image is written out as the `modules` files and other JDK artifacts are still being written as the jlink output. Work needs to be done to write out just the single executable image file.

The current change does not perform native linking yet. I'll work on prototyping that when the static jmod work is in place.

With this experimental change, I'm able to jlink a hermetic image (named as the `modules`) and run that as is. I have tested jlinking a hermetic application image using a simple Hello app, which also works with the current change. The following is a command-line example for creating a hermetic image (the Hello demo.jmod is copied into the /<snip>/jianglizhou/github/hermetic-linking/build/linux-x86_64-server-slowdebug/images/jmods):

/<snip>/jianglizhou/github/hermetic-linking/build/linux-x86_64-server-slowdebug/jdk/bin/jlink \
  --hermetic \
  --link-hermetic-image=/<snip>/jianglizhou/github/hermetic-linking/build/linux-x86_64-server-slowdebug/images/static-jdk/bin/java \
  -J-Djlink.debug=true \
  --module-path "/<snip>/jianglizhou/github/hermetic-linking/build/linux-x86_64-server-slowdebug/images/jmods" \
  --endian little \
  --release-info /<snip>/jianglizhou/github/hermetic-linking/build/linux-x86_64-server-slowdebug/jdk/release \
  --order-resources=**module-info.class,@/<snip>/jianglizhou/github/hermetic-linking/build/linux-x86_64-server-slowdebug/support/link_opt/classlist,/java.base/java/**,/java.base/jdk/**,/java.base/sun/**,/java.base/com/**,/jdk.localedata/** \
  --dedup-legal-notices=error-if-not-same-content \
  --hermetic-resources /java.base/conf/security/java.security=/java.base/java/security/java.security,/java.logging/conf/logging.properties=/java.logging/java/util/logging/logging.properties,/java.base/conf/net.properties=/java.base/sun/net/net.properties,/java.desktop/lib/psfont.properties.ja=/java.desktop/sun/print/psfont.properties.ja,/java.desktop/lib/psfontj2d.properties=/java.desktop/sun/print/psfontj2d.properties,/java.base/lib/security/blocked.certs=/java.base/sun/security/util/blocked.certs,/java.base/lib/security/cacerts=/java.base/sun/security/util/cacerts,/java.base/lib/security/public_suffix_list.dat=/java.base/sun/security/util/public_suffix_list.dat,/java.base/lib/security/default.policy=/java.base/sun/security/provider/default.policy,/java.base/conf/security/java.policy=/java.base/sun/security/provider/java.policy,/java.base/conf/security/policy/limited/default_US_export.policy=/java.base/javax/crypto/limited_default_US_export.policy,/java.base/conf/security/policy/limited/default_local.policy=/java.base/javax/crypto/limited_default_local.policy,/java.base/conf/security/policy/limited/exempt_local.policy=/java.base/javax/crypto/limited_exempt_local.policy,/java.base/conf/security/policy/unlimited/default_US_export.policy=/java.base/javax/crypto/unlimited_default_US_export.policy,/java.base/conf/security/policy/unlimited/default_local.policy=/java.base/javax/crypto/unlimited_default_local.policy \
  --generate-jli-classes=@/<snip>/jianglizhou/github/hermetic-linking/build/linux-x86_64-server-slowdebug/support/link_opt/default_jli_trace.txt \
  --add-modules demo \
  --keep-packaged-modules /<snip>/jianglizhou/github/hermetic-linking/build/linux-x86_64-server-slowdebug/images/jdk/jmods1 \
  --output demo-image

The single `modules` image is runnable:

$ find .
.
./lib
./lib/modules
$ lib/modules -m demo/demo.Hello
Hi!

! src/java.base/share/native/launcher/main.c
! src/jdk.jlink/share/classes/jdk/tools/jlink/internal/ImageFileCreator.java
! src/jdk.jlink/share/classes/jdk/tools/jlink/internal/JlinkTask.java
+ src/jdk.jlink/share/classes/jdk/tools/jlink/internal/plugins/LinkHermeticImagePlugin.java
! src/jdk.jlink/share/classes/jdk/tools/jlink/resources/plugins.properties
! src/jdk.jlink/share/classes/module-info.java
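
The trailer layout described in the commit message above (8-byte jimage offset, then the 8-byte magic 0xCAFEBABECAFEDADA at end of file) can be checked before an image is trusted or unpacked. The following is an added example, not code from this commit or from the JDK: the names hermetic_parse, make_sample and hi_info are hypothetical, and because the message states neither the trailer byte order nor the page size, the parser tries both byte orders and takes the page size (4096 here) as a parameter.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HERMETIC_MAGIC 0xCAFEBABECAFEDADAULL  /* value given in the commit message */
#define TRAILER_LEN    16                      /* 8-byte offset + 8-byte magic */

typedef enum { HI_OK, HI_TOO_SHORT, HI_NO_MAGIC, HI_BAD_OFFSET, HI_UNALIGNED } hi_status;
typedef struct { uint64_t jimage_off, jimage_len; int big_endian; } hi_info;

/* Read/write 64-bit values byte by byte so the host byte order does not matter. */
static uint64_t rd64(const uint8_t *p, int be) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[be ? i : 7 - i];
    return v;
}
static void wr64(uint8_t *p, uint64_t v, int be) {
    for (int i = 0; i < 8; i++) p[be ? 7 - i : i] = (uint8_t)(v >> (8 * i));
}

/* Validate the trailer. Assumption: byte order is unknown, so both are tried; page must be non-zero. */
hi_status hermetic_parse(const uint8_t *img, size_t len, size_t page, hi_info *out) {
    if (len < TRAILER_LEN) return HI_TOO_SHORT;
    const uint8_t *t = img + len - TRAILER_LEN;
    int be = rd64(t + 8, 1) == HERMETIC_MAGIC;
    if (!be && rd64(t + 8, 0) != HERMETIC_MAGIC) return HI_NO_MAGIC;
    uint64_t off = rd64(t, be), body_end = len - TRAILER_LEN;
    if (off == 0 || off >= body_end) return HI_BAD_OFFSET; /* launcher and jimage must both exist */
    if (off % page != 0) return HI_UNALIGNED;              /* jimage starts on a page boundary */
    out->jimage_off = off; out->jimage_len = body_end - off; out->big_endian = be;
    return HI_OK;
}

/* Constructed sample: exe_len launcher bytes, zero padding to a page boundary, ji_len jimage bytes, trailer. */
size_t make_sample(uint8_t *buf, size_t exe_len, size_t ji_len, size_t page, int be) {
    size_t off = (exe_len + page - 1) / page * page;
    memset(buf, 0, off + ji_len);
    wr64(buf + off + ji_len, off, be);
    wr64(buf + off + ji_len + 8, HERMETIC_MAGIC, be);
    return off + ji_len + TRAILER_LEN;
}

int main(void) {
    static uint8_t buf[16384];
    hi_info info = {0};
    size_t len = make_sample(buf, 5000, 3000, 4096, 0);
    hi_status s = hermetic_parse(buf, len, 4096, &info);
    printf("status=%d off=%llu len=%llu\n", s, (unsigned long long)info.jimage_off, (unsigned long long)info.jimage_len);
    return s != HI_OK;
}
```

A trailer whose offset is zero, unaligned, or at or past the start of the trailer is rejected rather than used to index into the file.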
