From 446e73cc0bb7cd628039eaf9b1bcc93db23b924f Mon Sep 17 00:00:00 2001 From: fanquake Date: Mon, 3 May 2021 14:45:08 +0800 Subject: [PATCH 1/5] build: use macOS 11 SDK (Xcode 12.2) This should be sufficient to support building for Apple ARM when cross-compiling. --- .cirrus.yml | 2 +- ci/test/00_setup_env_mac.sh | 4 ++-- contrib/devtools/symbol-check.py | 2 +- contrib/guix/README.md | 2 +- contrib/macdeploy/README.md | 20 ++++++++++---------- depends/hosts/darwin.mk | 6 +++--- 6 files changed, 18 insertions(+), 18 deletions(-) diff --git a/.cirrus.yml b/.cirrus.yml index 240e2cf7053..dcc63c6e329 100644 --- a/.cirrus.yml +++ b/.cirrus.yml @@ -277,7 +277,7 @@ task: container: image: ubuntu:focal env: - MACOS_SDK: "Xcode-12.1-12A7403-extracted-SDK-with-libcxx-headers" + MACOS_SDK: "Xcode-12.2-12B45b-extracted-SDK-with-libcxx-headers" << : *CIRRUS_EPHEMERAL_WORKER_TEMPLATE_ENV FILE_ENV: "./ci/test/00_setup_env_mac.sh" diff --git a/ci/test/00_setup_env_mac.sh b/ci/test/00_setup_env_mac.sh index d70b993b996..c4f22c8f9ea 100755 --- a/ci/test/00_setup_env_mac.sh +++ b/ci/test/00_setup_env_mac.sh @@ -10,8 +10,8 @@ export CONTAINER_NAME=ci_macos_cross export DOCKER_NAME_TAG=ubuntu:20.04 # Check that Focal can cross-compile to macos export HOST=x86_64-apple-darwin export PACKAGES="cmake libz-dev libtinfo5 python3-setuptools xorriso" -export XCODE_VERSION=12.1 -export XCODE_BUILD_ID=12A7403 +export XCODE_VERSION=12.2 +export XCODE_BUILD_ID=12B45b export RUN_UNIT_TESTS=false export RUN_FUNCTIONAL_TESTS=false export GOAL="deploy" diff --git a/contrib/devtools/symbol-check.py b/contrib/devtools/symbol-check.py index 4b695b3530a..461132ae63a 100755 --- a/contrib/devtools/symbol-check.py +++ b/contrib/devtools/symbol-check.py @@ -229,7 +229,7 @@ def check_MACHO_min_os(binary) -> bool: return False def check_MACHO_sdk(binary) -> bool: - if binary.build_version.sdk == [10, 15, 6]: + if binary.build_version.sdk == [11, 0, 0]: return True return False 
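Review bot: In `check_MACHO_sdk` (contrib/devtools/symbol-check.py) the expected SDK is a bare literal, `[11, 0, 0]`, with nothing tying it to `OSX_SDK_VERSION=11.0` in depends/hosts/darwin.mk, which this same patch also bumps. This check appears to be what confirms a built binary was linked against the pinned SDK, so a silent mismatch between the two values matters. A comment above the comparison, such as `# Must match OSX_SDK_VERSION in depends/hosts/darwin.mk`, would make the coupling explicit for the next bump. The body could also be reduced to `return binary.build_version.sdk == [11, 0, 0]`.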
diff --git a/contrib/guix/README.md b/contrib/guix/README.md index 7cfa0de70ff..17df70e612f 100644 --- a/contrib/guix/README.md +++ b/contrib/guix/README.md @@ -249,7 +249,7 @@ details. Set the path where _extracted_ SDKs can be found. This is passed through to the depends tree. Note that this is should be set to the _parent_ directory of the actual SDK (e.g. `SDK_PATH=$HOME/Downloads/macOS-SDKs` instead of - `$HOME/Downloads/macOS-SDKs/Xcode-12.1-12A7403-extracted-SDK-with-libcxx-headers`). + `$HOME/Downloads/macOS-SDKs/Xcode-12.2-12B45b-extracted-SDK-with-libcxx-headers`). The path that this environment variable points to **must be a directory**, and **NOT a symlink to a directory**. diff --git a/contrib/macdeploy/README.md b/contrib/macdeploy/README.md index a685aac1c04..df7eac3ec82 100644 --- a/contrib/macdeploy/README.md +++ b/contrib/macdeploy/README.md 
@@ -13,13 +13,13 @@ When complete, it will have produced `Bitcoin-Core.dmg`. ### Step 1: Obtaining `Xcode.app` Our current macOS SDK -(`Xcode-12.1-12A7403-extracted-SDK-with-libcxx-headers.tar.gz`) can be +(`Xcode-12.2-12B45b-extracted-SDK-with-libcxx-headers.tar.gz`) can be extracted from -[Xcode_12.1.xip](https://download.developer.apple.com/Developer_Tools/Xcode_12.1/Xcode_12.1.xip). +[Xcode_12.2.xip](https://download.developer.apple.com/Developer_Tools/Xcode_12.2/Xcode_12.2.xip). Alternatively, after logging in to your account go to 'Downloads', then 'More' -and look for [`Xcode_12.1`](https://download.developer.apple.com/Developer_Tools/Xcode_12.1/Xcode_12.1.xip). +and look for [`Xcode_12.2`](https://download.developer.apple.com/Developer_Tools/Xcode_12.2/Xcode_12.2.xip). An Apple ID and cookies enabled for the hostname are needed to download this. -The `sha256sum` of the archive should be `612443b1894b39368a596ea1607f30cbb0481ad44d5e29c75edb71a6d2cf050f`. +The `sha256sum` of the archive should be `28d352f8c14a43d9b8a082ac6338dc173cb153f964c6e8fb6ba389e5be528bd0`. After Xcode version 7.x, Apple started shipping the `Xcode.app` in a `.xip` archive. This makes the SDK less-trivial to extract on non-macOS machines. One 
@@ -30,25 +30,25 @@ approach (tested on Debian Buster) is outlined below: apt install cpio git clone https://github.com/bitcoin-core/apple-sdk-tools.git -# Unpack Xcode_12.1.xip and place the resulting Xcode.app in your current +# Unpack Xcode_12.2.xip and place the resulting Xcode.app in your current # working directory -python3 apple-sdk-tools/extract_xcode.py -f Xcode_12.1.xip | cpio -d -i +python3 apple-sdk-tools/extract_xcode.py -f Xcode_12.2.xip | cpio -d -i ``` On macOS the process is more straightforward: ```bash -xip -x Xcode_12.1.xip +xip -x Xcode_12.2.xip ``` -### Step 2: Generating `Xcode-12.1-12A7403-extracted-SDK-with-libcxx-headers.tar.gz` from `Xcode.app` +### Step 2: Generating `Xcode-12.2-12B45b-extracted-SDK-with-libcxx-headers.tar.gz` from `Xcode.app` -To generate `Xcode-12.1-12A7403-extracted-SDK-with-libcxx-headers.tar.gz`, run +To generate `Xcode-12.2-12B45b-extracted-SDK-with-libcxx-headers.tar.gz`, run the script [`gen-sdk`](./gen-sdk) with the path to `Xcode.app` (extracted in the previous stage) as the first argument. ```bash -# Generate a Xcode-12.1-12A7403-extracted-SDK-with-libcxx-headers.tar.gz from +# Generate a Xcode-12.2-12B45b-extracted-SDK-with-libcxx-headers.tar.gz from # the supplied Xcode.app ./contrib/macdeploy/gen-sdk '/path/to/Xcode.app' ``` diff --git a/depends/hosts/darwin.mk b/depends/hosts/darwin.mk index ea92bb77933..6bf30b499a6 100644 --- a/depends/hosts/darwin.mk +++ b/depends/hosts/darwin.mk @@ -1,7 +1,7 @@ OSX_MIN_VERSION=10.15 -OSX_SDK_VERSION=10.15.6 -XCODE_VERSION=12.1 -XCODE_BUILD_ID=12A7403 +OSX_SDK_VERSION=11.0 +XCODE_VERSION=12.2 +XCODE_BUILD_ID=12B45b LD64_VERSION=609 OSX_SDK=$(SDK_PATH)/Xcode-$(XCODE_VERSION)-$(XCODE_BUILD_ID)-extracted-SDK-with-libcxx-headers From 6fe55160dd00fb387a5110a2d2e188618838e9a3 Mon Sep 17 00:00:00 2001 
From: fanquake Date: Tue, 11 Jan 2022 21:18:24 +0800 Subject: [PATCH 2/5] contrib: support arm64 darwin in security checks --- contrib/devtools/security-check.py | 8 ++--- contrib/devtools/test-security-check.py | 41 ++++++++++++++++--------- 2 files changed, 31 insertions(+), 18 deletions(-) diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py index 9e7059685c9..e6a29b73b92 100755 --- a/contrib/devtools/security-check.py +++ b/contrib/devtools/security-check.py @@ -211,12 +211,9 @@ BASE_PE = [ ] BASE_MACHO = [ - ('PIE', check_PIE), ('NOUNDEFS', check_MACHO_NOUNDEFS), - ('NX', check_NX), ('LAZY_BINDINGS', check_MACHO_LAZY_BINDINGS), ('Canary', check_MACHO_Canary), - ('CONTROL_FLOW', check_MACHO_control_flow), ] CHECKS = { @@ -231,7 +228,10 @@ CHECKS = { lief.ARCHITECTURES.X86: BASE_PE, }, lief.EXE_FORMATS.MACHO: { - lief.ARCHITECTURES.X86: BASE_MACHO, + lief.ARCHITECTURES.X86: BASE_MACHO + [('PIE', check_PIE), + ('NX', check_NX), + ('CONTROL_FLOW', check_MACHO_control_flow)], + lief.ARCHITECTURES.ARM64: BASE_MACHO, } } diff --git a/contrib/devtools/test-security-check.py b/contrib/devtools/test-security-check.py index a5b9eac3027..d3d225f3abd 100755 --- a/contrib/devtools/test-security-check.py +++ b/contrib/devtools/test-security-check.py 
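Review bot: The new `lief.ARCHITECTURES.ARM64: BASE_MACHO` entry in `CHECKS` means arm64 Mach-O binaries are no longer checked for PIE, NX or CONTROL_FLOW, and security-check.py gives no reason for that. The only rationale in this series is the comment in test-security-check.py. Repeating it at the entry, e.g. `# arm64 darwin doesn't support non-PIE binaries, control flow or executable stacks`, would stop a later reader from taking the shorter list for an oversight. If `check_PIE` and `check_NX` do pass on arm64 output (not verifiable from this diff), keeping them in the arm64 list would be a cheap regression guard rather than relying on the platform guarantee. The first hunk in this file (`BASE_MACHO`) is the other half of the same change.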
@@ -116,21 +116,34 @@ class TestSecurityChecks(unittest.TestCase): executable = 'test1' cc = determine_wellknown_cmd('CC', 'clang') write_testcode(source) + arch = get_arch(cc, source, executable) + + if arch == lief.ARCHITECTURES.X86: + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fno-stack-protector']), + (1, executable+': failed NOUNDEFS LAZY_BINDINGS Canary PIE NX CONTROL_FLOW')) + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fstack-protector-all']), + (1, executable+': failed NOUNDEFS LAZY_BINDINGS PIE NX CONTROL_FLOW')) + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-fstack-protector-all']), + (1, executable+': failed NOUNDEFS LAZY_BINDINGS PIE CONTROL_FLOW')) + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all']), + (1, executable+': failed LAZY_BINDINGS PIE CONTROL_FLOW')) + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-bind_at_load','-fstack-protector-all']), + (1, executable+': failed PIE CONTROL_FLOW')) + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-bind_at_load','-fstack-protector-all', '-fcf-protection=full']), + (1, executable+': failed PIE')) + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-pie','-Wl,-bind_at_load','-fstack-protector-all', '-fcf-protection=full']), + (0, '')) + else: + # arm64 darwin doesn't support non-PIE binaries, control flow or executable stacks + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fno-stack-protector']), + (1, executable+': failed NOUNDEFS LAZY_BINDINGS Canary')) + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-flat_namespace','-fstack-protector-all']), + (1, executable+': failed NOUNDEFS 
LAZY_BINDINGS')) + self.assertEqual(call_security_check(cc, source, executable, ['-fstack-protector-all']), + (1, executable+': failed LAZY_BINDINGS')) + self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-bind_at_load','-fstack-protector-all']), + (0, '')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fno-stack-protector']), - (1, executable+': failed PIE NOUNDEFS NX LAZY_BINDINGS Canary CONTROL_FLOW')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-Wl,-allow_stack_execute','-fstack-protector-all']), - (1, executable+': failed PIE NOUNDEFS NX LAZY_BINDINGS CONTROL_FLOW')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-flat_namespace','-fstack-protector-all']), - (1, executable+': failed PIE NOUNDEFS LAZY_BINDINGS CONTROL_FLOW')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-fstack-protector-all']), - (1, executable+': failed PIE LAZY_BINDINGS CONTROL_FLOW')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-bind_at_load','-fstack-protector-all']), - (1, executable+': failed PIE CONTROL_FLOW')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-no_pie','-Wl,-bind_at_load','-fstack-protector-all', '-fcf-protection=full']), - (1, executable+': failed PIE')) - self.assertEqual(call_security_check(cc, source, executable, ['-Wl,-pie','-Wl,-bind_at_load','-fstack-protector-all', '-fcf-protection=full']), - (0, '')) clean_files(source, executable) From ca47f2e211f48a8722bb04fd33e456d5db00b968 Mon Sep 17 00:00:00 2001 
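Review bot: The `else:` branch of the Mach-O test treats every architecture other than `lief.ARCHITECTURES.X86` as arm64, so an unexpected `get_arch` result would silently run the reduced expectations instead of failing. Making the branch `elif arch == lief.ARCHITECTURES.ARM64:` and ending with `else: self.fail(f"unexpected architecture: {arch}")` would keep the test honest about which targets it covers. The arm64 cases also only show that PIE, NX and CONTROL_FLOW are not reported; nothing asserts that the produced binary is actually position independent with a non-executable stack, so the comment's claim is taken on trust. The test method begins above this hunk, so its name and setup are not visible here.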
From: fanquake Date: Wed, 26 Jan 2022 08:57:51 +0800 Subject: [PATCH 3/5] guix: use autoconf 2.71 This allows for building with newer targets, like arm64-apple-darwin, due to having a newer bundled config.guess and config.sub. --- contrib/guix/manifest.scm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm index c1950ad08ea..22b922dc9bf 100644 --- a/contrib/guix/manifest.scm +++ b/contrib/guix/manifest.scm @@ -579,7 +579,7 @@ inspecting signatures in Mach-O binaries.") ;; Build tools gnu-make libtool - autoconf + autoconf-2.71 automake pkg-config bison From 0628815e9565a10df96f0f58b9a17cbf7f10dc27 Mon Sep 17 00:00:00 2001 From: fanquake Date: Wed, 14 Jul 2021 09:42:12 +0800 Subject: [PATCH 4/5] guix: add arm64-apple-darwin triplet --- contrib/guix/README.md | 2 +- contrib/guix/guix-build | 2 +- contrib/guix/guix-codesign | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/contrib/guix/README.md b/contrib/guix/README.md index 17df70e612f..90289f9d40e 100644 --- a/contrib/guix/README.md +++ b/contrib/guix/README.md @@ -224,7 +224,7 @@ details. _(defaults to "x86\_64-linux-gnu arm-linux-gnueabihf aarch64-linux-gnu riscv64-linux-gnu powerpc64-linux-gnu powerpc64le-linux-gnu - x86\_64-w64-mingw32 x86\_64-apple-darwin")_ + x86\_64-w64-mingw32 x86\_64-apple-darwin arm64-apple-darwin")_ * _**SOURCES_PATH**_ diff --git a/contrib/guix/guix-build b/contrib/guix/guix-build index 3e2542a418b..bfffbda742c 100755 --- a/contrib/guix/guix-build +++ b/contrib/guix/guix-build @@ -76,7 +76,7 @@ mkdir -p "$VERSION_BASE" # Default to building for all supported HOSTs (overridable by environment) export HOSTS="${HOSTS:-x86_64-linux-gnu arm-linux-gnueabihf aarch64-linux-gnu riscv64-linux-gnu powerpc64-linux-gnu powerpc64le-linux-gnu x86_64-w64-mingw32 - x86_64-apple-darwin}" + x86_64-apple-darwin arm64-apple-darwin}" # Usage: distsrc_for_host HOST # 
diff --git a/contrib/guix/guix-codesign b/contrib/guix/guix-codesign index e52ad30b8d6..2dd30bfa645 100755 --- a/contrib/guix/guix-codesign +++ b/contrib/guix/guix-codesign @@ -91,7 +91,7 @@ fi ################ # Default to building for all supported HOSTs (overridable by environment) -export HOSTS="${HOSTS:-x86_64-w64-mingw32 x86_64-apple-darwin}" +export HOSTS="${HOSTS:-x86_64-w64-mingw32 x86_64-apple-darwin arm64-apple-darwin}" # Usage: distsrc_for_host HOST # From edd70b52fcd79026e9c63b8bc481fa68f95edf11 Mon Sep 17 00:00:00 2001 From: jarolrod Date: Wed, 10 Mar 2021 23:43:49 -0500 Subject: [PATCH 5/5] doc: add arm macOS depends platform triplet --- depends/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/depends/README.md b/depends/README.md index 9f0b60adf8e..6b6af99deec 100644 --- a/depends/README.md +++ b/depends/README.md @@ -29,6 +29,7 @@ Common `host-platform-triplet`s for cross compilation are: - `x86_64-pc-linux-gnu` for x86 Linux - `x86_64-w64-mingw32` for Win64 - `x86_64-apple-darwin` for macOS +- `arm64-apple-darwin` for ARM macOS - `arm-linux-gnueabihf` for Linux ARM 32 bit - `aarch64-linux-gnu` for Linux ARM 64 bit - `powerpc64-linux-gnu` for Linux POWER 64-bit (big endian)