From c2cd47280cf5db5645917574dd95e9ec6036319e Mon Sep 17 00:00:00 2001 From: Cory Fields Date: Mon, 15 May 2023 20:41:46 +0000 Subject: [PATCH 1/4] depends: bump darwin clang to 11.1 Unfortunately clang 10 does not understand "-mmacosx-version-min=11.0", as it expects to see only 10.x. Bump minimally to 11.1 to fix that problem. This will likely be our last binary toolchain bump, as it will soon be replaced with usage of upstream vanilla llvm. --- contrib/guix/manifest.scm | 2 +- depends/packages/native_clang.mk | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm index f1c2854d090..1808eeffbe4 100644 --- a/contrib/guix/manifest.scm +++ b/contrib/guix/manifest.scm @@ -608,5 +608,5 @@ inspecting signatures in Mach-O binaries.") ((string-contains target "-linux-") (list (make-bitcoin-cross-toolchain target))) ((string-contains target "darwin") - (list clang-toolchain-10 binutils cmake-minimal xorriso python-signapple)) + (list clang-toolchain-11 binutils cmake-minimal xorriso python-signapple)) (else '()))))) diff --git a/depends/packages/native_clang.mk b/depends/packages/native_clang.mk index b11037b83ee..109796c0e60 100644 --- a/depends/packages/native_clang.mk +++ b/depends/packages/native_clang.mk 
@@ -1,12 +1,12 @@ package=native_clang -$(package)_version=10.0.1 +$(package)_version=11.1.0 $(package)_download_path=https://github.com/llvm/llvm-project/releases/download/llvmorg-$($(package)_version) ifneq (,$(findstring aarch64,$(BUILD))) $(package)_file_name=clang+llvm-$($(package)_version)-aarch64-linux-gnu.tar.xz -$(package)_sha256_hash=90dc69a4758ca15cd0ffa45d07fbf5bf4309d47d2c7745a9f0735ecffde9c31f +$(package)_sha256_hash=18df38247af3fba0e0e2991fb00d7e3cf3560b4d3509233a14af699ef0039e1c else $(package)_file_name=clang+llvm-$($(package)_version)-x86_64-linux-gnu-ubuntu-16.04.tar.xz -$(package)_sha256_hash=48b83ef827ac2c213d5b64f5ad7ed082c8bcb712b46644e0dc5045c6f462c231 +$(package)_sha256_hash=c691a558967fb7709fb81e0ed80d1f775f4502810236aa968b4406526b43bee1 endif define $(package)_stage_cmds From fb61bc0c022cc0fff290b94ee4f9cf9f4160efe2 Mon Sep 17 00:00:00 2001 From: Cory Fields Date: Wed, 10 May 2023 22:34:06 +0000 Subject: [PATCH 2/4] depends: Bump MacOS minimum runtime requirement to 11.0 This is necessary as the new fixup_chains linker behavior is only valid when the runtime target is >=11.0. --- .cirrus.yml | 2 +- contrib/devtools/symbol-check.py | 2 +- contrib/devtools/test-symbol-check.py | 2 +- depends/hosts/darwin.mk | 2 +- doc/release-notes-empty-template.md | 2 +- share/qt/Info.plist.in | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.cirrus.yml b/.cirrus.yml index fd2a46433d8..40db8321b28 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -314,7 +314,7 @@ task: << : *CIRRUS_EPHEMERAL_WORKER_TEMPLATE_ENV task: - name: 'macOS 10.15 [gui, no tests] [jammy]' + name: 'macOS 11.0 [gui, no tests] [jammy]' << : *CONTAINER_DEPENDS_TEMPLATE container: docker_arguments: diff --git a/contrib/devtools/symbol-check.py b/contrib/devtools/symbol-check.py index 4fb997b0239..d85912398d7 100755 --- a/contrib/devtools/symbol-check.py +++ b/contrib/devtools/symbol-check.py 
@@ -232,7 +232,7 @@ def check_MACHO_libraries(binary) -> bool: return ok def check_MACHO_min_os(binary) -> bool: - if binary.build_version.minos == [10,15,0]: + if binary.build_version.minos == [11,0,0]: return True return False diff --git a/contrib/devtools/test-symbol-check.py b/contrib/devtools/test-symbol-check.py index e304880140e..fe8a99739f1 100755 --- a/contrib/devtools/test-symbol-check.py +++ b/contrib/devtools/test-symbol-check.py @@ -121,7 +121,7 @@ class TestSymbolChecks(unittest.TestCase): } ''') - self.assertEqual(call_symbol_check(cc, source, executable, ['-Wl,-platform_version','-Wl,macos', '-Wl,10.15', '-Wl,11.4']), + self.assertEqual(call_symbol_check(cc, source, executable, ['-Wl,-platform_version','-Wl,macos', '-Wl,11.0', '-Wl,11.4']), (1, f'{executable}: failed SDK')) def test_PE(self): diff --git a/depends/hosts/darwin.mk b/depends/hosts/darwin.mk index 111a49cfaf3..fa6d6d4b8b4 100644 --- a/depends/hosts/darwin.mk +++ b/depends/hosts/darwin.mk @@ -1,4 +1,4 @@ -OSX_MIN_VERSION=10.15 +OSX_MIN_VERSION=11.0 OSX_SDK_VERSION=11.0 XCODE_VERSION=12.2 XCODE_BUILD_ID=12B45b diff --git a/doc/release-notes-empty-template.md b/doc/release-notes-empty-template.md index 4cd2314308d..887104548b0 100644 --- a/doc/release-notes-empty-template.md +++ b/doc/release-notes-empty-template.md @@ -36,7 +36,7 @@ Compatibility ============== Bitcoin Core is supported and extensively tested on operating systems -using the Linux kernel, macOS 10.15+, and Windows 7 and newer. Bitcoin +using the Linux kernel, macOS 11.0+, and Windows 7 and newer. Bitcoin Core should also work on most other Unix-like systems but is not as frequently tested on them. It is not recommended to use Bitcoin Core on unsupported systems. diff --git a/share/qt/Info.plist.in b/share/qt/Info.plist.in index 053359e0a88..b4e6f6a150d 100644 --- a/share/qt/Info.plist.in +++ b/share/qt/Info.plist.in @@ -3,7 +3,7 @@ LSMinimumSystemVersion - 10.15.0 + 11 LSArchitecturePriority 
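Review bot: `check_MACHO_min_os` hard-codes `[11,0,0]` with nothing tying it to the other places this series sets the same minimum (`OSX_MIN_VERSION=11.0` in depends/hosts/darwin.mk and `LSMinimumSystemVersion` in share/qt/Info.plist.in), so a later bump can update one and miss the others. A docstring such as `'''Require the binary's build-version minos to equal OSX_MIN_VERSION from depends/hosts/darwin.mk.'''` would record that coupling and make clear that the comparison is an exact match, not a lower bound. As a point of style, the body reduces to `return binary.build_version.minos == [11,0,0]`. The function lies wholly inside the hunk.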
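Review bot: The new `LSMinimumSystemVersion` value is written as `11`, whereas the value it replaces used the three-component form `10.15.0` and the rest of the series spells the same minimum as `11.0` or `[11,0,0]`. Apple's reference for this key describes an `n.n.n` string, as far as I recall, so `11.0.0` is the conservative spelling unless the short form has been confirmed to be honoured on the targeted releases. The plist markup around the value is not visible in the hunk as shown here.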
From 9bc357e205abc78524eae8906e6d231d6eb9f059 Mon Sep 17 00:00:00 2001 From: Cory Fields Date: Wed, 10 May 2023 22:50:50 +0000 Subject: [PATCH 3/4] build: explicitly opt-in to new fixup_chains functionality for darwin This replaces (but does not collide with) the previous bind_on_load. There is technically no need to opt-in to this functionality as long as >= MacOS 11.0 is being targetted, but it will be helpful to see in the logs. --- configure.ac | 1 + 1 file changed, 1 insertion(+) diff --git a/configure.ac b/configure.ac index f9fac057d0a..f4368053a02 100644 --- a/configure.ac +++ b/configure.ac @@ -1008,6 +1008,7 @@ if test "$TARGET_OS" = "darwin"; then AX_CHECK_LINK_FLAG([-Wl,-dead_strip], [CORE_LDFLAGS="$CORE_LDFLAGS -Wl,-dead_strip"], [], [$LDFLAG_WERROR]) AX_CHECK_LINK_FLAG([-Wl,-dead_strip_dylibs], [CORE_LDFLAGS="$CORE_LDFLAGS -Wl,-dead_strip_dylibs"], [], [$LDFLAG_WERROR]) AX_CHECK_LINK_FLAG([-Wl,-bind_at_load], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,-bind_at_load"], [], [$LDFLAG_WERROR]) + AX_CHECK_LINK_FLAG([-Wl,-fixup_chains], [HARDENED_LDFLAGS="$HARDENED_LDFLAGS -Wl,-fixup_chains"], [], [$LDFLAG_WERROR]) fi AC_CHECK_HEADERS([endian.h sys/endian.h byteswap.h sys/select.h sys/prctl.h sys/sysctl.h vm/vm_param.h sys/vmmeter.h sys/resources.h]) From 3df60704661cdb5e61ea2b999f468f3a1d16105f Mon Sep 17 00:00:00 2001 From: fanquake Date: Wed, 31 May 2023 14:32:10 +0100 Subject: [PATCH 4/4] contrib: remove macOS lazy_bind check In future, this will be replaced by a check for fixup_chains usage. --- contrib/devtools/security-check.py | 8 -------- contrib/devtools/test-security-check.py | 14 ++++++-------- 2 files changed, 6 insertions(+), 16 deletions(-) diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py index 452a1d42d6e..85f75f978a0 100755 --- a/contrib/devtools/security-check.py +++ b/contrib/devtools/security-check.py 
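Review bot: The added `AX_CHECK_LINK_FLAG([-Wl,-fixup_chains], ...)` line has an empty failure action, so a linker that rejects the flag leaves `HARDENED_LDFLAGS` without it and configure carries on silently. Because PATCH 4/4 removes the `LAZY_BINDINGS` check from security-check.py, nothing in the series then verifies how the shipped Mach-O binaries are bound until the promised fixup_chains check exists; landing that check together with this flag would close the gap. A comment above the line would also record the intent stated in the commit message, for example `dnl Default when targeting macOS >= 11.0; passed explicitly so it shows in build logs. -bind_at_load is kept alongside.` The `if test "$TARGET_OS" = "darwin"` block opens outside the hunk.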
@@ -158,13 +158,6 @@ def check_MACHO_NOUNDEFS(binary) -> bool: ''' return binary.header.has(lief.MachO.HEADER_FLAGS.NOUNDEFS) -def check_MACHO_LAZY_BINDINGS(binary) -> bool: - ''' - Check for no lazy bindings. - We don't use or check for MH_BINDATLOAD. See #18295. - ''' - return binary.dyld_info.lazy_bind == (0,0) - def check_MACHO_Canary(binary) -> bool: ''' Check for use of stack canary @@ -214,7 +207,6 @@ BASE_PE = [ BASE_MACHO = [ ('NOUNDEFS', check_MACHO_NOUNDEFS), - ('LAZY_BINDINGS', check_MACHO_LAZY_BINDINGS), ('Canary', check_MACHO_Canary), ] diff --git a/contrib/devtools/test-security-check.py b/contrib/devtools/test-security-check.py index d666291cba8..90268740c60 100755 --- a/contrib/devtools/test-security-check.py +++ b/contrib/devtools/test-security-check.py 
@@ -120,13 +120,13 @@ class TestSecurityChecks(unittest.TestCase): if arch == lief.ARCHITECTURES.X86: self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fno-stack-protector']), - (1, executable+': failed NOUNDEFS LAZY_BINDINGS Canary PIE NX CONTROL_FLOW')) + (1, executable+': failed NOUNDEFS Canary PIE NX CONTROL_FLOW')) self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fstack-protector-all']), - (1, executable+': failed NOUNDEFS LAZY_BINDINGS PIE NX CONTROL_FLOW')) + (1, executable+': failed NOUNDEFS PIE NX CONTROL_FLOW')) self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-fstack-protector-all']), - (1, executable+': failed NOUNDEFS LAZY_BINDINGS PIE CONTROL_FLOW')) + (1, executable+': failed NOUNDEFS PIE CONTROL_FLOW')) self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all']), - (1, executable+': failed LAZY_BINDINGS PIE CONTROL_FLOW')) + (1, executable+': failed PIE CONTROL_FLOW')) self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-bind_at_load','-fstack-protector-all']), (1, executable+': failed PIE CONTROL_FLOW')) self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-bind_at_load','-fstack-protector-all', '-fcf-protection=full']), 
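Review bot: With `LAZY_BINDINGS` gone, the fourth and fifth x86 assertions (`['-Wl,-no_pie','-fstack-protector-all']` and the same list with `'-Wl,-bind_at_load'` added) now expect the identical result `failed PIE CONTROL_FLOW`, so they differ only in a flag that no remaining check observes. The same applies to the `-Wl,-bind_at_load` flag kept in the passing arm64 case in the following hunk (`@@ -136,11 +136,9 @@`). Either drop the redundant case and the inert flag, or keep them with a comment such as `# TODO: -bind_at_load is no longer checked; add a fixup_chains case once security-check.py tests for it`, so the missing binding coverage stays visible. The enclosing test method starts before this hunk and continues past it.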
@@ -136,11 +136,9 @@ class TestSecurityChecks(unittest.TestCase): else: # arm64 darwin doesn't support non-PIE binaries, control flow or executable stacks self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fno-stack-protector']), - (1, executable+': failed NOUNDEFS LAZY_BINDINGS Canary')) + (1, executable+': failed NOUNDEFS Canary')) self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fstack-protector-all']), - (1, executable+': failed NOUNDEFS LAZY_BINDINGS')) - self.assertEqual(call_security_check(cc, source, executable, ['-fstack-protector-all']), - (1, executable+': failed LAZY_BINDINGS')) + (1, executable+': failed NOUNDEFS')) self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-bind_at_load','-fstack-protector-all']), (0, ''))