From c99a1ecc52d8594b9dac4266770d8156693f35e3 Mon Sep 17 00:00:00 2001
From: fanquake
Date: Mon, 20 Jun 2022 15:30:19 +0100
Subject: [PATCH] guix: enable hardening options in GCC Build

Pass `--enable-default-pie` and `--enable-default-ssp` when configuring our GCCs. This achieves the following: --enable-default-pie Turn on -fPIE and -pie by default. --enable-default-ssp Turn on -fstack-protector-strong by default. Note that this isn't a replacement for passing hardneing flags ourselves, but introduces some redundency, and there isn't really a reason to not build a more "hardenings enabled" toolchain by default. See also: https://gcc.gnu.org/install/configure.html
---
 contrib/guix/manifest.scm | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm
index 1f3ab9ae65..f93d6e26e8 100644
--- a/contrib/guix/manifest.scm
+++ b/contrib/guix/manifest.scm
@@ -132,12 +132,19 @@ chain for " target " development."))
 (define base-gcc gcc-10)
 (define base-linux-kernel-headers linux-libre-headers-5.15)
+;; https://gcc.gnu.org/install/configure.html
+(define (hardened-gcc gcc)
+(package-with-extra-configure-variable (
+package-with-extra-configure-variable gcc
+"--enable-default-ssp" "yes")
+"--enable-default-pie" "yes"))
+
 (define* (make-bitcoin-cross-toolchain target
 #:key
 (base-gcc-for-libc base-gcc)
 (base-kernel-headers base-linux-kernel-headers)
 (base-libc (make-glibc-with-bind-now (make-glibc-without-werror glibc-2.24)))
-(base-gcc (make-gcc-rpath-link base-gcc)))
+(base-gcc (make-gcc-rpath-link (hardened-gcc base-gcc))))
 "Convenience wrapper around MAKE-CROSS-TOOLCHAIN with default values
 desirable for building Bitcoin Core release binaries."
 (make-cross-toolchain target
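Review bot: `hardened-gcc` is the only function definition in this hunk without a docstring, while `make-bitcoin-cross-toolchain` directly below it carries one; a one-liner such as `"Return GCC configured with --enable-default-pie and --enable-default-ssp so -fPIE/-pie and -fstack-protector-strong are on by default (see https://gcc.gnu.org/install/configure.html)."` would make the defence-in-depth intent from the commit message discoverable from the manifest itself. The nested call is also hard to read because the outer form's first argument is opened with a dangling `(` and the inner call is split mid-form; the conventional shape is `(package-with-extra-configure-variable (package-with-extra-configure-variable gcc "--enable-default-ssp" "yes") "--enable-default-pie" "yes")` with the inner form on its own indented line. Note that only the `base-gcc` default gains the hardened wrapper while `base-gcc-for-libc` still defaults to the plain `base-gcc`; that is presumably intended because that compiler only builds libc rather than the release binaries, but a short comment saying so would pre-empt the question. `make-bitcoin-cross-toolchain` continues past the end of the hunk.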