guix: pass enable-bind-now to glibc

Both glibcs we build support `--enable-bind-now`: Disable lazy binding for installed shared objects and programs. This provides additional security hardening because it enables full RELRO and a read-only global offset table (GOT), at the cost of slightly increased program load times. See: https://www.gnu.org/software/libc/manual/html_node/Configuring-and-compiling.html
author: fanquake <fanquake@gmail.com> 2022-06-27 11:25:07 +0100
committer: fanquake <fanquake@gmail.com> 2022-07-28 14:30:38 +0100
commit: aa87879a7707d24931132c23eb94461f9f86240b (patch)
tree: 3a2bb1d954d42380162330121c95cddc1fca6f8c /contrib/guix/manifest.scm
parent: 3897a131d022c29301809c3d6edfcb46e100dc21 (diff)
1 files changed, 6 insertions, 2 deletions
diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm
index cd69f9bf0e..1f3ab9ae65 100644
--- a/contrib/guix/manifest.scm
+++ b/contrib/guix/manifest.scm
@@ -136,7 +136,7 @@ chain for " target " development."))
                                        #:key
                                        (base-gcc-for-libc base-gcc)
                                        (base-kernel-headers base-linux-kernel-headers)
-                                       (base-libc (make-glibc-without-werror glibc-2.24))
+                                       (base-libc (make-glibc-with-bind-now (make-glibc-without-werror glibc-2.24)))
                                        (base-gcc (make-gcc-rpath-link base-gcc)))
   "Convenience wrapper around MAKE-CROSS-TOOLCHAIN with default values
 desirable for building Bitcoin Core release binaries."
@@ -523,6 +523,9 @@ inspecting signatures in Mach-O binaries.")
 (define (make-glibc-with-stack-protector glibc)
   (package-with-extra-configure-variable glibc "--enable-stack-protector" "all"))
 
+(define (make-glibc-with-bind-now glibc)
+  (package-with-extra-configure-variable glibc "--enable-bind-now" "yes"))
+
 (define-public glibc-2.24
   (package
     (inherit glibc-2.31)
@@ -610,7 +613,8 @@ inspecting signatures in Mach-O binaries.")
           ((string-contains target "-linux-")
            (list (cond ((string-contains target "riscv64-")
                         (make-bitcoin-cross-toolchain target
-                                                      #:base-libc (make-glibc-with-stack-protector (make-glibc-without-werror glibc-2.27/bitcoin-patched))))
+                                                      #:base-libc (make-glibc-with-stack-protector
+                                                        (make-glibc-with-bind-now (make-glibc-without-werror glibc-2.27/bitcoin-patched)))))
                        (else
                         (make-bitcoin-cross-toolchain target)))))
           ((string-contains target "darwin")
author	fanquake <fanquake@gmail.com>	2022-06-27 11:25:07 +0100
committer	fanquake <fanquake@gmail.com>	2022-07-28 14:30:38 +0100
commit	aa87879a7707d24931132c23eb94461f9f86240b (patch)
tree	3a2bb1d954d42380162330121c95cddc1fca6f8c /contrib/guix/manifest.scm
parent	3897a131d022c29301809c3d6edfcb46e100dc21 (diff)