From: Roland Hieber <rhi@pengutronix.de>
To: ptxdist@pengutronix.de
Cc: Roland Hieber <rhi@pengutronix.de>
Subject: [ptxdist] [PATCH v1] nss: make installed libraries configurable
Date: Tue, 24 Sep 2019 17:14:27 +0200 [thread overview]
Message-ID: <20190924151427.18850-1-rhi@pengutronix.de> (raw)
Most NSS modules are only needed if any software links to them, or loads
them at runtime (e.g. as a PKCS#11 module). In extreme cases, we can
slim down the installation by more than 1 MiB, and also get rid of the
SQLite dependency.
Qt5WebEngine and ecryptfs-utils are currently the only users of NSS, so
pin down their respective sub-dependencies.
Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
rules/ecryptfs-utils.in | 2 ++
rules/nss.in | 56 ++++++++++++++++++++++++++++++++++++++---
rules/nss.make | 22 +++++++++-------
rules/qt5.in | 2 ++
4 files changed, 70 insertions(+), 12 deletions(-)
diff --git a/rules/ecryptfs-utils.in b/rules/ecryptfs-utils.in
index 5087f79d3ca2..7ac44e11bdf3 100644
--- a/rules/ecryptfs-utils.in
+++ b/rules/ecryptfs-utils.in
@@ -5,6 +5,8 @@ menuconfig ECRYPTFS_UTILS
prompt "ecryptfs-utils "
select KEYUTILS
select NSS
+ select NSS_INSTALL_LIBSSL
+ select NSS_INSTALL_LIBSMIME
select HOST_INTLTOOL
select BASH if ECRYPTFS_UTILS_TESTS
select COREUTILS if ECRYPTFS_UTILS_TESTS
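Review bot: The two added selects pull in libssl3 and libsmime3 but not `NSS_INSTALL_LIBSOFTOKN`, so a configuration with softoken switched off still satisfies ecryptfs-utils. As far as I know, libnss3 loads libsoftokn3 (and through it freebl) at initialisation as its internal PKCS#11 module, so without those files NSS would probably fail to initialise and no crypto would be available at runtime. If that holds here, add `select NSS_INSTALL_LIBSOFTOKN` next to the new lines. The same applies to the `QT5_MODULE_QTWEBENGINE` selects in rules/qt5.in, and to `NSS_INSTALL_LIBSSL` and `NSS_INSTALL_LIBSMIME` in rules/nss.in, which could select softoken themselves. Please confirm on a target built with softoken disabled.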
diff --git a/rules/nss.in b/rules/nss.in
index 3e4a07a75404..0f44a2b7d1c8 100644
--- a/rules/nss.in
+++ b/rules/nss.in
@@ -1,13 +1,63 @@
## SECTION=networking
-config NSS
+menuconfig NSS
tristate
- prompt "nss"
+ prompt "nss "
select NSPR
- select SQLITE
+ select SQLITE if NSS_INSTALL_LIBSOFTOKN
help
Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled client and
server applications. Applications built with NSS can support
SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME,
X.509 v3 certificates, and other security standards.
+
+if NSS
+
+config NSS_INSTALL_LIBSMIME
+ bool
+ prompt "install libsmime"
+ default y
+ help
+ Install libsmime3.so, which adds about ~90 kiB to the footprint.
+
+ libsmime provides functionality related to S/MIME (Cryptographic
+ Message Syntax, PKCS#7) used by secure email and some instant
+ messaging implementations.
+
+config NSS_INSTALL_LIBSSL
+ bool
+ prompt "install libssl"
+ default y
+ help
+ Install libssl3.so, which adds about ~200 kiB to the footprint.
+
+ libssl implements the Secure Sockets Layer/Transport Layer Security
+ network protocols.
+
+config NSS_INSTALL_LIBNSSCKBI
+ bool
+ prompt "install libnssckbi"
+ default y
+ help
+ Install libnssckbi.so, which adds about ~350 kiB to the footprint.
+
+ CKBI is a PKCS#11 module which provides a set of trust anchors (Root
+ CAs) and their trust assignments.
+
+config NSS_INSTALL_LIBSOFTOKN
+ bool
+ prompt "install libsoftokn"
+ default y
+ help
+ Install libfreebl3.so, libfreeblpriv3.so, libsoftokn3.so, and
+ libnssdbm3.so, which add about ~530 kB to the footprint, as well as an
+ additional dependency on SQLite.
+
+ FreeBL is a base library providing hash functions, big number
+ calculations, and cryptographic algorithms. DBM is a legacy library
+ providing database storage. Softoken is an NSS module that exposes
+ most FreeBL functionality as a PKCS#11 module, and can make use of DBM
+ or SQLite at runtime.
+
+endif
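Review bot: The help text for `NSS_INSTALL_LIBNSSCKBI` gives the size saving but not the consequence of turning the option off. With libnssckbi.so absent, NSS has no built-in root CA set, so certificate verification in NSS clients will presumably reject every chain unless trust anchors are provisioned another way. I would add a sentence such as `Without this module NSS ships no built-in trust anchors; only disable it if root certificates are provided by other means.` so that the footprint trade-off is made knowingly. The LIBSOFTOKN help could carry a similar note, since it removes the FreeBL crypto implementation.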
diff --git a/rules/nss.make b/rules/nss.make
index 49406fb956c7..f9f322d94179 100644
--- a/rules/nss.make
+++ b/rules/nss.make
@@ -45,12 +45,17 @@ NSS_MAKE_ENV := \
BUILD_OPT=1 \
MOZILLA_CLIENT=1 \
NS_USE_GCC=1 \
- NSS_USE_SYSTEM_SQLITE=1 \
NSS_ENABLE_ECC=1 \
NSS_DISABLE_GTESTS=1 \
NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \
USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1)
+# unless needed, prevent an additional runtime dependency by using the bundled,
+# statically-linked sqlite, but not installing anything that links to it
+ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN
+NSS_MAKE_ENV += NSS_USE_SYSTEM_SQLITE=1
+endif
+
NSS_MAKE_PAR := NO
NSS_MAKE_OPT := \
OS_ARCH=Linux \
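Review bot: The condition on `NSS_USE_SYSTEM_SQLITE=1` looks inverted relative to both the comment above it and the Kconfig change. rules/nss.in now has `select SQLITE if NSS_INSTALL_LIBSOFTOKN`, so the system SQLite is only guaranteed to be in the sysroot when softoken is installed. But `ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN` requests the system library in exactly the opposite case. With softoken enabled, this ships libsoftokn3 linked against the bundled static SQLite, which will not pick up fixes made to the sqlite package. With it disabled, the build asks for a library that may not be present. I would expect `ifdef PTXCONF_NSS_INSTALL_LIBSOFTOKN` here.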
@@ -68,14 +73,13 @@ NSS_INSTALL_OPT := \
NSS_LIBS := \
libnss3 \
libnssutil3 \
- libsmime3 \
- libssl3 \
- libfreebl3 \
- libfreeblpriv3 \
- libnssckbi \
- libnssdbm3 \
- libsoftokn3
-
+ $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \
+ $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \
+ $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \
+ $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \
+ $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \
+ $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \
+ $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,)
$(STATEDIR)/nss.install:
@$(call targetinfo)
diff --git a/rules/qt5.in b/rules/qt5.in
index 6c2de3cde04f..aa9b63f2fdf7 100644
--- a/rules/qt5.in
+++ b/rules/qt5.in
@@ -57,6 +57,8 @@ menuconfig QT5
select NSPR if QT5_MODULE_QTWEBENGINE
select HOST_NSPR if QT5_MODULE_QTWEBENGINE
select NSS if QT5_MODULE_QTWEBENGINE
+ select NSS_INSTALL_LIBNSSCKBI if QT5_MODULE_QTWEBENGINE
+ select NSS_INSTALL_LIBSMIME if QT5_MODULE_QTWEBENGINE
select HOST_NSS if QT5_MODULE_QTWEBENGINE
select HOST_NINJA if QT5_MODULE_QTWEBENGINE
select ALSA_LIB if QT5_MODULE_QTMULTIMEDIA || QT5_MODULE_QTWEBENGINE_MEDIA
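Review bot: QtWebEngine now pins `NSS_INSTALL_LIBNSSCKBI` and `NSS_INSTALL_LIBSMIME`, and the commit message does not say how this set was determined. If it came from the link-time dependencies of the QtWebEngine libraries, it would miss modules that NSS loads at runtime. A one-line comment above the selects would help, e.g. `# runtime-loaded NSS modules are not visible in DT_NEEDED; verified with QtWebEngine <version>`. It should record that certificate validation was tested on a target built with the unselected options disabled.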
--
2.23.0
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de