From d97f3f7bc347fa6d88d32b4c0893c2dbff447137 Mon Sep 17 00:00:00 2001
From: fanquake
Date: Mon, 14 Aug 2023 15:22:54 +0100
Subject: [PATCH] guix: use glibc 2.33

glibc 2.32 was the first to ship with support for branch protection when compiled with a compatible compiler, see below. However a number of bugfixes/improvements shipped in glibc 2.33, so use that, rather than trying to backport all relevant changes.

glibc 2.32 release notes: https://lwn.net/Articles/828210/

* AArch64 now supports standard branch protection security hardening in glibc when it is built with a GCC that is configured with --enable-standard-branch-protection (or if -mbranch-protection=standard flag is passed when building both GCC target libraries and glibc, in either case a custom GCC is needed). This includes branch target identification (BTI) and pointer authentication for return addresses (PAC-RET). They require armv8.5-a and armv8.3-a architecture extensions respectively for the protection to be effective, otherwise the used instructions are nops. User code can use PAC-RET without libc support, but BTI requires a libc that is built with BTI support, otherwise runtime objects linked into user code will not be BTI compatible.

`__libc_single_threaded` added as it is now exported from at least `bitcoin-wallet` and `test_bitcoin`.
---
 contrib/devtools/symbol-check.py | 12 ++++++------
 contrib/guix/manifest.scm | 25 ++++++-------------------
 2 files changed, 12 insertions(+), 25 deletions(-)

diff --git a/contrib/devtools/symbol-check.py b/contrib/devtools/symbol-check.py
index 564f1db5ac0..e94ba46e524 100755
--- a/contrib/devtools/symbol-check.py
+++ b/contrib/devtools/symbol-check.py
@@ -34,11 +34,11 @@ import lief
 MAX_VERSIONS = {
 'GCC': (4,3,0),
 'GLIBC': {
- lief.ELF.ARCH.x86_64: (2,31),
- lief.ELF.ARCH.ARM: (2,31),
- lief.ELF.ARCH.AARCH64:(2,31),
- lief.ELF.ARCH.PPC64: (2,31),
- lief.ELF.ARCH.RISCV: (2,31),
+ lief.ELF.ARCH.x86_64: (2,33),
+ lief.ELF.ARCH.ARM: (2,33),
+ lief.ELF.ARCH.AARCH64:(2,33),
+ lief.ELF.ARCH.PPC64: (2,33),
+ lief.ELF.ARCH.RISCV: (2,33),
 },
 'LIBATOMIC': (1,0),
 'V': (0,5,0), # xkb (bitcoin-qt only)
@@ -47,7 +47,7 @@ MAX_VERSIONS = {
 # Ignore symbols that are exported as part of every executable
 IGNORE_EXPORTS = {
 'environ', '_environ', '__environ', '_fini', '_init', 'stdin',
-'stdout', 'stderr',
+'stdout', 'stderr', '__libc_single_threaded',
 }

 # Expected linker-loader names can be found here:
diff --git a/contrib/guix/manifest.scm b/contrib/guix/manifest.scm
index 4e7e9552182..10d7c40bc64 100644
--- a/contrib/guix/manifest.scm
+++ b/contrib/guix/manifest.scm
@@ -99,7 +99,7 @@ chain for " target " development."))
 #:key
 (base-gcc-for-libc linux-base-gcc)
 (base-kernel-headers base-linux-kernel-headers)
- (base-libc glibc-2.31)
+ (base-libc glibc-2.33)
 (base-gcc linux-base-gcc))
 "Convenience wrapper around MAKE-CROSS-TOOLCHAIN with default values
 desirable for building Bitcoin Core release binaries."
@@ -452,11 +452,11 @@ inspecting signatures in Mach-O binaries.")
 (("-rpath=") "-rpath-link="))
 #t))))))))

-(define-public glibc-2.31
- (let ((commit "7b27c450c34563a28e634cccb399cd415e71ebfe"))
+(define-public glibc-2.33
+ (let ((commit "5f08d1df2c07904c1dc98bdf2b363c65874266f7"))
 (package
 (inherit glibc) ;; 2.35
- (version "2.31")
+ (version "2.33")
 (source (origin
 (method git-fetch)
 (uri (git-reference
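Review bot: The comment above `IGNORE_EXPORTS` still describes the set as symbols "exported as part of every executable", but the commit message says `__libc_single_threaded` is exported from at least `bitcoin-wallet` and `test_bitcoin`, not from every binary. Because this set switches off the export check for all binaries, each entry should carry its reason; I would add a line above the new entry such as `# __libc_single_threaded: glibc data symbol (2.32+), exported by some binaries, e.g. bitcoin-wallet and test_bitcoin`. It would also help to record why the symbol ends up exported (presumably a copy relocation against the libc data object, which should be confirmed) so a later reader can tell when the exemption can be dropped.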
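Review bot: The new `commit` pin in `glibc-2.33` has no comment saying which upstream ref it corresponds to, while the package `version` is plain "2.33". The commit message says 2.33 was chosen for its bugfixes, so the hash is presumably a point on the 2.33 release branch rather than the release tag. A one-line comment next to the `let` binding, e.g. `;; <upstream branch name>, as of <date>`, would let reviewers check the pin against upstream without guessing. The content hash that backs this pin is updated in the following hunk (@@ -465), and the `package` form continues outside this hunk.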
@@ -465,7 +465,7 @@ inspecting signatures in Mach-O binaries.")
 (file-name (git-file-name "glibc" commit))
 (sha256
 (base32
- "017qdpr5id7ddb4lpkzj2li1abvw916m3fc6n7nw28z4h5qbv2n0"))
+ "0a9bxg13h9m19yx4aihix3l9yylv9vf9szkjj96cjg2zglx1izkf"))
 (patches (search-our-patches "glibc-guix-prefix.patch"))))
 (arguments
 (substitute-keyword-arguments (package-arguments glibc)
@@ -478,20 +478,7 @@ inspecting signatures in Mach-O binaries.")
 "--disable-werror",
 "--disable-timezone-tools",
 "--disable-profile",
- building-on)))
- ((#:phases phases)
- `(modify-phases ,phases
- (add-before 'configure 'set-etc-rpc-installation-directory
- (lambda* (#:key outputs #:allow-other-keys)
- ;; Install the rpc data base file under `$out/etc/rpc'.
- ;; Otherwise build will fail with "Permission denied."
- ;; Can be removed when we are building 2.32 or later.
- (let ((out (assoc-ref outputs "out")))
- (substitute* "sunrpc/Makefile"
- (("^\\$\\(inst_sysconfdir\\)/rpc(.*)$" _ suffix)
- (string-append out "/etc/rpc" suffix "\n"))
- (("^install-others =.*$")
- (string-append "install-others = " out "/etc/rpc\n")))))))))))))
+ building-on))))))))

 ;; The sponge tool from moreutils.
 (define-public sponge
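Review bot: Nothing in the flag list visible in the @@ -478 hunk (the one ending in `building-on`) turns on AArch64 branch protection, although the commit message gives BTI/PAC-RET support as the reason for the glibc bump. The release note it quotes says glibc only gains this when built with a GCC configured with `--enable-standard-branch-protection` or with `-mbranch-protection=standard`. That may be set elsewhere in the manifest, which this hunk does not show; if it is not, the bump raises the permitted glibc symbol version without delivering the hardening. A comment on this flag list stating where branch protection is enabled, plus a release-binary check that the AArch64 outputs carry the expected BTI/PAC property, would make the intent verifiable. The flag list itself starts above the hunk.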