Skip to content

Guix: enable toolchain hardening by default #25484

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 30, 2022
Merged

Guix: enable toolchain hardening by default #25484

merged 3 commits into from
Jul 30, 2022

Conversation

fanquake
Copy link
Member

@fanquake fanquake commented Jun 27, 2022
edited
Loading

The GCC (10.3.0) and glibcs (2.24 and 2.27) we build both support configuration option for turning on hardening features by default.

For example, our GCC provides --enable-default-pie:

Turn on -fPIE and -pie by default.

--enable-default-ssp:

Turn on -fstack-protector-strong by default.

and --enable-cet options:

Enable building target run-time libraries with control-flow instrumentation, see -fcf-protection option.

It also provides --enable-standard-branch-protection, but we don't do that here, because we don't support building with it yet (#24123).

You could verify the that the on-by-default pie flags are working by Guix building master + this change:

--- a/configure.ac
+++ b/configure.ac
@@ -971,7 +971,6 @@ if test "$use_hardening" != "no"; then
   AX_CHECK_LINK_FLAG([-Wl,-z,relro], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,-z,relro"], [], [$LDFLAG_WERROR])
   AX_CHECK_LINK_FLAG([-Wl,-z,now], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,-z,now"], [], [$LDFLAG_WERROR])
   AX_CHECK_LINK_FLAG([-Wl,-z,separate-code], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,-z,separate-code"], [], [$LDFLAG_WERROR])
-  AX_CHECK_LINK_FLAG([-fPIE -pie], [PIE_FLAGS="-fPIE"; HARDENED_LDFLAGS="$HARDENED_LDFLAGS -pie"], [], [$CXXFLAG_WERROR])

and verifying that the PIE security checks fail. Then, build this PR branch, + the same change, and checking that they still pass.

A similar thing can be done with the stack-protector, i.e perform a Guix build, and observe the security checks failing after applying this diff to master:

--- a/configure.ac
+++ b/configure.ac
@@ -936,8 +936,6 @@ dnl -fstack-reuse=none for all gcc builds. (Only gcc understands this flag)
 AX_CHECK_COMPILE_FLAG([-fstack-reuse=none], [HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -fstack-reuse=none"])
 if test "$use_hardening" != "no"; then
   use_hardening=yes
-  AX_CHECK_COMPILE_FLAG([-Wstack-protector], [HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -Wstack-protector"])
-  AX_CHECK_COMPILE_FLAG([-fstack-protector-all], [HARDENED_CXXFLAGS="$HARDENED_CXXFLAGS -fstack-protector-all"])

Then check that a build doesn't fail when building this PR + that change. Although it should be noted that the security checks will pass for this + that change, even though the GCC option is for stack-protector-strong, rather than stack-protector-all. This is because our stack protector check is currently just for the presencse of the canary, and not a check that every function is instrumented.

For glibc, we enable --enable-stack-protector=all (RISC-V only):

Compile the C library and all other parts of the glibc package using the GCC -fstack-protector, -fstack-protector-strong or -fstack-protector-all options to detect stack overruns. Only the dynamic linker and a small number of routines called directly from assembler are excluded from this protection.

and --enable-bind-now:

Disable lazy binding for installed shared objects and programs. This provides additional security hardening because it enables full RELRO and a read-only global offset table (GOT), at the cost of slightly increased program load times.

You could check that the stack-protector option is being used for the RISC-V builds, by comparing the contents of a function that comes from glibc, i.e atexit, in a build of master:

riscv64-linux-gnu/src/bitcoind:     file format elf64-littleriscv

00000000007aa078 <atexit>:
  7aa078:	003a5617          	auipc	a2,0x3a5
  7aa07c:	f8863603          	ld	a2,-120(a2) # b4f000 <__dso_handle>
  7aa080:	4581                	li	a1,0
  7aa082:	ff8b3317          	auipc	t1,0xff8b3
  7aa086:	41e30067          	jr	1054(t1) # 5d4a0 <__cxa_atexit@plt>

vs this PR:

riscv64-linux-gnu/src/bitcoind:     file format elf64-littleriscv

00000000007aa078 <atexit>:
  7aa078:	003aa797          	auipc	a5,0x3aa
  7aa07c:	3c87b783          	ld	a5,968(a5) # b54440 <__stack_chk_guard@GLIBC_2.27>
  7aa080:	6398                	ld	a4,0(a5)
  7aa082:	1101                	addi	sp,sp,-32
  7aa084:	ec06                	sd	ra,24(sp)
  7aa086:	e43a                	sd	a4,8(sp)
  7aa088:	6722                	ld	a4,8(sp)
  7aa08a:	639c                	ld	a5,0(a5)
  7aa08c:	00f71d63          	bne	a4,a5,7aa0a6 <atexit+0x2e>
  7aa090:	60e2                	ld	ra,24(sp)
  7aa092:	003a5617          	auipc	a2,0x3a5
  7aa096:	f6e63603          	ld	a2,-146(a2) # b4f000 <__dso_handle>
  7aa09a:	4581                	li	a1,0
  7aa09c:	6105                	addi	sp,sp,32
  7aa09e:	ff8b3317          	auipc	t1,0xff8b3
  7aa0a2:	40230067          	jr	1026(t1) # 5d4a0 <__cxa_atexit@plt>
  7aa0a6:	ff8b3097          	auipc	ra,0xff8b3
  7aa0aa:	2ba080e7          	jalr	698(ra) # 5d360 <__stack_chk_fail@plt>

Note that none of the above means we would actually remove the use of hardening flags from our configure.

Guix Build (x86_64):

