Merge bitcoin/bitcoin#22381: guix: Test security-check sanity before performing them (with macOS)

5b4703c6a70db2fa72fcace56a15db07d4b0acf1 guix: Test security-check sanity before performing them (Carl Dong)
6cf3345297d371b4785d80d54e802b52ff09e8c2 scripts: adjust test-symbol-check for guix release environment (fanquake)
1946b5f77cb5a6bb37500252079c3582cac4a6c9 scripts: more robustly test macOS symbol checks (fanquake)
a8127b34bce3597b8091e14057c926197966a234 build: Use and test PE binutils with --reloc-section (Carl Dong)
678348db515c770c4dddfac512cdd97be11d407d guix: Patch binutils to add security-related disable flags (Carl Dong)
9fdc8afe117b7b1ea845f8acae9e831922b8f92b devtools: Improve *-check.py tool detection (Carl Dong)
bda62eab38c5dd74e222eddedbca19ace9df6daa ci: skip running the Linux test-security-check target for now (fanquake)
d6ef3543ae16847d5a91fa9271acee9bd2164b32 lint: Run mypy with --show-error-codes (Carl Dong)

Pull request description:

  This is #20980 rebased (to include the Boost Process fix), and with an additional commit (892d6897f1e613084aa0517a660eab2412308e6e) to fix running the `test-security-check` target for the macOS build. It should pass inside Guix, as well as when cross-compiling on Ubuntu, or building natively on macOS.

  Note that the `test-security-check` may output some warnings (similar too):
  ```bash
  ld: warning: passed two min versions (10.14, 11.4) for platform macOS. Using 11.4.
  ld: warning: passed two min versions (10.14, 11.4) for platform macOS. Using 11.4.
  ld: warning: passed two min versions (10.14, 10.14) for platform macOS. Using 10.14.
  ```
  but those can be ignored, and come about due to us passing `-platform_version` when `-mmacosx-version-min` is already part of `CC`.

