Merge bitcoin/bitcoin#23838: scripts: make security checks architecture independent

b9898ae scripts: make security checks architecture independent (fanquake)

Pull request description:

  This paves the way for using and checking for architecture dependent flags like `-fcf-protection` on x86_64 Linux and `-mbranch-protection` on 64 bit ARM.

  While we need a workaround for RISCV arch detection, I sent a change upstream (lief-project/LIEF#640), which has been merged. So we can drop this workaround along with our other RISCV workarounds (i.e lief-project/LIEF#562) with the next LIEF release.

  Required for #19075, #21851, #21888 etc.

  Guix build:
  ```bash
  bash-5.1# find guix-build-$(git rev-parse --short=12 HEAD)/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum
  c57bcad9d763aae223a256283fef6243d79e0df46c5b5706dc9034a87df56694  guix-build-b9898aeeaa6a/output/aarch64-linux-gnu/SHA256SUMS.part
  f16fb8f0a2d4dfd576fea440c487722d076f3db9d10ec0480b2f94df0c92a6a3  guix-build-b9898aeeaa6a/output/aarch64-linux-gnu/bitcoin-b9898aeeaa6a-aarch64-linux-gnu-debug.tar.gz
  0e6e660eca7484ddb160b3d62d8867cf171044e81e719de899cd9b8b898cc614  guix-build-b9898aeeaa6a/output/aarch64-linux-gnu/bitcoin-b9898aeeaa6a-aarch64-linux-gnu.tar.gz
  29f14e305a280dc1d33a1f2d660db952caf6f3a9aeff9ab9560f122821269ab2  guix-build-b9898aeeaa6a/output/arm-linux-gnueabihf/SHA256SUMS.part
  26477f58601363dfe8eb2639472f71943bc341d415b6190316af232f363f5485  guix-build-b9898aeeaa6a/output/arm-linux-gnueabihf/bitcoin-b9898aeeaa6a-arm-linux-gnueabihf-debug.tar.gz
  372be53fd6d7fedad1bddc45cd9d1ce34cff376eaae4f613e2aa2465728fba82  guix-build-b9898aeeaa6a/output/arm-linux-gnueabihf/bitcoin-b9898aeeaa6a-arm-linux-gnueabihf.tar.gz
  39778c9d2949deaba404c90b930e5a0b72663bb05e9d82e93439be131fd622e3  guix-build-b9898aeeaa6a/output/dist-archive/bitcoin-b9898aeeaa6a.tar.gz
  599eee817b364b0348034a3e8c97b4bb1a35a78e3ba3472f7589f7a241947b51  guix-build-b9898aeeaa6a/output/powerpc64-linux-gnu/SHA256SUMS.part
  ade0c5ac07d467aa73f85d2a08c3fc3b311816869a2b6903bba4b4e6c88ad9d2  guix-build-b9898aeeaa6a/output/powerpc64-linux-gnu/bitcoin-b9898aeeaa6a-powerpc64-linux-gnu-debug.tar.gz
  c63db0e2570756df0b459e6114f01f0b47972ba8d81fcd9568edee95dfade23b  guix-build-b9898aeeaa6a/output/powerpc64-linux-gnu/bitcoin-b9898aeeaa6a-powerpc64-linux-gnu.tar.gz
  dc4e6ba6958e534161a54669ff5d75bc312cfeb92567cc2092235eed0e2f6aa7  guix-build-b9898aeeaa6a/output/powerpc64le-linux-gnu/SHA256SUMS.part