8de8ceac0f34729f17c64cd3b788d8e73e8a29cf51ec88ae33e04b1002f07162  guix-build-c99a1ecc52d8/output/aarch64-linux-gnu/SHA256SUMS.part
d638d329d2d23324aa8cb491b5fa9cfc59e7998cc95f6c47540ae34767316764  guix-build-c99a1ecc52d8/output/aarch64-linux-gnu/bitcoin-c99a1ecc52d8-aarch64-linux-gnu-debug.tar.gz
ce57cfd97109e2cebc91936653e291073230e9da1197d60edd6703c2c8e4961a  guix-build-c99a1ecc52d8/output/aarch64-linux-gnu/bitcoin-c99a1ecc52d8-aarch64-linux-gnu.tar.gz
917770f42ca696048c11ce3e7a100b9cc59cbe482878bccf11c1d84e327e61a7  guix-build-c99a1ecc52d8/output/arm-linux-gnueabihf/SHA256SUMS.part
a5e6ea54cb58941b2dceaa036495c65d83e3ae65b806af7124718df428206b38  guix-build-c99a1ecc52d8/output/arm-linux-gnueabihf/bitcoin-c99a1ecc52d8-arm-linux-gnueabihf-debug.tar.gz
c035aa6599aeab74445bcf15966886fafb1e4397d6f4e66e4e5ff05770f3af94  guix-build-c99a1ecc52d8/output/arm-linux-gnueabihf/bitcoin-c99a1ecc52d8-arm-linux-gnueabihf.tar.gz
a48654be85a540b393fefa87f75f10fcb1652cfb824eb5cb32da9aeffdbe9843  guix-build-c99a1ecc52d8/output/arm64-apple-darwin/SHA256SUMS.part
8cf48b00d6cbe7bc203043dde34ca51a82e25bc3b4e91802730209a90637a8ed  guix-build-c99a1ecc52d8/output/arm64-apple-darwin/bitcoin-c99a1ecc52d8-arm64-apple-darwin-unsigned.dmg
6ff1c1f0fbf64303421f71a91c14020554ab96673f2461aae80ef2249a846ebd  guix-build-c99a1ecc52d8/output/arm64-apple-darwin/bitcoin-c99a1ecc52d8-arm64-apple-darwin-unsigned.tar.gz
0df1d3d95759b26a9cc448dba29291c5d940e9faf9a79c7658775285498809eb  guix-build-c99a1ecc52d8/output/arm64-apple-darwin/bitcoin-c99a1ecc52d8-arm64-apple-darwin.tar.gz
3556666828f68205b8b82771a7046e10e10cf31bd894c6ed389bbaa2397b917c  guix-build-c99a1ecc52d8/output/dist-archive/bitcoin-c99a1ecc52d8.tar.gz
970390a724f2b9e40731942a427a5893a489fdac9c970a5a2f52cd684c4e2bcb  guix-build-c99a1ecc52d8/output/powerpc64-linux-gnu/SHA256SUMS.part
c281257c8f9466aca2d68971ff8cd219288f62a601396d4f8f1497a4404fac11  guix-build-c99a1ecc52d8/output/powerpc64-linux-gnu/bitcoin-c99a1ecc52d8-powerpc64-linux-gnu-debug.tar.gz
79e68965a50907f4c3382143f7c58dd71b927f87fe80a62c06b434232d764b93  guix-build-c99a1ecc52d8/output/powerpc64-linux-gnu/bitcoin-c99a1ecc52d8-powerpc64-linux-gnu.tar.gz
b65be16861b1d11225f5497c58adbc585bb1b192096018f006ae11c851235d65  guix-build-c99a1ecc52d8/output/powerpc64le-linux-gnu/SHA256SUMS.part
5edb31e2d6702ab3e24189db1a1151bb40dc009a2d6f196eca19124947400a24  guix-build-c99a1ecc52d8/output/powerpc64le-linux-gnu/bitcoin-c99a1ecc52d8-powerpc64le-linux-gnu-debug.tar.gz
d6e0414082f91a443bcfee9647f8cf9ad09d13fdf6acd6070866505b420db8eb  guix-build-c99a1ecc52d8/output/powerpc64le-linux-gnu/bitcoin-c99a1ecc52d8-powerpc64le-linux-gnu.tar.gz
89edc84604ea960dff7598999cabb14e2dbd7d585021acfd3065e0e8ebb77786  guix-build-c99a1ecc52d8/output/riscv64-linux-gnu/SHA256SUMS.part
091d582c7797792ab62653e61aa2192db768fb624615a2393284d7fad2a643bd  guix-build-c99a1ecc52d8/output/riscv64-linux-gnu/bitcoin-c99a1ecc52d8-riscv64-linux-gnu-debug.tar.gz
fcc20f8f7e2889f544e10d77e714496fd44e3dfdb2d1919b12ec5d41aeb9a8ac  guix-build-c99a1ecc52d8/output/riscv64-linux-gnu/bitcoin-c99a1ecc52d8-riscv64-linux-gnu.tar.gz
4b736dbfca1c0eb37390d791a9cdfe12aa3111f65a0c92775cd68044696f5b17  guix-build-c99a1ecc52d8/output/x86_64-apple-darwin/SHA256SUMS.part
dc51605e5c0f25e25aa1672471c2096e2c95f59d9c7adbee81714ad33da559a0  guix-build-c99a1ecc52d8/output/x86_64-apple-darwin/bitcoin-c99a1ecc52d8-x86_64-apple-darwin-unsigned.dmg
96a7b7b0144049215a4e51a01c4c90dcbf8469590a380fe2b1faca652f80c545  guix-build-c99a1ecc52d8/output/x86_64-apple-darwin/bitcoin-c99a1ecc52d8-x86_64-apple-darwin-unsigned.tar.gz
8d0a9e33e02db7c234d3cff2cf8489a93ae83a0efb9c02dd0a4a43b1615d5f75  guix-build-c99a1ecc52d8/output/x86_64-apple-darwin/bitcoin-c99a1ecc52d8-x86_64-apple-darwin.tar.gz
60e21c7d8eb8422bf3280d63fca7e3983b8d62949b46f582e483bfadf42d9838  guix-build-c99a1ecc52d8/output/x86_64-linux-gnu/SHA256SUMS.part
93cce61cbd237e8d63a7b60fd7c0611834d2587899f241c80ad3e7c31ce9f5c6  guix-build-c99a1ecc52d8/output/x86_64-linux-gnu/bitcoin-c99a1ecc52d8-x86_64-linux-gnu-debug.tar.gz
86e6d35ced80385dbebc9d0b4e443a86d9b5dfecff4928fccb4331fc37b7c8bc  guix-build-c99a1ecc52d8/output/x86_64-linux-gnu/bitcoin-c99a1ecc52d8-x86_64-linux-gnu.tar.gz
cdf1045063b8ad18735d623fa45867a3b6fbcabefac6ef763ad4d04e956ef2b7  guix-build-c99a1ecc52d8/output/x86_64-w64-mingw32/SHA256SUMS.part
e032c517396d818f2a5f7a2f8453966de37a1734f2f2d95ad0e39358647f5068  guix-build-c99a1ecc52d8/output/x86_64-w64-mingw32/bitcoin-c99a1ecc52d8-win64-debug.zip
b09cc098672215e810b4a11df0ebce760f716546d76745367898bb1850a6a8b4  guix-build-c99a1ecc52d8/output/x86_64-w64-mingw32/bitcoin-c99a1ecc52d8-win64-setup-unsigned.exe
a27108b306be7099a426bf2e02009b7271c8c04394bf5c5aa4f592b69be77fb5  guix-build-c99a1ecc52d8/output/x86_64-w64-mingw32/bitcoin-c99a1ecc52d8-win64-unsigned.tar.gz
a682fe68b09de24e1bdef49836d4fc5080e779fac66a73c9dcafb8fc6126af3a  guix-build-c99a1ecc52d8/output/x86_64-w64-mingw32/bitcoin-c99a1ecc52d8-win64.zip

Guix Build (arm64):

917770f42ca696048c11ce3e7a100b9cc59cbe482878bccf11c1d84e327e61a7  guix-build-c99a1ecc52d8/output/arm-linux-gnueabihf/SHA256SUMS.part
a5e6ea54cb58941b2dceaa036495c65d83e3ae65b806af7124718df428206b38  guix-build-c99a1ecc52d8/output/arm-linux-gnueabihf/bitcoin-c99a1ecc52d8-arm-linux-gnueabihf-debug.tar.gz
c035aa6599aeab74445bcf15966886fafb1e4397d6f4e66e4e5ff05770f3af94  guix-build-c99a1ecc52d8/output/arm-linux-gnueabihf/bitcoin-c99a1ecc52d8-arm-linux-gnueabihf.tar.gz
1a306a6dc68183f210aa56c6eb07785654e1c2e21ac9e2bd866d8fdec34a527c  guix-build-c99a1ecc52d8/output/arm64-apple-darwin/SHA256SUMS.part
7da1d43adabf4725b6244df9625b683f47669949ffbcf37184619e431151138f  guix-build-c99a1ecc52d8/output/arm64-apple-darwin/bitcoin-c99a1ecc52d8-arm64-apple-darwin-unsigned.dmg
ac38ae4188927e2e0b0d3bdaae9d314424e4f7e3ab2a90c6cbedc8a985ae237e  guix-build-c99a1ecc52d8/output/arm64-apple-darwin/bitcoin-c99a1ecc52d8-arm64-apple-darwin-unsigned.tar.gz
1b1653f3b3dff1bf5737223a4e5c2b674b700baba4ef594e3c7a040b5e81f3f6  guix-build-c99a1ecc52d8/output/arm64-apple-darwin/bitcoin-c99a1ecc52d8-arm64-apple-darwin.tar.gz
3556666828f68205b8b82771a7046e10e10cf31bd894c6ed389bbaa2397b917c  guix-build-c99a1ecc52d8/output/dist-archive/bitcoin-c99a1ecc52d8.tar.gz
970390a724f2b9e40731942a427a5893a489fdac9c970a5a2f52cd684c4e2bcb  guix-build-c99a1ecc52d8/output/powerpc64-linux-gnu/SHA256SUMS.part
c281257c8f9466aca2d68971ff8cd219288f62a601396d4f8f1497a4404fac11  guix-build-c99a1ecc52d8/output/powerpc64-linux-gnu/bitcoin-c99a1ecc52d8-powerpc64-linux-gnu-debug.tar.gz
79e68965a50907f4c3382143f7c58dd71b927f87fe80a62c06b434232d764b93  guix-build-c99a1ecc52d8/output/powerpc64-linux-gnu/bitcoin-c99a1ecc52d8-powerpc64-linux-gnu.tar.gz
b65be16861b1d11225f5497c58adbc585bb1b192096018f006ae11c851235d65  guix-build-c99a1ecc52d8/output/powerpc64le-linux-gnu/SHA256SUMS.part
5edb31e2d6702ab3e24189db1a1151bb40dc009a2d6f196eca19124947400a24  guix-build-c99a1ecc52d8/output/powerpc64le-linux-gnu/bitcoin-c99a1ecc52d8-powerpc64le-linux-gnu-debug.tar.gz
d6e0414082f91a443bcfee9647f8cf9ad09d13fdf6acd6070866505b420db8eb  guix-build-c99a1ecc52d8/output/powerpc64le-linux-gnu/bitcoin-c99a1ecc52d8-powerpc64le-linux-gnu.tar.gz
89edc84604ea960dff7598999cabb14e2dbd7d585021acfd3065e0e8ebb77786  guix-build-c99a1ecc52d8/output/riscv64-linux-gnu/SHA256SUMS.part
091d582c7797792ab62653e61aa2192db768fb624615a2393284d7fad2a643bd  guix-build-c99a1ecc52d8/output/riscv64-linux-gnu/bitcoin-c99a1ecc52d8-riscv64-linux-gnu-debug.tar.gz
fcc20f8f7e2889f544e10d77e714496fd44e3dfdb2d1919b12ec5d41aeb9a8ac  guix-build-c99a1ecc52d8/output/riscv64-linux-gnu/bitcoin-c99a1ecc52d8-riscv64-linux-gnu.tar.gz
4b736dbfca1c0eb37390d791a9cdfe12aa3111f65a0c92775cd68044696f5b17  guix-build-c99a1ecc52d8/output/x86_64-apple-darwin/SHA256SUMS.part
dc51605e5c0f25e25aa1672471c2096e2c95f59d9c7adbee81714ad33da559a0  guix-build-c99a1ecc52d8/output/x86_64-apple-darwin/bitcoin-c99a1ecc52d8-x86_64-apple-darwin-unsigned.dmg
96a7b7b0144049215a4e51a01c4c90dcbf8469590a380fe2b1faca652f80c545  guix-build-c99a1ecc52d8/output/x86_64-apple-darwin/bitcoin-c99a1ecc52d8-x86_64-apple-darwin-unsigned.tar.gz
8d0a9e33e02db7c234d3cff2cf8489a93ae83a0efb9c02dd0a4a43b1615d5f75  guix-build-c99a1ecc52d8/output/x86_64-apple-darwin/bitcoin-c99a1ecc52d8-x86_64-apple-darwin.tar.gz
60e21c7d8eb8422bf3280d63fca7e3983b8d62949b46f582e483bfadf42d9838  guix-build-c99a1ecc52d8/output/x86_64-linux-gnu/SHA256SUMS.part
93cce61cbd237e8d63a7b60fd7c0611834d2587899f241c80ad3e7c31ce9f5c6  guix-build-c99a1ecc52d8/output/x86_64-linux-gnu/bitcoin-c99a1ecc52d8-x86_64-linux-gnu-debug.tar.gz
86e6d35ced80385dbebc9d0b4e443a86d9b5dfecff4928fccb4331fc37b7c8bc  guix-build-c99a1ecc52d8/output/x86_64-linux-gnu/bitcoin-c99a1ecc52d8-x86_64-linux-gnu.tar.gz
cdf1045063b8ad18735d623fa45867a3b6fbcabefac6ef763ad4d04e956ef2b7  guix-build-c99a1ecc52d8/output/x86_64-w64-mingw32/SHA256SUMS.part
e032c517396d818f2a5f7a2f8453966de37a1734f2f2d95ad0e39358647f5068  guix-build-c99a1ecc52d8/output/x86_64-w64-mingw32/bitcoin-c99a1ecc52d8-win64-debug.zip
b09cc098672215e810b4a11df0ebce760f716546d76745367898bb1850a6a8b4  guix-build-c99a1ecc52d8/output/x86_64-w64-mingw32/bitcoin-c99a1ecc52d8-win64-setup-unsigned.exe
a27108b306be7099a426bf2e02009b7271c8c04394bf5c5aa4f592b69be77fb5  guix-build-c99a1ecc52d8/output/x86_64-w64-mingw32/bitcoin-c99a1ecc52d8-win64-unsigned.tar.gz
a682fe68b09de24e1bdef49836d4fc5080e779fac66a73c9dcafb8fc6126af3a  guix-build-c99a1ecc52d8/output/x86_64-w64-mingw32/bitcoin-c99a1ecc52d8-win64.zip

