[WIP] sea: generate single executable directly with Node.js binary

[joyeecheung]

This is not yet ready for full review, as it lacks more documentation and tests. I've only tested this on macOS and Linux. For now, consider this as a POC for more feedback, especially the name of the command.

---

Instead of relying on a WASM build of postject to perform the
injection, add LIEF as dependency and generate the SEA directly
from core via a new CLI option --build-sea which takes the SEA
config. This simplifies SEA generation for users and makes it
easier to debug/maintain the SEA building process.

For the time being, backward compatibility with the postject-based SEA building process will be maintained, until there's motivation to break it (e.g. for optimizations)

The new process is simplified to as follows - no more knowledge about the blob location in the binary needed:

$ echo 'console.log("Hello")' > hello.js
$ echo '{ "main": "hello.js", "output": "sea" }' > sea-config.json
$ node --build-sea sea-config.json
$ ./sea
Hello

---

This idea was discussed a while back (brought up by @marco-ippolito) at the collaboration summit to improve the UX of SEA building process, which currently requires users to use an external tool (i.e. postject) to perform the injection, and know about the layout of the target binary. For most users, the details are probably not very useful. Moving the injection process into core simplifies the process.

I've been helping out with the SEA feature from time to time and as I see it, apart from UX improvement, I found the current WASM-based tool somewhat difficult to debug when I was trying to fix nodejs/postject#105. Also, the WASM build is significantly slower than a native build, which adds friction to the debugging process.

$ time out/Release/node test/sea/test-single-executable-application.js
Copied /Users/joyee/projects/node/out/Release/node to /Users/joyee/projects/node/test/.tmp.0/sea
Injected /Users/joyee/projects/node/test/.tmp.0/sea-prep.blob into /Users/joyee/projects/node/test/.tmp.0/sea
Signed /Users/joyee/projects/node/test/.tmp.0/sea

User time: 5.12s
System time: 0.38s
CPU time: 90%
Total time: 6.06s

$ time out/Release/node test/sea/test-build-sea.js
Signed /Users/joyee/projects/node/test/.tmp.0/sea

User time: 1.79s
System time: 0.34s
CPU time: 74%
Total time: 2.85s

At the summit @RaisinTen mentioned one concern about the potential binary size increase. With this POC the binary size is only increased by 5-6 MB on macOS/Linux, which seems acceptable (as a reference, this is smaller than the decrease we recently got from compiling V8 with default hidden visibility #56290 (comment))

# Linux
$ ls -lah ./node_without_lief ./out/Release/node
-rwxr-xr-x 1 developer developer 122M Dec 24 16:50 ./node_without_lief
-rwxr-xr-x 1 developer developer 128M Dec 24 16:51 ./out/Release/node

# macOS
$ ls -lah ./node_without_lief ./out/Release/node
-rwxr-xr-x@ 1 joyee  staff   125M Dec 24 17:48 ./node_without_lief
-rwxr-xr-x@ 1 joyee  staff   130M Dec 24 17:48 ./out/Release/node

In addition, I think the LIEF library may also be useful for other purposes e.g. demangling the names in the V8 prof profiles, which is a current bottleneck when trying to analyze logs via --prof-process by calling out to nm and c++filt.

[nodejs-github-bot]

Review requested:

• @nodejs/security-wg
• @nodejs/tsc