guix: enable hardening options in GCC Build

Pass `--enable-default-pie` and `--enable-default-ssp` when configuring
our GCCs. This achieves the following:

--enable-default-pie
	Turn on -fPIE and -pie by default.

--enable-default-ssp
	Turn on -fstack-protector-strong by default.

Note that this isn't a replacement for passing hardneing flags
ourselves, but introduces some redundency, and there isn't really a
reason to not build a more "hardenings enabled" toolchain by default.

See also:
https://gcc.gnu.org/install/configure.html

Author: fanquake

contrib/guix/manifest.scm

@@ -132,12 +132,19 @@ chain for " target " development."))
 (define base-gcc gcc-10)
 (define base-linux-kernel-headers linux-libre-headers-5.15)
 
+;; https://gcc.gnu.org/install/configure.html
+(define (hardened-gcc gcc)
+  (package-with-extra-configure-variable (
+    package-with-extra-configure-variable gcc
+    "--enable-default-ssp" "yes")
+    "--enable-default-pie" "yes"))
+
 (define* (make-bitcoin-cross-toolchain target
                                        #:key
                                        (base-gcc-for-libc base-gcc)
                                        (base-kernel-headers base-linux-kernel-headers)
                                        (base-libc (make-glibc-with-bind-now (make-glibc-without-werror glibc-2.24)))
-                                       (base-gcc (make-gcc-rpath-link base-gcc)))
+                                       (base-gcc (make-gcc-rpath-link (hardened-gcc base-gcc))))
   "Convenience wrapper around MAKE-CROSS-TOOLCHAIN with default values
 desirable for building Bitcoin Core release binaries."
   (make-cross-toolchain target