@DrahtBot
Copy link
Contributor

DrahtBot commented Jun 27, 2022
edited
Loading

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

Reviewers, this pull request conflicts with the following ones:

  • #25573 ([POC] guix: produce a fully -static-pie x86_64 bitcoind using GCC and glibc by fanquake)
  • #24123 ([POC] build: enable Pointer Authentication and Branch Target Identification for aarch64 (Linux) by fanquake)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

This was referenced Jun 27, 2022
Merged
Closed
Draft
@jarolrod
Copy link
Member

jarolrod commented Jun 28, 2022
edited
Loading

GUIX hashes

x86:

$ find guix-build-$(git rev-parse --short=12 HEAD)/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum

8de8ceac0f34729f17c64cd3b788d8e73e8a29cf51ec88ae33e04b1002f07162  guix-build-c99a1ecc52d8/output/aarch64-linux-gnu/SHA256SUMS.part
d638d329d2d23324aa8cb491b5fa9cfc59e7998cc95f6c47540ae34767316764  guix-build-c99a1ecc52d8/output/aarch64-linux-gnu/bitcoin-c99a1ecc52d8-aarch64-linux-gnu-debug.tar.gz
ce57cfd97109e2cebc91936653e291073230e9da1197d60edd6703c2c8e4961a  guix-build-c99a1ecc52d8/output/aarch64-linux-gnu/bitcoin-c99a1ecc52d8-aarch64-linux-gnu.tar.gz
917770f42ca696048c11ce3e7a100b9cc59cbe482878bccf11c1d84e327e61a7  guix-build-c99a1ecc52d8/output/arm-linux-gnueabihf/SHA256SUMS.part
a5e6ea54cb58941b2dceaa036495c65d83e3ae65b806af7124718df428206b38  guix-build-c99a1ecc52d8/output/arm-linux-gnueabihf/bitcoin-c99a1ecc52d8-arm-linux-gnueabihf-debug.tar.gz
c035aa6599aeab74445bcf15966886fafb1e4397d6f4e66e4e5ff05770f3af94  guix-build-c99a1ecc52d8/output/arm-linux-gnueabihf/bitcoin-c99a1ecc52d8-arm-linux-gnueabihf.tar.gz
a48654be85a540b393fefa87f75f10fcb1652cfb824eb5cb32da9aeffdbe9843  guix-build-c99a1ecc52d8/output/arm64-apple-darwin/SHA256SUMS.part
8cf48b00d6cbe7bc203043dde34ca51a82e25bc3b4e91802730209a90637a8ed  guix-build-c99a1ecc52d8/output/arm64-apple-darwin/bitcoin-c99a1ecc52d8-arm64-apple-darwin-unsigned.dmg
6ff1c1f0fbf64303421f71a91c14020554ab96673f2461aae80ef2249a846ebd  guix-build-c99a1ecc52d8/output/arm64-apple-darwin/bitcoin-c99a1ecc52d8-arm64-apple-darwin-unsigned.tar.gz
0df1d3d95759b26a9cc448dba29291c5d940e9faf9a79c7658775285498809eb  guix-build-c99a1ecc52d8/output/arm64-apple-darwin/bitcoin-c99a1ecc52d8-arm64-apple-darwin.tar.gz
3556666828f68205b8b82771a7046e10e10cf31bd894c6ed389bbaa2397b917c  guix-build-c99a1ecc52d8/output/dist-archive/bitcoin-c99a1ecc52d8.tar.gz
970390a724f2b9e40731942a427a5893a489fdac9c970a5a2f52cd684c4e2bcb  guix-build-c99a1ecc52d8/output/powerpc64-linux-gnu/SHA256SUMS.part
c281257c8f9466aca2d68971ff8cd219288f62a601396d4f8f1497a4404fac11  guix-build-c99a1ecc52d8/output/powerpc64-linux-gnu/bitcoin-c99a1ecc52d8-powerpc64-linux-gnu-debug.tar.gz
79e68965a50907f4c3382143f7c58dd71b927f87fe80a62c06b434232d764b93  guix-build-c99a1ecc52d8/output/powerpc64-linux-gnu/bitcoin-c99a1ecc52d8-powerpc64-linux-gnu.tar.gz
b65be16861b1d11225f5497c58adbc585bb1b192096018f006ae11c851235d65  guix-build-c99a1ecc52d8/output/powerpc64le-linux-gnu/SHA256SUMS.part
5edb31e2d6702ab3e24189db1a1151bb40dc009a2d6f196eca19124947400a24  guix-build-c99a1ecc52d8/output/powerpc64le-linux-gnu/bitcoin-c99a1ecc52d8-powerpc64le-linux-gnu-debug.tar.gz
d6e0414082f91a443bcfee9647f8cf9ad09d13fdf6acd6070866505b420db8eb  guix-build-c99a1ecc52d8/output/powerpc64le-linux-gnu/bitcoin-c99a1ecc52d8-powerpc64le-linux-gnu.tar.gz
89edc84604ea960dff7598999cabb14e2dbd7d585021acfd3065e0e8ebb77786  guix-build-c99a1ecc52d8/output/riscv64-linux-gnu/SHA256SUMS.part
091d582c7797792ab62653e61aa2192db768fb624615a2393284d7fad2a643bd  guix-build-c99a1ecc52d8/output/riscv64-linux-gnu/bitcoin-c99a1ecc52d8-riscv64-linux-gnu-debug.tar.gz
fcc20f8f7e2889f544e10d77e714496fd44e3dfdb2d1919b12ec5d41aeb9a8ac  guix-build-c99a1ecc52d8/output/riscv64-linux-gnu/bitcoin-c99a1ecc52d8-riscv64-linux-gnu.tar.gz
4b736dbfca1c0eb37390d791a9cdfe12aa3111f65a0c92775cd68044696f5b17  guix-build-c99a1ecc52d8/output/x86_64-apple-darwin/SHA256SUMS.part
dc51605e5c0f25e25aa1672471c2096e2c95f59d9c7adbee81714ad33da559a0  guix-build-c99a1ecc52d8/output/x86_64-apple-darwin/bitcoin-c99a1ecc52d8-x86_64-apple-darwin-unsigned.dmg
96a7b7b0144049215a4e51a01c4c90dcbf8469590a380fe2b1faca652f80c545  guix-build-c99a1ecc52d8/output/x86_64-apple-darwin/bitcoin-c99a1ecc52d8-x86_64-apple-darwin-unsigned.tar.gz
8d0a9e33e02db7c234d3cff2cf8489a93ae83a0efb9c02dd0a4a43b1615d5f75  guix-build-c99a1ecc52d8/output/x86_64-apple-darwin/bitcoin-c99a1ecc52d8-x86_64-apple-darwin.tar.gz
60e21c7d8eb8422bf3280d63fca7e3983b8d62949b46f582e483bfadf42d9838  guix-build-c99a1ecc52d8/output/x86_64-linux-gnu/SHA256SUMS.part
93cce61cbd237e8d63a7b60fd7c0611834d2587899f241c80ad3e7c31ce9f5c6  guix-build-c99a1ecc52d8/output/x86_64-linux-gnu/bitcoin-c99a1ecc52d8-x86_64-linux-gnu-debug.tar.gz
86e6d35ced80385dbebc9d0b4e443a86d9b5dfecff4928fccb4331fc37b7c8bc  guix-build-c99a1ecc52d8/output/x86_64-linux-gnu/bitcoin-c99a1ecc52d8-x86_64-linux-gnu.tar.gz
cdf1045063b8ad18735d623fa45867a3b6fbcabefac6ef763ad4d04e956ef2b7  guix-build-c99a1ecc52d8/output/x86_64-w64-mingw32/SHA256SUMS.part
e032c517396d818f2a5f7a2f8453966de37a1734f2f2d95ad0e39358647f5068  guix-build-c99a1ecc52d8/output/x86_64-w64-mingw32/bitcoin-c99a1ecc52d8-win64-debug.zip
b09cc098672215e810b4a11df0ebce760f716546d76745367898bb1850a6a8b4  guix-build-c99a1ecc52d8/output/x86_64-w64-mingw32/bitcoin-c99a1ecc52d8-win64-setup-unsigned.exe
a27108b306be7099a426bf2e02009b7271c8c04394bf5c5aa4f592b69be77fb5  guix-build-c99a1ecc52d8/output/x86_64-w64-mingw32/bitcoin-c99a1ecc52d8-win64-unsigned.tar.gz
a682fe68b09de24e1bdef49836d4fc5080e779fac66a73c9dcafb8fc6126af3a  guix-build-c99a1ecc52d8/output/x86_64-w64-mingw32/bitcoin-c99a1ecc52d8-win64.zip

