build: add -bind_at_load to macOS hardened LDFLAGS #17686

pull fanquake wants to merge 1 commits into bitcoin:master from fanquake:macos_ld_explicit_bind_at_load changing 1 files +1 −0
  1. fanquake commented at 10:00 PM on December 6, 2019: member

    This performs the same function as -Wl,-z,now, except for ld on macOS.

    You can check the binaries using otool -l, and looking for the LC_DYLD_INFO_ONLY section; lazy_bind_off and lazy_bind_size should both be 0.

    This seems to be the case with our current release binaries. However we can make the check, and applying the flag explicit in configure.

    man ld:

    -bind_at_load
Sets a bit in the mach header of the resulting binary which tells dyld
to bind all symbols when the binary is loaded, rather than lazily.

    TODO:

    • Follow up with MH_BINDATLOAD flag.
  2. fanquake added the label macOS on Dec 6, 2019
  3. fanquake added the label Build system on Dec 6, 2019
  4. fanquake added the label Needs gitian build on Dec 6, 2019
  5. DrahtBot commented at 3:01 AM on December 7, 2019: contributor

    <!--e57a25ab6845829454e8d69fc972939a-->

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    <!--174a7506f384e20aa4161008e828411d-->

    Conflicts

    No conflicts as of last run.

  6. DrahtBot commented at 12:11 AM on December 8, 2019: contributor

    <!--a722867cd34abeea1fadc8d60700f111-->

    Gitian builds

    File commit fc0da027e8cda1d7304e50315a848c353bae4822<br>(master) commit 65347ca3fb93b86f4137384c8cad9f14c577d964<br>(master and this pull)
    bitcoin-0.19.99-aarch64-linux-gnu-debug.tar.gz de8751e92d57e5b2... 7658929043827b19...
    bitcoin-0.19.99-aarch64-linux-gnu.tar.gz 489fd32581f67e68... 3605487b48625824...
    bitcoin-0.19.99-arm-linux-gnueabihf-debug.tar.gz c1a45efe722d7d3e... d71dc43b4c5b4257...
    bitcoin-0.19.99-arm-linux-gnueabihf.tar.gz 3e53869094a514eb... 8498a5f5f67d2a1b...
    bitcoin-0.19.99-i686-pc-linux-gnu-debug.tar.gz 302f566a1c2a27d1... 3a5da89c24e58056...
    bitcoin-0.19.99-i686-pc-linux-gnu.tar.gz e7e36dbb8d8599ac... f95604f5e252bac6...
    bitcoin-0.19.99-osx-unsigned.dmg 783d6681fe4d8623... b02f0746a9ae2f2e...
    bitcoin-0.19.99-osx64.tar.gz e3d1c893682d616a... cb833e995b28c0db...
    bitcoin-0.19.99-riscv64-linux-gnu-debug.tar.gz e3474e1b5190b5d1... 6430f6fa923c0def...
    bitcoin-0.19.99-riscv64-linux-gnu.tar.gz 037c2bff8d25e513... e33019e8b56ee320...
    bitcoin-0.19.99-win64-debug.zip 6107ee3f3f59680f... 13047fce10a6ddc2...
    bitcoin-0.19.99-win64-setup-unsigned.exe 1693dfbccdcdce7a... 0e707248bfdb4b2b...
    bitcoin-0.19.99-win64.zip 990d47c68a4fe32a... ff494a0959304049...
    bitcoin-0.19.99-x86_64-linux-gnu-debug.tar.gz d5e2d0ea06ba6c85... 691649f72b37f4d2...
    bitcoin-0.19.99-x86_64-linux-gnu.tar.gz 25b69607857ed27c... 96603677c6a6ab78...
    bitcoin-0.19.99.tar.gz 0488b26c0c1cf1d7... 820aac2d956ab9c3...
    bitcoin-core-linux-0.20-res.yml efabe43ac9d48c89... a638b93f59811984...
    bitcoin-core-osx-0.20-res.yml 16ef33e79bb42f3a... 752440e5221e7315...
    bitcoin-core-win-0.20-res.yml 434c1193f0d0a3d3... 4ad76c3dc50cbb17...
    linux-build.log 4e8b1b3e797e327f... 70bf8dff3548440e...
    osx-build.log e78108cf5eb78ff7... 6377bbe2bff3baed...
    win-build.log 18ce8f02f41dc64d... c1079cc8815ceaaf...
    bitcoin-core-linux-0.20-res.yml.diff d02220bdb7106c92...
    bitcoin-core-osx-0.20-res.yml.diff c21ea34264fb4769...
    bitcoin-core-win-0.20-res.yml.diff 5c8b1a431ba78193...
    linux-build.log.diff 534e862f259eb2aa...
    osx-build.log.diff 71e271a8ab3481de...
    win-build.log.diff befb4f85e513ed97...
  7. DrahtBot removed the label Needs gitian build on Dec 8, 2019
  8. jonasschnelli commented at 6:08 AM on December 9, 2019: contributor

