guix: build GCC with --enable-standard-branch-protection

fanquake commented at 5:47 pm on March 21, 2024: member

This is one change extracted from #24123 (which now produces fully BTI & PAC enabled bins), which will mean that everything in depends, for Guix builds, is compiled using -mbranch-protection=standard.

Turning this on by default, is similar to what we already do with --enable-default-ssp, --enable-default-pie etc.

See: https://gcc.gnu.org/install/specific.html#aarch64-x-x

To enable Branch Target Identification Mechanism and Return Address Signing by default at configure time use the --enable-standard-branch-protection option.

This is equivalent to having -mbranch-protection=standard during compilation. This can be explicitly disabled during compilation by passing the -mbranch-protection=none option which turns off all types of branch protections.

guix: build GCC with --enable-standard-branch-protection

To enable Branch Target Identification Mechanism and Return
Address Signing by default at configure time use the
`--enable-standard-branch-protection` option.

This is equivalent to having `-mbranch-protection=standard` during
compilation. This can be explicitly disabled during compilation
by passing the `-mbranch-protection=none` option which turns off
all types of branch protections.

See:
https://gcc.gnu.org/install/specific.html#aarch64-x-x

7850c5fe20

DrahtBot commented at 5:47 pm on March 21, 2024: contributor

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage

For detailed information about the code coverage, see the test coverage report.

Reviews

See the guideline for information on the review process.

Type	Reviewers
ACK	TheCharlatan

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

Conflicts

Reviewers, this pull request conflicts with the following ones:

#25573 ([POC] guix: produce a fully -static-pie bitcoind by fanquake)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

DrahtBot added the label Build system on Mar 21, 2024

fanquake removed the label Build system on Mar 21, 2024

fanquake added the label DrahtBot Guix build requested on Mar 21, 2024

DrahtBot commented at 9:47 am on March 22, 2024: contributor

Guix builds (on x86_64)

File	commit 71b63195b30b2fa0dff20ebb262ce7566dd5d673(master)	commit 6fc349bf24583fef1ffb9608b5da23fae939f3f3(master and this pull)
SHA256SUMS.part	`1cdc22a31854ed81...`	`7085b6c234b38b1d...`
*-aarch64-linux-gnu-debug.tar.gz	`54dd76b28f491aa8...`	`2bed271c8a747be8...`
*-aarch64-linux-gnu.tar.gz	`13d4fa3736a4837d...`	`e7c6b4939a79e83f...`
*-arm-linux-gnueabihf-debug.tar.gz	`e2a6c55998b503ab...`	`06bf4956de1c32b3...`
*-arm-linux-gnueabihf.tar.gz	`caf877e6db3ec059...`	`af509dcce588145c...`
*-arm64-apple-darwin-unsigned.tar.gz	`139218bb905ae7b6...`	`4dcd142abd2c59a2...`
*-arm64-apple-darwin-unsigned.zip	`7c09957bf597e302...`	`6181b7c0af3c213b...`
*-arm64-apple-darwin.tar.gz	`96fce3c0cc471909...`	`7255822618b591ed...`
*-powerpc64-linux-gnu-debug.tar.gz	`428f95cf25bc5755...`	`3c23f4e94a20d28a...`
*-powerpc64-linux-gnu.tar.gz	`4454c9f9a063cb61...`	`f88a5035a8e99ad3...`
*-riscv64-linux-gnu-debug.tar.gz	`1e1bac4314f8a994...`	`55a17e7e5bde03ed...`
*-riscv64-linux-gnu.tar.gz	`875c78e9e639f0d1...`	`c4c057f6e9d817a0...`
*-x86_64-apple-darwin-unsigned.tar.gz	`cb9f2e783524199b...`	`3d33f1bc936d1d45...`
*-x86_64-apple-darwin-unsigned.zip	`153d949b0b0a67c2...`	`77e9db1ce1ad5373...`
*-x86_64-apple-darwin.tar.gz	`9cb4429dc3da2d07...`	`77d6cb8d124ddbc7...`
*-x86_64-linux-gnu-debug.tar.gz	`d1724213872f8312...`	`387cd105335fe32f...`
*-x86_64-linux-gnu.tar.gz	`3d4c9539b9d228bf...`	`adbac5634d2a98ac...`
*.tar.gz	`5300e8d2c2b06535...`	`1c6ea57a7f246446...`
guix_build.log	`a83f0a774d5bb17e...`	`50629320ecf0b723...`
guix_build.log.diff		`0b946269098d5eb3...`

