Merge bitcoin/bitcoin#21889: macho: check for control flow instrumentation

42b589d18fed5e2b3cb6ac9937e3333619967a6c scripts: test for MACHO control flow instrumentation (fanquake) 469a5bc4fa74d70556cce454efbc38fb7945acd8 build: build Boost with -fcf-protection when targeting Darwin (fanquake) Pull request description: Addresses the macOS portion of #21888. Build Boost with `-fcf-protection` when targeting Darwin. This should be ok, because our cross-compiler (Clang 10) supports the option, and I'd expect all versions of Apple Clang being used to compile Core would also support it. Building Boost with this option is required so that the `main` provided to `test_bitcoin` has instrumentation. Note that the presence of instrumentation does not mean it will be used, as that is determined at runtime by the CPU. From the Intel control flow enforcement documentation: > The ENDBR32 and ENDBR64 instructions will have the same effect as the NOP instruction on Intel 64 processors that do not support CET. On processors supporting CET, these instructions do not change register or flag state. This allows CET instrumented programs to execute on processors that do not support CET. Even when CET is supported and enabled, these NOP–like instructions do not affect the execution state of the program, do not cause any additional register pressure, and are minimally intrusive from power and performance perspectives. Follow up from #21135. Guix builds: ```bash 663df8471400f06d4da739e39a886aa17f56a36d66e0ff7cc290686294ef39c9 guix-build-42b589d18fed/output/dist-archive/bitcoin-42b589d18fed.tar.gz 45e841661e1659a634468b6f8c9fb0a7956c31ba296f1fd0c02cd880736d6127 guix-build-42b589d18fed/output/x86_64-apple-darwin18/bitcoin-42b589d18fed-osx-unsigned.dmg 0ea85c99fef35429a5048fa14850bce6b900eaa887aeea419b019852f8d2be78 guix-build-42b589d18fed/output/x86_64-apple-darwin18/bitcoin-42b589d18fed-osx-unsigned.tar.gz 85857a5a4a5d4d3a172d6c361c12c4a94f6505fc12b527ea63b75bfe54ee1001 guix-build-42b589d18fed/output/x86_64-apple-darwin18/bitcoin-42b589d18fed-osx64.tar.gz ``` Gitian builds: ```bash # macOS: bdfd677a6b88273a741b433e1e7f554af50cc76b3342d44ab0c441e2b40efc96 bitcoin-42b589d18fed-osx-unsigned.dmg f3b2d09f3bea7a5cc489b02e8e53dd76a9922338500fae79cad0506655af56f9 bitcoin-42b589d18fed-osx-unsigned.tar.gz 29d5ad5e46bc9fb0056922a8b47c026e5e9f71e6cf447203b74644587d6fb6f7 bitcoin-42b589d18fed-osx64.tar.gz 663df8471400f06d4da739e39a886aa17f56a36d66e0ff7cc290686294ef39c9 src/bitcoin-42b589d18fed.tar.gz 366f8d7a2fc1f3e22cb1018043099126a71ce65380cc27b1c3280cce42d06c98 bitcoin-core-osx-22-res.yml ``` ACKs for top commit: laanwj: Code review ACK 42b589d18fed5e2b3cb6ac9937e3333619967a6c Tree-SHA512: 12cb8d462d64d845b9fe48c5c6978892adff8bf5b5572bb29f35df1f6176e47b32a68bcb6e4883c7d9454e76e8868851005a7325916852a2d0d32659ac7dae3f
author: W. J. van der Laan <laanwj@protonmail.com> 2021-05-14 12:17:42 +0200
committer: W. J. van der Laan <laanwj@protonmail.com> 2021-05-14 12:26:38 +0200
commit: ecf5f2c1a06edd8372402872525f8de1d4277453 (patch)
tree: 66d8bb7a83a02a34545adf91fe3f3ca69db90da3
parent: b82c3a0075db7a701bc7ae118070b65f05fc187d (diff)
parent: 42b589d18fed5e2b3cb6ac9937e3333619967a6c (diff)
download: bitcoin-ecf5f2c1a06edd8372402872525f8de1d4277453.tar.xz
3 files changed, 23 insertions, 6 deletions
diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py
index b6628c2ad5..0b59d8eada 100755
--- a/contrib/devtools/security-check.py
+++ b/contrib/devtools/security-check.py
@@ -188,6 +188,19 @@ def check_NX(executable) -> bool:
     binary = lief.parse(executable)
     return binary.has_nx
 