    Pinging @theuni

  9. laanwj commented at 9:40 AM on December 9, 2019: member

    Concept ACK

    Weren't you working on extending security-check.py to MacOS as well? It has been shown to be quite important to check these things are actually applied (#17569)

  10. fanquake commented at 1:41 PM on December 9, 2019: member

    Weren't you working on extending security-check.py to MacOS as well?

    Yea I started working on a macOS version here: https://github.com/fanquake/core-review/blob/master/macos_dylib_check.py. I can integrate those changes, as well as extend to check for the bind flags as part of this PR.

  11. laanwj commented at 3:40 PM on December 9, 2019: member

    I can integrate those changes, as well as extend to check for the bind flags as part of this PR.

    that'd be awesome!

  12. dongcarl commented at 6:54 PM on December 9, 2019: contributor

    Concept ACK, would love to see the macos_dylib_check.py be in the codebase and as part of reproducible builds (if that makes sense).

  13. fanquake added the label Waiting for author on Dec 9, 2019
  14. fanquake commented at 8:07 PM on December 9, 2019: member

    Currently on hold as we investigate some discrepancies with the macOS dynamic loader.

  15. build: add -bind_at_load to hardened LDFLAGS
    This performs the same function as -Wl,-z,now, except for ld on macOS.

You can check the binaries using otool -l, looking for the
LC_DYLD_INFO_ONLY section. lazy_bind_off and lazy_bind_size should both
be 0.

man ld:

-bind_at_load
Sets a bit in the mach header of the resulting binary which tells dyld
to bind all symbols when the binary is loaded, rather than lazily.
    c78b123982
  16. fanquake force-pushed on Dec 13, 2019
  17. fanquake removed the label Waiting for author on Dec 13, 2019
  18. theuni approved
  19. theuni commented at 8:36 PM on December 17, 2019: member

    ACK c78b123982d59fe2d633659f23d6893de627f3f6.

  20. fanquake referenced this in commit 47f45b6776 on Dec 17, 2019
  21. fanquake merged this on Dec 17, 2019
  22. fanquake closed this on Dec 17, 2019
  23. fanquake commented at 9:33 PM on December 17, 2019: member

    The macOS security and dylib checking changes are going to be PR'd shortly, as well as some additional ld flags error checking.

  24. fanquake deleted the branch on Dec 17, 2019
  25. sidhujag referenced this in commit 1420874b13 on Dec 17, 2019
  26. fanquake cross-referenced this on Mar 8, 2020 from issue scripts: add MACHO lazy bindings check to security-check.py by fanquake
  27. MarkLTZ cross-referenced this on Apr 4, 2020 from issue Bitcoin PR tracking by MarkLTZ
  28. fanquake referenced this in commit d486991aa5 on Apr 9, 2020
  29. sidhujag referenced this in commit 985073abb5 on Apr 13, 2020
  30. sidhujag referenced this in commit ec6da719c1 on Nov 10, 2020
  31. PastaPastaPasta referenced this in commit 2abb7f0106 on Jun 27, 2021
  32. PastaPastaPasta referenced this in commit dcf166592b on Jun 28, 2021
  33. PastaPastaPasta referenced this in commit bf2b1a6040 on Jun 29, 2021
  34. PastaPastaPasta referenced this in commit 386e576a1e on Jul 1, 2021
  35. PastaPastaPasta referenced this in commit e1c33e89d8 on Jul 1, 2021
  36. PastaPastaPasta referenced this in commit 10a4b01361 on Sep 17, 2021
  37. thelazier referenced this in commit 1fe2770c05 on Sep 25, 2021
  38. bitcoin locked this on Dec 16, 2021
Contributors
fanquakeDrahtBotjonasschnellilaanwjdongcarltheuni
Labels
macOSBuild system
Linked (view graph)
#17569 build: Allow export of environ symbols and work around rv64 toolchain issue#18295 scripts: add MACHO lazy bindings check to security-check.py
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-05-20 06:54 UTC