[POC] guix: produce a fully -static-pie bitcoind #25573

pull fanquake wants to merge 9 commits into bitcoin:master from fanquake:fully_static_bitcoind changing 5 files +109 −33
  1. fanquake commented at 4:49 pm on July 8, 2022: member

    Use Guix to produce a fully -static-pie bitcoind using GCC 13.3.0 and glibc 2.35. The binary is ~18MB stripped, and includes wallet/upnp/natpmp/zmq etc. This is currently done for x86_64-linux-gnu and aarch64-linux-gnu.

    # file bitcoind
    ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), static-pie linked, for GNU/Linux 3.2.0, stripped

    # ldd bitcoind
    statically linked


    -static-pie

    Produce a static position independent executable on targets that support it. A static position independent executable is similar to a static executable, but can be loaded at any address without a dynamic linker.

    Using glibc for static builds would be less of a leap compared to switching to musl libc (POC in #23203).

  2. fanquake added the label Build system on Jul 8, 2022
  3. fanquake marked this as a draft on Jul 8, 2022
  4. DrahtBot commented at 10:29 pm on July 8, 2022: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Code Coverage

    For detailed information about the code coverage, see the test coverage report.

    Reviews

    See the guideline for information on the review process. A summary of reviews will appear here.

    Conflicts

    Reviewers, this pull request conflicts with the following ones:

    • #25391 (guix: Use LTO to build releases by fanquake)
    • #24123 (guix: Pointer Authentication and Branch Target Identification for aarch64 Linux by fanquake)

    If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

  5. fanquake force-pushed on Jul 13, 2022
  6. fanquake commented at 5:46 pm on July 13, 2022: member
    Rebased, and made small changes to fix up the linter and improve the security/symbol checks.
  7. theuni commented at 9:00 pm on July 13, 2022: member

    This is amazing!

    Using glibc for static builds would be less of a leap compared to switching to musl libc (POC in #23203).

    Hard agree. Static musl builds would be very cool but tricky to audit for parity and thus pretty unlikely to ever become official/supported imo. This is a MUCH more palatable change.

  8. fanquake force-pushed on Jul 14, 2022
  9. fanquake commented at 10:41 am on July 14, 2022: member

    Added an additional patch to disable building various features/libs in GCC that we don’t need, i.e. libquadmath, libsanitizer, gcov, libada and native language support. This should speed up compiling GCC, and slightly reduces the size of the pthread patch. I’m not currently disabling these features via the available configure flags, because they get passed through to GMP, which cannot handle them.

    I’ve also updated -flto usage to be -flto=auto, as that seems to now be the preferred invocation, and it mitigates GCC warning output, i.e.:

    lto-wrapper: warning: using serial compilation of 84 LTRANS jobs
    lto-wrapper: note: see the '-flto' option documentation for more information


    I’ve also split the ELF PIE check into its own func, so we can special-case x86_64, and re-added the list of allowed ELF libs, but special-cased x86_64 to only pass if the list is empty.

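The two checks described in the comment above (a PIE check that is special-cased for the fully static host, and an allowed-libraries list that must be empty for it) and the `file`/`ldd` classification used throughout the thread, written out as an added example. This is not code from bitcoin/bitcoin (the project's own security-check.py and symbol-check.py use LIEF, as later comments mention); it is a small struct-based ELF64 reader. The function names, the synthetic `build_elf` images and the sample library and interpreter strings are constructed for this example and are assumptions, not values from the PR.

```python
"""Minimal ELF64 inspector (added example, not bitcoin's own security-check.py).
Answers what `file` and `ldd` answer in the thread, then applies the PIE check
per host and the allow-list of imported libraries (empty for fully static hosts)."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
DT_NULL, DT_NEEDED, DT_STRTAB, DT_FLAGS_1, DF_1_PIE = 0, 1, 5, 0x6FFFFFFB, 0x08000000
EM_X86_64, EM_AARCH64 = 62, 183
PH_FIELDS = ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")


def parse_elf(data: bytes) -> dict:
    """Read header, program headers and dynamic section of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 objects are handled")
    e_type, e_machine = struct.unpack_from("<HH", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = [dict(zip(PH_FIELDS, struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)))
             for i in range(e_phnum)]

    def to_offset(vaddr: int) -> int:
        # Translate a virtual address to a file offset through the PT_LOAD segments.
        for ph in phdrs:
            if ph["type"] == PT_LOAD and ph["vaddr"] <= vaddr < ph["vaddr"] + ph["filesz"]:
                return ph["offset"] + vaddr - ph["vaddr"]
        raise ValueError(f"vaddr {vaddr:#x} is not file-backed")

    entries, dyn = [], next((ph for ph in phdrs if ph["type"] == PT_DYNAMIC), None)
    if dyn is not None:
        pos = dyn["offset"]
        while True:  # walk the dynamic section until DT_NULL
            tag, val = struct.unpack_from("<qQ", data, pos)
            pos += 16
            if tag == DT_NULL:
                break
            entries.append((tag, val))
    strtab = next((to_offset(v) for t, v in entries if t == DT_STRTAB), None)
    needed = []
    for tag, val in entries:
        if tag == DT_NEEDED:
            if strtab is None:
                raise ValueError("DT_NEEDED without DT_STRTAB")
            needed.append(data[strtab + val:data.index(b"\0", strtab + val)].decode())
    flags_1 = next((v for t, v in entries if t == DT_FLAGS_1), 0)
    return {"type": e_type, "machine": e_machine, "needed": needed,
            "interp": any(ph["type"] == PT_INTERP for ph in phdrs),
            "df_1_pie": bool(flags_1 & DF_1_PIE)}


def classify(info: dict) -> str:
    """'static-pie' (what `file` prints as 'static-pie linked') is ET_DYN with no PT_INTERP."""
    if info["type"] == ET_DYN:
        return "dynamic-pie" if info["interp"] else "static-pie"
    return "dynamic" if info["interp"] else "static"


def check_pie(info: dict, fully_static: bool) -> bool:
    """Every host needs ET_DYN; a fully static host additionally needs no interpreter."""
    return info["type"] == ET_DYN and not (fully_static and info["interp"])


def check_needed_libs(info: dict, allowed: set) -> bool:
    """DT_NEEDED must be a subset of the allow-list; an empty list rejects any import."""
    return set(info["needed"]) <= allowed


def build_elf(e_type: int, machine: int, needed=(), interp: bytes = None, pie_flag=False) -> bytes:
    """Construct a synthetic (non-executable) ELF64 image with the given linkage properties."""
    phnum = 2 + (interp is not None)
    strtab_off = 64 + 56 * phnum  # one PT_LOAD at vaddr 0 maps the whole file identically
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in needed)
    interp_bytes = b"" if interp is None else interp + b"\0"
    dyn_off = strtab_off + len(strtab) + len(interp_bytes)
    dyn = struct.pack("<qQ", DT_STRTAB, strtab_off)
    for n in needed:
        dyn += struct.pack("<qQ", DT_NEEDED, strtab.index(n.encode() + b"\0"))
    if pie_flag:
        dyn += struct.pack("<qQ", DT_FLAGS_1, DF_1_PIE)
    dyn += struct.pack("<qQ", DT_NULL, 0)

    def phdr(ptype: int, off: int, size: int) -> bytes:
        return struct.pack("<IIQQQQQQ", ptype, 4, off, off, off, size, size, 8)

    phdrs = phdr(PT_LOAD, 0, dyn_off + len(dyn)) + phdr(PT_DYNAMIC, dyn_off, len(dyn))
    if interp is not None:
        phdrs += phdr(PT_INTERP, strtab_off + len(strtab), len(interp_bytes))
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, machine, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    return ehdr + phdrs + strtab + interp_bytes + dyn


# Constructed samples standing in for the three `file` outputs quoted in the thread.
SAMPLE_STATIC_PIE = build_elf(ET_DYN, EM_X86_64, pie_flag=True)
SAMPLE_DYNAMIC_PIE = build_elf(ET_DYN, EM_X86_64, needed=("libc.so.6", "libpthread.so.0"),
                               interp=b"/lib64/ld-linux-x86-64.so.2", pie_flag=True)
SAMPLE_STATIC_NOPIE = build_elf(ET_EXEC, EM_AARCH64)

if __name__ == "__main__":  # usage: python3 elf_static_check.py path/to/bitcoind
    with open(sys.argv[1], "rb") as f:
        info = parse_elf(f.read())
    print(classify(info), info["needed"], check_pie(info, True), check_needed_libs(info, set()))
```

Run against a real build output, the script prints the classification and the DT_NEEDED list; for the fully static hosts both checks must pass with an empty allow-list, while a host that still links dynamically passes `check_pie` only with `fully_static=False` and needs its DT_NEEDED entries listed in `allowed`.
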
  10. luke-jr commented at 5:00 pm on July 16, 2022: member
    How does this handle resolvers? eg, static glibc 2.33 applications break on systems with glibc 2.34…
  11. DrahtBot added the label Needs rebase on Jul 19, 2022
  12. fanquake force-pushed on Jul 19, 2022
  13. DrahtBot removed the label Needs rebase on Jul 19, 2022
  14. DrahtBot added the label Needs rebase on Jul 30, 2022
  15. Frank-GER commented at 4:47 pm on August 4, 2022: none

    Which OS did you build on?

    On Ubuntu 20.04 after build:

    file bitcoind
    bitcoind: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, for GNU/Linux 3.2.0, stripped

    Trying to run it, it crashes after seconds:

    addcon thread start
    Loading addresses from DNS seed dnsseed.emzy.de.
    bitcoind: dl-call-libc-early-init.c:37: _dl_call_libc_early_init: Assertion `sym != NULL' failed.
    Aborted (core dumped)

    Any ideas?

  16. fanquake commented at 8:05 am on August 5, 2022: member

    Which OS did you build on?

    The base OS shouldn’t matter, because the build is performed with Guix. However I’ve been performing these builds on Ubuntu 22.04.

    Any ideas?

    How did you actually build bitcoind? Something like HOSTS="x86_64-linux-gnu" ./contrib/guix/guix-build?

  17. fanquake force-pushed on Aug 5, 2022
  18. fanquake commented at 8:39 am on August 5, 2022: member
    Rebased on master. Added a commit to use LIEF master, which reduces the number of changes in our scripts, as support for -static-pie ELF binaries has been added: https://github.com/lief-project/LIEF/issues/747. Will switch to a new release when one is available.
  19. DrahtBot removed the label Needs rebase on Aug 5, 2022
  20. Frank-GER commented at 5:12 pm on August 5, 2022: none

    How did you actually build bitcoind? Something like HOSTS="x86_64-linux-gnu" ./contrib/guix/guix-build?

    Yes, that’s what I used to build it. https://github.com/fanquake/bitcoin/commits/fully_static_bitcoind produces the exact same problem when building on Ubuntu 20.04

  21. fanquake commented at 5:32 pm on August 5, 2022: member

    https://github.com/fanquake/bitcoin/commits/fully_static_bitcoind produces the exact same problem when building on Ubuntu 20.04

    I have just re-tested building the changes here (ef0edd55f3bc1e3f229134ec7ecac632de52eea7), and this produces a -static-pie binary as expected:

    guix-build-ef0edd55f3bc/distsrc-ef0edd55f3bc-x86_64-linux-gnu/src/bitcoind: ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), static-pie linked, for GNU/Linux 3.2.0, with debug_info, not stripped


    It’s not clear to me that you are actually running a Guix build.

  22. Frank-GER commented at 6:22 pm on August 5, 2022: none

    The build I was testing:

    ~/bitcoin/guix-build-caa066465973/distsrc-caa066465973-x86_64-linux-gnu/src$ file bitcoind
    bitcoind: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, for GNU/Linux 3.2.0, with debug_info, not stripped

    Just building again, freshly cloned at commit ef0edd5:

    export HOSTS='x86_64-linux-gnu'
    ./contrib/guix/guix-build

    $ file guix-build-ef0edd55f3bc/distsrc-ef0edd55f3bc-x86_64-linux-gnu/src/bitcoind
    guix-build-ef0edd55f3bc/distsrc-ef0edd55f3bc-x86_64-linux-gnu/src/bitcoind: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, for GNU/Linux 3.2.0, with debug_info, not stripped

    $ ldd ./guix-build-ef0edd55f3bc/distsrc-ef0edd55f3bc-x86_64-linux-gnu/src/bitcoind
    statically linked

    $ ./bitcoind
    …
    2022-08-05T19:10:46Z init message: Starting network threads…
    2022-08-05T19:10:46Z net thread start
    2022-08-05T19:10:46Z dnsseed thread start
    2022-08-05T19:10:46Z Loading addresses from DNS seed seed.bitcoinstats.com.
    2022-08-05T19:10:46Z opencon thread start
    2022-08-05T19:10:46Z msghand thread start
    2022-08-05T19:10:46Z addcon thread start
    2022-08-05T19:10:46Z init message: Done loading
    bitcoind: dl-call-libc-early-init.c:37: _dl_call_libc_early_init: Assertion `sym != NULL' failed.
    Aborted (core dumped)

    Built and run on Ubuntu 20.04; there is no other bitcoind on that OS.

  23. Frank-GER commented at 2:27 pm on August 8, 2022: none

    Building the same on Ubuntu 22.04:

    file guix-build-ef0edd55f3bc/distsrc-ef0edd55f3bc-x86_64-linux-gnu/src/bitcoind
    guix-build-ef0edd55f3bc/distsrc-ef0edd55f3bc-x86_64-linux-gnu/src/bitcoind: ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), static-pie linked, for GNU/Linux 3.2.0, with debug_info, not stripped

    ldd guix-build-ef0edd55f3bc/distsrc-ef0edd55f3bc-x86_64-linux-gnu/src/bitcoind
    statically linked

    Running it on Ubuntu 22 it works.

    Taking this bitcoind to Ubuntu 20 it shows:

    file ./bitcoind
    ./bitcoind: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, for GNU/Linux 3.2.0, with debug_info, not stripped

    and crashes with the above mentioned message:

    bitcoind: dl-call-libc-early-init.c:37: _dl_call_libc_early_init: Assertion `sym != NULL' failed.
    Aborted (core dumped)

    Checksums are the same for both builds (on Ubuntu 20 and 22). Ubuntu 20 sees it as dynamically linked, Ubuntu 22 as static-pie linked. On Ubuntu 20 it crashes, on Ubuntu 22 it works.

    Same bitcoind on Debian 10:

    file ./bitcoind
    ./bitcoind: ELF 64-bit LSB shared object, x86-64, version 1 (GNU/Linux), dynamically linked, for GNU/Linux 3.2.0, with debug_info, not stripped

    ldd ./bitcoind
    statically linked

    Gets past that point where it crashes on Ubuntu 20 and starts syncing.

  24. fanquake force-pushed on Aug 24, 2022
  25. fanquake commented at 3:34 pm on August 24, 2022: member
    Pushed a number of changes, and rebased on master. Switched from glibc 2.35 to 2.36. Added infra for aarch64 -static-pie builds. More fine-grained / logical commits. Updated to the latest version of LIEF (master).
  26. fanquake force-pushed on Sep 5, 2022
  27. fanquake force-pushed on Sep 7, 2022
  28. DrahtBot added the label Needs rebase on Sep 13, 2022
  29. fanquake force-pushed on Sep 13, 2022
  30. fanquake removed the label Needs rebase on Sep 13, 2022
  31. fanquake force-pushed on Jan 13, 2023
  32. fanquake force-pushed on Jan 25, 2023
  33. DrahtBot added the label Needs rebase on Feb 17, 2023
  34. fanquake force-pushed on Feb 17, 2023
  35. fanquake force-pushed on Feb 17, 2023
  36. fanquake commented at 11:22 am on February 17, 2023: member
    Rebased past #27029.
  37. DrahtBot removed the label Needs rebase on Feb 17, 2023
  38. DrahtBot added the label Needs rebase on Mar 27, 2023
  39. fanquake force-pushed on Mar 27, 2023
  40. DrahtBot removed the label Needs rebase on Mar 27, 2023
  41. fanquake force-pushed on May 22, 2023
  42. DrahtBot added the label CI failed on May 30, 2023
  43. DrahtBot removed the label CI failed on May 31, 2023
  44. DrahtBot added the label Needs rebase on Jun 28, 2023
  45. fanquake force-pushed on Jun 30, 2023
  46. DrahtBot removed the label Needs rebase on Jun 30, 2023
  47. fanquake renamed this:
    [POC] guix: produce a fully -static-pie x86_64 bitcoind using GCC and glibc
    [POC] guix: produce a fully `-static-pie` bitcoind
    on Jul 27, 2023
  48. DrahtBot added the label Needs rebase on Aug 22, 2023
  49. fanquake force-pushed on Aug 23, 2023
  50. DrahtBot removed the label Needs rebase on Aug 23, 2023
  51. DrahtBot added the label CI failed on Aug 23, 2023
  52. DrahtBot added the label Needs rebase on Aug 24, 2023
  53. fanquake force-pushed on Aug 24, 2023
  54. DrahtBot removed the label Needs rebase on Aug 24, 2023
  55. DrahtBot removed the label CI failed on Aug 24, 2023
  56. fanquake force-pushed on Aug 26, 2023
  57. fanquake force-pushed on Aug 27, 2023
  58. fanquake force-pushed on Sep 8, 2023
  59. DrahtBot added the label Needs rebase on Nov 13, 2023
  60. fanquake force-pushed on Nov 13, 2023
  61. DrahtBot removed the label Needs rebase on Nov 13, 2023
  62. fanquake commented at 3:37 pm on November 27, 2023: member
    GCC now has -static-pie for RISC-V: https://gcc.gnu.org/pipermail/gcc-patches/2023-October/632219.html. Looks like support in glibc will also be available soon: https://sourceware.org/pipermail/libc-alpha/2023-October/152132.html.
  63. DrahtBot added the label CI failed on Jan 14, 2024
  64. fanquake commented at 9:57 am on January 15, 2024: member
  65. DrahtBot added the label Needs rebase on Jan 16, 2024
  66. fanquake force-pushed on Jan 16, 2024
  67. DrahtBot removed the label Needs rebase on Jan 16, 2024
  68. DrahtBot removed the label CI failed on Jan 16, 2024
  69. fanquake force-pushed on Feb 16, 2024
  70. DrahtBot added the label CI failed on Feb 28, 2024
  71. DrahtBot removed the label CI failed on Mar 4, 2024
  72. DrahtBot added the label Needs rebase on Mar 14, 2024
  73. fanquake force-pushed on Mar 15, 2024
  74. fanquake commented at 5:17 pm on March 15, 2024: member
    Rebased. Simplified somewhat. Switched to GCC 13.2.0 and glibc 2.39.
  75. DrahtBot removed the label Needs rebase on Mar 15, 2024
  76. DrahtBot added the label Needs rebase on Mar 26, 2024
  77. fanquake force-pushed on Mar 26, 2024
  78. DrahtBot removed the label Needs rebase on Mar 26, 2024
  79. fanquake force-pushed on Apr 15, 2024
  80. DrahtBot added the label Needs rebase on Apr 17, 2024
  81. fanquake force-pushed on May 2, 2024
  82. DrahtBot removed the label Needs rebase on May 2, 2024
  83. DrahtBot commented at 5:22 am on May 2, 2024: contributor

    🚧 At least one of the CI tasks failed. Make sure to run all tests locally, according to the documentation.

    Possibly this is due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.

    Leave a comment here, if you need help tracking down a confusing failure.

    Debug: https://github.com/bitcoin/bitcoin/runs/24492691529

  84. DrahtBot added the label CI failed on May 2, 2024
  85. DrahtBot added the label Needs rebase on Jun 8, 2024
  86. fanquake force-pushed on Jul 1, 2024
  87. fanquake force-pushed on Jul 1, 2024
  88. DrahtBot removed the label Needs rebase on Jul 1, 2024
  89. DrahtBot removed the label CI failed on Jul 1, 2024
  90. DrahtBot added the label CI failed on Jul 15, 2024
  91. DrahtBot removed the label CI failed on Jul 20, 2024
  92. fanquake force-pushed on Jul 25, 2024
  93. DrahtBot added the label Needs rebase on Aug 28, 2024
  94. fanquake force-pushed on Aug 28, 2024
  95. DrahtBot removed the label Needs rebase on Aug 28, 2024
  96. guix: use glibc 2.33
    glibc 2.32 was the first to ship with support for branch protection when
    compiled with a compatible compiler.
    
    glibc 2.32 release notes: https://lwn.net/Articles/828210/
    
    * AArch64 now supports standard branch protection security hardening
      in glibc when it is built with a GCC that is configured with
      --enable-standard-branch-protection (or if -mbranch-protection=standard
      flag is passed when building both GCC target libraries and glibc,
      in either case a custom GCC is needed).  This includes branch target
      identification (BTI) and pointer authentication for return addresses
      (PAC-RET).  They require armv8.5-a and armv8.3-a architecture
      extensions respectively for the protection to be effective,
      otherwise the used instructions are nops.  User code can use PAC-RET
      without libc support, but BTI requires a libc that is built with BTI
      support, otherwise runtime objects linked into user code will not be
      BTI compatible.
    
    `__libc_single_threaded` added as it is now exported from at least
    `bitcoin-wallet` and `test_bitcoin`.
    c3017e3765
  97. [WIP] guix: update to bfdde6980834fe462b370ddb1ca0e42b22632090
    Currently, this causes at least the riscv64 build to fail. glibc fails to
    build with the new binutils (2.41).
    
    Package updates:
    file 5.44 -> 5.45
    (base) glibc 2.35 -> 2.39
    grep 3.8 -> 3.11
    diffutils 3.8 -> 3.10
    gawk 5.2.1 -> 5.3.0
    gzip 1.12 -> 1.13
    xz 5.2.8 -> 5.4.5
    make 4.3 -> 4.4.1
    binutils 2.38 -> 2.41
    linux-headers 6.1.106 -> 6.1.109
    
    CMake-3.30 becomes available.
    e0059b4386
  98. guix: build glibc with --enable-static-pie
    > These static PIE executables are like static executables but can be
    > loaded at any address and provide additional security hardening benefits
    > at the cost of some memory and performance.  When the library is built with
    > --enable-static-pic the resulting libc.a is usable with GCC 8 and above to
    > create static PIE executables using the GCC option '-static-pie'. This
    > feature is currently supported on i386, x86_64 and x32 with binutils
    > 2.29 or later, and on aarch64 with binutils 2.30 or later.
    
    Note that from glibc 2.35 onwards, this option is replaced with a
    `--disable-*` variant, as glibc starts defaulting to this behaviour.
    
    Note that this also does not give us `-static-pie` release binaries; that
    requires further changes.
    efcbcdd9a2
  99. guix: build glibc with --enable-static-nss 577dfae058
  100. guix: build depends without Qt
    Don't bother with anything static with Qt.
    2abaac9d86
  101. [nomerge] disable test security check
    For now, as these will need an overhaul to work with static builds.
    dd4ff4c50e
  102. guix: build x86_64-linux bitcoind fully statically
    -static-pie
    Produce a static position independent executable on targets that support it.
    A static position independent executable is similar to a static executable,
    but can be loaded at any address without a dynamic linker.
    
    See https://gcc.gnu.org/onlinedocs/gcc/Link-Options.html
    448a5921cf
  103. guix: build aarch64-linux bitcoind fully statically
    -static-pie
    Produce a static position independent executable on targets that support it.
    A static position independent executable is similar to a static executable,
    but can be loaded at any address without a dynamic linker.
    
    See https://gcc.gnu.org/onlinedocs/gcc/Link-Options.html
    60289cd0b7
  104. fanquake force-pushed on Sep 19, 2024
  105. guix: add fortified glibc 2.40 58f0bd0648

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-09-29 01:12 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me