  Guix builds:
  ```bash
  71ed0c7a13a4726300779ffc87f7d271086a2744c36896fe6dc51fe3dc33df2e  guix-build-5b4703c6a70d/output/aarch64-linux-gnu/SHA256SUMS.part
  9273980a17052c8ec45b77579781c14ab5d189fa25aa29907d5115513dd302b1  guix-build-5b4703c6a70d/output/aarch64-linux-gnu/bitcoin-5b4703c6a70d-aarch64-linux-gnu-debug.tar.gz
  9c042179af43c8896eb95a34294df15d4910308dcdba40b2010cd36e192938b8  guix-build-5b4703c6a70d/output/aarch64-linux-gnu/bitcoin-5b4703c6a70d-aarch64-linux-gnu.tar.gz
  1ceddecac113f50a952ba6a201cdcdb722e3dc804e663f219bfac8268ce42bf0  guix-build-5b4703c6a70d/output/arm-linux-gnueabihf/SHA256SUMS.part
  759597c4e925e75db4a2381c06cda9b9f4e4674c23436148676b31c9be05c7aa  guix-build-5b4703c6a70d/output/arm-linux-gnueabihf/bitcoin-5b4703c6a70d-arm-linux-gnueabihf-debug.tar.gz
  34e3b6beabaf8c95d7c2ca0d2c3ac4411766694ef43e00bd9783badbbaf045a7  guix-build-5b4703c6a70d/output/arm-linux-gnueabihf/bitcoin-5b4703c6a70d-arm-linux-gnueabihf.tar.gz
  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  guix-build-5b4703c6a70d/output/dist-archive/SKIPATTEST.TAG
  3664f6ceee7898caa374281fd877a7597fe491fa2e9f0c174c28d889d60b559c  guix-build-5b4703c6a70d/output/dist-archive/bitcoin-5b4703c6a70d.tar.gz
  d6bc35ba0750c1440bb32831b8c12cddee62f6dce10fec2650897444c2bf4748  guix-build-5b4703c6a70d/output/powerpc64-linux-gnu/SHA256SUMS.part
  a836edf6474ba0c16c19bb217549bac7936c1b44306ed512df58f607ee5568f2  guix-build-5b4703c6a70d/output/powerpc64-linux-gnu/bitcoin-5b4703c6a70d-powerpc64-linux-gnu-debug.tar.gz
  7cc91c6805d5069ca3bd1771e77d95f83eb184b137198cbf84d1d11d0a5c5afe  guix-build-5b4703c6a70d/output/powerpc64-linux-gnu/bitcoin-5b4703c6a70d-powerpc64-linux-gnu.tar.gz
  93b4cb7b83c4975120ad5de5a92f050f5760a2a3f2c37c204c647f5a581c924a  guix-build-5b4703c6a70d/output/powerpc64le-linux-gnu/SHA256SUMS.part
  2266e2c5d0dafa28c6c057ccfc1c439baeab1d714d8c3f64a83015d2827116d2  guix-build-5b4703c6a70d/output/powerpc64le-linux-gnu/bitcoin-5b4703c6a70d-powerpc64le-linux-gnu-debug.tar.gz
  85f41f42c319b83d049d6fd2e2278c07b40a1e28a2eac596427822c0eef9dc3f  guix-build-5b4703c6a70d/output/powerpc64le-linux-gnu/bitcoin-5b4703c6a70d-powerpc64le-linux-gnu.tar.gz
  1499ca9119926083d8c3714ca10d8d4c8d864cbeee8848fd8445b7a1d081222d  guix-build-5b4703c6a70d/output/riscv64-linux-gnu/SHA256SUMS.part
  1995fc1a2e45c49d4b0718aff5dcdac931917e8ae9e762fd23f1126abcecc248  guix-build-5b4703c6a70d/output/riscv64-linux-gnu/bitcoin-5b4703c6a70d-riscv64-linux-gnu-debug.tar.gz
  266889eb58429a470f0fd7bb123f2ae09b0aef86c47b0390938b3634a8f748a9  guix-build-5b4703c6a70d/output/riscv64-linux-gnu/bitcoin-5b4703c6a70d-riscv64-linux-gnu.tar.gz
  cdc3a0dcf80b110443dac5ddf8bc951001a776a651c898c5ea49bb2d487bfe29  guix-build-5b4703c6a70d/output/x86_64-apple-darwin18/SHA256SUMS.part
  8538d1eab96c97866b24546c453d95822f24cf9c6638b42ba523eb7aa441cb26  guix-build-5b4703c6a70d/output/x86_64-apple-darwin18/bitcoin-5b4703c6a70d-osx-unsigned.dmg
  d1b73133f1da68586b07292a8425f7f851e93f599c016376f23728c041cf39cc  guix-build-5b4703c6a70d/output/x86_64-apple-darwin18/bitcoin-5b4703c6a70d-osx-unsigned.tar.gz
  5ad94c5f8a5f29405955ff3ab35d137de1acc04398d6c8298fb187b57a6e316a  guix-build-5b4703c6a70d/output/x86_64-apple-darwin18/bitcoin-5b4703c6a70d-osx64.tar.gz
  8c6d7b3f847faa7b4d16ceecf228f26f146ea982615c1d7a00c57f9230a0c484  guix-build-5b4703c6a70d/output/x86_64-linux-gnu/SHA256SUMS.part
  d0a8c99750319ad8046cfa132a54e5c13a08351f94439ae9af0f8e5486c2c2ea  guix-build-5b4703c6a70d/output/x86_64-linux-gnu/bitcoin-5b4703c6a70d-x86_64-linux-gnu-debug.tar.gz
  d816bb26dd4b0e309f2f576b1cccc6d78743fb2f357daad2da09bb1177330971  guix-build-5b4703c6a70d/output/x86_64-linux-gnu/bitcoin-5b4703c6a70d-x86_64-linux-gnu.tar.gz
  65caaa7f648c7eab1eb82c3331a2ca25b8cd4fe41439de55604501e02571de55  guix-build-5b4703c6a70d/output/x86_64-w64-mingw32/SHA256SUMS.part
  5bf6f7328cbceb0db22a2d7babb07b60cb6dcc19a6db84a1698589b7f5173a06  guix-build-5b4703c6a70d/output/x86_64-w64-mingw32/bitcoin-5b4703c6a70d-win-unsigned.tar.gz
  7aabcb56115decef78d3797840b6e49dbc9b202d56f892490e92616fb06fec9e  guix-build-5b4703c6a70d/output/x86_64-w64-mingw32/bitcoin-5b4703c6a70d-win64-debug.zip
  2f369694648ff9dc5ca1261a1e5874b1c7408ccf2802f9caef56c1334e8a5b7c  guix-build-5b4703c6a70d/output/x86_64-w64-mingw32/bitcoin-5b4703c6a70d-win64-setup-unsigned.exe
  1c1f92513c4aad38419ff49a7b80bf10e6b1eca01ee8c5e3b2acd1768cf1e3d5  guix-build-5b4703c6a70d/output/x86_64-w64-mingw32/bitcoin-5b4703c6a70d-win64.zip
  ```

ACKs for top commit:
  hebasto:
    Approach ACK 5b4703c6a70db2fa72fcace56a15db07d4b0acf1.

Tree-SHA512: 2cd92a245ea64ef7176cf402a1fa5348a9421c30a4d30d01c950c48f6dcc15cf22ce69ffe1657be97e5fccc14bd933d64683c4439b695528ce3dc34d72dda927

12 files changed, 262 insertions, 51 deletions

diff --git a/Makefile.am b/Makefile.am
index d84dab1842..3ac698b96f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -58,6 +58,7 @@ DIST_SHARE = \
 
 BIN_CHECKS=$(top_srcdir)/contrib/devtools/symbol-check.py \
            $(top_srcdir)/contrib/devtools/security-check.py \
+           $(top_srcdir)/contrib/devtools/utils.py \
            $(top_srcdir)/contrib/devtools/pixie.py
 
 WINDOWS_PACKAGING = $(top_srcdir)/share/pixmaps/bitcoin.ico \
@@ -366,14 +367,14 @@ clean-local: clean-docs
 