arm64:

$ env HOSTS='arm-linux-gnueabihf arm64-apple-darwin powerpc64-linux-gnu powerpc64le-linux-gnu riscv64-linux-gnu x86_64-apple-darwin x86_64-linux-gnu x86_64-w64-mingw32' ./contrib/guix/guix-build
$ find guix-build-$(git rev-parse --short=12 HEAD)/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum

917770f42ca696048c11ce3e7a100b9cc59cbe482878bccf11c1d84e327e61a7  guix-build-c99a1ecc52d8/output/arm-linux-gnueabihf/SHA256SUMS.part
a5e6ea54cb58941b2dceaa036495c65d83e3ae65b806af7124718df428206b38  guix-build-c99a1ecc52d8/output/arm-linux-gnueabihf/bitcoin-c99a1ecc52d8-arm-linux-gnueabihf-debug.tar.gz
c035aa6599aeab74445bcf15966886fafb1e4397d6f4e66e4e5ff05770f3af94  guix-build-c99a1ecc52d8/output/arm-linux-gnueabihf/bitcoin-c99a1ecc52d8-arm-linux-gnueabihf.tar.gz
1a306a6dc68183f210aa56c6eb07785654e1c2e21ac9e2bd866d8fdec34a527c  guix-build-c99a1ecc52d8/output/arm64-apple-darwin/SHA256SUMS.part
7da1d43adabf4725b6244df9625b683f47669949ffbcf37184619e431151138f  guix-build-c99a1ecc52d8/output/arm64-apple-darwin/bitcoin-c99a1ecc52d8-arm64-apple-darwin-unsigned.dmg
ac38ae4188927e2e0b0d3bdaae9d314424e4f7e3ab2a90c6cbedc8a985ae237e  guix-build-c99a1ecc52d8/output/arm64-apple-darwin/bitcoin-c99a1ecc52d8-arm64-apple-darwin-unsigned.tar.gz
1b1653f3b3dff1bf5737223a4e5c2b674b700baba4ef594e3c7a040b5e81f3f6  guix-build-c99a1ecc52d8/output/arm64-apple-darwin/bitcoin-c99a1ecc52d8-arm64-apple-darwin.tar.gz
3556666828f68205b8b82771a7046e10e10cf31bd894c6ed389bbaa2397b917c  guix-build-c99a1ecc52d8/output/dist-archive/bitcoin-c99a1ecc52d8.tar.gz
970390a724f2b9e40731942a427a5893a489fdac9c970a5a2f52cd684c4e2bcb  guix-build-c99a1ecc52d8/output/powerpc64-linux-gnu/SHA256SUMS.part
c281257c8f9466aca2d68971ff8cd219288f62a601396d4f8f1497a4404fac11  guix-build-c99a1ecc52d8/output/powerpc64-linux-gnu/bitcoin-c99a1ecc52d8-powerpc64-linux-gnu-debug.tar.gz
79e68965a50907f4c3382143f7c58dd71b927f87fe80a62c06b434232d764b93  guix-build-c99a1ecc52d8/output/powerpc64-linux-gnu/bitcoin-c99a1ecc52d8-powerpc64-linux-gnu.tar.gz
b65be16861b1d11225f5497c58adbc585bb1b192096018f006ae11c851235d65  guix-build-c99a1ecc52d8/output/powerpc64le-linux-gnu/SHA256SUMS.part
5edb31e2d6702ab3e24189db1a1151bb40dc009a2d6f196eca19124947400a24  guix-build-c99a1ecc52d8/output/powerpc64le-linux-gnu/bitcoin-c99a1ecc52d8-powerpc64le-linux-gnu-debug.tar.gz
d6e0414082f91a443bcfee9647f8cf9ad09d13fdf6acd6070866505b420db8eb  guix-build-c99a1ecc52d8/output/powerpc64le-linux-gnu/bitcoin-c99a1ecc52d8-powerpc64le-linux-gnu.tar.gz
89edc84604ea960dff7598999cabb14e2dbd7d585021acfd3065e0e8ebb77786  guix-build-c99a1ecc52d8/output/riscv64-linux-gnu/SHA256SUMS.part
091d582c7797792ab62653e61aa2192db768fb624615a2393284d7fad2a643bd  guix-build-c99a1ecc52d8/output/riscv64-linux-gnu/bitcoin-c99a1ecc52d8-riscv64-linux-gnu-debug.tar.gz
fcc20f8f7e2889f544e10d77e714496fd44e3dfdb2d1919b12ec5d41aeb9a8ac  guix-build-c99a1ecc52d8/output/riscv64-linux-gnu/bitcoin-c99a1ecc52d8-riscv64-linux-gnu.tar.gz
4b736dbfca1c0eb37390d791a9cdfe12aa3111f65a0c92775cd68044696f5b17  guix-build-c99a1ecc52d8/output/x86_64-apple-darwin/SHA256SUMS.part
dc51605e5c0f25e25aa1672471c2096e2c95f59d9c7adbee81714ad33da559a0  guix-build-c99a1ecc52d8/output/x86_64-apple-darwin/bitcoin-c99a1ecc52d8-x86_64-apple-darwin-unsigned.dmg
96a7b7b0144049215a4e51a01c4c90dcbf8469590a380fe2b1faca652f80c545  guix-build-c99a1ecc52d8/output/x86_64-apple-darwin/bitcoin-c99a1ecc52d8-x86_64-apple-darwin-unsigned.tar.gz
8d0a9e33e02db7c234d3cff2cf8489a93ae83a0efb9c02dd0a4a43b1615d5f75  guix-build-c99a1ecc52d8/output/x86_64-apple-darwin/bitcoin-c99a1ecc52d8-x86_64-apple-darwin.tar.gz
60e21c7d8eb8422bf3280d63fca7e3983b8d62949b46f582e483bfadf42d9838  guix-build-c99a1ecc52d8/output/x86_64-linux-gnu/SHA256SUMS.part
93cce61cbd237e8d63a7b60fd7c0611834d2587899f241c80ad3e7c31ce9f5c6  guix-build-c99a1ecc52d8/output/x86_64-linux-gnu/bitcoin-c99a1ecc52d8-x86_64-linux-gnu-debug.tar.gz
86e6d35ced80385dbebc9d0b4e443a86d9b5dfecff4928fccb4331fc37b7c8bc  guix-build-c99a1ecc52d8/output/x86_64-linux-gnu/bitcoin-c99a1ecc52d8-x86_64-linux-gnu.tar.gz
cdf1045063b8ad18735d623fa45867a3b6fbcabefac6ef763ad4d04e956ef2b7  guix-build-c99a1ecc52d8/output/x86_64-w64-mingw32/SHA256SUMS.part
e032c517396d818f2a5f7a2f8453966de37a1734f2f2d95ad0e39358647f5068  guix-build-c99a1ecc52d8/output/x86_64-w64-mingw32/bitcoin-c99a1ecc52d8-win64-debug.zip
b09cc098672215e810b4a11df0ebce760f716546d76745367898bb1850a6a8b4  guix-build-c99a1ecc52d8/output/x86_64-w64-mingw32/bitcoin-c99a1ecc52d8-win64-setup-unsigned.exe
a27108b306be7099a426bf2e02009b7271c8c04394bf5c5aa4f592b69be77fb5  guix-build-c99a1ecc52d8/output/x86_64-w64-mingw32/bitcoin-c99a1ecc52d8-win64-unsigned.tar.gz
a682fe68b09de24e1bdef49836d4fc5080e779fac66a73c9dcafb8fc6126af3a  guix-build-c99a1ecc52d8/output/x86_64-w64-mingw32/bitcoin-c99a1ecc52d8-win64.zip