DrahtBot removed the label DrahtBot Guix build requested on Mar 22, 2024

DrahtBot added the label Build system on Mar 22, 2024

luke-jr commented at 3:18 am on March 23, 2024: member

Should we be doing something equivalent for aarch64 macOS?

luke-jr referenced this in commit 6a8fa8f26c on Mar 23, 2024

fanquake commented at 11:03 am on March 25, 2024: member

Should we be doing something equivalent for aarch64 macOS?

At some point, yes, however LLVM doesn’t currently expose an option. The only similar option they have is CLANG_DEFAULT_PIE_ON_LINUX (which now defaults to ON in any case). I’ll investigate other ways of doing this.

TheCharlatan approved

TheCharlatan commented at 12:30 pm on March 26, 2024: contributor

ACK 7850c5fe20a034438e00f6c12ce51efc6af3a1aa

Guix builds (x86_64):

 0d3ad84d8d57c54a75bfc884556c923349d39e310f1a542372b4f1c020c9d3c88  guix-build-7850c5fe20a0/output/aarch64-linux-gnu/SHA256SUMS.part
 149023f19ee8328b04ecdc5441bf9a5d65d18817424e106b39a7d9eb7b0c35253  guix-build-7850c5fe20a0/output/aarch64-linux-gnu/bitcoin-7850c5fe20a0-aarch64-linux-gnu-debug.tar.gz
 220e183a31709df55d0e1566d80819927552e3a0a6d8c6007e0c1b270d4830312  guix-build-7850c5fe20a0/output/aarch64-linux-gnu/bitcoin-7850c5fe20a0-aarch64-linux-gnu.tar.gz
 3057f307e8c491f4bd4ca2f6de53a4414f89d39e26ce2214a112c470e91bff0e6  guix-build-7850c5fe20a0/output/arm-linux-gnueabihf/SHA256SUMS.part
 4cd1c78b5949da16f66555ec2e839f885ad762656da3cd0d307697215c66a435e  guix-build-7850c5fe20a0/output/arm-linux-gnueabihf/bitcoin-7850c5fe20a0-arm-linux-gnueabihf-debug.tar.gz
 50086ea9df1d980ebe66244ac1d942f8325bea3d7fb55faae98b00f35bd1fc002  guix-build-7850c5fe20a0/output/arm-linux-gnueabihf/bitcoin-7850c5fe20a0-arm-linux-gnueabihf.tar.gz
 6b371b725f2db198460dd261282e547fd804ae1ec97fd15ea6e695034e6dc35d8  guix-build-7850c5fe20a0/output/arm64-apple-darwin/SHA256SUMS.part
 73e5c032eb8570fa88e418b11df763ce0dd65ff10e8bc97a676d08236457335c6  guix-build-7850c5fe20a0/output/arm64-apple-darwin/bitcoin-7850c5fe20a0-arm64-apple-darwin-unsigned.tar.gz
 8d19c1bd5a28f36e73f04dc8df2d5645839065346a067eb38a636e66b89c78f57  guix-build-7850c5fe20a0/output/arm64-apple-darwin/bitcoin-7850c5fe20a0-arm64-apple-darwin-unsigned.zip
 9d18cf0a8fd66f091cdd99d7383bc87e52840c7488b02f45bcb422bb6bb5d31b2  guix-build-7850c5fe20a0/output/arm64-apple-darwin/bitcoin-7850c5fe20a0-arm64-apple-darwin.tar.gz
103433ae9ccc2b0d60877eca95348119cc0c56a87a9cc8b787add3088f74da1170  guix-build-7850c5fe20a0/output/dist-archive/bitcoin-7850c5fe20a0.tar.gz
113f53dd696a7328c8d5e28d5a704667606429e1f54ff1c3e22b3a391adf1f7552  guix-build-7850c5fe20a0/output/powerpc64-linux-gnu/SHA256SUMS.part
12efb5d16266dc64e93f6a9836bb5d2136a8c7ac95c724fadca2aa2c91f21b5199  guix-build-7850c5fe20a0/output/powerpc64-linux-gnu/bitcoin-7850c5fe20a0-powerpc64-linux-gnu-debug.tar.gz