  3ce4c7e50915f72f24fcd24e1e1bc8460cdf2c065e390cf5f626c4cffd50961c  guix-build-b9898aeeaa6a/output/powerpc64le-linux-gnu/bitcoin-b9898aeeaa6a-powerpc64le-linux-gnu-debug.tar.gz
  c8f4a8f10f16fab07547553f1f2580c4aa98ac63246fb30da0560a6367990dd1  guix-build-b9898aeeaa6a/output/powerpc64le-linux-gnu/bitcoin-b9898aeeaa6a-powerpc64le-linux-gnu.tar.gz
  8206937fefc76cc277cc7aa8762d7554575942a9e1704106d5ab9b6fe01d5408  guix-build-b9898aeeaa6a/output/riscv64-linux-gnu/SHA256SUMS.part
  9530ee044927df02d96c3a9e5974d68b70a7105cb943b94e846c496c2d0579b9  guix-build-b9898aeeaa6a/output/riscv64-linux-gnu/bitcoin-b9898aeeaa6a-riscv64-linux-gnu-debug.tar.gz
  fc4885db902c3205d3c1bc45c7e03375e621633efb419df37f145d11329bd6ed  guix-build-b9898aeeaa6a/output/riscv64-linux-gnu/bitcoin-b9898aeeaa6a-riscv64-linux-gnu.tar.gz
  caedbc37d5aa5fbb0e370019ce5f1d5f6745b32153f562b0aee80aceec57deab  guix-build-b9898aeeaa6a/output/x86_64-apple-darwin/SHA256SUMS.part
  1b363dfde1d83530ec4deb0f24547c07446f5db99f327fe382a6e91b4b6cc454  guix-build-b9898aeeaa6a/output/x86_64-apple-darwin/bitcoin-b9898aeeaa6a-osx-unsigned.dmg
  bee82fe6e50a249eab21b6c97ad7436447489d0eabe3e5f7c992ba3b22dfc5ea  guix-build-b9898aeeaa6a/output/x86_64-apple-darwin/bitcoin-b9898aeeaa6a-osx-unsigned.tar.gz
  a935280e1229c69bdd29f32d4c894f1384e765872c68ea0dcdacdf897d4bc013  guix-build-b9898aeeaa6a/output/x86_64-apple-darwin/bitcoin-b9898aeeaa6a-osx64.tar.gz
  370a87e34e694fe44ba0cd809a1ba044bcc0e7e100b01d74a883069b3d754d1c  guix-build-b9898aeeaa6a/output/x86_64-linux-gnu/SHA256SUMS.part
  46f8c3aa2c3a65f3fc73ddda344724e800bb463d80b062dc749ab76f4c21bc8c  guix-build-b9898aeeaa6a/output/x86_64-linux-gnu/bitcoin-b9898aeeaa6a-x86_64-linux-gnu-debug.tar.gz
  9704b95152ebe582f8aa70bbab8f34ea5e32d80dfda948c019cb9f7d0982f36c  guix-build-b9898aeeaa6a/output/x86_64-linux-gnu/bitcoin-b9898aeeaa6a-x86_64-linux-gnu.tar.gz
  8385a966601ab4b9dc11d4467435c26af93dce97b66f3d33d7a8f7a885ac326d  guix-build-b9898aeeaa6a/output/x86_64-w64-mingw32/SHA256SUMS.part
  f46812804e79166e5440b678166ce2cc38b5628d1a9e312b3af138720cacc478  guix-build-b9898aeeaa6a/output/x86_64-w64-mingw32/bitcoin-b9898aeeaa6a-win-unsigned.tar.gz
  1d7077fdc59ce6af2ea5bffaa5a2ab579f8e8382467a7140623a6a2c4a588a0c  guix-build-b9898aeeaa6a/output/x86_64-w64-mingw32/bitcoin-b9898aeeaa6a-win64-debug.zip
  033fa4263ec91ca1e53ff652f12104c3c2aa7da9240a9b48bfa8f2341c79a225  guix-build-b9898aeeaa6a/output/x86_64-w64-mingw32/bitcoin-b9898aeeaa6a-win64-setup-unsigned.exe
  b7fdc84dee75951c131747c00e1e3c2da87e6f98e9435ffe7fa350ecda6771e8  guix-build-b9898aeeaa6a/output/x86_64-w64-mingw32/bitcoin-b9898aeeaa6a-win64.zip
  ```