@hebasto
Copy link
Member

hebasto commented Jun 28, 2022

Guix builds on x86_64:

$ find guix-build-$(git rev-parse --short=12 HEAD)/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum
cfc47615d8e310f76e867c17ea263e4510d12226085442efe3f98dea3a002adb  guix-build-189045e34b1d/output/aarch64-linux-gnu/SHA256SUMS.part
2c6dbdb3d8e91ac2bc98c96c102b3c76f6a36bccf762fc26a62ed2cf57a63e8f  guix-build-189045e34b1d/output/aarch64-linux-gnu/bitcoin-189045e34b1d-aarch64-linux-gnu-debug.tar.gz
6cd624eb658db9a27d6503efea8e592557c1a0abe5463af905da416c12912ee8  guix-build-189045e34b1d/output/aarch64-linux-gnu/bitcoin-189045e34b1d-aarch64-linux-gnu.tar.gz
45c7361159f6de00c147bf4ed179d8bc877278a07ce29eca7b9150f2139f9dc7  guix-build-189045e34b1d/output/arm-linux-gnueabihf/SHA256SUMS.part
a2cad7e2414aa817de9d0c66b63dbb58f00135bb3afa120160b7366e219067e8  guix-build-189045e34b1d/output/arm-linux-gnueabihf/bitcoin-189045e34b1d-arm-linux-gnueabihf-debug.tar.gz
239f41d9be7f3ed9bec62fc33a1f98348260874dc04b2bdfebf3ca1459687cf4  guix-build-189045e34b1d/output/arm-linux-gnueabihf/bitcoin-189045e34b1d-arm-linux-gnueabihf.tar.gz
f1968b115cf7d195900f439d4d27d1b0e0ef534b9573429c6aff75671b7c5899  guix-build-189045e34b1d/output/arm64-apple-darwin/SHA256SUMS.part
ebc97bb522aba146d84bdf560c8b6180b4d75fee4b634ec5b013f5a803959be5  guix-build-189045e34b1d/output/arm64-apple-darwin/bitcoin-189045e34b1d-arm64-apple-darwin-unsigned.dmg
25976f5ba935672919ef6096a60e8c8941a81a4c14aa4e022e9a4027793f5bcf  guix-build-189045e34b1d/output/arm64-apple-darwin/bitcoin-189045e34b1d-arm64-apple-darwin-unsigned.tar.gz
d3ce7eb40ae280e1aad204be1c742430670947c17b2e9e68f33368d15a32d07f  guix-build-189045e34b1d/output/arm64-apple-darwin/bitcoin-189045e34b1d-arm64-apple-darwin.tar.gz
dca866ae54fec9ecfa1bf26d136f6e2dc5ff1697588336f46e38c264e42ca74f  guix-build-189045e34b1d/output/dist-archive/bitcoin-189045e34b1d.tar.gz
dfd313d056626c38f1de0afd71fbbeca8e92da6979322d0800206767d6af1051  guix-build-189045e34b1d/output/powerpc64-linux-gnu/SHA256SUMS.part
e376b42964f0ddc76e40e336ddd383a9cb49b62f5a9702dc1270e1270c697a2e  guix-build-189045e34b1d/output/powerpc64-linux-gnu/bitcoin-189045e34b1d-powerpc64-linux-gnu-debug.tar.gz
c3ce025e0e4ad2d87d9d45a0a2d4a6dee4458b11e3e6dd605110aa8b568f3606  guix-build-189045e34b1d/output/powerpc64-linux-gnu/bitcoin-189045e34b1d-powerpc64-linux-gnu.tar.gz
049508c870319b2486c535a772c7031d526f6fed797d76d0e8a89f20cd6209ed  guix-build-189045e34b1d/output/powerpc64le-linux-gnu/SHA256SUMS.part
e8ea96b13d59aa36240fe3db74bb03508832d0b69ad931541352e14ca53916c6  guix-build-189045e34b1d/output/powerpc64le-linux-gnu/bitcoin-189045e34b1d-powerpc64le-linux-gnu-debug.tar.gz
127cd17dac34f61961a8478873d0f68774698868902e5ba2762f55ca21801ba0  guix-build-189045e34b1d/output/powerpc64le-linux-gnu/bitcoin-189045e34b1d-powerpc64le-linux-gnu.tar.gz
2a6bd0ea4e72b8b09528e0a3871181fb2e0a825a20f7852f0d8afe674d5bb726  guix-build-189045e34b1d/output/riscv64-linux-gnu/SHA256SUMS.part
d2142e44b07d3c54583d62db4b249a04817df322ebd9a5e6173ea9a6d7682f70  guix-build-189045e34b1d/output/riscv64-linux-gnu/bitcoin-189045e34b1d-riscv64-linux-gnu-debug.tar.gz
089598ff876a4fc4e674876f48ade77254c6179c58ca879dd6dcd1dd7704f0fd  guix-build-189045e34b1d/output/riscv64-linux-gnu/bitcoin-189045e34b1d-riscv64-linux-gnu.tar.gz
5436aac4c39dfa6e8c1e2cd58fa80fbf132ea96fb802d6587060b866dc4d7a44  guix-build-189045e34b1d/output/x86_64-apple-darwin/SHA256SUMS.part
533d2c132c44ef1753ccd24db9e5d84e87544744529100547dcc58c26e3df2a7  guix-build-189045e34b1d/output/x86_64-apple-darwin/bitcoin-189045e34b1d-x86_64-apple-darwin-unsigned.dmg
b1b4fbba8859535cdff100d5a2fc9e38fd015f962ba6e7c2b81fe098715e63f1  guix-build-189045e34b1d/output/x86_64-apple-darwin/bitcoin-189045e34b1d-x86_64-apple-darwin-unsigned.tar.gz
3420fd1926957dc88744bf69b9f97c22e28e118bd4f77c7585dbc3c5c66c43d9  guix-build-189045e34b1d/output/x86_64-apple-darwin/bitcoin-189045e34b1d-x86_64-apple-darwin.tar.gz
2904c29f2f3ed31774b539bf82812b53e7e92585daa830b32ac592688bfa78d5  guix-build-189045e34b1d/output/x86_64-linux-gnu/SHA256SUMS.part
29b651047ba9e8a0b217f2ac00d60281846fc3fe0aa052b78f8d41449d1f61b9  guix-build-189045e34b1d/output/x86_64-linux-gnu/bitcoin-189045e34b1d-x86_64-linux-gnu-debug.tar.gz
15e57c7563d1488c3951c214ee1e73c3fbeca5eff4cbe6047c1b7d74f503ab4d  guix-build-189045e34b1d/output/x86_64-linux-gnu/bitcoin-189045e34b1d-x86_64-linux-gnu.tar.gz
e1c9d6a32570d69950f96c1e9dcd2bbb6940591105e82fb0848d5ff3f159be7a  guix-build-189045e34b1d/output/x86_64-w64-mingw32/SHA256SUMS.part
6c48dea1fa5d38e993eb23bc00479950fa8659096c12cd8e2f112fb403a44b70  guix-build-189045e34b1d/output/x86_64-w64-mingw32/bitcoin-189045e34b1d-win64-debug.zip
a0414b5b5baa14aecd310f9dc4995ddfec616baf583eceae5ba1970e00b23776  guix-build-189045e34b1d/output/x86_64-w64-mingw32/bitcoin-189045e34b1d-win64-setup-unsigned.exe
ade5c49bfbc3725742bad7d2988a3a7f667c430c5e22e1c3a4dacaca828e0ed0  guix-build-189045e34b1d/output/x86_64-w64-mingw32/bitcoin-189045e34b1d-win64-unsigned.tar.gz
5eb5e59a3f1c4b1c62311f2510d4f67e6595ce7efac7a49dcdfc5292af8f0e75  guix-build-189045e34b1d/output/x86_64-w64-mingw32/bitcoin-189045e34b1d-win64.zip

@laanwj
Copy link
Member

laanwj commented Jun 28, 2022

Concept ACK on enabling hardening in the toolchain and libc where possible. This is no substitute for doing so in bitcoin's build itself (because it's still important when building manually), but is a good way for defense in depth. It also makes sure all dependencies are built with hardening.