 test-security-check:
 if TARGET_DARWIN
-	$(AM_V_at) $(PYTHON) $(top_srcdir)/contrib/devtools/test-security-check.py TestSecurityChecks.test_MACHO
-	$(AM_V_at) $(PYTHON) $(top_srcdir)/contrib/devtools/test-symbol-check.py TestSymbolChecks.test_MACHO
+	$(AM_V_at) CC='$(CC)' $(PYTHON) $(top_srcdir)/contrib/devtools/test-security-check.py TestSecurityChecks.test_MACHO
+	$(AM_V_at) CC='$(CC)' $(PYTHON) $(top_srcdir)/contrib/devtools/test-symbol-check.py TestSymbolChecks.test_MACHO
 endif
 if TARGET_WINDOWS
-	$(AM_V_at) $(PYTHON) $(top_srcdir)/contrib/devtools/test-security-check.py TestSecurityChecks.test_PE
-	$(AM_V_at) $(PYTHON) $(top_srcdir)/contrib/devtools/test-symbol-check.py TestSymbolChecks.test_PE
+	$(AM_V_at) CC='$(CC)' $(PYTHON) $(top_srcdir)/contrib/devtools/test-security-check.py TestSecurityChecks.test_PE
+	$(AM_V_at) CC='$(CC)' $(PYTHON) $(top_srcdir)/contrib/devtools/test-symbol-check.py TestSymbolChecks.test_PE
 endif
 if TARGET_LINUX
-	$(AM_V_at) $(PYTHON) $(top_srcdir)/contrib/devtools/test-security-check.py TestSecurityChecks.test_ELF
-	$(AM_V_at) $(PYTHON) $(top_srcdir)/contrib/devtools/test-symbol-check.py TestSymbolChecks.test_ELF
+	$(AM_V_at) CC='$(CC)' $(PYTHON) $(top_srcdir)/contrib/devtools/test-security-check.py TestSecurityChecks.test_ELF
+	$(AM_V_at) CC='$(CC)' CPPFILT='$(CPPFILT)' $(PYTHON) $(top_srcdir)/contrib/devtools/test-symbol-check.py TestSymbolChecks.test_ELF
 endif
diff --git a/ci/test/00_setup_env_native_multiprocess.sh b/ci/test/00_setup_env_native_multiprocess.sh
index 1418dfbc51..8869b2a083 100755
--- a/ci/test/00_setup_env_native_multiprocess.sh
+++ b/ci/test/00_setup_env_native_multiprocess.sh
@@ -13,5 +13,4 @@ export DEP_OPTS="DEBUG=1 MULTIPROCESS=1"
 export GOAL="install"
 export BITCOIN_CONFIG="--enable-debug CC=clang CXX=clang++"  # Use clang to avoid OOM
 export TEST_RUNNER_ENV="BITCOIND=bitcoin-node"
-export RUN_SECURITY_TESTS="true"
 export PIP_PACKAGES="lief"
diff --git a/configure.ac b/configure.ac
index 94f01a51a6..6f78e8dec4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -900,6 +900,7 @@ if test x$use_hardening != xno; then
     ])
   fi
 
+  AX_CHECK_LINK_FLAG([[-Wl,--enable-reloc-section]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,--enable-reloc-section"],, [[$LDFLAG_WERROR]])
   AX_CHECK_LINK_FLAG([[-Wl,--dynamicbase]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,--dynamicbase"],, [[$LDFLAG_WERROR]])
   AX_CHECK_LINK_FLAG([[-Wl,--nxcompat]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,--nxcompat"],, [[$LDFLAG_WERROR]])
   AX_CHECK_LINK_FLAG([[-Wl,--high-entropy-va]], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,--high-entropy-va"],, [[$LDFLAG_WERROR]])
diff --git a/contrib/devtools/symbol-check.py b/contrib/devtools/symbol-check.py
index 407c0a2d72..61f727fa63 100755
--- a/contrib/devtools/symbol-check.py
+++ b/contrib/devtools/symbol-check.py
@@ -12,12 +12,13 @@ Example usage:
 '''
 import subprocess
 import sys
-import os
 from typing import List, Optional
 
 import lief
 import pixie
 
+from utils import determine_wellknown_cmd
+
 # Debian 8 (Jessie) EOL: 2020. https://wiki.debian.org/DebianReleases#Production_Releases
 #
 # - g++ version 4.9.2 (https://packages.debian.org/search?suite=jessie&arch=any&searchon=names&keywords=g%2B%2B)
@@ -60,7 +61,6 @@ IGNORE_EXPORTS = {
 '_edata', '_end', '__end__', '_init', '__bss_start', '__bss_start__', '_bss_end__', '__bss_end__', '_fini', '_IO_stdin_used', 'stdin', 'stdout', 'stderr',
 'environ', '_environ', '__environ',
 }
-CPPFILT_CMD = os.getenv('CPPFILT', '/usr/bin/c++filt')
 
 # Allowed NEEDED libraries
 ELF_ALLOWED_LIBRARIES = {
@@ -140,7 +140,7 @@ class CPPFilt(object):
     Use a pipe to the 'c++filt' command.
     '''
     def __init__(self):
-        self.proc = subprocess.Popen(CPPFILT_CMD, stdin=subprocess.PIPE, stdout=subprocess.PIPE, universal_newlines=True)
+        self.proc = subprocess.Popen(determine_wellknown_cmd('CPPFILT', 'c++filt'), stdin=subprocess.PIPE, stdout=subprocess.PIPE, universal_newlines=True)
 
     def __call__(self, mangled):
         self.proc.stdin.write(mangled + '\n')
diff --git a/contrib/devtools/test-security-check.py b/contrib/devtools/test-security-check.py
index c079fe5b4d..14058e2cc8 100755
--- a/contrib/devtools/test-security-check.py
+++ b/contrib/devtools/test-security-check.py
@@ -9,6 +9,8 @@ import os
 import subprocess
 import unittest
 
