cmake: Add HARDENING option

hebasto · Oct 26, 2023 · 643decf · 643decf
1 parent 574d66d
commit 643decf
Showing 1 changed file with 44 additions and 0 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -53,6 +53,7 @@ cmake_dependent_option(BUILD_WALLET_TOOL "Build bitcoin-wallet tool." ON "ENABLE
 
 cmake_dependent_option(CXX20 "Enable compilation in C++20 mode." OFF "NOT MSVC" ON)
 option(THREADLOCAL "Enable features that depend on the C++ thread_local keyword (currently just thread names in debug logs)." ON)
+option(HARDENING "Attempt to harden the resulting executables." ON)
 
 tristate_option(CCACHE "Use ccache for compiling." "if ccache is found." AUTO)
 tristate_option(WITH_NATPMP "Enable NAT-PMP." "if libnatpmp is found." AUTO)
@@ -235,6 +236,48 @@ try_append_cxx_flags("-fno-extended-identifiers" TARGET core)
 # -fstack-reuse=none for all gcc builds. (Only gcc understands this flag).
 try_append_cxx_flags("-fstack-reuse=none" TARGET core)
 
+if(HARDENING)
+  add_library(hardening INTERFACE)
+  if(MSVC)
+    try_append_linker_flag("/DYNAMICBASE" TARGET hardening)
+    try_append_linker_flag("/HIGHENTROPYVA" TARGET hardening)
+    try_append_linker_flag("/NXCOMPAT" TARGET hardening)
+  else()
+    target_compile_options(hardening INTERFACE
+      $<$<NOT:$<CONFIG:Debug>>:-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3>
+    )
+
+    try_append_cxx_flags("-Wstack-protector" TARGET hardening)
+    try_append_cxx_flags("-fstack-protector-all" TARGET hardening)
+    try_append_cxx_flags("-fcf-protection=full" TARGET hardening)
+
+    if(MINGW)
+      # stack-clash-protection doesn't compile with GCC 10 and earlier.
+      # In any case, it is a no-op for Windows.
+      # See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90458 for more details.
+    else()
+      try_append_cxx_flags("-fstack-clash-protection" TARGET hardening)
+    endif()
+
+    if(CMAKE_SYSTEM_PROCESSOR STREQUAL "aarch64" OR CMAKE_SYSTEM_PROCESSOR STREQUAL "arm64")
+      try_append_cxx_flags("-mbranch-protection=bti" TARGET hardening)
+    endif()
+
+    try_append_linker_flag("-Wl,--enable-reloc-section" TARGET hardening)
+    try_append_linker_flag("-Wl,--dynamicbase" TARGET hardening)
+    try_append_linker_flag("-Wl,--nxcompat" TARGET hardening)
+    try_append_linker_flag("-Wl,--high-entropy-va" TARGET hardening)
+    try_append_linker_flag("-Wl,-z,relro" TARGET hardening)
+    try_append_linker_flag("-Wl,-z,now" TARGET hardening)
+    try_append_linker_flag("-Wl,-z,separate-code" TARGET hardening)
+    if(CMAKE_SYSTEM_NAME STREQUAL "Darwin")
+      try_append_linker_flag("-Wl,-bind_at_load" TARGET hardening)
+      try_append_linker_flag("-Wl,-fixup_chains" TARGET hardening)
+    endif()
+  endif()
+  target_link_libraries(core INTERFACE hardening)
+endif()
+
 find_package(Python3 3.9 COMPONENTS Interpreter)
 set(PYTHON_COMMAND ${Python3_EXECUTABLE})
 
@@ -290,6 +333,7 @@ message("Linker flags for executables .......... ${CMAKE_EXE_LINKER_FLAGS}")
 message("Linker flags for shared libraries ..... ${CMAKE_SHARED_LINKER_FLAGS}")
 print_config_flags()
 message("Use assembly routines ................. ${ASM}")
+message("Attempt to harden executables ......... ${HARDENING}")
 message("Use ccache for compiling .............. ${CCACHE}")
 message("\n")
 if(configure_warnings)