@DrahtBot
Copy link
Contributor

Guix builds

File commit 2111f32
(master)		 commit 54ae901
(master and this pull)
SHA256SUMS.part 6b6d88ae06d04799... f87fd6aa69fe4432...
*-aarch64-linux-gnu-debug.tar.gz f29aebd0a6dc0fc0... f697da297cfd3a84...
*-aarch64-linux-gnu.tar.gz f36ee5b656153652... f10a1b679002fc43...
*-arm-linux-gnueabihf-debug.tar.gz a9e0853cb53ed4d3... 1607ec3aa1b09ceb...
*-arm-linux-gnueabihf.tar.gz e492eb474249ba99... de5ace9e1bccb8bb...
*-arm64-apple-darwin-unsigned.dmg e5e481bed928b9a6... 498ec30bcd340427...
*-arm64-apple-darwin-unsigned.tar.gz 18ee3cf458d26010... cac8305c2e778417...
*-arm64-apple-darwin.tar.gz 27863b5f4e2b8c6a... d52527de3be3e2b8...
*-powerpc64-linux-gnu-debug.tar.gz 650e507a2adcaf86... 211d9179e057da24...
*-powerpc64-linux-gnu.tar.gz bff9c32db364fe99... 3c6661dd41cbe395...
*-powerpc64le-linux-gnu-debug.tar.gz c6a92ba8062e3b06... 1258ffdf19d265ec...
*-powerpc64le-linux-gnu.tar.gz 94910b6977c11829... 054457a51458deee...
*-riscv64-linux-gnu-debug.tar.gz 65bfcdd28d25bd3c... 8bb92cff7691226c...
*-riscv64-linux-gnu.tar.gz 8cea54e73460fc8e... ecf97d69de22a072...
*-win64-debug.zip 14b962b6f54a1935... fd30f7f53c6863c0...
*-win64-setup-unsigned.exe 05761e6d60e6297d... bbc6d45724370a19...
*-win64-unsigned.tar.gz 9acd95477005eed2... 7d27ec8c242f5302...
*-win64.zip fb3305e6ef089ee9... 460e06934be6f06d...
*-x86_64-apple-darwin-unsigned.dmg f7a9132173d15b26... 154306a947d2b312...
*-x86_64-apple-darwin-unsigned.tar.gz a7a44e66c9463128... 9bc9d54a74dafaf9...
*-x86_64-apple-darwin.tar.gz fa31ba0530be56b2... 3e39cd1d9ddaf3d1...
*-x86_64-linux-gnu-debug.tar.gz 9c7e46d4c7c3deee... 0436dba5bfaeaec0...
*-x86_64-linux-gnu.tar.gz 2dd2f6d3d32ff8cb... 4edbc4fbb1ff863c...
*.tar.gz 67733080b97377a4... fdb4b15cdd87afa0...
guix_build.log cc5c7529de008059... d39b3fb37ef08b58...
guix_build.log.diff db77dc9a1e56a2ca...

@fanquake fanquake force-pushed the guix_toolchain_hardening branch from 189045e to 0fe3917 Compare June 29, 2022 10:43
@hebasto
Copy link
Member

hebasto commented Jun 30, 2022

Guix builds on x86_64:

$ find guix-build-$(git rev-parse --short=12 HEAD)/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum
884c9c9ae0b0dc214a49e65d5d000137d5387ec409eb723e91905422083e5363  guix-build-0fe391736b7a/output/aarch64-linux-gnu/SHA256SUMS.part
758f17be002cfa907f3832bfb2af0b4694f22a0daeefdf71ca51fd82416bcfa6  guix-build-0fe391736b7a/output/aarch64-linux-gnu/bitcoin-0fe391736b7a-aarch64-linux-gnu-debug.tar.gz
a40102e9893848461ce82420a398553f70f12b63a4b32cbabf3e69ee0d4c79d2  guix-build-0fe391736b7a/output/aarch64-linux-gnu/bitcoin-0fe391736b7a-aarch64-linux-gnu.tar.gz
404ce7f37b603c2076fc52527b6e1781e2bd6f43ff3bf2c3f7d5bf26075f2bfb  guix-build-0fe391736b7a/output/arm-linux-gnueabihf/SHA256SUMS.part
09eb9dc0947ce913be951c36f606b64622a3521aac064f6b8b3f4a5c24fa8c86  guix-build-0fe391736b7a/output/arm-linux-gnueabihf/bitcoin-0fe391736b7a-arm-linux-gnueabihf-debug.tar.gz
6bc244f72cd5c8b361602e878dc78944c9a35a2666cba6db4fa3c34e09c31d6d  guix-build-0fe391736b7a/output/arm-linux-gnueabihf/bitcoin-0fe391736b7a-arm-linux-gnueabihf.tar.gz
2e27706ccea308312906276be29db642744874eaa83f3858f6806604254eb09e  guix-build-0fe391736b7a/output/arm64-apple-darwin/SHA256SUMS.part
4205e54af806c6defa34afe7eac296a4e258d7d8634fa7f4e36830a567aaf24c  guix-build-0fe391736b7a/output/arm64-apple-darwin/bitcoin-0fe391736b7a-arm64-apple-darwin-unsigned.dmg
4038aa34120901d309a7b67fe5086d1eb8c1ebd26291802e82459f9576996f9c  guix-build-0fe391736b7a/output/arm64-apple-darwin/bitcoin-0fe391736b7a-arm64-apple-darwin-unsigned.tar.gz
1fced2d3ebd5a76239e83cb291fd144849cabd14a9a9591afaeacff7ecc3472b  guix-build-0fe391736b7a/output/arm64-apple-darwin/bitcoin-0fe391736b7a-arm64-apple-darwin.tar.gz
a213fef4fede1b1d803ebc3812d8812d31bbb42b30d41d9c138ca3aa295c292d  guix-build-0fe391736b7a/output/dist-archive/bitcoin-0fe391736b7a.tar.gz
3c8481f36e0c0aeef8386bef0e908e851bbae44f827961d62d00b1306b9224bd  guix-build-0fe391736b7a/output/powerpc64-linux-gnu/SHA256SUMS.part
f3db030e641b93b91c3ef14eb01eb5882abc55fac0ea30a30253a259dcd43ff3  guix-build-0fe391736b7a/output/powerpc64-linux-gnu/bitcoin-0fe391736b7a-powerpc64-linux-gnu-debug.tar.gz
112c0acf7de22354ebe61097a404e54a1e0e7a135deca881d89c0c7fbd721a0e  guix-build-0fe391736b7a/output/powerpc64-linux-gnu/bitcoin-0fe391736b7a-powerpc64-linux-gnu.tar.gz
bb4300faf6cb077c2945555db32f5b4fda45f30e567888ba7422d0ff69754c93  guix-build-0fe391736b7a/output/powerpc64le-linux-gnu/SHA256SUMS.part
8190d871c452274ec2c0f93000f4fbfd948a687e96e59d8259d9163eee3b67f7  guix-build-0fe391736b7a/output/powerpc64le-linux-gnu/bitcoin-0fe391736b7a-powerpc64le-linux-gnu-debug.tar.gz
cf8c72403ef736a8f038f3b81b86ba6cee7bdd833f7a0fb237c37887305159e2  guix-build-0fe391736b7a/output/powerpc64le-linux-gnu/bitcoin-0fe391736b7a-powerpc64le-linux-gnu.tar.gz
9b29da599b7186aa1c31b77d24756a328ad0504740a445d46da71f8521a36a8c  guix-build-0fe391736b7a/output/riscv64-linux-gnu/SHA256SUMS.part
145adf8f7071c83f79767a5f56017615dc11576cc663302292561f43927f2867  guix-build-0fe391736b7a/output/riscv64-linux-gnu/bitcoin-0fe391736b7a-riscv64-linux-gnu-debug.tar.gz
c1902a800178798333daf39f3115ac122d01b9c916cbaaa483eade61030b9144  guix-build-0fe391736b7a/output/riscv64-linux-gnu/bitcoin-0fe391736b7a-riscv64-linux-gnu.tar.gz
cc80ece1a91c921e0e56b7fdecf4899109f674dcb5a506dc72739942eda53efb  guix-build-0fe391736b7a/output/x86_64-apple-darwin/SHA256SUMS.part
26f732866531d2a12b3f1a198f38db1b65826d80d64cbe10d55080946a2290fb  guix-build-0fe391736b7a/output/x86_64-apple-darwin/bitcoin-0fe391736b7a-x86_64-apple-darwin-unsigned.dmg
efb00bed76403f3b5208f40fd27f53f6e37a49fb8ad13ce5060a560ad22c722b  guix-build-0fe391736b7a/output/x86_64-apple-darwin/bitcoin-0fe391736b7a-x86_64-apple-darwin-unsigned.tar.gz
5714b9de37857b682e9909078cac76d410db14d226901e39144b30ec4c900200  guix-build-0fe391736b7a/output/x86_64-apple-darwin/bitcoin-0fe391736b7a-x86_64-apple-darwin.tar.gz
fe96584f0f1dbb8fa543d01f5945417797c431e32fac14556f6c54cb583fc69a  guix-build-0fe391736b7a/output/x86_64-linux-gnu/SHA256SUMS.part
f0de7e2d212bc46c8dd5ed9aa46b0ce6845eef0a03a55b3270fd09dd13871922  guix-build-0fe391736b7a/output/x86_64-linux-gnu/bitcoin-0fe391736b7a-x86_64-linux-gnu-debug.tar.gz
95895058ac48cfd6e06f837d5c18a4f9edeaa672772fbefbd6b0bccd003ba06e  guix-build-0fe391736b7a/output/x86_64-linux-gnu/bitcoin-0fe391736b7a-x86_64-linux-gnu.tar.gz
1240448c8bc0d27102daefe9995e9ff3261c818c4acea935e78bc43901741bd7  guix-build-0fe391736b7a/output/x86_64-w64-mingw32/SHA256SUMS.part
42fe418e85db542d4e899c48d37305a9f3ff4cdcf35a73e43195ce88d2339e28  guix-build-0fe391736b7a/output/x86_64-w64-mingw32/bitcoin-0fe391736b7a-win64-debug.zip
002903664b3d313f7d3e371b0fcea294d4c4915a7097e8ea9aacf2bd4cf44634  guix-build-0fe391736b7a/output/x86_64-w64-mingw32/bitcoin-0fe391736b7a-win64-setup-unsigned.exe
d4d86dad7d5af60e388a9f4e3976eb16ef1fcb6f487c52cc690322029526007c  guix-build-0fe391736b7a/output/x86_64-w64-mingw32/bitcoin-0fe391736b7a-win64-unsigned.tar.gz
20728029b07d3292fe1d9bbb56a7be117cd727428a0470dd55d82cc018db3dde  guix-build-0fe391736b7a/output/x86_64-w64-mingw32/bitcoin-0fe391736b7a-win64.zip