+from utils import determine_wellknown_cmd
+
 def write_testcode(filename):
     with open(filename, 'w', encoding="utf8") as f:
         f.write('''
@@ -25,7 +27,7 @@ def clean_files(source, executable):
     os.remove(executable)
 
 def call_security_check(cc, source, executable, options):
-    subprocess.run([cc,source,'-o',executable] + options, check=True)
+    subprocess.run([*cc,source,'-o',executable] + options, check=True)
     p = subprocess.run(['./contrib/devtools/security-check.py',executable], stdout=subprocess.PIPE, universal_newlines=True)
     return (p.returncode, p.stdout.rstrip())
 
@@ -33,7 +35,7 @@ class TestSecurityChecks(unittest.TestCase):
     def test_ELF(self):
         source = 'test1.c'
         executable = 'test1'
-        cc = 'gcc'
+        cc = determine_wellknown_cmd('CC', 'gcc')
         write_testcode(source)
 
         self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-zexecstack','-fno-stack-protector','-Wl,-znorelro','-no-pie','-fno-PIE', '-Wl,-z,separate-code']),
@@ -54,18 +56,20 @@ class TestSecurityChecks(unittest.TestCase):
     def test_PE(self):
         source = 'test1.c'
         executable = 'test1.exe'
-        cc = 'x86_64-w64-mingw32-gcc'
+        cc = determine_wellknown_cmd('CC', 'x86_64-w64-mingw32-gcc')
         write_testcode(source)
 
-        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--no-nxcompat','-Wl,--no-dynamicbase','-Wl,--no-high-entropy-va','-no-pie','-fno-PIE']),
-            (1, executable+': failed DYNAMIC_BASE HIGH_ENTROPY_VA NX RELOC_SECTION'))
-        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--no-dynamicbase','-Wl,--no-high-entropy-va','-no-pie','-fno-PIE']),
-            (1, executable+': failed DYNAMIC_BASE HIGH_ENTROPY_VA RELOC_SECTION'))
-        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--dynamicbase','-Wl,--no-high-entropy-va','-no-pie','-fno-PIE']),
-            (1, executable+': failed HIGH_ENTROPY_VA RELOC_SECTION'))
-        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--dynamicbase','-Wl,--high-entropy-va','-no-pie','-fno-PIE']),
-            (1, executable+': failed RELOC_SECTION'))
-        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--dynamicbase','-Wl,--high-entropy-va','-pie','-fPIE']),
+        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--no-nxcompat','-Wl,--disable-reloc-section','-Wl,--no-dynamicbase','-Wl,--no-high-entropy-va','-no-pie','-fno-PIE']),
+            (1, executable+': failed PIE DYNAMIC_BASE HIGH_ENTROPY_VA NX RELOC_SECTION'))
+        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--disable-reloc-section','-Wl,--no-dynamicbase','-Wl,--no-high-entropy-va','-no-pie','-fno-PIE']),
+            (1, executable+': failed PIE DYNAMIC_BASE HIGH_ENTROPY_VA RELOC_SECTION'))
+        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--enable-reloc-section','-Wl,--no-dynamicbase','-Wl,--no-high-entropy-va','-no-pie','-fno-PIE']),
+            (1, executable+': failed PIE DYNAMIC_BASE HIGH_ENTROPY_VA'))
+        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--enable-reloc-section','-Wl,--no-dynamicbase','-Wl,--no-high-entropy-va','-pie','-fPIE']),
+            (1, executable+': failed PIE DYNAMIC_BASE HIGH_ENTROPY_VA'))  # -pie -fPIE does nothing unless --dynamicbase is also supplied
+        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--enable-reloc-section','-Wl,--dynamicbase','-Wl,--no-high-entropy-va','-pie','-fPIE']),
+            (1, executable+': failed HIGH_ENTROPY_VA'))
+        self.assertEqual(call_security_check(cc, source, executable, ['-Wl,--nxcompat','-Wl,--enable-reloc-section','-Wl,--dynamicbase','-Wl,--high-entropy-va','-pie','-fPIE']),
             (0, ''))
 
         clean_files(source, executable)
@@ -73,7 +77,7 @@ class TestSecurityChecks(unittest.TestCase):
     def test_MACHO(self):
         source = 'test1.c'
         executable = 'test1'
-        cc = 'clang'
+        cc = determine_wellknown_cmd('CC', 'clang')
         write_testcode(source)
 
         self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fno-stack-protector']),
@@ -95,4 +99,3 @@ class TestSecurityChecks(unittest.TestCase):
 
 if __name__ == '__main__':
     unittest.main()
-
diff --git a/contrib/devtools/test-symbol-check.py b/contrib/devtools/test-symbol-check.py
index 6ce2fa3560..7d83c5f751 100755
--- a/contrib/devtools/test-symbol-check.py
+++ b/contrib/devtools/test-symbol-check.py
@@ -7,41 +7,51 @@ Test script for symbol-check.py
 '''
 import os
 import subprocess
+from typing import List
 import unittest
 
-def call_symbol_check(cc, source, executable, options):
-    subprocess.run([cc,source,'-o',executable] + options, check=True)
+from utils import determine_wellknown_cmd
+
+def call_symbol_check(cc: List[str], source, executable, options):
+    subprocess.run([*cc,source,'-o',executable] + options, check=True)
     p = subprocess.run(['./contrib/devtools/symbol-check.py',executable], stdout=subprocess.PIPE, universal_newlines=True)
     os.remove(source)
     os.remove(executable)
     return (p.returncode, p.stdout.rstrip())
 
