phantom/bitcoin
1
0
Fork 0
mirror of https://github.com/bitcoin/bitcoin.git synced 2025-04-29 14:59:39 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

build: Drop option for disabling hardening

Browse source 
Building unhardened executables is not a supported use case that should
be maintained and those that want unhardened executables can still
override them by appending disable flags.

For example:

cmake -B build -DAPPEND_CPPFLAGS='-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=0 -fno-stack-protector -fcf-protection=none -fno-stack-clash-protection' -DAPPEND_LDFLAGS='-Wl,-z,lazy -Wl,-z,norelro -Wl,-z,noseparate-code'
This commit is contained in:
David Gumberg 2025-03-14 10:35:17 -07:00
parent f57db75e91
commit 00ba3ba303
2 changed files with 59 additions and 64 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

122
CMakeLists.txt
View file

@ -128,7 +128,6 @@ if(WITH_BDB)
endif()
cmake_dependent_option(BUILD_WALLET_TOOL "Build bitcoin-wallet tool." ${BUILD_TESTS} "ENABLE_WALLET" OFF)
option(ENABLE_HARDENING "Attempt to harden the resulting executables." ON)
option(REDUCE_EXPORTS "Attempt to reduce exported symbols in the resulting executables." OFF)
option(WERROR "Treat compiler warnings as errors." OFF)
option(WITH_CCACHE "Attempt to use ccache for compiling." ON)
@ -481,75 +480,73 @@ try_append_cxx_flags("-fmacro-prefix-map=A=B" TARGET core_interface SKIP_LINK
# -fstack-reuse=none for all gcc builds. (Only gcc understands this flag).
try_append_cxx_flags("-fstack-reuse=none" TARGET core_interface)
if(ENABLE_HARDENING)
add_library(hardening_interface INTERFACE)
target_link_libraries(core_interface INTERFACE hardening_interface)
if(MSVC)
try_append_linker_flag("/DYNAMICBASE" TARGET hardening_interface)
try_append_linker_flag("/HIGHENTROPYVA" TARGET hardening_interface)
try_append_linker_flag("/NXCOMPAT" TARGET hardening_interface)
else()
add_library(hardening_interface INTERFACE)
target_link_libraries(core_interface INTERFACE hardening_interface)
if(MSVC)
try_append_linker_flag("/DYNAMICBASE" TARGET hardening_interface)
try_append_linker_flag("/HIGHENTROPYVA" TARGET hardening_interface)
try_append_linker_flag("/NXCOMPAT" TARGET hardening_interface)
else()
# _FORTIFY_SOURCE requires that there is some level of optimization,
# otherwise it does nothing and just creates a compiler warning.
try_append_cxx_flags("-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3"
RESULT_VAR cxx_supports_fortify_source
SOURCE "int main() {
# if !defined __OPTIMIZE__ || __OPTIMIZE__ <= 0
#error
#endif
}"
# _FORTIFY_SOURCE requires that there is some level of optimization,
# otherwise it does nothing and just creates a compiler warning.
try_append_cxx_flags("-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3"
RESULT_VAR cxx_supports_fortify_source
SOURCE "int main() {
# if !defined __OPTIMIZE__ || __OPTIMIZE__ <= 0
#error
#endif
}"
)
if(cxx_supports_fortify_source)
target_compile_options(hardening_interface INTERFACE
-U_FORTIFY_SOURCE
-D_FORTIFY_SOURCE=3
)
if(cxx_supports_fortify_source)
target_compile_options(hardening_interface INTERFACE
-U_FORTIFY_SOURCE
-D_FORTIFY_SOURCE=3
)
endif()
unset(cxx_supports_fortify_source)
endif()
unset(cxx_supports_fortify_source)
try_append_cxx_flags("-Wstack-protector" TARGET hardening_interface SKIP_LINK)
try_append_cxx_flags("-fstack-protector-all" TARGET hardening_interface)
try_append_cxx_flags("-fcf-protection=full" TARGET hardening_interface)
try_append_cxx_flags("-Wstack-protector" TARGET hardening_interface SKIP_LINK)
try_append_cxx_flags("-fstack-protector-all" TARGET hardening_interface)
try_append_cxx_flags("-fcf-protection=full" TARGET hardening_interface)
if(MINGW)
# stack-clash-protection is a no-op for Windows.
# See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90458 for more details.
else()
try_append_cxx_flags("-fstack-clash-protection" TARGET hardening_interface)
endif()
if(MINGW)
