From 3897a131d022c29301809c3d6edfcb46e100dc21 Mon Sep 17 00:00:00 2001
From: fanquake
Date: Tue, 21 Jun 2022 20:09:47 +0100
Subject: [PATCH 1/3] guix: enable SSP for RISC-V glibc (2.27)

Pass `--enable-stack-protector=all` when building the glibc used for the RISC-V toolchain, to enable stack smashing protection on all functions, in the glibc code.
---
 contrib/guix/manifest.scm | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm
index 7471f08a2b..cd69f9bf0e 100644
--- a/contrib/guix/manifest.scm
+++ b/contrib/guix/manifest.scm
@@ -520,6 +520,9 @@ inspecting signatures in Mach-O binaries.")
 (define (make-glibc-without-werror glibc)
 (package-with-extra-configure-variable glibc "enable_werror" "no"))
 
+(define (make-glibc-with-stack-protector glibc)
+ (package-with-extra-configure-variable glibc "--enable-stack-protector" "all"))
+
 (define-public glibc-2.24
 (package
 (inherit glibc-2.31)
@@ -607,7 +610,7 @@ inspecting signatures in Mach-O binaries.")
 ((string-contains target "-linux-")
 (list (cond ((string-contains target "riscv64-")
 (make-bitcoin-cross-toolchain target
- #:base-libc (make-glibc-without-werror glibc-2.27/bitcoin-patched)))
+ #:base-libc (make-glibc-with-stack-protector (make-glibc-without-werror glibc-2.27/bitcoin-patched))))
 (else (make-bitcoin-cross-toolchain target)))))
 ((string-contains target "darwin")
From aa87879a7707d24931132c23eb94461f9f86240b Mon Sep 17 00:00:00 2001
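Review bot: `make-glibc-with-stack-protector` has no docstring, unlike `make-bitcoin-cross-toolchain` elsewhere in this file, and nothing in the code records why the wrapper is applied only to the 2.27 glibc used for riscv64 and not to the 2.24 glibc that is the default `base-libc`; as far as I recall `--enable-stack-protector` only appeared in glibc 2.25, which would explain the scope but deserves to be written down. I would add `"Return GLIBC configured with --enable-stack-protector=all (SSP on every function).  Not applicable to the 2.24 glibc, which predates this configure option."` as the definition's docstring. It is also worth a word that the two string arguments are joined into the single flag `--enable-stack-protector=all` (the commit message says so), since the call reads like a variable/value pair in the style of the existing `enable_werror` use rather than a configure switch. The same missing-docstring point applies to `make-glibc-with-bind-now` in patch 2 and `hardened-gcc` in patch 3.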
From: fanquake
Date: Mon, 27 Jun 2022 11:25:07 +0100
Subject: [PATCH 2/3] guix: pass enable-bind-now to glibc

Both glibcs we build support `--enable-bind-now`: Disable lazy binding for installed shared objects and programs. This provides additional security hardening because it enables full RELRO and a read-only global offset table (GOT), at the cost of slightly increased program load times.
See: https://www.gnu.org/software/libc/manual/html_node/Configuring-and-compiling.html
---
 contrib/guix/manifest.scm | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm
index cd69f9bf0e..1f3ab9ae65 100644
--- a/contrib/guix/manifest.scm
+++ b/contrib/guix/manifest.scm
@@ -136,7 +136,7 @@ chain for " target " development."))
 #:key
 (base-gcc-for-libc base-gcc)
 (base-kernel-headers base-linux-kernel-headers)
- (base-libc (make-glibc-without-werror glibc-2.24))
+ (base-libc (make-glibc-with-bind-now (make-glibc-without-werror glibc-2.24)))
 (base-gcc (make-gcc-rpath-link base-gcc)))
 "Convenience wrapper around MAKE-CROSS-TOOLCHAIN with default values
 desirable for building Bitcoin Core release binaries."
@@ -523,6 +523,9 @@ inspecting signatures in Mach-O binaries.")
 (define (make-glibc-with-stack-protector glibc)
 (package-with-extra-configure-variable glibc "--enable-stack-protector" "all"))
 
+(define (make-glibc-with-bind-now glibc)
+ (package-with-extra-configure-variable glibc "--enable-bind-now" "yes"))
+
 (define-public glibc-2.24
 (package
 (inherit glibc-2.31)
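Review bot: The glibc hardening chain is now spelled out in two places — here in the default for `base-libc` and again in the riscv64 branch changed by the `@@ -610,7 +613,8 @@` hunk — so the next hardening flag has to be remembered in both and can silently be missed in one. I would give the common part a name in the style of the existing helpers, `(define (hardened-glibc glibc) (make-glibc-with-bind-now (make-glibc-without-werror glibc)))`, use `(base-libc (hardened-glibc glibc-2.24))` here, and let the riscv64 branch add only its extra `make-glibc-with-stack-protector` wrapper on top. The default expression references `make-glibc-with-bind-now`, which is defined several hundred lines later in the file; that works because the default is evaluated at call time (the existing `make-glibc-without-werror` reference relies on the same thing), but a short comment near the keyword list saying so would help a reader who expects top-down order. `make-bitcoin-cross-toolchain`'s definition starts before this hunk and its body continues past it.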
@@ -610,7 +613,8 @@ inspecting signatures in Mach-O binaries.")
 ((string-contains target "-linux-")
 (list (cond ((string-contains target "riscv64-")
 (make-bitcoin-cross-toolchain target
- #:base-libc (make-glibc-with-stack-protector (make-glibc-without-werror glibc-2.27/bitcoin-patched))))
+ #:base-libc (make-glibc-with-stack-protector
+ (make-glibc-with-bind-now (make-glibc-without-werror glibc-2.27/bitcoin-patched)))))
 (else (make-bitcoin-cross-toolchain target)))))
 ((string-contains target "darwin")
From c99a1ecc52d8594b9dac4266770d8156693f35e3 Mon Sep 17 00:00:00 2001
From: fanquake
Date: Mon, 20 Jun 2022 15:30:19 +0100
Subject: [PATCH 3/3] guix: enable hardening options in GCC Build

Pass `--enable-default-pie` and `--enable-default-ssp` when configuring our GCCs. This achieves the following:
--enable-default-pie Turn on -fPIE and -pie by default.
--enable-default-ssp Turn on -fstack-protector-strong by default.
Note that this isn't a replacement for passing hardneing flags ourselves, but introduces some redundency, and there isn't really a reason to not build a more "hardenings enabled" toolchain by default.
See also: https://gcc.gnu.org/install/configure.html
---
 contrib/guix/manifest.scm | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm
index 1f3ab9ae65..f93d6e26e8 100644
--- a/contrib/guix/manifest.scm
+++ b/contrib/guix/manifest.scm
@@ -132,12 +132,19 @@ chain for " target " development."))
 (define base-gcc gcc-10)
 (define base-linux-kernel-headers linux-libre-headers-5.15)
 
+;; https://gcc.gnu.org/install/configure.html
+(define (hardened-gcc gcc)
+ (package-with-extra-configure-variable (
+ package-with-extra-configure-variable gcc
+ "--enable-default-ssp" "yes")
+ "--enable-default-pie" "yes"))
+
 (define* (make-bitcoin-cross-toolchain target
 #:key
 (base-gcc-for-libc base-gcc)
 (base-kernel-headers base-linux-kernel-headers)
 (base-libc (make-glibc-with-bind-now (make-glibc-without-werror glibc-2.24)))
- (base-gcc (make-gcc-rpath-link base-gcc)))
+ (base-gcc (make-gcc-rpath-link (hardened-gcc base-gcc))))
 "Convenience wrapper around MAKE-CROSS-TOOLCHAIN with default values
 desirable for building Bitcoin Core release binaries."
 (make-cross-toolchain target
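Review bot: `hardened-gcc` breaks the inner call between its opening parenthesis and the operator name, which is unidiomatic Scheme and hides that this is simply two nested `package-with-extra-configure-variable` calls; the URL-only comment above it also leaves what the two flags do (PIE and -fstack-protector-strong on by default, per the commit message) to the reader. I would write it as below, with a docstring in place of the bare link. Separately, `base-gcc-for-libc` still defaults to the un-wrapped `base-gcc`, so the compiler that builds glibc does not get these defaults; if that is deliberate because glibc's hardening is set through its own configure flags in patches 1 and 2, a one-line comment on that parameter would stop the next reader from "fixing" it. `make-bitcoin-cross-toolchain`'s body continues past the end of this hunk.
```scheme
;; https://gcc.gnu.org/install/configure.html
(define (hardened-gcc gcc)
  "Return GCC configured with -fPIE/-pie (--enable-default-pie) and
-fstack-protector-strong (--enable-default-ssp) enabled by default."
  (package-with-extra-configure-variable
   (package-with-extra-configure-variable gcc "--enable-default-ssp" "yes")
   "--enable-default-pie" "yes"))
```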