guix: patch NSIS to remove .reloc sections from installer stubs #25788

pull fanquake wants to merge 1 commits into bitcoin:master from fanquake:fixup_windows_installer_force_aslr changing 2 files +32 −1
  1. fanquake commented at 5:48 pm on August 5, 2022: member

    With the release of binutils/ld 2.36, ld swapped to much improved default settings when producing windows binaries with mingw-w64. One of these changes was to stop stripping the .reloc section from binaries, which is required for working ASLR.

    When we switched to using a newer Guix time-machine in #23778, we began using binutils 2.37 to produce releases. Since then, our windows installer (produced with makensis) has not functioned correctly when run on a Windows system with the “Force randomization for images (Mandatory ASLR)” option enabled. Note that all of our other release binaries, which all contain .reloc sections, function fine under the same option, so it cannot be just the presence of a .reloc section that is the issue.

    The root cause of the problem is that when we compile NSIS (makensis), a number of exe installer stubs are produced at the same time, for use later when makensis is actually run. Given the new linker defaults, the stubs will contain .reloc sections, when previously they would not. It seems that this, in combination with how makensis mutates the stub when it actually builds the installer, causes the problem.

    According to upstream, https://sourceforge.net/p/nsis/bugs/1131/#abb6:

    > Looks like the problem is the very existence of the .reloc section. It’s not supposed to be there, and makensis doesn’t handle it.

    The most recent .reloc related upstream activity is in https://sourceforge.net/p/nsis/bugs/1283/, where the conclusion again seemed to be that .reloc sections are not wanted, but there hasn’t been any further follow-up.

    For now, restore pre-binutils-2.36 behaviour, by passing -Wl,--disable-reloc-section to the linker when building the installer stubs, which fixes the produced installer. The underlying issue can be further investigated in future.

    .reloc section stripping is something we’ve accounted for previously, see #18702, and related upstream discussion is in this thread: https://sourceware.org/bugzilla/show_bug.cgi?id=19011.

    Fixes #25726.

    Guix Build (x86_64):

    

    Guix Build (arm64):

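The description above turns on three PE header facts: whether a `.reloc` section exists, whether the base relocation directory is populated, and whether the ASLR-related flags are set. The following is an added example, not code from this pull request or from the project: a stand-alone header reader for checking a stub or installer. The names `aslr_report` and `sample_pe` are the example's own, and the sample image is constructed header-only data, not a real NSIS stub.

```python
import struct, sys

DYNAMIC_BASE, HIGH_ENTROPY_VA = 0x0040, 0x0020   # DllCharacteristics bits
RELOCS_STRIPPED = 0x0001                         # COFF Characteristics bit

def aslr_report(pe: bytes) -> dict:
    """Summarise the PE header fields that decide whether an image can be rebased."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]               # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    nsect, opt_size, coff_flags = struct.unpack_from("<H12xHH", pe, nt + 6)
    opt = nt + 24                                            # optional header
    dirs = opt + (112 if struct.unpack_from("<H", pe, opt)[0] == 0x20B else 96)
    dll_flags = struct.unpack_from("<H", pe, opt + 70)[0]
    n_dirs = struct.unpack_from("<I", pe, dirs - 4)[0]       # NumberOfRvaAndSizes
    table = opt + opt_size                                   # section table
    names = [pe[table + 40 * i:][:8].rstrip(b"\0") for i in range(nsect)]
    return {
        "reloc_section": b".reloc" in names,
        # data directory 5 is the base relocation table: (RVA, Size)
        "reloc_dir_size": struct.unpack_from("<I", pe, dirs + 44)[0] if n_dirs > 5 else 0,
        "dynamic_base": bool(dll_flags & DYNAMIC_BASE),
        "high_entropy_va": bool(dll_flags & HIGH_ENTROPY_VA),
        "relocs_stripped": bool(coff_flags & RELOCS_STRIPPED),
    }

def sample_pe(with_reloc: bool) -> bytes:
    """Constructed header-only PE32+ image (not a real stub) for the demo."""
    names = [b".text"] + ([b".reloc"] if with_reloc else [])
    opt = bytearray(112 + 16 * 8)                            # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 70, DYNAMIC_BASE | HIGH_ENTROPY_VA if with_reloc else 0)
    struct.pack_into("<I", opt, 108, 16)                     # NumberOfRvaAndSizes
    if with_reloc:
        struct.pack_into("<II", opt, 112 + 5 * 8, 0x2000, 0x0C)
    coff = struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, len(opt),
                       0x0022 | (0 if with_reloc else RELOCS_STRIPPED))
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)          # e_lfanew = 64
    sects = b"".join(n.ljust(8, b"\0") + bytes(32) for n in names)
    return dos + b"PE\0\0" + coff + bytes(opt) + sects

if __name__ == "__main__":
    for path in sys.argv[1:]:                                # e.g. a built installer
        print(path, aslr_report(open(path, "rb").read()))
```

Run against real files by passing their paths on the command line; comparing the report for the installer with the report for another release binary shows which header fields differ between them.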
    
  2. guix: patch NSIS to remove .reloc sections from install stubs
    With the release of binutils/ld 2.36, ld swapped to much improved
    default settings when producing windows binaries with mingw-w64. One of
    these changes was to stop stripping the .reloc section from binaries,
    which is required for working ASLR.
    
    .reloc section stripping is something we've accounted for previously,
    see #18702. The related upstream discussion is in this thread:
    https://sourceware.org/bugzilla/show_bug.cgi?id=19011.
    
    When we switched to using a newer Guix time-machine in #23778, we began
    using binutils 2.37 to produce releases. Since then, our windows
    installer (produced with makensis) has not functioned correctly when run on
    a Windows system with the "Force randomization for images (Mandatory ASLR)"
    option enabled. Note that all of our other release binaries, which all
    contain .reloc sections, function fine under the same option, so it
    cannot be just the presence of a .reloc section that is the issue.
    
    For now, restore makensis to its pre-binutils-2.36 behaviour, which
    fixes the produced installer. The underlying issue can be further
    investigated in future.
    7a0b129c41
  3. fanquake added the label Windows on Aug 5, 2022
  4. fanquake added the label Build system on Aug 5, 2022
  5. fanquake added the label DrahtBot Guix build requested on Aug 5, 2022
  6. hebasto commented at 6:13 pm on August 5, 2022: member

    Concept ACK 7a0b129c41d9fefdbc20d6d04983dd87bb8379e7.

    Tested on Windows 11 Pro 21H2 with the “Force randomization for images (Mandatory ASLR)” option being set to “On by default”.

    I can run bitcoin-7a0b129c41d9-win64-setup-unsigned.exe successfully.


    Guix builds on x86_64:

    
  7. hebasto commented at 6:23 pm on August 5, 2022: member

    > When we switched to using a newer Guix time-machine in #23778, we began using binutils 2.37 to produce releases.

    To be precise, the binutils version has been changed from 2.34 to 2.37.

    UPDATE: And the --enable-reloc-section option was available in binutils 2.34. The --disable-reloc-section has been added in binutils 2.36.

  8. achow101 commented at 6:50 pm on August 5, 2022: member

    ACK 7a0b129c41d9fefdbc20d6d04983dd87bb8379e7

    Tested on Win 10 with Forced ASLR enabled. Works as expected.

    It would be nice if our installer had functioning ASLR, but I agree that the existing issues and guidance seem to indicate that nsis installers should not have .reloc sections.

    guix build x86_64:

    
  9. hebasto approved
  10. hebasto commented at 7:14 pm on August 5, 2022: member

    ACK 7a0b129c41d9fefdbc20d6d04983dd87bb8379e7

    For anyone who wants to test the Windows installer without building it themselves, the built artifacts are available here.

  11. jarolrod commented at 7:25 pm on August 5, 2022: member

    ACK 7a0b129c41d9fefdbc20d6d04983dd87bb8379e7

    guix hashes:

    x86:

    $ env HOSTS='x86_64-w64-mingw32' ./contrib/guix/guix-build
    $ find guix-build-$(git rev-parse --short=12 HEAD)/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum

    

    arm64:

    $ env HOSTS='x86_64-w64-mingw32' ./contrib/guix/guix-build
    $ find guix-build-$(git rev-parse --short=12 HEAD)/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum

    
  12. achow101 merged this on Aug 5, 2022
  13. achow101 closed this on Aug 5, 2022

  14. fanquake deleted the branch on Aug 5, 2022
  15. sidhujag referenced this in commit ee02c42137 on Aug 6, 2022
  16. MarcoFalke removed the label DrahtBot Guix build requested on Aug 6, 2022
  17. MarcoFalke added the label Needs backport (23.x) on Aug 6, 2022
  18. fanquake referenced this in commit fc77b2a41d on Aug 7, 2022
  19. fanquake removed the label Needs backport (23.x) on Aug 7, 2022
  20. fanquake commented at 1:18 pm on August 7, 2022: member
    Backported in #25799.
  21. achow101 referenced this in commit 313ea18e5e on Aug 9, 2022
  22. bitcoin locked this on Aug 9, 2023