# stack-clash-protection is a no-op for Windows.
# See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90458 for more details.
else()
try_append_cxx_flags("-fstack-clash-protection" TARGET hardening_interface)
endif()
if(CMAKE_SYSTEM_PROCESSOR STREQUAL "aarch64" OR CMAKE_SYSTEM_PROCESSOR STREQUAL "arm64")
if(CMAKE_SYSTEM_NAME STREQUAL "Darwin")
try_append_cxx_flags("-mbranch-protection=bti" TARGET hardening_interface SKIP_LINK)
else()
try_append_cxx_flags("-mbranch-protection=standard" TARGET hardening_interface SKIP_LINK)
endif()
endif()
try_append_linker_flag("-Wl,--enable-reloc-section" TARGET hardening_interface)
try_append_linker_flag("-Wl,--dynamicbase" TARGET hardening_interface)
try_append_linker_flag("-Wl,--nxcompat" TARGET hardening_interface)
try_append_linker_flag("-Wl,--high-entropy-va" TARGET hardening_interface)
try_append_linker_flag("-Wl,-z,relro" TARGET hardening_interface)
try_append_linker_flag("-Wl,-z,now" TARGET hardening_interface)
# TODO: This can be dropped once Bitcoin Core no longer supports
# NetBSD 10.0 or if upstream fix is backported.
# NetBSD's dynamic linker ld.elf_so < 11.0 supports exactly 2
# `PT_LOAD` segments and binaries linked with `-z separate-code`
# have 4 `PT_LOAD` segments.
# Relevant discussions:
# - https://github.com/bitcoin/bitcoin/pull/28724#issuecomment-2589347934
# - https://mail-index.netbsd.org/tech-userlevel/2023/01/05/msg013666.html
if(CMAKE_SYSTEM_NAME STREQUAL "NetBSD" AND CMAKE_SYSTEM_VERSION VERSION_LESS 11.0)
try_append_linker_flag("-Wl,-z,noseparate-code" TARGET hardening_interface)
else()
try_append_linker_flag("-Wl,-z,separate-code" TARGET hardening_interface)
endif()
if(CMAKE_SYSTEM_PROCESSOR STREQUAL "aarch64" OR CMAKE_SYSTEM_PROCESSOR STREQUAL "arm64")
if(CMAKE_SYSTEM_NAME STREQUAL "Darwin")
try_append_linker_flag("-Wl,-fixup_chains" TARGET hardening_interface)
try_append_cxx_flags("-mbranch-protection=bti" TARGET hardening_interface SKIP_LINK)
else()
try_append_cxx_flags("-mbranch-protection=standard" TARGET hardening_interface SKIP_LINK)
endif()
endif()
try_append_linker_flag("-Wl,--enable-reloc-section" TARGET hardening_interface)
try_append_linker_flag("-Wl,--dynamicbase" TARGET hardening_interface)
try_append_linker_flag("-Wl,--nxcompat" TARGET hardening_interface)
try_append_linker_flag("-Wl,--high-entropy-va" TARGET hardening_interface)
try_append_linker_flag("-Wl,-z,relro" TARGET hardening_interface)
try_append_linker_flag("-Wl,-z,now" TARGET hardening_interface)
# TODO: This can be dropped once Bitcoin Core no longer supports
# NetBSD 10.0 or if upstream fix is backported.
# NetBSD's dynamic linker ld.elf_so < 11.0 supports exactly 2
# `PT_LOAD` segments and binaries linked with `-z separate-code`
# have 4 `PT_LOAD` segments.
# Relevant discussions:
# - https://github.com/bitcoin/bitcoin/pull/28724#issuecomment-2589347934
# - https://mail-index.netbsd.org/tech-userlevel/2023/01/05/msg013666.html
if(CMAKE_SYSTEM_NAME STREQUAL "NetBSD" AND CMAKE_SYSTEM_VERSION VERSION_LESS 11.0)
try_append_linker_flag("-Wl,-z,noseparate-code" TARGET hardening_interface)
else()
try_append_linker_flag("-Wl,-z,separate-code" TARGET hardening_interface)
endif()
if(CMAKE_SYSTEM_NAME STREQUAL "Darwin")
try_append_linker_flag("-Wl,-fixup_chains" TARGET hardening_interface)
endif()
endif()
if(REDUCE_EXPORTS)
@ -684,7 +681,6 @@ message("Cross compiling ....................... ${cross_status}")
message("C++ compiler .......................... ${CMAKE_CXX_COMPILER_ID} ${CMAKE_CXX_COMPILER_VERSION}, ${CMAKE_CXX_COMPILER}")
include(FlagsSummary)
flags_summary()
message("Attempt to harden executables ......... ${ENABLE_HARDENING}")
message("Treat compiler warnings as errors ..... ${WERROR}")
message("Use ccache for compiling .............. ${WITH_CCACHE}")
message("\n")

1
CMakePresets.json
View file

@ -77,7 +77,6 @@
"BUILD_UTIL_CHAINSTATE": "ON",
"BUILD_WALLET_TOOL": "ON",
"ENABLE_EXTERNAL_SIGNER": "ON",
"ENABLE_HARDENING": "ON",
"ENABLE_WALLET": "ON",
"WARN_INCOMPATIBLE_BDB": "OFF",
"WITH_BDB": "ON",