guix: build GCC with --enable-standard-branch-protection #29695
To enable Branch Target Identification Mechanism and Return Address Signing by default at configure time use the `--enable-standard-branch-protection` option. This is equivalent to having `-mbranch-protection=standard` during compilation. This can be explicitly disabled during compilation by passing the `-mbranch-protection=none` option which turns off all types of branch protections. See: https://gcc.gnu.org/install/specific.html#aarch64-x-x
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage: For detailed information about the code coverage, see the test coverage report.

Reviews: See the guideline for information on the review process. If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

Conflicts: Reviewers, this pull request conflicts with the following ones:

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.
Should we be doing something equivalent for aarch64 macOS?
To enable Branch Target Identification Mechanism and Return Address Signing by default at configure time use the `--enable-standard-branch-protection` option. This is equivalent to having `-mbranch-protection=standard` during compilation. This can be explicitly disabled during compilation by passing the `-mbranch-protection=none` option which turns off all types of branch protections. See: https://gcc.gnu.org/install/specific.html#aarch64-x-x

Github-Pull: bitcoin#29695
Rebased-From: 7850c5f
At some point, yes, however LLVM doesn't currently expose an option. The only similar option they have is
ACK 7850c5f
Guix builds (x86_64):
Similar to bitcoin#29695, and in the same vein of explicitly configuring hardening options in our release toolchain. See https://gcc.gnu.org/install/configure.html:

> Enable building target run-time libraries with control-flow instrumentation,
> see `-fcf-protection option`. When --enable-cet is specified target
> libraries are configured to add `-fcf-protection` and, if needed,
> other target specific options to a set of building options.
> `--enable-cet=auto` is default. CET is enabled on Linux/x86 if target
> binutils supports Intel CET instructions and disabled otherwise.
> In this case, the target libraries are configured to get additional
> `-fcf-protection` option.
89bf11b guix: build Linux GCC with --enable-cet (fanquake)

Pull request description:

Similar to #29695, and in the same vein of explicitly configuring hardening options in our release toolchain. See https://gcc.gnu.org/install/configure.html:

> `--enable-cet`
> Enable building target run-time libraries with control-flow instrumentation, see `-fcf-protection option`. When --enable-cet is specified target libraries are configured to add `-fcf-protection` and, if needed, other target specific options to a set of building options.
> `--enable-cet=auto` is default. CET is enabled on Linux/x86 if target binutils supports Intel CET instructions and disabled otherwise. In this case, the target libraries are configured to get additional `-fcf-protection` option.

ACKs for top commit:
TheCharlatan: ACK 89bf11b

Tree-SHA512: 772d8529713a31e5db42be4e053582bb9ba6f26079ae136c6bf8303c4992a90d61159dbb0fde7a4b4cb7b4bf5024d5397a78004e6188b36e1c36dd5e5cdc49ad
, bitcoin#28786, bitcoin#29078, bitcoin#27897, bitcoin#29651, bitcoin#29695, bitcoin#29673, bitcoin#29828, bitcoin#29846, bitcoin#30231, bitcoin#30438, partial bitcoin#30511 (guix backports: part 5)

91b7ef8 merge bitcoin#30438: build Linux GCC with --enable-cet (Kittywhiskers Van Gogh)
cfc6cba partial bitcoin#30511: GCC 12 consolidation (Kittywhiskers Van Gogh)
06f5431 merge bitcoin#30231: bump time-machine to f0bb724211872cd6158fce6162e0b8c73efed126 (Kittywhiskers Van Gogh)
5b292ee merge bitcoin#29846: replace GCC unaligned VMOV patch with binutils patch (Kittywhiskers Van Gogh)
4d1f7dc merge bitcoin#29828: remove `gcc-toolchain static` from Windows build (Kittywhiskers Van Gogh)
f321d3d merge bitcoin#29673: use GCC 11 in macOS build env (Kittywhiskers Van Gogh)
d570e2d merge bitcoin#29695: build GCC with --enable-standard-branch-protection (Kittywhiskers Van Gogh)
c965943 merge bitcoin#29651: bump time-machine to dc4842797bfdc5f9f3f5f725bf189c2b68bd6b5a (Kittywhiskers Van Gogh)
59a125a merge bitcoin#27897: use GCC 12.3.0 to build releases (Kittywhiskers Van Gogh)
a701b06 merge bitcoin#29078: Bump guix time-machine to unlock riscv64 metal (Kittywhiskers Van Gogh)
d4b10a3 merge bitcoin#28786: switch to 6.1 kernel headers over 5.15 (Kittywhiskers Van Gogh)
c371870 merge bitcoin#28580: update time-machine (Kittywhiskers Van Gogh)
d36c9b6 merge bitcoin#28759: update signapple to latest master (Kittywhiskers Van Gogh)
38c71d8 merge bitcoin#28370: remove GCC 10 workaround from NSIS (Kittywhiskers Van Gogh)

Pull request description:

## Additional Information
* Dependent on #6382
* Dependency for #6384

## Breaking Changes
None expected

## Checklist
- [x] I have performed a self-review of my own code
- [x] I have commented my code, particularly in hard-to-understand areas **(note: N/A)**
- [x] I have added or updated relevant unit/integration/functional/e2e tests **(note: N/A)**
- [x] I have made corresponding changes to the documentation **(note: N/A)**
- [x] I have assigned this pull request to a milestone _(for repository code-owners and collaborators only)_

ACKs for top commit:
UdjinM6: utACK 91b7ef8

Tree-SHA512: 0cfb436a430cf4b624a48a9928ecac9cd5c50e88e51ed04e7d1d0100968af8be1183364f035ac75153781a5e1616aa2f6fadabf0a1c03ec4b66dedea544b77ad
Summary:

```
To enable Branch Target Identification Mechanism and Return Address Signing by default at configure time use the `--enable-standard-branch-protection` option. This is equivalent to having `-mbranch-protection=standard` during compilation. This can be explicitly disabled during compilation by passing the `-mbranch-protection=none` option which turns off all types of branch protections. See: https://gcc.gnu.org/install/specific.html#aarch64-x-x
```

Backport of [[bitcoin/bitcoin#29695 | core#29695]]. Depends on D17231.

Test Plan: Run the linux guix build.

Reviewers: #bitcoin_abc, PiRK
Reviewed By: #bitcoin_abc, PiRK
Differential Revision: https://reviews.bitcoinabc.org/D17232
, bitcoin#28580, bitcoin#28786, bitcoin#29078, bitcoin#27897, bitcoin#29651, bitcoin#29695, bitcoin#29673, bitcoin#29828, bitcoin#29846, bitcoin#30231, bitcoin#30438, partial bitcoin#30511 (guix backports: part 5)" This reverts commit be97bfe, reversing changes made to f155ecf.
This is one change extracted from #24123 (which now produces fully BTI & PAC enabled bins), which will mean that everything in depends, for Guix builds, is compiled using `-mbranch-protection=standard`. Turning this on by default is similar to what we already do with `--enable-default-ssp`, `--enable-default-pie` etc. See: https://gcc.gnu.org/install/specific.html#aarch64-x-x