Merge bitcoin#29695: guix: build GCC with --enable-standard-branch-protection

fanquake · fanquake · commit d04324a7056a · 2024-03-26T13:45:33.000Z
7850c5f guix: build GCC with --enable-standard-branch-protection (fanquake) Pull request description: This is one change extracted from bitcoin#24123 (which now produces fully BTI & PAC enabled bins), which will mean that everything in depends, for Guix builds, is compiled using `-mbranch-protection=standard`. Turning this on by default, is similar to what we already do with `--enable-default-ssp`, `--enable-default-pie` etc. See: https://gcc.gnu.org/install/specific.html#aarch64-x-x > To enable Branch Target Identification Mechanism and Return Address Signing by default at configure time use the `--enable-standard-branch-protection` option. > This is equivalent to having `-mbranch-protection=standard` during compilation. This can be explicitly disabled during compilation by passing the `-mbranch-protection=none` option which turns off all types of branch protections. ACKs for top commit: TheCharlatan: ACK 7850c5f Tree-SHA512: 18f898da27021bab502e708ea5fa9b325352f8f6e23d9488a2a0feda87e0af2ac0e4f87b3af9ad6a9a37bbfc99ab0285de4f0bdc174dcd38163d92c122e958e2
diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm
@@ -423,6 +423,7 @@ inspecting signatures in Mach-O binaries.")
             (list "--enable-initfini-array=yes",
                   "--enable-default-ssp=yes",
                   "--enable-default-pie=yes",
+                  "--enable-standard-branch-protection=yes",
                   building-on)))
         ((#:phases phases)
           `(modify-phases ,phases