+def check_control_flow(executable) -> bool:
+    '''
+    Check for control flow instrumentation
+    '''
+    binary = lief.parse(executable)
+
+    content = binary.get_content_from_virtual_address(binary.entrypoint, 4, lief.Binary.VA_TYPES.AUTO)
+
+    if content == [243, 15, 30, 250]: # endbr64
+        return True
+    return False
+
+
 CHECKS = {
 'ELF': [
     ('PIE', check_ELF_PIE),
@@ -208,7 +221,8 @@ CHECKS = {
     ('NOUNDEFS', check_MACHO_NOUNDEFS),
     ('NX', check_NX),
     ('LAZY_BINDINGS', check_MACHO_LAZY_BINDINGS),
-    ('Canary', check_MACHO_Canary)
+    ('Canary', check_MACHO_Canary),
+    ('CONTROL_FLOW', check_control_flow),
 ]
 }
 
diff --git a/contrib/devtools/test-security-check.py b/contrib/devtools/test-security-check.py
index 28b5f57489..c079fe5b4d 100755
--- a/contrib/devtools/test-security-check.py
+++ b/contrib/devtools/test-security-check.py
@@ -77,16 +77,18 @@ class TestSecurityChecks(unittest.TestCase):
         write_testcode(source)
 
         self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fno-stack-protector']),
-            (1, executable+': failed PIE NOUNDEFS NX LAZY_BINDINGS Canary'))
+            (1, executable+': failed PIE NOUNDEFS NX LAZY_BINDINGS Canary CONTROL_FLOW'))
         self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fstack-protector-all']),
-            (1, executable+': failed PIE NOUNDEFS NX LAZY_BINDINGS'))
+            (1, executable+': failed PIE NOUNDEFS NX LAZY_BINDINGS CONTROL_FLOW'))
         self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-fstack-protector-all']),
-            (1, executable+': failed PIE NOUNDEFS LAZY_BINDINGS'))
+            (1, executable+': failed PIE NOUNDEFS LAZY_BINDINGS CONTROL_FLOW'))
         self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all']),
-            (1, executable+': failed PIE LAZY_BINDINGS'))
+            (1, executable+': failed PIE LAZY_BINDINGS CONTROL_FLOW'))
         self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-bind_at_load','-fstack-protector-all']),
+            (1, executable+': failed PIE CONTROL_FLOW'))
+        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-bind_at_load','-fstack-protector-all', '-fcf-protection=full']),
             (1, executable+': failed PIE'))
-        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-pie','-Wl,-bind_at_load','-fstack-protector-all']),
+        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-pie','-Wl,-bind_at_load','-fstack-protector-all', '-fcf-protection=full']),
             (0, ''))
 
         clean_files(source, executable)
diff --git a/depends/packages/boost.mk b/depends/packages/boost.mk
index 0800c63dfc..6b3b293140 100644
--- a/depends/packages/boost.mk
+++ b/depends/packages/boost.mk
@@ -26,6 +26,7 @@ $(package)_config_libraries=filesystem,system,test
 $(package)_cxxflags=-std=c++17 -fvisibility=hidden
 $(package)_cxxflags_linux=-fPIC
 $(package)_cxxflags_android=-fPIC
+$(package)_cxxflags_darwin=-fcf-protection=full
 endef
 
 define $(package)_preprocess_cmds
author	W. J. van der Laan <laanwj@protonmail.com>	2021-05-14 12:17:42 +0200
committer	W. J. van der Laan <laanwj@protonmail.com>	2021-05-14 12:26:38 +0200
commit	ecf5f2c1a06edd8372402872525f8de1d4277453 (patch)
tree	66d8bb7a83a02a34545adf91fe3f3ca69db90da3
parent	b82c3a0075db7a701bc7ae118070b65f05fc187d (diff)
parent	42b589d18fed5e2b3cb6ac9937e3333619967a6c (diff)
download	bitcoin-ecf5f2c1a06edd8372402872525f8de1d4277453.tar.xz