+def get_machine(cc: List[str]):
+    p = subprocess.run([*cc,'-dumpmachine'], stdout=subprocess.PIPE, universal_newlines=True)
+    return p.stdout.rstrip()
+
 class TestSymbolChecks(unittest.TestCase):
     def test_ELF(self):
         source = 'test1.c'
         executable = 'test1'
-        cc = 'gcc'
+        cc = determine_wellknown_cmd('CC', 'gcc')
+
+        # there's no way to do this test for RISC-V at the moment; we build for
+        # RISC-V in a glibc 2.27 envinonment and we allow all symbols from 2.27.
+        if 'riscv' in get_machine(cc):
+            self.skipTest("test not available for RISC-V")
 
-        # renameat2 was introduced in GLIBC 2.28, so is newer than the upper limit
-        # of glibc for all platforms
+        # nextup was introduced in GLIBC 2.24, so is newer than our supported
+        # glibc (2.17), and available in our release build environment (2.24).
         with open(source, 'w', encoding="utf8") as f:
             f.write('''
                 #define _GNU_SOURCE
-                #include <stdio.h>
-                #include <linux/fs.h>
+                #include <math.h>
 
-                int renameat2(int olddirfd, const char *oldpath,
-                    int newdirfd, const char *newpath, unsigned int flags);
+                double nextup(double x);
 
                 int main()
                 {
-                    renameat2(0, "test", 0, "test_", RENAME_EXCHANGE);
+                    nextup(3.14);
                     return 0;
                 }
         ''')
 
-        self.assertEqual(call_symbol_check(cc, source, executable, []),
-                (1, executable + ': symbol renameat2 from unsupported version GLIBC_2.28\n' +
+        self.assertEqual(call_symbol_check(cc, source, executable, ['-lm']),
+                (1, executable + ': symbol nextup from unsupported version GLIBC_2.24\n' +
                     executable + ': failed IMPORTED_SYMBOLS'))
 
         # -lutil is part of the libc6 package so a safe bet that it's installed
@@ -82,7 +92,7 @@ class TestSymbolChecks(unittest.TestCase):
     def test_MACHO(self):
         source = 'test1.c'
         executable = 'test1'
-        cc = 'clang'
+        cc = determine_wellknown_cmd('CC', 'clang')
 
         with open(source, 'w', encoding="utf8") as f:
             f.write('''
@@ -96,7 +106,7 @@ class TestSymbolChecks(unittest.TestCase):
 
         ''')
 
-        self.assertEqual(call_symbol_check(cc, source, executable, ['-lexpat']),
+        self.assertEqual(call_symbol_check(cc, source, executable, ['-lexpat', '-Wl,-platform_version','-Wl,macos', '-Wl,11.4', '-Wl,11.4']),
             (1, 'libexpat.1.dylib is not in ALLOWED_LIBRARIES!\n' +
                 f'{executable}: failed DYNAMIC_LIBRARIES MIN_OS SDK'))
 
@@ -113,7 +123,7 @@ class TestSymbolChecks(unittest.TestCase):
                 }
         ''')
 
-        self.assertEqual(call_symbol_check(cc, source, executable, ['-framework', 'CoreGraphics']),
+        self.assertEqual(call_symbol_check(cc, source, executable, ['-framework', 'CoreGraphics', '-Wl,-platform_version','-Wl,macos', '-Wl,11.4', '-Wl,11.4']),
                 (1, f'{executable}: failed MIN_OS SDK'))
 
         source = 'test3.c'
@@ -126,13 +136,13 @@ class TestSymbolChecks(unittest.TestCase):
                 }
         ''')
 
-        self.assertEqual(call_symbol_check(cc, source, executable, ['-mmacosx-version-min=10.14']),
+        self.assertEqual(call_symbol_check(cc, source, executable, ['-Wl,-platform_version','-Wl,macos', '-Wl,10.14', '-Wl,11.4']),
                 (1, f'{executable}: failed SDK'))
 
     def test_PE(self):
         source = 'test1.c'
         executable = 'test1.exe'
-        cc = 'x86_64-w64-mingw32-gcc'
+        cc = determine_wellknown_cmd('CC', 'x86_64-w64-mingw32-gcc')
 
         with open(source, 'w', encoding="utf8") as f:
             f.write('''
@@ -182,4 +192,3 @@ class TestSymbolChecks(unittest.TestCase):
 
 if __name__ == '__main__':
     unittest.main()
-
diff --git a/contrib/devtools/utils.py b/contrib/devtools/utils.py
new file mode 100755
index 0000000000..68ad1c3aba
--- /dev/null
+++ b/contrib/devtools/utils.py
@@ -0,0 +1,22 @@
+#!/usr/bin/env python3
+# Copyright (c) 2021 The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
+'''
+Common utility functions
+'''
+import shutil
+import sys
+import os
+from typing import List
+
+
+def determine_wellknown_cmd(envvar, progname) -> List[str]:
+    maybe_env = os.getenv(envvar)
+    maybe_which = shutil.which(progname)
+    if maybe_env:
+        return maybe_env.split(' ')  # Well-known vars are often meant to be word-split
+    elif maybe_which:
+        return [ maybe_which ]
+    else:
+        sys.exit(f"{progname} not found")
diff --git a/contrib/guix/libexec/build.sh b/contrib/guix/libexec/build.sh
index 02ef800963..0b96949a6b 100755
--- a/contrib/guix/libexec/build.sh
+++ b/contrib/guix/libexec/build.sh
@@ -299,10 +299,11 @@ mkdir -p "$DISTSRC"
     # Build Bitcoin Core
     make --jobs="$JOBS" ${V:+V=1}
 