@hebasto
Copy link
Member

hebasto commented Jul 1, 2022

Guix builds on arm64:

# find guix-build-$(git rev-parse --short=12 HEAD)/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum
b044f6101f75078aecf13dfdc15897287ac014a0824f5368c378deeec2f38544  guix-build-0fe391736b7a/output/arm-linux-gnueabihf/SHA256SUMS.part
0f04334056ae8f22416fa310fd935889085ac9cfc16da7023acf21a626cc1ad7  guix-build-0fe391736b7a/output/arm-linux-gnueabihf/bitcoin-0fe391736b7a-arm-linux-gnueabihf-debug.tar.gz
0bded62506246a493c6b741bc3c893b0c1ac79f46f087a89f8c8c9fefa1dddc5  guix-build-0fe391736b7a/output/arm-linux-gnueabihf/bitcoin-0fe391736b7a-arm-linux-gnueabihf.tar.gz
3bb677f4f3110e8a339b276d5b4b2cf2e5849302ace09c4ee7b435ab05fa19dd  guix-build-0fe391736b7a/output/arm64-apple-darwin/SHA256SUMS.part
6bb01c4df38f25db9d1a1e0115386d0d460aa5f48a5808a530b0468135e7a050  guix-build-0fe391736b7a/output/arm64-apple-darwin/bitcoin-0fe391736b7a-arm64-apple-darwin-unsigned.dmg
92748be9fd297fdac84c4b7cdf94c53ddfb6b181efae0bdaac6756c6736bd101  guix-build-0fe391736b7a/output/arm64-apple-darwin/bitcoin-0fe391736b7a-arm64-apple-darwin-unsigned.tar.gz
5473c27c223d7a8efc62fff50cd4c489d9a3a76f38ece72fff3ad2baf8edaf25  guix-build-0fe391736b7a/output/arm64-apple-darwin/bitcoin-0fe391736b7a-arm64-apple-darwin.tar.gz
a213fef4fede1b1d803ebc3812d8812d31bbb42b30d41d9c138ca3aa295c292d  guix-build-0fe391736b7a/output/dist-archive/bitcoin-0fe391736b7a.tar.gz
c2a96346c9ab605ec5bad2aa26e8cfe7cbcc1acd1e345791b8e150de5573d1ab  guix-build-0fe391736b7a/output/powerpc64-linux-gnu/SHA256SUMS.part
d99814e4970a8d7d37a7d40465ac4eef6a5ebb2f03ec4d271f0fd99c6e2d1faa  guix-build-0fe391736b7a/output/powerpc64-linux-gnu/bitcoin-0fe391736b7a-powerpc64-linux-gnu-debug.tar.gz
ed66dff700f9c2fbf680f7eb77140fe5cd0879446c7a307a92e56c3efbfd01e9  guix-build-0fe391736b7a/output/powerpc64-linux-gnu/bitcoin-0fe391736b7a-powerpc64-linux-gnu.tar.gz
511e512cbe313043daa677bdce0b96920a6120666dcd5192734bc99eec88feb6  guix-build-0fe391736b7a/output/powerpc64le-linux-gnu/SHA256SUMS.part
a094163d8324e8d921ed4c2db689e6116bf2cf96b4a53b7e3981001aa28272c3  guix-build-0fe391736b7a/output/powerpc64le-linux-gnu/bitcoin-0fe391736b7a-powerpc64le-linux-gnu-debug.tar.gz
79df5e214cd7675290fe1111840be20af2591e15c842b81294c839be9d7b7df0  guix-build-0fe391736b7a/output/powerpc64le-linux-gnu/bitcoin-0fe391736b7a-powerpc64le-linux-gnu.tar.gz
d1a1012ede01d6b5c3d3fe3ce638e5142b913de546d27ea44d7b40276482d1cb  guix-build-0fe391736b7a/output/riscv64-linux-gnu/SHA256SUMS.part
5c319a6af935e734d217f4323423570ede0bd531bfdcbc0222986ff1602b5045  guix-build-0fe391736b7a/output/riscv64-linux-gnu/bitcoin-0fe391736b7a-riscv64-linux-gnu-debug.tar.gz
e174047bb10997783cae63b34186303027afeab00854c7ffbfc85f2656570534  guix-build-0fe391736b7a/output/riscv64-linux-gnu/bitcoin-0fe391736b7a-riscv64-linux-gnu.tar.gz
cc80ece1a91c921e0e56b7fdecf4899109f674dcb5a506dc72739942eda53efb  guix-build-0fe391736b7a/output/x86_64-apple-darwin/SHA256SUMS.part
26f732866531d2a12b3f1a198f38db1b65826d80d64cbe10d55080946a2290fb  guix-build-0fe391736b7a/output/x86_64-apple-darwin/bitcoin-0fe391736b7a-x86_64-apple-darwin-unsigned.dmg
efb00bed76403f3b5208f40fd27f53f6e37a49fb8ad13ce5060a560ad22c722b  guix-build-0fe391736b7a/output/x86_64-apple-darwin/bitcoin-0fe391736b7a-x86_64-apple-darwin-unsigned.tar.gz
5714b9de37857b682e9909078cac76d410db14d226901e39144b30ec4c900200  guix-build-0fe391736b7a/output/x86_64-apple-darwin/bitcoin-0fe391736b7a-x86_64-apple-darwin.tar.gz
ce6f385cb037349e5bca5be43d6969ab0ff57bf8e9c219a72648a46f45a908a9  guix-build-0fe391736b7a/output/x86_64-linux-gnu/SHA256SUMS.part
3a35961a8e1fbeb656da7d8f20ecf6465b10d7c021993e62f2f9b5cce2279199  guix-build-0fe391736b7a/output/x86_64-linux-gnu/bitcoin-0fe391736b7a-x86_64-linux-gnu-debug.tar.gz
055143cab92e45220f7d1f47557ef0bac440819aa14d5a0b20c938f2b02bccfc  guix-build-0fe391736b7a/output/x86_64-linux-gnu/bitcoin-0fe391736b7a-x86_64-linux-gnu.tar.gz
df5bf9af787b596acc312daf956288d7b28729d94252ac4cff6d3899597fb233  guix-build-0fe391736b7a/output/x86_64-w64-mingw32/SHA256SUMS.part
a563c5ab7a1968266c0329199bb5b36eb41ab7d7d28edb64f10c53408ab78dff  guix-build-0fe391736b7a/output/x86_64-w64-mingw32/bitcoin-0fe391736b7a-win64-debug.zip
002903664b3d313f7d3e371b0fcea294d4c4915a7097e8ea9aacf2bd4cf44634  guix-build-0fe391736b7a/output/x86_64-w64-mingw32/bitcoin-0fe391736b7a-win64-setup-unsigned.exe
d4d86dad7d5af60e388a9f4e3976eb16ef1fcb6f487c52cc690322029526007c  guix-build-0fe391736b7a/output/x86_64-w64-mingw32/bitcoin-0fe391736b7a-win64-unsigned.tar.gz
64bdcd052c10f78b8d59ee257293d783c917d71376a0623e53c2248c9f888bca  guix-build-0fe391736b7a/output/x86_64-w64-mingw32/bitcoin-0fe391736b7a-win64.zip

@luke-jr
Copy link
Member

luke-jr commented Jul 5, 2022

The GCC (10.3.0) and glibcs (2.24 and 2.27) we build both support configuration option for turning on hardening features by default.

But in #25437, you said the minimum was glibc 2.25...? Confused.

@fanquake
Copy link
Member Author

fanquake commented Jul 6, 2022

But in #25437, you said the minimum was glibc 2.25...? Confused.

I said 2.25 was the minimum for using --enable-stack-protector. Which we are not using, with glibc 2.24, in this PR.

@theuni
Copy link
Member

theuni commented Jul 7, 2022

Concept ACK

@fanquake fanquake mentioned this pull request Jul 8, 2022
Draft
@dongcarl
Copy link
Contributor

Concept ACK

Was able to find --enable-stack-protector=all and --enable-bind-now in gentoo's configs: https://github.com/gentoo/gentoo/blob/9fe8087634d878eeed259019bf6f3eb19ef209b8/eclass/toolchain-glibc.eclass#L789

https://github.com/gentoo/gentoo/blob/9fe8087634d878eeed259019bf6f3eb19ef209b8/eclass/toolchain-glibc.eclass#L848

The gentoo repo serve as a good resource for evaluating future build changes like this along with debian's salsa.