13be36c1593528fe1223f70adea4c63da4b87084b7dcdbcdd914aaacec172d6ef3  guix-build-7850c5fe20a0/output/powerpc64-linux-gnu/bitcoin-7850c5fe20a0-powerpc64-linux-gnu.tar.gz
14a778522de796682ca256475114e2afc70a47b9976507c2a77e09734f5378d6de  guix-build-7850c5fe20a0/output/riscv64-linux-gnu/SHA256SUMS.part
15e05b8e6a95be43797cbc333ae625328a145ddaa7d6e5d851c05a04b481b22274  guix-build-7850c5fe20a0/output/riscv64-linux-gnu/bitcoin-7850c5fe20a0-riscv64-linux-gnu-debug.tar.gz
161a231d05c0c298db6c97f603a9da8f8c12b48bc02ad443d54d4b51ff74cbaf4d  guix-build-7850c5fe20a0/output/riscv64-linux-gnu/bitcoin-7850c5fe20a0-riscv64-linux-gnu.tar.gz
17756724554699940152c59884dc578f2fcf631e4912cdf31cde71efe2699fa7f4  guix-build-7850c5fe20a0/output/x86_64-apple-darwin/SHA256SUMS.part
1890ab8c1909e82777b3650f1cd700fb4e04605b153917096ca5392b13092ce647  guix-build-7850c5fe20a0/output/x86_64-apple-darwin/bitcoin-7850c5fe20a0-x86_64-apple-darwin-unsigned.tar.gz
190329d6eaa17aeb75f7d298df296c291a3b7bc82681885e741dc25dde0cb5a02d  guix-build-7850c5fe20a0/output/x86_64-apple-darwin/bitcoin-7850c5fe20a0-x86_64-apple-darwin-unsigned.zip
2051d37083936ec39eb087fd1f9c2584dbf9fc43041210b02e9b0ecb73850e8056  guix-build-7850c5fe20a0/output/x86_64-apple-darwin/bitcoin-7850c5fe20a0-x86_64-apple-darwin.tar.gz
2178828fd43e435ebe9259bc7e02069183b38d3697fff52243241223d01956faf3  guix-build-7850c5fe20a0/output/x86_64-linux-gnu/SHA256SUMS.part
221fc1697ba9cba113b808201392f8341e5b1b74e16d3a5e3cf769df193ccebc38  guix-build-7850c5fe20a0/output/x86_64-linux-gnu/bitcoin-7850c5fe20a0-x86_64-linux-gnu-debug.tar.gz
235d6cb51e3f4a04b919f8f63d83bbf344e6ec9f79ed4d5dde28ff3f79e94ffc35  guix-build-7850c5fe20a0/output/x86_64-linux-gnu/bitcoin-7850c5fe20a0-x86_64-linux-gnu.tar.gz
240d8641977c211df7d37e218858045aa92a51721b2094559594ff2b66088abd83  guix-build-7850c5fe20a0/output/x86_64-w64-mingw32/SHA256SUMS.part
2552afe467be4bdbfa514000a1c1e0310a10c506841b624621a069d146c7636611  guix-build-7850c5fe20a0/output/x86_64-w64-mingw32/bitcoin-7850c5fe20a0-win64-debug.zip
26e4eacaa80ec45c2bc60d5ae854088e82201823d7c7f62d8e79524e5527a5ba9b  guix-build-7850c5fe20a0/output/x86_64-w64-mingw32/bitcoin-7850c5fe20a0-win64-setup-unsigned.exe
27985ee4d1a876b5127841beafa3f73c93cf8ae5b3cab45f334e3c097b68823e98  guix-build-7850c5fe20a0/output/x86_64-w64-mingw32/bitcoin-7850c5fe20a0-win64-unsigned.tar.gz
286d6772a2f4fb35b21610b4ecd0a29f8b0395ebfe059e4216546aa8859d801535  guix-build-7850c5fe20a0/output/x86_64-w64-mingw32/bitcoin-7850c5fe20a0-win64.zip

fanquake merged this on Mar 26, 2024

fanquake closed this on Mar 26, 2024

fanquake deleted the branch on Mar 26, 2024

guix: build GCC with –enable-standard-branch-protection #29695

Code Coverage

Reviews

Conflicts

Guix builds (on x86_64)