-    # Perform basic ELF security checks on a series of executables.
+    # Check that symbol/security checks tools are sane.
+    make test-security-check ${V:+V=1}
+    # Perform basic security checks on a series of executables.
     make -C src --jobs=1 check-security ${V:+V=1}
-    # Check that executables only contain allowed gcc, glibc and libstdc++
-    # version symbols for Linux distro back-compatibility.
+    # Check that executables only contain allowed version symbols.
     make -C src --jobs=1 check-symbols  ${V:+V=1}
 
     mkdir -p "$OUTDIR"
diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm
index f4df4855fc..e71cf52533 100644
--- a/contrib/guix/manifest.scm
+++ b/contrib/guix/manifest.scm
@@ -80,6 +80,10 @@ http://www.linuxfromscratch.org/hlfs/view/development/chapter05/gcc-pass1.html"
                  (("-rpath=") "-rpath-link="))
                #t))))))))
 
+(define (make-binutils-with-mingw-w64-disable-flags xbinutils)
+  (package-with-extra-patches xbinutils
+    (search-our-patches "binutils-mingw-w64-disable-flags.patch")))
+
 (define (make-cross-toolchain target
                               base-gcc-for-libc
                               base-kernel-headers
@@ -168,7 +172,7 @@ desirable for building Bitcoin Core release binaries."
 