@DrahtBot DrahtBot mentioned this pull request Jul 19, 2022
Merged
@fanquake fanquake force-pushed the guix_toolchain_hardening branch from 0fe3917 to d340fc6 Compare July 19, 2022 17:13
@fanquake
Copy link
Member Author

Rebased for #25639. Updated builds in description.

@DrahtBot
Copy link
Contributor

Guix builds

File commit d1e4265
(master)		 commit e8a27af
(master and this pull)
SHA256SUMS.part 8e5ea9fd6444ce59... 816c7d99732d8dae...
*-aarch64-linux-gnu-debug.tar.gz 50cfddba4f8f7f4c... 83771276c1401bb7...
*-aarch64-linux-gnu.tar.gz d38da8f51bc2fba7... ec63b312b0c35b86...
*-arm-linux-gnueabihf-debug.tar.gz 31661110b6a95a26... fba421ef075c930c...
*-arm-linux-gnueabihf.tar.gz 3ec9c6638710e863... d813f94198ffcb67...
*-arm64-apple-darwin-unsigned.dmg f483e4fd1a543216... acc77ae7f1e4d1ac...
*-arm64-apple-darwin-unsigned.tar.gz 2f9373633ba249c4... cd9f39a4d75feab1...
*-arm64-apple-darwin.tar.gz efc980eabb42c674... d0d028975db5ca98...
*-powerpc64-linux-gnu-debug.tar.gz f6d65e7afe3e94f0... f8dd288b4622eaf5...
*-powerpc64-linux-gnu.tar.gz 8f698cb48b872b9e... 0bb7729ff8b31c87...
*-powerpc64le-linux-gnu-debug.tar.gz 6485d86010c9504f... 1707cfe5eec9e394...
*-powerpc64le-linux-gnu.tar.gz da064bd68c44fcce... bc65cd877fea1a87...
*-riscv64-linux-gnu-debug.tar.gz a039daaf5cdffcad... ca17d9ebef855b51...
*-riscv64-linux-gnu.tar.gz a689c50b125147da... 1442bec62f547c0e...
*-win64-debug.zip 7e2b6adde59b99a1... 21ce5d04063dbde9...
*-win64-setup-unsigned.exe edf3222bc6441028... 4631556b7bd99b41...
*-win64-unsigned.tar.gz 996af79f1ddbb4bc... 27b68b5bd364291f...
*-win64.zip 6483f3cc4f0516bf... 12c8dc89472bf492...
*-x86_64-apple-darwin-unsigned.dmg 2d1fa357f7ca4667... 05884b593f3a0677...
*-x86_64-apple-darwin-unsigned.tar.gz 8c8fb06c86aa57b6... 5f9807399774d46b...
*-x86_64-apple-darwin.tar.gz dce517bd800d7150... 578a30fdf99699fc...
*-x86_64-linux-gnu-debug.tar.gz a935341aed8b1e21... 881ce49837618035...
*-x86_64-linux-gnu.tar.gz da3ecbd2887fce7a... ddf49622deab6de6...
*.tar.gz 9d3e14e65162f284... 62cad125171e4693...
guix_build.log fdf15d3848265400... aa12000bee940995...
guix_build.log.diff 6f129dcd19220221...

@fanquake fanquake requested review from dongcarl, hebasto and theuni July 27, 2022 15:38
kwvg added a commit to kwvg/dash that referenced this pull request May 13, 2023
@kwvg
merge bitcoin#25484: enable toolchain hardening by default
476c9d4
kwvg added a commit to kwvg/dash that referenced this pull request May 13, 2023
@kwvg
merge bitcoin#25484: enable toolchain hardening by default
b0b7fe0
kwvg added a commit to kwvg/dash that referenced this pull request May 13, 2023
@kwvg
merge bitcoin#25484: enable toolchain hardening by default
8fe29b3
kwvg added a commit to kwvg/dash that referenced this pull request May 19, 2023
@kwvg
merge bitcoin#25484: enable toolchain hardening by default
9e287f8
kwvg added a commit to kwvg/dash that referenced this pull request May 31, 2023
@kwvg
merge bitcoin#25484: enable toolchain hardening by default
279de80
kwvg added a commit to kwvg/dash that referenced this pull request May 31, 2023
@kwvg
merge bitcoin#25484: enable toolchain hardening by default
9f7ae38
kwvg added a commit to kwvg/dash that referenced this pull request Jun 3, 2023
@kwvg
merge bitcoin#25484: enable toolchain hardening by default
ba287d9
kwvg added a commit to kwvg/dash that referenced this pull request Jun 6, 2023
@kwvg
merge bitcoin#25484: enable toolchain hardening by default
733f8c5
kwvg added a commit to kwvg/dash that referenced this pull request Jun 7, 2023
@kwvg
merge bitcoin#25484: enable toolchain hardening by default
2efc165
kwvg added a commit to kwvg/dash that referenced this pull request Jun 8, 2023
@kwvg
merge bitcoin#25484: enable toolchain hardening by default
eea03d2
kwvg added a commit to kwvg/dash that referenced this pull request Jun 10, 2023
@kwvg
merge bitcoin#25484: enable toolchain hardening by default
a16f6c6
kwvg added a commit to kwvg/dash that referenced this pull request Jun 11, 2023
@kwvg
merge bitcoin#25484: enable toolchain hardening by default
4dfb302
kwvg added a commit to kwvg/dash that referenced this pull request Jun 11, 2023
@kwvg
merge bitcoin#25484: enable toolchain hardening by default
bf30c17
kwvg added a commit to kwvg/dash that referenced this pull request Jun 11, 2023
@kwvg
merge bitcoin#25484: enable toolchain hardening by default
46847a5
kwvg added a commit to kwvg/dash that referenced this pull request Jun 19, 2023
@kwvg
merge bitcoin#25484: enable toolchain hardening by default
2dd90be
kwvg added a commit to kwvg/dash that referenced this pull request Jun 20, 2023
@kwvg
merge bitcoin#25484: enable toolchain hardening by default
8ebc073
kwvg added a commit to kwvg/dash that referenced this pull request Jun 20, 2023
@kwvg
merge bitcoin#25484: enable toolchain hardening by default
290ca63
kwvg added a commit to kwvg/dash that referenced this pull request Jun 20, 2023
@kwvg
merge bitcoin#25484: enable toolchain hardening by default
87a382c
kwvg added a commit to kwvg/dash that referenced this pull request Jun 20, 2023
@kwvg
merge bitcoin#25484: enable toolchain hardening by default
d74d98e
kwvg added a commit to kwvg/dash that referenced this pull request Jun 21, 2023
@kwvg
merge bitcoin#25484: enable toolchain hardening by default
992b3de
kwvg added a commit to kwvg/dash that referenced this pull request Jun 22, 2023
@kwvg
merge bitcoin#25484: enable toolchain hardening by default
8e9152b
kwvg added a commit to kwvg/dash that referenced this pull request Jun 25, 2023
@kwvg
merge bitcoin#25484: enable toolchain hardening by default
5e9badb
kwvg added a commit to kwvg/dash that referenced this pull request Jun 25, 2023
@kwvg
merge bitcoin#25484: enable toolchain hardening by default
867ebda
kwvg added a commit to kwvg/dash that referenced this pull request Jun 27, 2023
@kwvg
merge bitcoin#25484: enable toolchain hardening by default
53779d0
kwvg added a commit to kwvg/dash that referenced this pull request Jun 27, 2023
@kwvg
merge bitcoin#25484: enable toolchain hardening by default
0e0c52b
kwvg added a commit to kwvg/dash that referenced this pull request Jun 28, 2023
@kwvg
merge bitcoin#25484: enable toolchain hardening by default
60b8ea3
kwvg added a commit to kwvg/dash that referenced this pull request Jun 28, 2023
@kwvg
merge bitcoin#25484: enable toolchain hardening by default
2e3568c
PastaPastaPasta pushed a commit to kwvg/dash that referenced this pull request Jun 29, 2023
@kwvg @PastaPastaPasta
merge bitcoin#25484: enable toolchain hardening by default
205aa83
PastaPastaPasta added a commit to dashpay/dash that referenced this pull request Jun 29, 2023
@PastaPastaPasta
Merge pull request #5426 from kittywhiskers/guix_p3
bfb3f4b 
backport: merge bitcoin#25643, bitcoin#23583, bitcoin#23618, bitcoin#23603, bitcoin#23817, bitcoin#24520, bitcoin#24508, bitcoin#25639, bitcoin#26018, bitcoin#25437, bitcoin#25484, bitcoin#23585, bitcoin#24549, bitcoin#24733, bitcoin#21991, bitcoin#22526, bitcoin#25633, bitcoin#24597, bitcoin#24955, bitcoin#25099, bitcoin#24552, bitcoin#21851, bitcoin#25389, bitcoin#25357, partial bitcoin#22318 (guix backports: part 3)
@bitcoin bitcoin locked and limited conversation to collaborators Jul 30, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@hebasto hebasto hebasto approved these changes

@dongcarl dongcarl Awaiting requested review from dongcarl

@theuni theuni Awaiting requested review from theuni

Assignees
No one assigned
Labels
Build system
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@fanquake @DrahtBot @jarolrod @hebasto @laanwj @luke-jr @theuni @dongcarl