guix: enable hardening options in GCC Build

Pass `--enable-default-pie` and `--enable-default-ssp` when configuring our GCCs. This achieves the following: --enable-default-pie Turn on -fPIE and -pie by default. --enable-default-ssp Turn on -fstack-protector-strong by default. Note that this isn't a replacement for passing hardneing flags ourselves, but introduces some redundency, and there isn't really a reason to not build a more "hardenings enabled" toolchain by default. See also: https://gcc.gnu.org/install/configure.html
2025-02-08 10:31:50 -05:00 · 2022-06-20 15:30:19 +01:00 · 2022-06-20 15:30:19 +01:00 · c99a1ecc52
commit c99a1ecc52
parent aa87879a77
1 changed files with 8 additions and 1 deletions
--- a/contrib/guix/manifest.scm
+++ b/contrib/guix/manifest.scm
@ -132,12 +132,19 @@ chain for " target " development."))
 (define base-gcc gcc-10)
 (define base-linux-kernel-headers linux-libre-headers-5.15)

+;; https://gcc.gnu.org/install/configure.html
+(define (hardened-gcc gcc)
+  (package-with-extra-configure-variable (
+    package-with-extra-configure-variable gcc
+    "--enable-default-ssp" "yes")
+    "--enable-default-pie" "yes"))
+
 (define* (make-bitcoin-cross-toolchain target
                                       #:key
                                       (base-gcc-for-libc base-gcc)
                                       (base-kernel-headers base-linux-kernel-headers)
                                       (base-libc (make-glibc-with-bind-now (make-glibc-without-werror glibc-2.24)))
-                                       (base-gcc (make-gcc-rpath-link base-gcc)))
+                                       (base-gcc (make-gcc-rpath-link (hardened-gcc base-gcc))))
  "Convenience wrapper around MAKE-CROSS-TOOLCHAIN with default values
 desirable for building Bitcoin Core release binaries."
  (make-cross-toolchain target