 (define (make-mingw-pthreads-cross-toolchain target)
   "Create a cross-compilation toolchain package for TARGET"
-  (let* ((xbinutils (cross-binutils target))
+  (let* ((xbinutils (make-binutils-with-mingw-w64-disable-flags (cross-binutils target)))
          (pthreads-xlibc mingw-w64-x86_64-winpthreads)
          (pthreads-xgcc (make-gcc-with-pthreads
                          (cross-gcc target
diff --git a/contrib/guix/patches/binutils-mingw-w64-disable-flags.patch b/contrib/guix/patches/binutils-mingw-w64-disable-flags.patch
new file mode 100644
index 0000000000..8f88eb9dfd
--- /dev/null
+++ b/contrib/guix/patches/binutils-mingw-w64-disable-flags.patch
@@ -0,0 +1,171 @@
+Description: Add disable opposites to the security-related flags
+Author: Stephen Kitt <skitt@debian.org>
+
+This patch adds "no-" variants to disable the various security flags:
+"no-dynamicbase", "no-nxcompat", "no-high-entropy-va", "disable-reloc-section".
+
+--- a/ld/emultempl/pe.em
++++ b/ld/emultempl/pe.em
+@@ -259,9 +261,11 @@
+ 					(OPTION_ENABLE_LONG_SECTION_NAMES + 1)
+ /* DLLCharacteristics flags.  */
+ #define OPTION_DYNAMIC_BASE		(OPTION_DISABLE_LONG_SECTION_NAMES + 1)
+-#define OPTION_FORCE_INTEGRITY		(OPTION_DYNAMIC_BASE + 1)
++#define OPTION_NO_DYNAMIC_BASE		(OPTION_DYNAMIC_BASE + 1)
++#define OPTION_FORCE_INTEGRITY		(OPTION_NO_DYNAMIC_BASE + 1)
+ #define OPTION_NX_COMPAT		(OPTION_FORCE_INTEGRITY + 1)
+-#define OPTION_NO_ISOLATION		(OPTION_NX_COMPAT + 1)
++#define OPTION_NO_NX_COMPAT		(OPTION_NX_COMPAT + 1)
++#define OPTION_NO_ISOLATION		(OPTION_NO_NX_COMPAT + 1)
+ #define OPTION_NO_SEH			(OPTION_NO_ISOLATION + 1)
+ #define OPTION_NO_BIND			(OPTION_NO_SEH + 1)
+ #define OPTION_WDM_DRIVER		(OPTION_NO_BIND + 1)
+@@ -271,6 +275,7 @@
+ #define OPTION_NO_INSERT_TIMESTAMP	(OPTION_INSERT_TIMESTAMP + 1)
+ #define OPTION_BUILD_ID			(OPTION_NO_INSERT_TIMESTAMP + 1)
+ #define OPTION_ENABLE_RELOC_SECTION	(OPTION_BUILD_ID + 1)
++#define OPTION_DISABLE_RELOC_SECTION	(OPTION_ENABLE_RELOC_SECTION + 1)
+ 
+ static void
+ gld${EMULATION_NAME}_add_options
+@@ -342,8 +347,10 @@
+     {"enable-long-section-names", no_argument, NULL, OPTION_ENABLE_LONG_SECTION_NAMES},
+     {"disable-long-section-names", no_argument, NULL, OPTION_DISABLE_LONG_SECTION_NAMES},
+     {"dynamicbase",no_argument, NULL, OPTION_DYNAMIC_BASE},
++    {"no-dynamicbase", no_argument, NULL, OPTION_NO_DYNAMIC_BASE},
+     {"forceinteg", no_argument, NULL, OPTION_FORCE_INTEGRITY},
+     {"nxcompat", no_argument, NULL, OPTION_NX_COMPAT},
++    {"no-nxcompat", no_argument, NULL, OPTION_NO_NX_COMPAT},
+     {"no-isolation", no_argument, NULL, OPTION_NO_ISOLATION},
+     {"no-seh", no_argument, NULL, OPTION_NO_SEH},
+     {"no-bind", no_argument, NULL, OPTION_NO_BIND},
+@@ -351,6 +358,7 @@
+     {"tsaware", no_argument, NULL, OPTION_TERMINAL_SERVER_AWARE},
+     {"build-id", optional_argument, NULL, OPTION_BUILD_ID},
+     {"enable-reloc-section", no_argument, NULL, OPTION_ENABLE_RELOC_SECTION},
++    {"disable-reloc-section", no_argument, NULL, OPTION_DISABLE_RELOC_SECTION},
+     {NULL, no_argument, NULL, 0}
+   };
+ 
+@@ -485,9 +494,12 @@
+                                        in object files\n"));
+   fprintf (file, _("  --dynamicbase                      Image base address may be relocated using\n\
+                                        address space layout randomization (ASLR)\n"));
++  fprintf (file, _("  --no-dynamicbase                   Image base address may not be relocated\n"));
+   fprintf (file, _("  --enable-reloc-section             Create the base relocation table\n"));
++  fprintf (file, _("  --disable-reloc-section            Disable the base relocation table\n"));
+   fprintf (file, _("  --forceinteg               Code integrity checks are enforced\n"));
+   fprintf (file, _("  --nxcompat                 Image is compatible with data execution prevention\n"));
++  fprintf (file, _("  --no-nxcompat              Image is not compatible with data execution prevention\n"));
+   fprintf (file, _("  --no-isolation             Image understands isolation but do not isolate the image\n"));
+   fprintf (file, _("  --no-seh                   Image does not use SEH. No SE handler may\n\
+                                        be called in this image\n"));
+@@ -862,12 +874,21 @@
+     case OPTION_ENABLE_RELOC_SECTION:
+       pe_dll_enable_reloc_section = 1;
+       break;
++    case OPTION_DISABLE_RELOC_SECTION:
++      pe_dll_enable_reloc_section = 0;
++      /* fall through */
++    case OPTION_NO_DYNAMIC_BASE:
++      pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE;
++      break;
+     case OPTION_FORCE_INTEGRITY:
+       pe_dll_characteristics |= IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY;
+       break;
+     case OPTION_NX_COMPAT:
+       pe_dll_characteristics |= IMAGE_DLL_CHARACTERISTICS_NX_COMPAT;
+       break;
++    case OPTION_NO_NX_COMPAT:
++      pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_NX_COMPAT;
++      break;
+     case OPTION_NO_ISOLATION:
+       pe_dll_characteristics |= IMAGE_DLLCHARACTERISTICS_NO_ISOLATION;
+       break;
+--- a/ld/emultempl/pep.em
++++ b/ld/emultempl/pep.em
+@@ -237,9 +240,12 @@
+   OPTION_ENABLE_LONG_SECTION_NAMES,
+   OPTION_DISABLE_LONG_SECTION_NAMES,
+   OPTION_HIGH_ENTROPY_VA,
++  OPTION_NO_HIGH_ENTROPY_VA,
+   OPTION_DYNAMIC_BASE,
++  OPTION_NO_DYNAMIC_BASE,
+   OPTION_FORCE_INTEGRITY,
+   OPTION_NX_COMPAT,
++  OPTION_NO_NX_COMPAT,
+   OPTION_NO_ISOLATION,
+   OPTION_NO_SEH,
+   OPTION_NO_BIND,
+@@ -248,7 +254,8 @@
+   OPTION_NO_INSERT_TIMESTAMP,
+   OPTION_TERMINAL_SERVER_AWARE,
+   OPTION_BUILD_ID,
+-  OPTION_ENABLE_RELOC_SECTION
++  OPTION_ENABLE_RELOC_SECTION,
++  OPTION_DISABLE_RELOC_SECTION
+ };
+ 
+ static void
+@@ -315,9 +322,12 @@
+     {"enable-long-section-names", no_argument, NULL, OPTION_ENABLE_LONG_SECTION_NAMES},
+     {"disable-long-section-names", no_argument, NULL, OPTION_DISABLE_LONG_SECTION_NAMES},
+     {"high-entropy-va", no_argument, NULL, OPTION_HIGH_ENTROPY_VA},
++    {"no-high-entropy-va", no_argument, NULL, OPTION_NO_HIGH_ENTROPY_VA},
+     {"dynamicbase",no_argument, NULL, OPTION_DYNAMIC_BASE},
++    {"no-dynamicbase", no_argument, NULL, OPTION_NO_DYNAMIC_BASE},
+     {"forceinteg", no_argument, NULL, OPTION_FORCE_INTEGRITY},
+     {"nxcompat", no_argument, NULL, OPTION_NX_COMPAT},
++    {"no-nxcompat", no_argument, NULL, OPTION_NO_NX_COMPAT},
+     {"no-isolation", no_argument, NULL, OPTION_NO_ISOLATION},
+     {"no-seh", no_argument, NULL, OPTION_NO_SEH},
+     {"no-bind", no_argument, NULL, OPTION_NO_BIND},
+@@ -327,6 +337,7 @@
+     {"no-insert-timestamp", no_argument, NULL, OPTION_NO_INSERT_TIMESTAMP},
+     {"build-id", optional_argument, NULL, OPTION_BUILD_ID},
+     {"enable-reloc-section", no_argument, NULL, OPTION_ENABLE_RELOC_SECTION},
++    {"disable-reloc-section", no_argument, NULL, OPTION_DISABLE_RELOC_SECTION},
+     {NULL, no_argument, NULL, 0}
+   };
+ 
+@@ -448,11 +461,15 @@
+                                        in object files\n"));
+   fprintf (file, _("  --high-entropy-va                  Image is compatible with 64-bit address space\n\
+                                        layout randomization (ASLR)\n"));
++  fprintf (file, _("  --no-high-entropy-va               Image is not compatible with 64-bit ASLR\n"));
+   fprintf (file, _("  --dynamicbase                      Image base address may be relocated using\n\
+                                        address space layout randomization (ASLR)\n"));
++  fprintf (file, _("  --no-dynamicbase                   Image base address may not be relocated\n"));
+   fprintf (file, _("  --enable-reloc-section             Create the base relocation table\n"));
++  fprintf (file, _("  --disable-reloc-section            Disable the base relocation table\n"));
+   fprintf (file, _("  --forceinteg               Code integrity checks are enforced\n"));
+   fprintf (file, _("  --nxcompat                 Image is compatible with data execution prevention\n"));
++  fprintf (file, _("  --no-nxcompat              Image is not compatible with data execution prevention\n"));
+   fprintf (file, _("  --no-isolation             Image understands isolation but do not isolate the image\n"));
+   fprintf (file, _("  --no-seh                   Image does not use SEH; no SE handler may\n\
+                                        be called in this image\n"));
+@@ -809,12 +826,24 @@
+     case OPTION_ENABLE_RELOC_SECTION:
+       pep_dll_enable_reloc_section = 1;
+       break;
++    case OPTION_DISABLE_RELOC_SECTION:
++      pep_dll_enable_reloc_section = 0;
++      /* fall through */
++    case OPTION_NO_DYNAMIC_BASE:
++      pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASE;
++      /* fall through */
++    case OPTION_NO_HIGH_ENTROPY_VA:
++      pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_HIGH_ENTROPY_VA;
++      break;
+     case OPTION_FORCE_INTEGRITY:
+       pe_dll_characteristics |= IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITY;
+       break;
+     case OPTION_NX_COMPAT:
+       pe_dll_characteristics |= IMAGE_DLL_CHARACTERISTICS_NX_COMPAT;
+       break;
++    case OPTION_NO_NX_COMPAT:
++      pe_dll_characteristics &= ~IMAGE_DLL_CHARACTERISTICS_NX_COMPAT;
++      break;
+     case OPTION_NO_ISOLATION:
+       pe_dll_characteristics |= IMAGE_DLLCHARACTERISTICS_NO_ISOLATION;
+       break;
diff --git a/src/Makefile.am b/src/Makefile.am
index 9430b778f0..7de5fb36ed 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -814,23 +814,23 @@ clean-local:
 check-symbols: $(bin_PROGRAMS)
 if TARGET_DARWIN
 	@echo "Checking macOS dynamic libraries..."
-	$(AM_V_at) OTOOL=$(OTOOL) $(PYTHON) $(top_srcdir)/contrib/devtools/symbol-check.py $(bin_PROGRAMS)
+	$(AM_V_at) $(PYTHON) $(top_srcdir)/contrib/devtools/symbol-check.py $(bin_PROGRAMS)
 endif
 
