authorfanquake <fanquake@gmail.com>2022-06-20 15:30:19 +0100
committerfanquake <fanquake@gmail.com>2022-07-28 14:30:38 +0100
commitc99a1ecc52d8594b9dac4266770d8156693f35e3 (patch)
treec71c560d02311987c16fa6e8e20a124ce4dc29a8 /contrib/guix
parentaa87879a7707d24931132c23eb94461f9f86240b (diff)
guix: enable hardening options in GCC Build
Pass `--enable-default-pie` and `--enable-default-ssp` when configuring our GCCs. This achieves the following: --enable-default-pie Turn on -fPIE and -pie by default. --enable-default-ssp Turn on -fstack-protector-strong by default. Note that this isn't a replacement for passing hardening flags ourselves, but introduces some redundancy, and there isn't really a reason to not build a more "hardenings enabled" toolchain by default. See also: https://gcc.gnu.org/install/configure.html
Diffstat (limited to 'contrib/guix')
-rw-r--r--contrib/guix/manifest.scm9
1 files changed, 8 insertions, 1 deletions
diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm
index 1f3ab9ae65..f93d6e26e8 100644
--- a/contrib/guix/manifest.scm
+++ b/contrib/guix/manifest.scm
@@ -132,12 +132,19 @@ chain for " target " development."))
(define base-gcc gcc-10)
(define base-linux-kernel-headers linux-libre-headers-5.15)
+;; https://gcc.gnu.org/install/configure.html
+(define (hardened-gcc gcc)
+ (package-with-extra-configure-variable (
+ package-with-extra-configure-variable gcc
+ "--enable-default-ssp" "yes")
+ "--enable-default-pie" "yes"))
+
(define* (make-bitcoin-cross-toolchain target
#:key
(base-gcc-for-libc base-gcc)
(base-kernel-headers base-linux-kernel-headers)
(base-libc (make-glibc-with-bind-now (make-glibc-without-werror glibc-2.24)))
- (base-gcc (make-gcc-rpath-link base-gcc)))
+ (base-gcc (make-gcc-rpath-link (hardened-gcc base-gcc))))
"Convenience wrapper around MAKE-CROSS-TOOLCHAIN with default values
desirable for building Bitcoin Core release binaries."
(make-cross-toolchain target