ACKs for top commit:
  laanwj:
    Code review ACK b9898ae
  hebasto:
    ACK b9898ae

Tree-SHA512: d7e7c3eb33f54d44a2252f36871fdb77c182da18ee02078e8b5b4f91d02ec91f9e5c829160839b010b40670202ff05d2c702b7a3873b450878f21ade4dc0ab58

Author: laanwj

contrib/devtools/security-check.py

@@ -12,6 +12,10 @@
 
 import lief #type:ignore
 
+# temporary constant, to be replaced with lief.ELF.ARCH.RISCV
+# https://github.com/lief-project/LIEF/pull/562
+LIEF_ELF_ARCH_RISCV = lief.ELF.ARCH(243)
+
 def check_ELF_RELRO(binary) -> bool:
     '''
     Check for read-only relocations.
@@ -178,31 +182,46 @@ def check_control_flow(binary) -> bool:
         return True
     return False
 
-
-CHECKS = {
-lief.EXE_FORMATS.ELF: [
+BASE_ELF = [
     ('PIE', check_PIE),
     ('NX', check_NX),
     ('RELRO', check_ELF_RELRO),
     ('Canary', check_ELF_Canary),
     ('separate_code', check_ELF_separate_code),
-],
-lief.EXE_FORMATS.PE: [
+]
+
+BASE_PE = [
     ('PIE', check_PIE),
     ('DYNAMIC_BASE', check_PE_DYNAMIC_BASE),
     ('HIGH_ENTROPY_VA', check_PE_HIGH_ENTROPY_VA),
     ('NX', check_NX),
     ('RELOC_SECTION', check_PE_RELOC_SECTION),
     ('CONTROL_FLOW', check_PE_control_flow),
-],
-lief.EXE_FORMATS.MACHO: [
+]
+
+BASE_MACHO = [
     ('PIE', check_PIE),
     ('NOUNDEFS', check_MACHO_NOUNDEFS),
     ('NX', check_NX),
     ('LAZY_BINDINGS', check_MACHO_LAZY_BINDINGS),
     ('Canary', check_MACHO_Canary),
     ('CONTROL_FLOW', check_control_flow),
 ]
+
+CHECKS = {
+    lief.EXE_FORMATS.ELF: {
+        lief.ARCHITECTURES.X86: BASE_ELF,
+        lief.ARCHITECTURES.ARM: BASE_ELF,
+        lief.ARCHITECTURES.ARM64: BASE_ELF,
+        lief.ARCHITECTURES.PPC: BASE_ELF,
+        LIEF_ELF_ARCH_RISCV: BASE_ELF,
+    },
+    lief.EXE_FORMATS.PE: {
+        lief.ARCHITECTURES.X86: BASE_PE,
+    },
+    lief.EXE_FORMATS.MACHO: {
+        lief.ARCHITECTURES.X86: BASE_MACHO,
+    }
 }
 
 if __name__ == '__main__':
@@ -211,13 +230,24 @@ def check_control_flow(binary) -> bool:
         try:
             binary = lief.parse(filename)
             etype = binary.format
+            arch = binary.abstract.header.architecture
+            binary.concrete
+
             if etype == lief.EXE_FORMATS.UNKNOWN:
                 print(f'{filename}: unknown executable format')
                 retval = 1
                 continue
 
+            if arch == lief.ARCHITECTURES.NONE:
+                if binary.header.machine_type == LIEF_ELF_ARCH_RISCV:
+                    arch = LIEF_ELF_ARCH_RISCV
+                else:
+                    print(f'{filename}: unknown architecture')
+                    retval = 1
+                    continue
+
             failed: List[str] = []
-            for (name, func) in CHECKS[etype]:
+            for (name, func) in CHECKS[etype][arch]:
                 if not func(binary):
                     failed.append(name)
             if failed: