From 41720e2e263b92b2ca3377a671c1cc8d07befe85 Mon Sep 17 00:00:00 2001
From: fanquake
Date: Tue, 23 Aug 2022 12:43:33 +0100
Subject: [PATCH] guix: build x86_64-linux bitcoind fully statically
-static-pie
Produce a static position independent executable on targets that support it. A static position independent executable is similar to a static executable, but can be loaded at any address without a dynamic linker. See https://gcc.gnu.org/onlinedocs/gcc/Link-Options.html
---
 contrib/devtools/security-check.py | 4 +++-
 contrib/devtools/symbol-check.py | 9 ++++++---
 contrib/guix/libexec/build.sh | 6 ++++--
 contrib/guix/manifest.scm | 4 ++++
 4 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/contrib/devtools/security-check.py b/contrib/devtools/security-check.py
index 4c20685b51c..da96c8b6d40 100755
--- a/contrib/devtools/security-check.py
+++ b/contrib/devtools/security-check.py
@@ -248,7 +248,9 @@ BASE_MACHO = [
 CHECKS = {
 lief.EXE_FORMATS.ELF: {
- lief.ARCHITECTURES.X86: BASE_ELF + [('CONTROL_FLOW', check_ELF_CONTROL_FLOW), ('FORTIFY', check_ELF_FORTIFY)],
+ # no imported fortified funcs if we are fully static, fortification is still applied
+ # the check could be changed to include all symbols later
+ lief.ARCHITECTURES.X86: BASE_ELF + [('CONTROL_FLOW', check_ELF_CONTROL_FLOW)],
 lief.ARCHITECTURES.ARM: BASE_ELF + [('FORTIFY', check_ELF_FORTIFY)],
 lief.ARCHITECTURES.ARM64: BASE_ELF + [('FORTIFY', check_ELF_FORTIFY)],
 lief.ARCHITECTURES.PPC: BASE_ELF + [('FORTIFY', check_ELF_FORTIFY)],
diff --git a/contrib/devtools/symbol-check.py b/contrib/devtools/symbol-check.py
index e09f97cbdaa..7a88d5193a9 100755
--- a/contrib/devtools/symbol-check.py
+++ b/contrib/devtools/symbol-check.py
@@ -34,7 +34,7 @@ import lief
 MAX_VERSIONS = {
 'GCC': (4,3,0),
 'GLIBC': {
- lief.ELF.ARCH.x86_64: (2,31),
+ lief.ELF.ARCH.x86_64: (0,0),
 lief.ELF.ARCH.ARM: (2,31),
 lief.ELF.ARCH.AARCH64:(2,31),
 lief.ELF.ARCH.PPC64: (2,31),
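Review bot: Replacing the `lief.ARCHITECTURES.X86` entry with one that carries no FORTIFY check means a future x86_64 build that silently loses `_FORTIFY_SOURCE` is no longer caught, and as far as I can tell LIEF's abstract X86 value also covers 32-bit x86 ELF, so any such binary loses the check too. Since the added comment already states that fortification is still applied, keep the check in a form that works for a static binary: let `check_ELF_FORTIFY` (outside this hunk) scan `binary.symbols` for `_chk` names when there are no imported symbols, provided the static symbol table still exists at the point the check runs, instead of dropping the check for the whole architecture. Separately, `BASE_ELF` (not shown here) presumably still carries the PIE check; if the pinned LIEF derives `is_pie` from ET_DYN plus a PT_INTERP segment, a `-static-pie` binary without an interpreter would be reported as non-PIE, so that check may need a fallback on `binary.header.file_type == lief.ELF.E_TYPE.DYNAMIC` for static binaries — worth confirming against the built artifact.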
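Review bot: `(0,0)` for `lief.ELF.ARCH.x86_64` is a sentinel that makes every versioned GLIBC import fail the maximum-version comparison, but nothing on the line says so, and a reader comparing it with the `(2,31)` entries will take it for a typo. Add `# fully static (-static-pie): no versioned glibc imports are allowed at all` on the `+` line. Note that this only constrains imports that carry a GLIBC version; the function that consumes this table is outside the hunk, so whether an unversioned import would still pass is not visible here and should be checked together with the library check later in the file.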
@@ -54,7 +54,7 @@ IGNORE_EXPORTS = {
 # https://sourceware.org/glibc/wiki/ABIList?action=recall&rev=16
 ELF_INTERPRETER_NAMES: dict[lief.ELF.ARCH, dict[lief.ENDIANNESS, str]] = {
 lief.ELF.ARCH.x86_64: {
- lief.ENDIANNESS.LITTLE: "/lib64/ld-linux-x86-64.so.2",
+ lief.ENDIANNESS.LITTLE: "",
 },
 lief.ELF.ARCH.ARM: {
 lief.ENDIANNESS.LITTLE: "/lib/ld-linux-armhf.so.3",
@@ -98,7 +98,6 @@ ELF_ALLOWED_LIBRARIES = {
 'libpthread.so.0', # threading
 'libm.so.6', # math library
 'libatomic.so.1',
-'ld-linux-x86-64.so.2', # 64-bit dynamic linker
 'ld-linux.so.2', # 32-bit dynamic linker
 'ld-linux-aarch64.so.1', # 64-bit ARM dynamic linker
 'ld-linux-armhf.so.3', # 32-bit ARM dynamic linker
@@ -219,6 +218,10 @@ def check_RUNPATH(binary) -> bool:
 def check_ELF_libraries(binary) -> bool:
 ok: bool = True
+
+ if binary.header.machine_type == lief.ELF.ARCH.x86_64:
+ return len(binary.libraries) == 0
+
 for library in binary.libraries:
 if library not in ELF_ALLOWED_LIBRARIES:
 print(f'(unknown): {library} is not in ALLOWED_LIBRARIES!')
diff --git a/contrib/guix/libexec/build.sh b/contrib/guix/libexec/build.sh
index ddb8297d9e6..47608e16dac 100755
--- a/contrib/guix/libexec/build.sh
+++ b/contrib/guix/libexec/build.sh
@@ -142,10 +142,10 @@ export GUIX_LD_WRAPPER_DISABLE_RPATH=yes
 # Determine the correct value for -Wl,--dynamic-linker for the current $HOST
 case "$HOST" in
+ x86_64-linux-gnu) ;;
 *linux*)
 glibc_dynamic_linker=$(
 case "$HOST" in
- x86_64-linux-gnu) echo /lib64/ld-linux-x86-64.so.2 ;;
 arm-linux-gnueabihf) echo /lib/ld-linux-armhf.so.3 ;;
 aarch64-linux-gnu) echo /lib/ld-linux-aarch64.so.1 ;;
 riscv64-linux-gnu) echo /lib/ld-linux-riscv64-lp64d.so.1 ;;
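Review bot: Mapping x86_64 to `""` makes the interpreter check (outside this hunk) compare LIEF's reported interpreter with an empty string, which only holds if LIEF returns `""` for a binary that has no PT_INTERP rather than raising or returning something else; confirm that against the built static-pie binary, or test `binary.has_interpreter` explicitly for this arch so the intent does not depend on that detail. A comment on the `+` line, `# fully static (-static-pie): no program interpreter`, would also keep the empty string from reading like an accident next to the real loader paths below it.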
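Review bot: The early return `return len(binary.libraries) == 0` reports a failure without naming the offending library, whereas the loop below it prints every unexpected entry; a stray DT_NEEDED on the static-pie build would surface only as a bare false from this check. Print before returning, e.g. `for library in binary.libraries:` / `print(f'(unknown): {library} found in a fully static x86_64 binary!')` ahead of the existing return, and add a one-line comment that x86_64 is expected to carry no dynamic dependencies at all. The function continues past the end of the hunk.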
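Review bot: The new `x86_64-linux-gnu) ;;` arm leaves `glibc_dynamic_linker` unset, which is only correct because the LDFLAGS case later in the file gives x86_64 its own branch that never expands the variable; that coupling is invisible at this point. Record it on the arm, `x86_64-linux-gnu) ;; # linked -static-pie: no dynamic linker, HOST_LDFLAGS below must not use $glibc_dynamic_linker`, and mention the exception in the comment above the case, which still says it determines the value for every `$HOST`.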
@@ -176,7 +176,8 @@ make -C depends --jobs="$JOBS" HOST="$HOST" \
 x86_64_linux_AR=x86_64-linux-gnu-gcc-ar \
 x86_64_linux_RANLIB=x86_64-linux-gnu-gcc-ranlib \
 x86_64_linux_NM=x86_64-linux-gnu-gcc-nm \
- x86_64_linux_STRIP=x86_64-linux-gnu-strip
+ x86_64_linux_STRIP=x86_64-linux-gnu-strip \
+ NO_QT=1 # Don't bother with static
 case "$HOST" in
 *darwin*)
@@ -225,6 +226,7 @@ esac
 # LDFLAGS
 case "$HOST" in
+ x86_64-linux-gnu) HOST_LDFLAGS=" -static-pie -static-libgcc -Wl,-O2" ;;
 *linux*) HOST_LDFLAGS="-Wl,--as-needed -Wl,--dynamic-linker=$glibc_dynamic_linker -static-libstdc++ -Wl,-O2" ;;
 *mingw*) HOST_LDFLAGS="-Wl,--no-insert-timestamp" ;;
 esac
diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm
index ab6f3302df0..65068d8c687 100644
--- a/contrib/guix/manifest.scm
+++ b/contrib/guix/manifest.scm
@@ -590,6 +590,10 @@ inspecting signatures in Mach-O binaries.")
 (package-with-c-toolchain nsis-x86_64 `(("toolchain" ,toolchain))))
 nss-certs
 osslsigncode))
+ ((string-contains target "x86_64-linux-")
+ (list (list gcc-toolchain-12 "static")
+ (make-bitcoin-cross-toolchain target
+ #:base-libc glibc-2.40)))
 ((string-contains target "-linux-")
 (list bison
 pkg-config
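Review bot: `NO_QT=1` is appended to the `make -C depends` invocation that runs for every `$HOST`, so as written it drops Qt from the ARM, AArch64, RISC-V, PowerPC, macOS and Windows depends builds as well, not only from the static x86_64 build the commit title describes. Make it host-conditional, e.g. set `host_depends_flags="NO_QT=1"` in an `x86_64-linux-gnu)` arm of the earlier `case "$HOST"` and pass `$host_depends_flags` (unquoted, so it expands to nothing for other hosts) in place of the literal. The comment `# Don't bother with static` should also say why, presumably that only bitcoind is produced for this target so the GUI dependencies are unused. The make invocation begins before this hunk.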
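Review bot: `HOST_LDFLAGS=" -static-pie -static-libgcc -Wl,-O2"` starts with a stray space and, unlike the `*linux*` branch below it, omits `-Wl,--as-needed` and `-static-libstdc++`; both are redundant for a fully static link, but a comment saying so will stop someone from "restoring" them. More importantly, a glibc program linked statically still loads NSS modules with `dlopen` at runtime for name resolution, as glibc's own link-time warning for `getaddrinfo` states, so the binary is not free of host-glibc dependencies in the way the commit message suggests; if bitcoind's resolver path is exercised, document that next to these flags or address it in the build. Whether the toolchain's libc was built with static-pie support is decided in the manifest, not here.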
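Review bot: The new `x86_64-linux-` branch moves this target to `#:base-libc glibc-2.40` and the `"static"` output of `gcc-toolchain-12` without saying why, while the generic `-linux-` branch keeps its own libc; a reader cannot tell whether 2.40 is required for `-static-pie` support or merely the newest available. Add a comment above the branch along the lines of `;; x86_64-linux is linked -static-pie, so no glibc from the target system is used; the libc only has to support static-pie links`, adjusted to the actual reason. Both `gcc-toolchain-12` and `glibc-2.40` must be defined elsewhere in this manifest; their definitions are not in the diff. The branch also has to stay ahead of the `-linux-` one, as it does here, since `string-contains` would match that branch as well.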