 if TARGET_WINDOWS
 	@echo "Checking Windows dynamic libraries..."
-	$(AM_V_at) OBJDUMP=$(OBJDUMP) $(PYTHON) $(top_srcdir)/contrib/devtools/symbol-check.py $(bin_PROGRAMS)
+	$(AM_V_at) $(PYTHON) $(top_srcdir)/contrib/devtools/symbol-check.py $(bin_PROGRAMS)
 endif
 
 if TARGET_LINUX
 	@echo "Checking glibc back compat..."
-	$(AM_V_at) CPPFILT=$(CPPFILT) $(PYTHON) $(top_srcdir)/contrib/devtools/symbol-check.py $(bin_PROGRAMS)
+	$(AM_V_at) CPPFILT='$(CPPFILT)' $(PYTHON) $(top_srcdir)/contrib/devtools/symbol-check.py $(bin_PROGRAMS)
 endif
 
 check-security: $(bin_PROGRAMS)
 if HARDEN
 	@echo "Checking binary security..."
-	$(AM_V_at) OBJDUMP=$(OBJDUMP) OTOOL=$(OTOOL) $(PYTHON) $(top_srcdir)/contrib/devtools/security-check.py $(bin_PROGRAMS)
+	$(AM_V_at) $(PYTHON) $(top_srcdir)/contrib/devtools/security-check.py $(bin_PROGRAMS)
 endif
 
 libbitcoin_ipc_mpgen_input = \
diff --git a/test/lint/lint-python.sh b/test/lint/lint-python.sh
index 51815963f6..c448fa6f9a 100755
--- a/test/lint/lint-python.sh
+++ b/test/lint/lint-python.sh
@@ -102,7 +102,7 @@ if ! PYTHONWARNINGS="ignore" flake8 --ignore=B,C,E,F,I,N,W --select=$(IFS=","; e
     EXIT_CODE=1
 fi
 
-if ! mypy --ignore-missing-imports $(git ls-files "test/functional/*.py" "contrib/devtools/*.py"); then
+if ! mypy --ignore-missing-imports --show-error-codes $(git ls-files "test/functional/*.py" "contrib/devtools/*.py"); then
     EXIT_CODE=1
 fi