mailarchive of the ptxdist mailing list
* [ptxdist] [PATCH v1] nss: make installed libraries configurable
@ 2019-09-24 15:14 Roland Hieber
  2019-09-30  9:33 ` Roland Hieber
  2020-06-19 13:44 ` [ptxdist] [PATCH v3 1/2] " Roland Hieber
  0 siblings, 2 replies; 10+ messages in thread
From: Roland Hieber @ 2019-09-24 15:14 UTC (permalink / raw)
  To: ptxdist; +Cc: Roland Hieber

Most NSS modules are only needed if any software links to them, or loads
them at runtime (e.g. as a PKCS#11 module). In extreme cases, we can
slim down the installation by more than 1 MiB, and also get rid of the
SQLite dependency.

Qt5WebEngine and ecryptfs-utils are currently the only users of NSS, pin
down their respective sub-dependencies.

Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
 rules/ecryptfs-utils.in |  2 ++
 rules/nss.in            | 56 ++++++++++++++++++++++++++++++++++++++---
 rules/nss.make          | 22 +++++++++-------
 rules/qt5.in            |  2 ++
 4 files changed, 70 insertions(+), 12 deletions(-)

diff --git a/rules/ecryptfs-utils.in b/rules/ecryptfs-utils.in
index 5087f79d3ca2..7ac44e11bdf3 100644
--- a/rules/ecryptfs-utils.in
+++ b/rules/ecryptfs-utils.in
@@ -5,6 +5,8 @@ menuconfig ECRYPTFS_UTILS
 	prompt "ecryptfs-utils                "
 	select KEYUTILS
 	select NSS
+	select NSS_INSTALL_LIBSSL
+	select NSS_INSTALL_LIBSMIME
 	select HOST_INTLTOOL
 	select BASH			if ECRYPTFS_UTILS_TESTS
 	select COREUTILS		if ECRYPTFS_UTILS_TESTS
diff --git a/rules/nss.in b/rules/nss.in
index 3e4a07a75404..0f44a2b7d1c8 100644
--- a/rules/nss.in
+++ b/rules/nss.in
@@ -1,13 +1,63 @@
 ## SECTION=networking
 
-config NSS
+menuconfig NSS
 	tristate
-	prompt "nss"
+	prompt "nss                           "
 	select NSPR
-	select SQLITE
+	select SQLITE	if NSS_INSTALL_LIBSOFTOKN
 	help
 	  Network Security Services (NSS) is a set of libraries designed to
 	  support cross-platform development of security-enabled client and
 	  server applications. Applications built with NSS can support
 	  SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME,
 	  X.509 v3 certificates, and other security standards.
+
+if NSS
+
+config NSS_INSTALL_LIBSMIME
+	bool
+	prompt "install libsmime"
+	default y
+	help
+	  Install libsmime3.so, which adds about ~90 kiB to the footprint.
+
+	  libsmime provides functionality related to S/MIME (Cryptographic
+	  Message Syntax, PKCS#7) used by secure email and some instant
+	  messaging implementations.
+
+config NSS_INSTALL_LIBSSL
+	bool
+	prompt "install libssl"
+	default y
+	help
+	  Install libssl3.so, which adds about ~200 kiB to the footprint.
+
+	  libssl implements the Secure Sockets Layer/Transport Layer Security
+	  network protocols.
+
+config NSS_INSTALL_LIBNSSCKBI
+	bool
+	prompt "install libnssckbi"
+	default y
+	help
+	  Install libnssckbi.so, which adds about ~350 kiB to the footprint.
+
+	  CKBI is a PKCS#11 module which provides a set of trust anchors (Root
+	  CAs) and their trust assignments.
+
+config NSS_INSTALL_LIBSOFTOKN
+	bool
+	prompt "install libsoftokn"
+	default y
+	help
+	  Install libfreebl3.so, libfreeblpriv3.so, libsoftokn3.so, and
+	  libnssdbm3.so, which add about ~530 kB to the footprint, as well as an
+	  additional dependency on SQLite.
+
+	  FreeBL is a base library providing hash functions, big number
+	  calculations, and cryptographic algorithms. DBM is a legacy library
+	  providing database storage. Softoken is an NSS module that exposes
+	  most FreeBL functionality as a PKCS#11 module, and can make use of DBM
+	  or SQLite at runtime.
+
+endif
diff --git a/rules/nss.make b/rules/nss.make
index 49406fb956c7..f9f322d94179 100644
--- a/rules/nss.make
+++ b/rules/nss.make
@@ -45,12 +45,17 @@ NSS_MAKE_ENV := \
 	BUILD_OPT=1 \
 	MOZILLA_CLIENT=1 \
 	NS_USE_GCC=1 \
-	NSS_USE_SYSTEM_SQLITE=1 \
 	NSS_ENABLE_ECC=1 \
 	NSS_DISABLE_GTESTS=1 \
 	NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \
 	USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1)
 
+# unless needed, prevent an additional runtime dependency by using the bundled,
+# statically-linked sqlite, but not installing anything that links to it
+ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN
+NSS_MAKE_ENV += NSS_USE_SYSTEM_SQLITE=1
+endif
+
 NSS_MAKE_PAR := NO
 NSS_MAKE_OPT := \
 	OS_ARCH=Linux \
@@ -68,14 +73,13 @@ NSS_INSTALL_OPT := \
 NSS_LIBS := \
 	libnss3 \
 	libnssutil3 \
-	libsmime3 \
-	libssl3 \
-	libfreebl3 \
-	libfreeblpriv3 \
-	libnssckbi \
-	libnssdbm3 \
-	libsoftokn3
-
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,)
 
 $(STATEDIR)/nss.install:
 	@$(call targetinfo)
diff --git a/rules/qt5.in b/rules/qt5.in
index 6c2de3cde04f..aa9b63f2fdf7 100644
--- a/rules/qt5.in
+++ b/rules/qt5.in
@@ -57,6 +57,8 @@ menuconfig QT5
 	select NSPR			if QT5_MODULE_QTWEBENGINE
 	select HOST_NSPR		if QT5_MODULE_QTWEBENGINE
 	select NSS			if QT5_MODULE_QTWEBENGINE
+	select NSS_INSTALL_LIBNSSCKBI	if QT5_MODULE_QTWEBENGINE
+	select NSS_INSTALL_LIBSMIME	if QT5_MODULE_QTWEBENGINE
 	select HOST_NSS			if QT5_MODULE_QTWEBENGINE
 	select HOST_NINJA		if QT5_MODULE_QTWEBENGINE
 	select ALSA_LIB			if QT5_MODULE_QTMULTIMEDIA || QT5_MODULE_QTWEBENGINE_MEDIA
-- 
2.23.0




* Re: [ptxdist] [PATCH v1] nss: make installed libraries configurable
  2019-09-24 15:14 [ptxdist] [PATCH v1] nss: make installed libraries configurable Roland Hieber
@ 2019-09-30  9:33 ` Roland Hieber
  2020-06-19 12:31   ` [ptxdist] [PATCH] " Roland Hieber
  2020-06-19 13:44 ` [ptxdist] [PATCH v3 1/2] " Roland Hieber
  1 sibling, 1 reply; 10+ messages in thread
From: Roland Hieber @ 2019-09-30  9:33 UTC (permalink / raw)
  To: ptxdist

Please wait for a v2, I found a mismatched dependency in ecryptfs.

 - Roland

On Tue, Sep 24, 2019 at 05:14:27PM +0200, Roland Hieber wrote:
> Most NSS modules are only needed if any software links to them, or loads
> them at runtime (e.g. as a PKCS#11 module). In extreme cases, we can
> slim down the installation by more than 1 MiB, and also get rid of the
> SQLite dependency.
> 
> Qt5WebEngine and ecryptfs-utils are currently the only users of NSS, pin
> down their respective sub-dependencies.
> 
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> ---
>  rules/ecryptfs-utils.in |  2 ++
>  rules/nss.in            | 56 ++++++++++++++++++++++++++++++++++++++---
>  rules/nss.make          | 22 +++++++++-------
>  rules/qt5.in            |  2 ++
>  4 files changed, 70 insertions(+), 12 deletions(-)
> 
> diff --git a/rules/ecryptfs-utils.in b/rules/ecryptfs-utils.in
> index 5087f79d3ca2..7ac44e11bdf3 100644
> --- a/rules/ecryptfs-utils.in
> +++ b/rules/ecryptfs-utils.in
> @@ -5,6 +5,8 @@ menuconfig ECRYPTFS_UTILS
>  	prompt "ecryptfs-utils                "
>  	select KEYUTILS
>  	select NSS
> +	select NSS_INSTALL_LIBSSL
> +	select NSS_INSTALL_LIBSMIME
>  	select HOST_INTLTOOL
>  	select BASH			if ECRYPTFS_UTILS_TESTS
>  	select COREUTILS		if ECRYPTFS_UTILS_TESTS
> diff --git a/rules/nss.in b/rules/nss.in
> index 3e4a07a75404..0f44a2b7d1c8 100644
> --- a/rules/nss.in
> +++ b/rules/nss.in
> @@ -1,13 +1,63 @@
>  ## SECTION=networking
>  
> -config NSS
> +menuconfig NSS
>  	tristate
> -	prompt "nss"
> +	prompt "nss                           "
>  	select NSPR
> -	select SQLITE
> +	select SQLITE	if NSS_INSTALL_LIBSOFTOKN
>  	help
>  	  Network Security Services (NSS) is a set of libraries designed to
>  	  support cross-platform development of security-enabled client and
>  	  server applications. Applications built with NSS can support
>  	  SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME,
>  	  X.509 v3 certificates, and other security standards.
> +
> +if NSS
> +
> +config NSS_INSTALL_LIBSMIME
> +	bool
> +	prompt "install libsmime"
> +	default y
> +	help
> +	  Install libsmime3.so, which adds about ~90 kiB to the footprint.
> +
> +	  libsmime provides functionality related to S/MIME (Cryptographic
> +	  Message Syntax, PKCS#7) used by secure email and some instant
> +	  messaging implementations.
> +
> +config NSS_INSTALL_LIBSSL
> +	bool
> +	prompt "install libssl"
> +	default y
> +	help
> +	  Install libssl3.so, which adds about ~200 kiB to the footprint.
> +
> +	  libssl implements the Secure Sockets Layer/Transport Layer Security
> +	  network protocols.
> +
> +config NSS_INSTALL_LIBNSSCKBI
> +	bool
> +	prompt "install libnssckbi"
> +	default y
> +	help
> +	  Install libnssckbi.so, which adds about ~350 kiB to the footprint.
> +
> +	  CKBI is a PKCS#11 module which provides a set of trust anchors (Root
> +	  CAs) and their trust assignments.
> +
> +config NSS_INSTALL_LIBSOFTOKN
> +	bool
> +	prompt "install libsoftokn"
> +	default y
> +	help
> +	  Install libfreebl3.so, libfreeblpriv3.so, libsoftokn3.so, and
> +	  libnssdbm3.so, which add about ~530 kB to the footprint, as well as an
> +	  additional dependency on SQLite.
> +
> +	  FreeBL is a base library providing hash functions, big number
> +	  calculations, and cryptographic algorithms. DBM is a legacy library
> +	  providing database storage. Softoken is an NSS module that exposes
> +	  most FreeBL functionality as a PKCS#11 module, and can make use of DBM
> +	  or SQLite at runtime.
> +
> +endif
> diff --git a/rules/nss.make b/rules/nss.make
> index 49406fb956c7..f9f322d94179 100644
> --- a/rules/nss.make
> +++ b/rules/nss.make
> @@ -45,12 +45,17 @@ NSS_MAKE_ENV := \
>  	BUILD_OPT=1 \
>  	MOZILLA_CLIENT=1 \
>  	NS_USE_GCC=1 \
> -	NSS_USE_SYSTEM_SQLITE=1 \
>  	NSS_ENABLE_ECC=1 \
>  	NSS_DISABLE_GTESTS=1 \
>  	NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \
>  	USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1)
>  
> +# unless needed, prevent an additional runtime dependency by using the bundled,
> +# statically-linked sqlite, but not installing anything that links to it
> +ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN
> +NSS_MAKE_ENV += NSS_USE_SYSTEM_SQLITE=1
> +endif
> +
>  NSS_MAKE_PAR := NO
>  NSS_MAKE_OPT := \
>  	OS_ARCH=Linux \
> @@ -68,14 +73,13 @@ NSS_INSTALL_OPT := \
>  NSS_LIBS := \
>  	libnss3 \
>  	libnssutil3 \
> -	libsmime3 \
> -	libssl3 \
> -	libfreebl3 \
> -	libfreeblpriv3 \
> -	libnssckbi \
> -	libnssdbm3 \
> -	libsoftokn3
> -
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,)
>  
>  $(STATEDIR)/nss.install:
>  	@$(call targetinfo)
> diff --git a/rules/qt5.in b/rules/qt5.in
> index 6c2de3cde04f..aa9b63f2fdf7 100644
> --- a/rules/qt5.in
> +++ b/rules/qt5.in
> @@ -57,6 +57,8 @@ menuconfig QT5
>  	select NSPR			if QT5_MODULE_QTWEBENGINE
>  	select HOST_NSPR		if QT5_MODULE_QTWEBENGINE
>  	select NSS			if QT5_MODULE_QTWEBENGINE
> +	select NSS_INSTALL_LIBNSSCKBI	if QT5_MODULE_QTWEBENGINE
> +	select NSS_INSTALL_LIBSMIME	if QT5_MODULE_QTWEBENGINE
>  	select HOST_NSS			if QT5_MODULE_QTWEBENGINE
>  	select HOST_NINJA		if QT5_MODULE_QTWEBENGINE
>  	select ALSA_LIB			if QT5_MODULE_QTMULTIMEDIA || QT5_MODULE_QTWEBENGINE_MEDIA
> -- 
> 2.23.0
> 
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> 

-- 
Roland Hieber                     | r.hieber@pengutronix.de     |
Pengutronix e.K.                  | https://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim | Phone: +49-5121-206917-5086 |
Amtsgericht Hildesheim, HRA 2686  | Fax:   +49-5121-206917-5555 |



* [ptxdist] [PATCH] nss: make installed libraries configurable
  2019-09-30  9:33 ` Roland Hieber
@ 2020-06-19 12:31   ` Roland Hieber
  2020-06-19 12:33     ` [ptxdist] [PATCH v2] " Roland Hieber
  0 siblings, 1 reply; 10+ messages in thread
From: Roland Hieber @ 2020-06-19 12:31 UTC (permalink / raw)
  To: ptxdist; +Cc: Roland Hieber

Most NSS modules are only needed if any software links to them, or loads
them at runtime (e.g. as a PKCS#11 module). In extreme cases, we can
slim down the installation by more than 1 MiB, and also get rid of the
SQLite dependency.

Qt5WebEngine and ecryptfs-utils are currently the only users of NSS, pin
down their respective sub-dependencies.

Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
v1 -> v2:
 - rebase to current master
 - fix ecryptfs dependency, only libsoftokn is needed
 - format libsoftokn help text a bit nicer

Range-diff:
  1:  6fc40ec92172 ! 772:  a2711cfe218b nss: make installed libraries configurable
    @@ Commit message
     
         Signed-off-by: Roland Hieber <rhi@pengutronix.de>
     
      ## rules/ecryptfs-utils.in ##
     @@ rules/ecryptfs-utils.in: menuconfig ECRYPTFS_UTILS
      	prompt "ecryptfs-utils                "
      	select KEYUTILS
      	select NSS
    -+	select NSS_INSTALL_LIBSSL
    -+	select NSS_INSTALL_LIBSMIME
    ++	select NSS_INSTALL_LIBSOFTOKN
      	select HOST_INTLTOOL
      	select BASH			if ECRYPTFS_UTILS_TESTS
      	select COREUTILS		if ECRYPTFS_UTILS_TESTS
    @@ rules/nss.in
     +	  additional dependency on SQLite.
     +
     +	  FreeBL is a base library providing hash functions, big number
    -+	  calculations, and cryptographic algorithms. DBM is a legacy library
    -+	  providing database storage. Softoken is an NSS module that exposes
    -+	  most FreeBL functionality as a PKCS#11 module, and can make use of DBM
    -+	  or SQLite at runtime.
    ++	  calculations, and cryptographic algorithms.
    ++
    ++	  DBM is a legacy library providing database storage.
    ++
    ++	  Softoken is an NSS module that exposes most FreeBL functionality as a
    ++	  PKCS#11 module, and can make use of DBM or SQLite at runtime.
     +
     +endif
     
    @@ rules/nss.make: NSS_MAKE_ENV := \
      	NSS_ENABLE_ECC=1 \
      	NSS_DISABLE_GTESTS=1 \
      	NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \
    - 	USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1)
    + 	USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) \
    + 	USE_NEON=$(call ptx/ifdef, PTXCONF_ARCH_ARM_NEON,1)
      
     +# unless needed, prevent an additional runtime dependency by using the bundled,
     +# statically-linked sqlite, but not installing anything that links to it

 rules/ecryptfs-utils.in |  1 +
 rules/nss.in            | 58 ++++++++++++++++++++++++++++++++++++++---
 rules/nss.make          | 22 +++++++++-------
 rules/qt5.in            |  2 ++
 4 files changed, 71 insertions(+), 12 deletions(-)

diff --git a/rules/ecryptfs-utils.in b/rules/ecryptfs-utils.in
index 5087f79d3ca2..8a62443bdddb 100644
--- a/rules/ecryptfs-utils.in
+++ b/rules/ecryptfs-utils.in
@@ -5,6 +5,7 @@ menuconfig ECRYPTFS_UTILS
 	prompt "ecryptfs-utils                "
 	select KEYUTILS
 	select NSS
+	select NSS_INSTALL_LIBSOFTOKN
 	select HOST_INTLTOOL
 	select BASH			if ECRYPTFS_UTILS_TESTS
 	select COREUTILS		if ECRYPTFS_UTILS_TESTS
diff --git a/rules/nss.in b/rules/nss.in
index 3e4a07a75404..799bd5a73ae0 100644
--- a/rules/nss.in
+++ b/rules/nss.in
@@ -1,13 +1,65 @@
 ## SECTION=networking
 
-config NSS
+menuconfig NSS
 	tristate
-	prompt "nss"
+	prompt "nss                           "
 	select NSPR
-	select SQLITE
+	select SQLITE	if NSS_INSTALL_LIBSOFTOKN
 	help
 	  Network Security Services (NSS) is a set of libraries designed to
 	  support cross-platform development of security-enabled client and
 	  server applications. Applications built with NSS can support
 	  SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME,
 	  X.509 v3 certificates, and other security standards.
+
+if NSS
+
+config NSS_INSTALL_LIBSMIME
+	bool
+	prompt "install libsmime"
+	default y
+	help
+	  Install libsmime3.so, which adds about ~90 kiB to the footprint.
+
+	  libsmime provides functionality related to S/MIME (Cryptographic
+	  Message Syntax, PKCS#7) used by secure email and some instant
+	  messaging implementations.
+
+config NSS_INSTALL_LIBSSL
+	bool
+	prompt "install libssl"
+	default y
+	help
+	  Install libssl3.so, which adds about ~200 kiB to the footprint.
+
+	  libssl implements the Secure Sockets Layer/Transport Layer Security
+	  network protocols.
+
+config NSS_INSTALL_LIBNSSCKBI
+	bool
+	prompt "install libnssckbi"
+	default y
+	help
+	  Install libnssckbi.so, which adds about ~350 kiB to the footprint.
+
+	  CKBI is a PKCS#11 module which provides a set of trust anchors (Root
+	  CAs) and their trust assignments.
+
+config NSS_INSTALL_LIBSOFTOKN
+	bool
+	prompt "install libsoftokn"
+	default y
+	help
+	  Install libfreebl3.so, libfreeblpriv3.so, libsoftokn3.so, and
+	  libnssdbm3.so, which add about ~530 kB to the footprint, as well as an
+	  additional dependency on SQLite.
+
+	  FreeBL is a base library providing hash functions, big number
+	  calculations, and cryptographic algorithms.
+
+	  DBM is a legacy library providing database storage.
+
+	  Softoken is an NSS module that exposes most FreeBL functionality as a
+	  PKCS#11 module, and can make use of DBM or SQLite at runtime.
+
+endif
diff --git a/rules/nss.make b/rules/nss.make
index 44febc416711..6a003dd1743f 100644
--- a/rules/nss.make
+++ b/rules/nss.make
@@ -48,13 +48,18 @@ NSS_MAKE_ENV := \
 	BUILD_OPT=1 \
 	MOZILLA_CLIENT=1 \
 	NS_USE_GCC=1 \
-	NSS_USE_SYSTEM_SQLITE=1 \
 	NSS_ENABLE_ECC=1 \
 	NSS_DISABLE_GTESTS=1 \
 	NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \
 	USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) \
 	USE_NEON=$(call ptx/ifdef, PTXCONF_ARCH_ARM_NEON,1)
 
+# unless needed, prevent an additional runtime dependency by using the bundled,
+# statically-linked sqlite, but not installing anything that links to it
+ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN
+NSS_MAKE_ENV += NSS_USE_SYSTEM_SQLITE=1
+endif
+
 NSS_MAKE_PAR := NO
 NSS_MAKE_OPT := \
 	OS_ARCH=Linux \
@@ -72,14 +77,13 @@ NSS_INSTALL_OPT := \
 NSS_LIBS := \
 	libnss3 \
 	libnssutil3 \
-	libsmime3 \
-	libssl3 \
-	libfreebl3 \
-	libfreeblpriv3 \
-	libnssckbi \
-	libnssdbm3 \
-	libsoftokn3
-
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,)
 
 $(STATEDIR)/nss.install:
 	@$(call targetinfo)
diff --git a/rules/qt5.in b/rules/qt5.in
index 162ea8b9beba..a5f8f3b94c4b 100644
--- a/rules/qt5.in
+++ b/rules/qt5.in
@@ -59,6 +59,8 @@ menuconfig QT5
 	select NSPR			if QT5_MODULE_QTWEBENGINE
 	select HOST_NSPR		if QT5_MODULE_QTWEBENGINE
 	select NSS			if QT5_MODULE_QTWEBENGINE
+	select NSS_INSTALL_LIBNSSCKBI	if QT5_MODULE_QTWEBENGINE
+	select NSS_INSTALL_LIBSMIME	if QT5_MODULE_QTWEBENGINE
 	select HOST_NSS			if QT5_MODULE_QTWEBENGINE
 	select HOST_NINJA		if QT5_MODULE_QTWEBENGINE
 	select ALSA_LIB			if QT5_MODULE_QTMULTIMEDIA || QT5_MODULE_QTWEBENGINE_MEDIA
-- 
2.27.0




* Re: [ptxdist] [PATCH v2] nss: make installed libraries configurable
  2020-06-19 12:31   ` [ptxdist] [PATCH] " Roland Hieber
@ 2020-06-19 12:33     ` Roland Hieber
  0 siblings, 0 replies; 10+ messages in thread
From: Roland Hieber @ 2020-06-19 12:33 UTC (permalink / raw)
  To: ptxdist

Ah, that was supposed to be -v2, of course.

 - Roland

On Fri, Jun 19, 2020 at 02:31:31PM +0200, Roland Hieber wrote:
> Most NSS modules are only needed if any software links to them, or loads
> them at runtime (e.g. as a PKCS#11 module). In extreme cases, we can
> slim down the installation by more than 1 MiB, and also get rid of the
> SQLite dependency.
> 
> Qt5WebEngine and ecryptfs-utils are currently the only users of NSS, pin
> down their respective sub-dependencies.
> 
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> ---
> v1 -> v2:
>  - rebase to current master
>  - fix ecryptfs depedency, only libsoftokn is needed
>  - format libsoftokn help text a bit nicer
> 
> Range-diff:
>   1:  6fc40ec92172 ! 772:  a2711cfe218b nss: make installed libraries configurable
>     @@ Commit message
>      
>          Signed-off-by: Roland Hieber <rhi@pengutronix.de>
>      
>       ## rules/ecryptfs-utils.in ##
>      @@ rules/ecryptfs-utils.in: menuconfig ECRYPTFS_UTILS
>       	prompt "ecryptfs-utils                "
>       	select KEYUTILS
>       	select NSS
>     -+	select NSS_INSTALL_LIBSSL
>     -+	select NSS_INSTALL_LIBSMIME
>     ++	select NSS_INSTALL_LIBSOFTOKN
>       	select HOST_INTLTOOL
>       	select BASH			if ECRYPTFS_UTILS_TESTS
>       	select COREUTILS		if ECRYPTFS_UTILS_TESTS
>     @@ rules/nss.in
>      +	  additional dependency on SQLite.
>      +
>      +	  FreeBL is a base library providing hash functions, big number
>     -+	  calculations, and cryptographic algorithms. DBM is a legacy library
>     -+	  providing database storage. Softoken is an NSS module that exposes
>     -+	  most FreeBL functionality as a PKCS#11 module, and can make use of DBM
>     -+	  or SQLite at runtime.
>     ++	  calculations, and cryptographic algorithms.
>     ++
>     ++	  DBM is a legacy library providing database storage.
>     ++
>     ++	  Softoken is an NSS module that exposes most FreeBL functionality as a
>     ++	  PKCS#11 module, and can make use of DBM or SQLite at runtime.
>      +
>      +endif
>      
>     @@ rules/nss.make: NSS_MAKE_ENV := \
>       	NSS_ENABLE_ECC=1 \
>       	NSS_DISABLE_GTESTS=1 \
>       	NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \
>     - 	USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1)
>     + 	USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) \
>     + 	USE_NEON=$(call ptx/ifdef, PTXCONF_ARCH_ARM_NEON,1)
>       
>      +# unless needed, prevent an additional runtime dependency by using the bundled,
>      +# statically-linked sqlite, but not installing anything that links to it
> 
>  rules/ecryptfs-utils.in |  1 +
>  rules/nss.in            | 58 ++++++++++++++++++++++++++++++++++++++---
>  rules/nss.make          | 22 +++++++++-------
>  rules/qt5.in            |  2 ++
>  4 files changed, 71 insertions(+), 12 deletions(-)
> 
> diff --git a/rules/ecryptfs-utils.in b/rules/ecryptfs-utils.in
> index 5087f79d3ca2..8a62443bdddb 100644
> --- a/rules/ecryptfs-utils.in
> +++ b/rules/ecryptfs-utils.in
> @@ -5,6 +5,7 @@ menuconfig ECRYPTFS_UTILS
>  	prompt "ecryptfs-utils                "
>  	select KEYUTILS
>  	select NSS
> +	select NSS_INSTALL_LIBSOFTOKN
>  	select HOST_INTLTOOL
>  	select BASH			if ECRYPTFS_UTILS_TESTS
>  	select COREUTILS		if ECRYPTFS_UTILS_TESTS
> diff --git a/rules/nss.in b/rules/nss.in
> index 3e4a07a75404..799bd5a73ae0 100644
> --- a/rules/nss.in
> +++ b/rules/nss.in
> @@ -1,13 +1,65 @@
>  ## SECTION=networking
>  
> -config NSS
> +menuconfig NSS
>  	tristate
> -	prompt "nss"
> +	prompt "nss                           "
>  	select NSPR
> -	select SQLITE
> +	select SQLITE	if NSS_INSTALL_LIBSOFTOKN
>  	help
>  	  Network Security Services (NSS) is a set of libraries designed to
>  	  support cross-platform development of security-enabled client and
>  	  server applications. Applications built with NSS can support
>  	  SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME,
>  	  X.509 v3 certificates, and other security standards.
> +
> +if NSS
> +
> +config NSS_INSTALL_LIBSMIME
> +	bool
> +	prompt "install libsmime"
> +	default y
> +	help
> +	  Install libsmime3.so, which adds about ~90 kiB to the footprint.
> +
> +	  libsmime provides functionality related to S/MIME (Cryptographic
> +	  Message Syntax, PKCS#7) used by secure email and some instant
> +	  messaging implementations.
> +
> +config NSS_INSTALL_LIBSSL
> +	bool
> +	prompt "install libssl"
> +	default y
> +	help
> +	  Install libssl3.so, which adds about ~200 kiB to the footprint.
> +
> +	  libssl implements the Secure Sockets Layer/Transport Layer Security
> +	  network protocols.
> +
> +config NSS_INSTALL_LIBNSSCKBI
> +	bool
> +	prompt "install libnssckbi"
> +	default y
> +	help
> +	  Install libnssckbi.so, which adds about ~350 kiB to the footprint.
> +
> +	  CKBI is a PKCS#11 module which provides a set of trust anchors (Root
> +	  CAs) and their trust assignments.
> +
> +config NSS_INSTALL_LIBSOFTOKN
> +	bool
> +	prompt "install libsoftokn"
> +	default y
> +	help
> +	  Install libfreebl3.so, libfreeblpriv3.so, libsoftokn3.so, and
> +	  libnssdbm3.so, which add about ~530 kB to the footprint, as well as an
> +	  additional dependency on SQLite.
> +
> +	  FreeBL is a base library providing hash functions, big number
> +	  calculations, and cryptographic algorithms.
> +
> +	  DBM is a legacy library providing database storage.
> +
> +	  Softoken is an NSS module that exposes most FreeBL functionality as a
> +	  PKCS#11 module, and can make use of DBM or SQLite at runtime.
> +
> +endif
> diff --git a/rules/nss.make b/rules/nss.make
> index 44febc416711..6a003dd1743f 100644
> --- a/rules/nss.make
> +++ b/rules/nss.make
> @@ -48,13 +48,18 @@ NSS_MAKE_ENV := \
>  	BUILD_OPT=1 \
>  	MOZILLA_CLIENT=1 \
>  	NS_USE_GCC=1 \
> -	NSS_USE_SYSTEM_SQLITE=1 \
>  	NSS_ENABLE_ECC=1 \
>  	NSS_DISABLE_GTESTS=1 \
>  	NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \
>  	USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) \
>  	USE_NEON=$(call ptx/ifdef, PTXCONF_ARCH_ARM_NEON,1)
>  
> +# unless needed, prevent an additional runtime dependency by using the bundled,
> +# statically-linked sqlite, but not installing anything that links to it
> +ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN
> +NSS_MAKE_ENV += NSS_USE_SYSTEM_SQLITE=1
> +endif
> +
>  NSS_MAKE_PAR := NO
>  NSS_MAKE_OPT := \
>  	OS_ARCH=Linux \
> @@ -72,14 +77,13 @@ NSS_INSTALL_OPT := \
>  NSS_LIBS := \
>  	libnss3 \
>  	libnssutil3 \
> -	libsmime3 \
> -	libssl3 \
> -	libfreebl3 \
> -	libfreeblpriv3 \
> -	libnssckbi \
> -	libnssdbm3 \
> -	libsoftokn3
> -
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,)
>  
>  $(STATEDIR)/nss.install:
>  	@$(call targetinfo)
> diff --git a/rules/qt5.in b/rules/qt5.in
> index 162ea8b9beba..a5f8f3b94c4b 100644
> --- a/rules/qt5.in
> +++ b/rules/qt5.in
> @@ -59,6 +59,8 @@ menuconfig QT5
>  	select NSPR			if QT5_MODULE_QTWEBENGINE
>  	select HOST_NSPR		if QT5_MODULE_QTWEBENGINE
>  	select NSS			if QT5_MODULE_QTWEBENGINE
> +	select NSS_INSTALL_LIBNSSCKBI	if QT5_MODULE_QTWEBENGINE
> +	select NSS_INSTALL_LIBSMIME	if QT5_MODULE_QTWEBENGINE
>  	select HOST_NSS			if QT5_MODULE_QTWEBENGINE
>  	select HOST_NINJA		if QT5_MODULE_QTWEBENGINE
>  	select ALSA_LIB			if QT5_MODULE_QTMULTIMEDIA || QT5_MODULE_QTWEBENGINE_MEDIA
> -- 
> 2.27.0
> 
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
> 

-- 
Roland Hieber, Pengutronix e.K.          | r.hieber@pengutronix.de     |
Steuerwalder Str. 21                     | https://www.pengutronix.de/ |
31137 Hildesheim, Germany                | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686         | Fax:   +49-5121-206917-5555 |



* [ptxdist] [PATCH v3 1/2] nss: make installed libraries configurable
  2019-09-24 15:14 [ptxdist] [PATCH v1] nss: make installed libraries configurable Roland Hieber
  2019-09-30  9:33 ` Roland Hieber
@ 2020-06-19 13:44 ` Roland Hieber
  2020-06-19 13:44   ` [ptxdist] [PATCH v3 2/2] nss: install all libraries into the sysroot Roland Hieber
  2020-06-19 15:04   ` [ptxdist] [PATCH v3 1/2] nss: make installed libraries configurable Michael Olbrich
  1 sibling, 2 replies; 10+ messages in thread
From: Roland Hieber @ 2020-06-19 13:44 UTC (permalink / raw)
  To: ptxdist; +Cc: Roland Hieber

Most NSS modules are only needed if any software links to them, or loads
them at runtime (e.g. as a PKCS#11 module). In extreme cases, we can
slim down the installation by more than 1 MiB, and also get rid of the
SQLite dependency.

Qt5WebEngine and ecryptfs-utils are currently the only users of NSS, pin
down their respective sub-dependencies.

Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
 v2 -> v3: no changes
 
 v1 -> v2:
  - rebase onto current master
   - fix ecryptfs dependency, only libsoftokn is needed
  - format libsoftokn help text a bit nicer

 rules/ecryptfs-utils.in |  1 +
 rules/nss.in            | 58 ++++++++++++++++++++++++++++++++++++++---
 rules/nss.make          | 22 +++++++++-------
 rules/qt5.in            |  2 ++
 4 files changed, 71 insertions(+), 12 deletions(-)

diff --git a/rules/ecryptfs-utils.in b/rules/ecryptfs-utils.in
index 5087f79d3ca2..8a62443bdddb 100644
--- a/rules/ecryptfs-utils.in
+++ b/rules/ecryptfs-utils.in
@@ -5,6 +5,7 @@ menuconfig ECRYPTFS_UTILS
 	prompt "ecryptfs-utils                "
 	select KEYUTILS
 	select NSS
+	select NSS_INSTALL_LIBSOFTOKN
 	select HOST_INTLTOOL
 	select BASH			if ECRYPTFS_UTILS_TESTS
 	select COREUTILS		if ECRYPTFS_UTILS_TESTS
diff --git a/rules/nss.in b/rules/nss.in
index 3e4a07a75404..799bd5a73ae0 100644
--- a/rules/nss.in
+++ b/rules/nss.in
@@ -1,13 +1,65 @@
 ## SECTION=networking
 
-config NSS
+menuconfig NSS
 	tristate
-	prompt "nss"
+	prompt "nss                           "
 	select NSPR
-	select SQLITE
+	select SQLITE	if NSS_INSTALL_LIBSOFTOKN
 	help
 	  Network Security Services (NSS) is a set of libraries designed to
 	  support cross-platform development of security-enabled client and
 	  server applications. Applications built with NSS can support
 	  SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME,
 	  X.509 v3 certificates, and other security standards.
+
+if NSS
+
+config NSS_INSTALL_LIBSMIME
+	bool
+	prompt "install libsmime"
+	default y
+	help
+	  Install libsmime3.so, which adds about ~90 kiB to the footprint.
+
+	  libsmime provides functionality related to S/MIME (Cryptographic
+	  Message Syntax, PKCS#7) used by secure email and some instant
+	  messaging implementations.
+
+config NSS_INSTALL_LIBSSL
+	bool
+	prompt "install libssl"
+	default y
+	help
+	  Install libssl3.so, which adds about ~200 kiB to the footprint.
+
+	  libssl implements the Secure Sockets Layer/Transport Layer Security
+	  network protocols.
+
+config NSS_INSTALL_LIBNSSCKBI
+	bool
+	prompt "install libnssckbi"
+	default y
+	help
+	  Install libnssckbi.so, which adds about ~350 kiB to the footprint.
+
+	  CKBI is a PKCS#11 module which provides a set of trust anchors (Root
+	  CAs) and their trust assignments.
+
+config NSS_INSTALL_LIBSOFTOKN
+	bool
+	prompt "install libsoftokn"
+	default y
+	help
+	  Install libfreebl3.so, libfreeblpriv3.so, libsoftokn3.so, and
+	  libnssdbm3.so, which add about ~530 kB to the footprint, as well as an
+	  additional dependency on SQLite.
+
+	  FreeBL is a base library providing hash functions, big number
+	  calculations, and cryptographic algorithms.
+
+	  DBM is a legacy library providing database storage.
+
+	  Softoken is an NSS module that exposes most FreeBL functionality as a
+	  PKCS#11 module, and can make use of DBM or SQLite at runtime.
+
+endif
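Review bot: NSS_INSTALL_LIBSSL can be enabled while NSS_INSTALL_LIBSOFTOKN is disabled, yet the LIBSOFTOKN help text in this same hunk says softoken is the PKCS#11 module that exposes FreeBL's cryptographic algorithms; as far as I know libnss3 loads libsoftokn3 as its internal module at NSS_Init, so a libssl3 without softoken would presumably be left with no crypto provider at all. Consider adding `select NSS_INSTALL_LIBSOFTOKN` under NSS_INSTALL_LIBSSL, or at least a help-text caveat, rather than leaving that combination selectable. The libnssckbi option also deserves a security caveat, since CKBI is the only built-in trust store: something like `Without it, NSS-based TLS clients have no built-in root CAs and will reject every server certificate unless trust anchors are provided through an NSS database.` Minor style: the footprint figures mix `kiB` and `kB`, and `about ~` says the same thing twice.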
diff --git a/rules/nss.make b/rules/nss.make
index 44febc416711..6a003dd1743f 100644
--- a/rules/nss.make
+++ b/rules/nss.make
@@ -48,13 +48,18 @@ NSS_MAKE_ENV := \
 	BUILD_OPT=1 \
 	MOZILLA_CLIENT=1 \
 	NS_USE_GCC=1 \
-	NSS_USE_SYSTEM_SQLITE=1 \
 	NSS_ENABLE_ECC=1 \
 	NSS_DISABLE_GTESTS=1 \
 	NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \
 	USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) \
 	USE_NEON=$(call ptx/ifdef, PTXCONF_ARCH_ARM_NEON,1)
 
+# unless needed, prevent an additional runtime dependency by using the bundled,
+# statically-linked sqlite, but not installing anything that links to it
+ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN
+NSS_MAKE_ENV += NSS_USE_SYSTEM_SQLITE=1
+endif
+
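Review bot: The `ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN` guard inverts the comment above it: `NSS_USE_SYSTEM_SQLITE=1` selects the sysroot SQLite, yet it is now set only when libsoftokn is *not* installed, which is exactly the configuration in which `select SQLITE if NSS_INSTALL_LIBSOFTOKN` leaves no system SQLite in the sysroot for the build to find. Conversely, when libsoftokn is installed the variable stays unset, so NSS presumably falls back to its bundled SQLite copy inside libsoftokn3, a copy that would no longer pick up fixes shipped with the system SQLite package. The condition should read `ifdef PTXCONF_NSS_INSTALL_LIBSOFTOKN`, so that the bundled copy is only ever used for libraries that do not reach the target.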
 NSS_MAKE_PAR := NO
 NSS_MAKE_OPT := \
 	OS_ARCH=Linux \
@@ -72,14 +77,13 @@ NSS_INSTALL_OPT := \
 NSS_LIBS := \
 	libnss3 \
 	libnssutil3 \
-	libsmime3 \
-	libssl3 \
-	libfreebl3 \
-	libfreeblpriv3 \
-	libnssckbi \
-	libnssdbm3 \
-	libsoftokn3
-
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,)
 
 $(STATEDIR)/nss.install:
 	@$(call targetinfo)
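Review bot: The libraries gated by `PTXCONF_NSS_INSTALL_LIBSOFTOKN` and `PTXCONF_NSS_INSTALL_LIBNSSCKBI` are, per the commit message, loaded by libnss3 at runtime as PKCS#11 modules rather than linked against, so nothing in the build fails when a consumer needs them and they are deselected; the failure only shows up at runtime during NSS initialization or certificate verification. A comment above `NSS_LIBS` should record that for the next person trimming the list, e.g. `# libsoftokn3/libfreebl*/libnssdbm3 and libnssckbi are dlopen()ed by libnss3 at runtime; a consumer's DT_NEEDED entries will not reveal the dependency`. Note also that this list now drives the sysroot install as well as the target install, while the pkg-config file handled further down in this rule (outside the hunk) presumably still advertises `-lssl3 -lsmime3`, so a consumer linking through pkg-config would fail to link with those options off.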
diff --git a/rules/qt5.in b/rules/qt5.in
index 162ea8b9beba..a5f8f3b94c4b 100644
--- a/rules/qt5.in
+++ b/rules/qt5.in
@@ -59,6 +59,8 @@ menuconfig QT5
 	select NSPR			if QT5_MODULE_QTWEBENGINE
 	select HOST_NSPR		if QT5_MODULE_QTWEBENGINE
 	select NSS			if QT5_MODULE_QTWEBENGINE
+	select NSS_INSTALL_LIBNSSCKBI	if QT5_MODULE_QTWEBENGINE
+	select NSS_INSTALL_LIBSMIME	if QT5_MODULE_QTWEBENGINE
 	select HOST_NSS			if QT5_MODULE_QTWEBENGINE
 	select HOST_NINJA		if QT5_MODULE_QTWEBENGINE
 	select ALSA_LIB			if QT5_MODULE_QTMULTIMEDIA || QT5_MODULE_QTWEBENGINE_MEDIA
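Review bot: `NSS_INSTALL_LIBSOFTOKN` is not selected for QtWebEngine although `NSS_INSTALL_LIBNSSCKBI` is; as far as I know libnss3 loads libsoftokn3 as its internal PKCS#11 module during initialization regardless of whether a certificate database is used, so a configuration with the trust-anchor module but without softoken would leave NSS unable to initialize and the root CAs in libnssckbi unused. Either add `select NSS_INSTALL_LIBSOFTOKN	if QT5_MODULE_QTWEBENGINE` next to the two new selects, or drop the CKBI select if WebEngine never initializes NSS with a module database. Since neither library appears in the consumer's linked libraries, a short comment on the two added lines stating that they are runtime-loaded modules would keep them from being removed as unused.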
-- 
2.27.0




* [ptxdist] [PATCH v3 2/2] nss: install all libraries into the sysroot
  2020-06-19 13:44 ` [ptxdist] [PATCH v3 1/2] " Roland Hieber
@ 2020-06-19 13:44   ` Roland Hieber
  2020-06-19 14:15     ` Michael Olbrich
  2020-06-19 15:04   ` [ptxdist] [PATCH v3 1/2] nss: make installed libraries configurable Michael Olbrich
  1 sibling, 1 reply; 10+ messages in thread
From: Roland Hieber @ 2020-06-19 13:44 UTC (permalink / raw)
  To: ptxdist; +Cc: Jan Luebbe, Roland Hieber

From: Jan Luebbe <jlu@pengutronix.de>

ecryptfs-utils links to -lssl3 -lsmime3, without using any functions
from it. Install all libraries to the sysroot to make it work. The
unused libraries are still not installed on the target.

Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
 I overlooked this patch in v2, but discovered it again during
 build-testing...

 v2 -> v3: new patch

 rules/nss.make | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/rules/nss.make b/rules/nss.make
index 6a003dd1743f..c8537ceb521b 100644
--- a/rules/nss.make
+++ b/rules/nss.make
@@ -74,24 +74,13 @@ NSS_INSTALL_OPT := \
 	$(NSS_MAKE_OPT) \
 	install
 
-NSS_LIBS := \
-	libnss3 \
-	libnssutil3 \
-	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \
-	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \
-	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \
-	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \
-	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \
-	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \
-	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,)
-
 $(STATEDIR)/nss.install:
 	@$(call targetinfo)
 	@$(call world/install, NSS)
 
-	@$(foreach lib,$(NSS_LIBS), \
-		install -v -m644 -D $(NSS_DIR)/dist/Linux$(PTXCONF_KERNEL_VERSION)_$(NSS_ARCH)_*/lib/$(lib).so \
-			$(NSS_PKGDIR)/usr/lib/$(lib).so$(ptx/nl))
+	install -d -m755 $(NSS_PKGDIR)/usr/lib/
+	install -m 644 $(NSS_DIR)/dist/Linux$(PTXCONF_KERNEL_VERSION)_$(NSS_ARCH)_*/lib/*.so \
+		$(NSS_PKGDIR)/usr/lib/
 
 	install -d $(NSS_PKGDIR)/usr/lib/pkgconfig/
 	VERSION=$(NSS_VERSION) ptxd_replace_magic \
@@ -106,6 +95,17 @@ $(STATEDIR)/nss.install:
 # Target-Install
 # ----------------------------------------------------------------------------
 
+NSS_LIBS := \
+	libnss3 \
+	libnssutil3 \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,)
+
 $(STATEDIR)/nss.targetinstall:
 	@$(call targetinfo)
 
-- 
2.27.0




* Re: [ptxdist] [PATCH v3 2/2] nss: install all libraries into the sysroot
  2020-06-19 13:44   ` [ptxdist] [PATCH v3 2/2] nss: install all libraries into the sysroot Roland Hieber
@ 2020-06-19 14:15     ` Michael Olbrich
  0 siblings, 0 replies; 10+ messages in thread
From: Michael Olbrich @ 2020-06-19 14:15 UTC (permalink / raw)
  To: ptxdist; +Cc: Jan Luebbe, Roland Hieber

On Fri, Jun 19, 2020 at 03:44:25PM +0200, Roland Hieber wrote:
> From: Jan Luebbe <jlu@pengutronix.de>
> 
> ecryptfs-utils links to -lssl3 -lsmime3, without using any functions

I would guess that ecryptfs-utils uses pkg-config and these libraries are
listed there.

> from it. Install all libraries to the sysroot to make it work. The
> unused libraries are still not installed on the target.

I'm pretty sure that only works with -Wl,--as-needed and we cannot rely on
that. You need to patch nss.pc instead.

Michael

> Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> ---
>  I overlook this patch in v2, but discovered it again during
>  build-testing...
> 
>  v2 -> v3: new patch
> 
>  rules/nss.make | 28 ++++++++++++++--------------
>  1 file changed, 14 insertions(+), 14 deletions(-)
> 
> diff --git a/rules/nss.make b/rules/nss.make
> index 6a003dd1743f..c8537ceb521b 100644
> --- a/rules/nss.make
> +++ b/rules/nss.make
> @@ -74,24 +74,13 @@ NSS_INSTALL_OPT := \
>  	$(NSS_MAKE_OPT) \
>  	install
>  
> -NSS_LIBS := \
> -	libnss3 \
> -	libnssutil3 \
> -	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \
> -	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \
> -	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \
> -	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \
> -	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \
> -	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \
> -	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,)
> -
>  $(STATEDIR)/nss.install:
>  	@$(call targetinfo)
>  	@$(call world/install, NSS)
>  
> -	@$(foreach lib,$(NSS_LIBS), \
> -		install -v -m644 -D $(NSS_DIR)/dist/Linux$(PTXCONF_KERNEL_VERSION)_$(NSS_ARCH)_*/lib/$(lib).so \
> -			$(NSS_PKGDIR)/usr/lib/$(lib).so$(ptx/nl))
> +	install -d -m755 $(NSS_PKGDIR)/usr/lib/
> +	install -m 644 $(NSS_DIR)/dist/Linux$(PTXCONF_KERNEL_VERSION)_$(NSS_ARCH)_*/lib/*.so \
> +		$(NSS_PKGDIR)/usr/lib/
>  
>  	install -d $(NSS_PKGDIR)/usr/lib/pkgconfig/
>  	VERSION=$(NSS_VERSION) ptxd_replace_magic \
> @@ -106,6 +95,17 @@ $(STATEDIR)/nss.install:
>  # Target-Install
>  # ----------------------------------------------------------------------------
>  
> +NSS_LIBS := \
> +	libnss3 \
> +	libnssutil3 \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,)
> +
>  $(STATEDIR)/nss.targetinstall:
>  	@$(call targetinfo)
>  
> -- 
> 2.27.0
> 
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |



* Re: [ptxdist] [PATCH v3 1/2] nss: make installed libraries configurable
  2020-06-19 13:44 ` [ptxdist] [PATCH v3 1/2] " Roland Hieber
  2020-06-19 13:44   ` [ptxdist] [PATCH v3 2/2] nss: install all libraries into the sysroot Roland Hieber
@ 2020-06-19 15:04   ` Michael Olbrich
  2020-06-19 15:30     ` Michael Olbrich
  2020-06-22 10:02     ` Roland Hieber
  1 sibling, 2 replies; 10+ messages in thread
From: Michael Olbrich @ 2020-06-19 15:04 UTC (permalink / raw)
  To: ptxdist

On Fri, Jun 19, 2020 at 03:44:24PM +0200, Roland Hieber wrote:
> Most NSS modules are only needed if any software links to them, or loads
> them at runtime (e.g. as a PKCS#11 module). In extreme cases, we can
> slim down the installation by more than 1 MiB, and also get rid of the
> SQLite dependency.
> 
> Qt5WebEngine and ecryptfs-utils are currently the only users of NSS, pin
> down their respective sub-dependencies.
> 
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> ---
>  v2 -> v3: no changes
>  
>  v1 -> v2:
>   - rebase onto current master
>   - fix ecryptfs depedency, only libsoftokn is needed
>   - format libsoftokn help text a bit nicer
> 
>  rules/ecryptfs-utils.in |  1 +
>  rules/nss.in            | 58 ++++++++++++++++++++++++++++++++++++++---
>  rules/nss.make          | 22 +++++++++-------
>  rules/qt5.in            |  2 ++
>  4 files changed, 71 insertions(+), 12 deletions(-)
> 
> diff --git a/rules/ecryptfs-utils.in b/rules/ecryptfs-utils.in
> index 5087f79d3ca2..8a62443bdddb 100644
> --- a/rules/ecryptfs-utils.in
> +++ b/rules/ecryptfs-utils.in
> @@ -5,6 +5,7 @@ menuconfig ECRYPTFS_UTILS
>  	prompt "ecryptfs-utils                "
>  	select KEYUTILS
>  	select NSS
> +	select NSS_INSTALL_LIBSOFTOKN

This is loaded dynamically, right? There should be a comment here,
otherwise someone will try to remove it because it seems unused.

>  	select HOST_INTLTOOL
>  	select BASH			if ECRYPTFS_UTILS_TESTS
>  	select COREUTILS		if ECRYPTFS_UTILS_TESTS
> diff --git a/rules/nss.in b/rules/nss.in
> index 3e4a07a75404..799bd5a73ae0 100644
> --- a/rules/nss.in
> +++ b/rules/nss.in
> @@ -1,13 +1,65 @@
>  ## SECTION=networking
>  
> -config NSS
> +menuconfig NSS
>  	tristate
> -	prompt "nss"
> +	prompt "nss                           "
>  	select NSPR
> -	select SQLITE
> +	select SQLITE	if NSS_INSTALL_LIBSOFTOKN
>  	help
>  	  Network Security Services (NSS) is a set of libraries designed to
>  	  support cross-platform development of security-enabled client and
>  	  server applications. Applications built with NSS can support
>  	  SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME,
>  	  X.509 v3 certificates, and other security standards.
> +
> +if NSS
> +
> +config NSS_INSTALL_LIBSMIME
> +	bool
> +	prompt "install libsmime"
> +	default y

Remove the default. This is something libs/programs link to, so building
will fail if its needed and missing.

> +	help
> +	  Install libsmime3.so, which adds about ~90 kiB to the footprint.
> +
> +	  libsmime provides functionality related to S/MIME (Cryptographic
> +	  Message Syntax, PKCS#7) used by secure email and some instant
> +	  messaging implementations.
> +
> +config NSS_INSTALL_LIBSSL
> +	bool
> +	prompt "install libssl"
> +	default y

Same here.

> +	help
> +	  Install libssl3.so, which adds about ~200 kiB to the footprint.
> +
> +	  libssl implements the Secure Sockets Layer/Transport Layer Security
> +	  network protocols.
> +
> +config NSS_INSTALL_LIBNSSCKBI
> +	bool
> +	prompt "install libnssckbi"
> +	default y
> +	help
> +	  Install libnssckbi.so, which adds about ~350 kiB to the footprint.
> +
> +	  CKBI is a PKCS#11 module which provides a set of trust anchors (Root
> +	  CAs) and their trust assignments.

This is loaded dynamically. So how should a package creator know, when this
is needed?

> +config NSS_INSTALL_LIBSOFTOKN
> +	bool
> +	prompt "install libsoftokn"
> +	default y
> +	help
> +	  Install libfreebl3.so, libfreeblpriv3.so, libsoftokn3.so, and
> +	  libnssdbm3.so, which add about ~530 kB to the footprint, as well as an
> +	  additional dependency on SQLite.
> +
> +	  FreeBL is a base library providing hash functions, big number
> +	  calculations, and cryptographic algorithms.
> +
> +	  DBM is a legacy library providing database storage.

Is this loaded dynamically? I'm not seeing any users and if this is legacy
then maybe we shouldn't install it at all?

> +	  Softoken is an NSS module that exposes most FreeBL functionality as a

	Softokn (without the 'e'), right?

> +	  PKCS#11 module, and can make use of DBM or SQLite at runtime.

So softokn is loaded dynamically by libnss3, right? Same question as above.
And what exactly is the relationship with libfreebl3.so? Is that loaded
dynamically by softokn? Same with libnssdbm3.so.

> +endif
> diff --git a/rules/nss.make b/rules/nss.make
> index 44febc416711..6a003dd1743f 100644
> --- a/rules/nss.make
> +++ b/rules/nss.make
> @@ -48,13 +48,18 @@ NSS_MAKE_ENV := \
>  	BUILD_OPT=1 \
>  	MOZILLA_CLIENT=1 \
>  	NS_USE_GCC=1 \
> -	NSS_USE_SYSTEM_SQLITE=1 \
>  	NSS_ENABLE_ECC=1 \
>  	NSS_DISABLE_GTESTS=1 \
>  	NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \
>  	USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) \
>  	USE_NEON=$(call ptx/ifdef, PTXCONF_ARCH_ARM_NEON,1)
>  
> +# unless needed, prevent an additional runtime dependency by using the bundled,
> +# statically-linked sqlite, but not installing anything that links to it
> +ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN
> +NSS_MAKE_ENV += NSS_USE_SYSTEM_SQLITE=1
> +endif
> +
>  NSS_MAKE_PAR := NO
>  NSS_MAKE_OPT := \
>  	OS_ARCH=Linux \
> @@ -72,14 +77,13 @@ NSS_INSTALL_OPT := \
>  NSS_LIBS := \
>  	libnss3 \
>  	libnssutil3 \
> -	libsmime3 \
> -	libssl3 \
> -	libfreebl3 \
> -	libfreeblpriv3 \
> -	libnssckbi \
> -	libnssdbm3 \
> -	libsoftokn3
> -
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,)

I think something like this is more readable:

NSS_LIBS-y					:= libnss3
NSS_LIBS-y					+= libnssutil3
NSS_LIBS-$(PTXCONF_NSS_INSTALL_LIBSMIME)	+= libsmime3
...

>  $(STATEDIR)/nss.install:
>  	@$(call targetinfo)
> diff --git a/rules/qt5.in b/rules/qt5.in
> index 162ea8b9beba..a5f8f3b94c4b 100644
> --- a/rules/qt5.in
> +++ b/rules/qt5.in
> @@ -59,6 +59,8 @@ menuconfig QT5
>  	select NSPR			if QT5_MODULE_QTWEBENGINE
>  	select HOST_NSPR		if QT5_MODULE_QTWEBENGINE
>  	select NSS			if QT5_MODULE_QTWEBENGINE
> +	select NSS_INSTALL_LIBNSSCKBI	if QT5_MODULE_QTWEBENGINE

How do you know that this is needed?

> +	select NSS_INSTALL_LIBSMIME	if QT5_MODULE_QTWEBENGINE

Does the current Qt5 version link to this? If yes, which file? I only have
Qt 5.15 here right now (should hit master soon) and that only needs libnss3
and nssutil3.



In general, I'm not convinced that this whole thing is a good idea.
We're possibly skipping plugins that are usually always available, so the
error paths are probably not very well tested. And this is security related
stuff.

Michael

>  	select HOST_NSS			if QT5_MODULE_QTWEBENGINE
>  	select HOST_NINJA		if QT5_MODULE_QTWEBENGINE
>  	select ALSA_LIB			if QT5_MODULE_QTMULTIMEDIA || QT5_MODULE_QTWEBENGINE_MEDIA
> -- 
> 2.27.0
> 
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |



* Re: [ptxdist] [PATCH v3 1/2] nss: make installed libraries configurable
  2020-06-19 15:04   ` [ptxdist] [PATCH v3 1/2] nss: make installed libraries configurable Michael Olbrich
@ 2020-06-19 15:30     ` Michael Olbrich
  2020-06-22 10:02     ` Roland Hieber
  1 sibling, 0 replies; 10+ messages in thread
From: Michael Olbrich @ 2020-06-19 15:30 UTC (permalink / raw)
  To: ptxdist

On Fri, Jun 19, 2020 at 05:04:47PM +0200, Michael Olbrich wrote:
> On Fri, Jun 19, 2020 at 03:44:24PM +0200, Roland Hieber wrote:
> > Most NSS modules are only needed if any software links to them, or loads
> > them at runtime (e.g. as a PKCS#11 module). In extreme cases, we can
> > slim down the installation by more than 1 MiB, and also get rid of the
> > SQLite dependency.
> > 
> > Qt5WebEngine and ecryptfs-utils are currently the only users of NSS, pin
> > down their respective sub-dependencies.
> > 
> > Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> > ---
> >  v2 -> v3: no changes
> >  
> >  v1 -> v2:
> >   - rebase onto current master
> >   - fix ecryptfs depedency, only libsoftokn is needed
> >   - format libsoftokn help text a bit nicer
> > 
> >  rules/ecryptfs-utils.in |  1 +
> >  rules/nss.in            | 58 ++++++++++++++++++++++++++++++++++++++---
> >  rules/nss.make          | 22 +++++++++-------
> >  rules/qt5.in            |  2 ++
> >  4 files changed, 71 insertions(+), 12 deletions(-)
> > 
> > diff --git a/rules/ecryptfs-utils.in b/rules/ecryptfs-utils.in
> > index 5087f79d3ca2..8a62443bdddb 100644
> > --- a/rules/ecryptfs-utils.in
> > +++ b/rules/ecryptfs-utils.in
> > @@ -5,6 +5,7 @@ menuconfig ECRYPTFS_UTILS
> >  	prompt "ecryptfs-utils                "
> >  	select KEYUTILS
> >  	select NSS
> > +	select NSS_INSTALL_LIBSOFTOKN
> 
> This is loaded dynamically, right? There should be a comment here,
> otherwise someone will try to remove it because it seems unused.
> 
> >  	select HOST_INTLTOOL
> >  	select BASH			if ECRYPTFS_UTILS_TESTS
> >  	select COREUTILS		if ECRYPTFS_UTILS_TESTS
> > diff --git a/rules/nss.in b/rules/nss.in
> > index 3e4a07a75404..799bd5a73ae0 100644
> > --- a/rules/nss.in
> > +++ b/rules/nss.in
> > @@ -1,13 +1,65 @@
> >  ## SECTION=networking
> >  
> > -config NSS
> > +menuconfig NSS
> >  	tristate
> > -	prompt "nss"
> > +	prompt "nss                           "
> >  	select NSPR
> > -	select SQLITE
> > +	select SQLITE	if NSS_INSTALL_LIBSOFTOKN
> >  	help
> >  	  Network Security Services (NSS) is a set of libraries designed to
> >  	  support cross-platform development of security-enabled client and
> >  	  server applications. Applications built with NSS can support
> >  	  SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME,
> >  	  X.509 v3 certificates, and other security standards.
> > +
> > +if NSS
> > +
> > +config NSS_INSTALL_LIBSMIME
> > +	bool
> > +	prompt "install libsmime"
> > +	default y
> 
> Remove the default. This is something libs/programs link to, so building
> will fail if its needed and missing.
> 
> > +	help
> > +	  Install libsmime3.so, which adds about ~90 kiB to the footprint.
> > +
> > +	  libsmime provides functionality related to S/MIME (Cryptographic
> > +	  Message Syntax, PKCS#7) used by secure email and some instant
> > +	  messaging implementations.
> > +
> > +config NSS_INSTALL_LIBSSL
> > +	bool
> > +	prompt "install libssl"
> > +	default y
> 
> Same here.
> 
> > +	help
> > +	  Install libssl3.so, which adds about ~200 kiB to the footprint.
> > +
> > +	  libssl implements the Secure Sockets Layer/Transport Layer Security
> > +	  network protocols.
> > +
> > +config NSS_INSTALL_LIBNSSCKBI
> > +	bool
> > +	prompt "install libnssckbi"
> > +	default y
> > +	help
> > +	  Install libnssckbi.so, which adds about ~350 kiB to the footprint.
> > +
> > +	  CKBI is a PKCS#11 module which provides a set of trust anchors (Root
> > +	  CAs) and their trust assignments.
> 
> This is loaded dynamically. So how should a package creator know, when this
> is needed?
> 
> > +config NSS_INSTALL_LIBSOFTOKN
> > +	bool
> > +	prompt "install libsoftokn"
> > +	default y
> > +	help
> > +	  Install libfreebl3.so, libfreeblpriv3.so, libsoftokn3.so, and
> > +	  libnssdbm3.so, which add about ~530 kB to the footprint, as well as an
> > +	  additional dependency on SQLite.
> > +
> > +	  FreeBL is a base library providing hash functions, big number
> > +	  calculations, and cryptographic algorithms.
> > +
> > +	  DBM is a legacy library providing database storage.
> 
> Is this loaded dynamically? I'm not seeing any users and if this is legacy
> then maybe we shouldn't install it at all?
> 
> > +	  Softoken is an NSS module that exposes most FreeBL functionality as a
> 
> 	Softokn (without the 'e'), right?
> 
> > +	  PKCS#11 module, and can make use of DBM or SQLite at runtime.
> 
> So softokn is loaded dynamically by libnss3, right? Same question as above.
> And what exactly is the relationship with libfreebl3.so? Is that loaded
> dynamically by softokn? Same with libnssdbm3.so.
> 
> > +endif
> > diff --git a/rules/nss.make b/rules/nss.make
> > index 44febc416711..6a003dd1743f 100644
> > --- a/rules/nss.make
> > +++ b/rules/nss.make
> > @@ -48,13 +48,18 @@ NSS_MAKE_ENV := \
> >  	BUILD_OPT=1 \
> >  	MOZILLA_CLIENT=1 \
> >  	NS_USE_GCC=1 \
> > -	NSS_USE_SYSTEM_SQLITE=1 \
> >  	NSS_ENABLE_ECC=1 \
> >  	NSS_DISABLE_GTESTS=1 \
> >  	NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \
> >  	USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) \
> >  	USE_NEON=$(call ptx/ifdef, PTXCONF_ARCH_ARM_NEON,1)
> >  
> > +# unless needed, prevent an additional runtime dependency by using the bundled,
> > +# statically-linked sqlite, but not installing anything that links to it
> > +ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN
> > +NSS_MAKE_ENV += NSS_USE_SYSTEM_SQLITE=1
> > +endif
> > +
> >  NSS_MAKE_PAR := NO
> >  NSS_MAKE_OPT := \
> >  	OS_ARCH=Linux \
> > @@ -72,14 +77,13 @@ NSS_INSTALL_OPT := \
> >  NSS_LIBS := \
> >  	libnss3 \
> >  	libnssutil3 \
> > -	libsmime3 \
> > -	libssl3 \
> > -	libfreebl3 \
> > -	libfreeblpriv3 \
> > -	libnssckbi \
> > -	libnssdbm3 \
> > -	libsoftokn3
> > -
> > +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \
> > +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \
> > +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \
> > +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \
> > +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \
> > +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \
> > +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,)
> 
> I think something like this is more readable:
> 
> NSS_LIBS-y					:= libnss3
> NSS_LIBS-y					+= libnssutil3
> NSS_LIBS-$(PTXCONF_NSS_INSTALL_LIBSMIME)	+= libsmime3
> ...
> 
> >  $(STATEDIR)/nss.install:
> >  	@$(call targetinfo)
> > diff --git a/rules/qt5.in b/rules/qt5.in
> > index 162ea8b9beba..a5f8f3b94c4b 100644
> > --- a/rules/qt5.in
> > +++ b/rules/qt5.in
> > @@ -59,6 +59,8 @@ menuconfig QT5
> >  	select NSPR			if QT5_MODULE_QTWEBENGINE
> >  	select HOST_NSPR		if QT5_MODULE_QTWEBENGINE
> >  	select NSS			if QT5_MODULE_QTWEBENGINE
> > +	select NSS_INSTALL_LIBNSSCKBI	if QT5_MODULE_QTWEBENGINE
> 
> How do you know that this is needed?
> 
> > +	select NSS_INSTALL_LIBSMIME	if QT5_MODULE_QTWEBENGINE
> 
> Does the current Qt5 version link to this? If yes, wich file? I only have
> Qt 5.15 here right now (should hit master soon) and that only needs libnss3
> and nssutil3.
> 
> 
> 
> In general, I'm not convinced that this whole thing is a good idea.
> We're possibly skipping plugins that are usually always available, so the
> error paths are probably not very well tested. And this is security related
> stuff.

So this is mostly to make the package smaller for ecryptfs-utils, right?
I don't mind the options for smime and ssl. And softokn is needed there
anyways. And for Qt, the size really doesn't matter. So we could keep that
unconditionally.

So the question is, how to handle nssckbi safely?

Michael


> >  	select HOST_NSS			if QT5_MODULE_QTWEBENGINE
> >  	select HOST_NINJA		if QT5_MODULE_QTWEBENGINE
> >  	select ALSA_LIB			if QT5_MODULE_QTMULTIMEDIA || QT5_MODULE_QTWEBENGINE_MEDIA
> > -- 
> > 2.27.0
> > 
> > 
> > 
> 
> -- 
> Pengutronix e.K.                           |                             |
> Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
> 31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |



* Re: [ptxdist] [PATCH v3 1/2] nss: make installed libraries configurable
  2020-06-19 15:04   ` [ptxdist] [PATCH v3 1/2] nss: make installed libraries configurable Michael Olbrich
  2020-06-19 15:30     ` Michael Olbrich
@ 2020-06-22 10:02     ` Roland Hieber
  1 sibling, 0 replies; 10+ messages in thread
From: Roland Hieber @ 2020-06-22 10:02 UTC (permalink / raw)
  To: ptxdist

On Fri, Jun 19, 2020 at 05:04:47PM +0200, Michael Olbrich wrote:
> On Fri, Jun 19, 2020 at 03:44:24PM +0200, Roland Hieber wrote:
> > Most NSS modules are only needed if any software links to them, or loads
> > them at runtime (e.g. as a PKCS#11 module). In extreme cases, we can
> > slim down the installation by more than 1 MiB, and also get rid of the
> > SQLite dependency.
> > 
> > Qt5WebEngine and ecryptfs-utils are currently the only users of NSS, pin
> > down their respective sub-dependencies.
> > 
> > Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> > ---
> >  v2 -> v3: no changes
> >  
> >  v1 -> v2:
> >   - rebase onto current master
> >   - fix ecryptfs dependency, only libsoftokn is needed
> >   - format libsoftokn help text a bit nicer
> > 
> >  rules/ecryptfs-utils.in |  1 +
> >  rules/nss.in            | 58 ++++++++++++++++++++++++++++++++++++++---
> >  rules/nss.make          | 22 +++++++++-------
> >  rules/qt5.in            |  2 ++
> >  4 files changed, 71 insertions(+), 12 deletions(-)
> > 
> > diff --git a/rules/ecryptfs-utils.in b/rules/ecryptfs-utils.in
> > index 5087f79d3ca2..8a62443bdddb 100644
> > --- a/rules/ecryptfs-utils.in
> > +++ b/rules/ecryptfs-utils.in
> > @@ -5,6 +5,7 @@ menuconfig ECRYPTFS_UTILS
> >  	prompt "ecryptfs-utils                "
> >  	select KEYUTILS
> >  	select NSS
> > +	select NSS_INSTALL_LIBSOFTOKN
> 
> This is loaded dynamically, right? There should be a comment here,
> otherwise someone will try to remove it because it seems unused.
> 
> >  	select HOST_INTLTOOL
> >  	select BASH			if ECRYPTFS_UTILS_TESTS
> >  	select COREUTILS		if ECRYPTFS_UTILS_TESTS
> > diff --git a/rules/nss.in b/rules/nss.in
> > index 3e4a07a75404..799bd5a73ae0 100644
> > --- a/rules/nss.in
> > +++ b/rules/nss.in
> > @@ -1,13 +1,65 @@
> >  ## SECTION=networking
> >  
> > -config NSS
> > +menuconfig NSS
> >  	tristate
> > -	prompt "nss"
> > +	prompt "nss                           "
> >  	select NSPR
> > -	select SQLITE
> > +	select SQLITE	if NSS_INSTALL_LIBSOFTOKN
> >  	help
> >  	  Network Security Services (NSS) is a set of libraries designed to
> >  	  support cross-platform development of security-enabled client and
> >  	  server applications. Applications built with NSS can support
> >  	  SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME,
> >  	  X.509 v3 certificates, and other security standards.
> > +
> > +if NSS
> > +
> > +config NSS_INSTALL_LIBSMIME
> > +	bool
> > +	prompt "install libsmime"
> > +	default y
> 
> Remove the default. This is something libs/programs link to, so building
> will fail if its needed and missing.
> 
> > +	help
> > +	  Install libsmime3.so, which adds about ~90 kiB to the footprint.
> > +
> > +	  libsmime provides functionality related to S/MIME (Cryptographic
> > +	  Message Syntax, PKCS#7) used by secure email and some instant
> > +	  messaging implementations.
> > +
> > +config NSS_INSTALL_LIBSSL
> > +	bool
> > +	prompt "install libssl"
> > +	default y
> 
> Same here.
> 
> > +	help
> > +	  Install libssl3.so, which adds about ~200 kiB to the footprint.
> > +
> > +	  libssl implements the Secure Sockets Layer/Transport Layer Security
> > +	  network protocols.
> > +
> > +config NSS_INSTALL_LIBNSSCKBI
> > +	bool
> > +	prompt "install libnssckbi"
> > +	default y
> > +	help
> > +	  Install libnssckbi.so, which adds about ~350 kiB to the footprint.
> > +
> > +	  CKBI is a PKCS#11 module which provides a set of trust anchors (Root
> > +	  CAs) and their trust assignments.
> 
> This is loaded dynamically. So how should a package creator know, when this
> is needed?
> 
> > +config NSS_INSTALL_LIBSOFTOKN
> > +	bool
> > +	prompt "install libsoftokn"
> > +	default y
> > +	help
> > +	  Install libfreebl3.so, libfreeblpriv3.so, libsoftokn3.so, and
> > +	  libnssdbm3.so, which add about ~530 kB to the footprint, as well as an
> > +	  additional dependency on SQLite.
> > +
> > +	  FreeBL is a base library providing hash functions, big number
> > +	  calculations, and cryptographic algorithms.
> > +
> > +	  DBM is a legacy library providing database storage.
> 
> Is this loaded dynamically? I'm not seeing any users and if this is legacy
> then maybe we shouldn't install it at all?
> 
> > +	  Softoken is an NSS module that exposes most FreeBL functionality as a
> 
> 	Softokn (without the 'e'), right?
> 
> > +	  PKCS#11 module, and can make use of DBM or SQLite at runtime.
> 
> So softokn is loaded dynamically by libnss3, right? Same question as above.
> And what exactly is the relationship with libfreebl3.so? Is that loaded
> dynamically by softokn? Same with libnssdbm3.so.
> 
> > +endif
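Review bot: Nothing in the new option block ties NSS_INSTALL_LIBSSL and NSS_INSTALL_LIBSMIME to NSS_INSTALL_LIBSOFTOKN, even though the softokn help text in this same hunk describes it as the PKCS#11 module that exposes FreeBL's cryptographic algorithms at runtime; a configuration with libssl3 or libsmime3 but no softokn presumably links and installs cleanly and only fails when the first TLS or CMS operation finds no token to do the crypto. Since the linker cannot catch a dynamically loaded module, the dependency should be expressed where the build system can enforce it: add `select NSS_INSTALL_LIBSOFTOKN` under both NSS_INSTALL_LIBSSL and NSS_INSTALL_LIBSMIME, so that no package rule has to remember to select softokn alongside the library it actually links to. The existing `select SQLITE if NSS_INSTALL_LIBSOFTOKN` on the menuconfig then covers the SQLite side unchanged.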
> > diff --git a/rules/nss.make b/rules/nss.make
> > index 44febc416711..6a003dd1743f 100644
> > --- a/rules/nss.make
> > +++ b/rules/nss.make
> > @@ -48,13 +48,18 @@ NSS_MAKE_ENV := \
> >  	BUILD_OPT=1 \
> >  	MOZILLA_CLIENT=1 \
> >  	NS_USE_GCC=1 \
> > -	NSS_USE_SYSTEM_SQLITE=1 \
> >  	NSS_ENABLE_ECC=1 \
> >  	NSS_DISABLE_GTESTS=1 \
> >  	NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \
> >  	USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) \
> >  	USE_NEON=$(call ptx/ifdef, PTXCONF_ARCH_ARM_NEON,1)
> >  
> > +# unless needed, prevent an additional runtime dependency by using the bundled,
> > +# statically-linked sqlite, but not installing anything that links to it
> > +ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN
> > +NSS_MAKE_ENV += NSS_USE_SYSTEM_SQLITE=1
> > +endif
> > +
> >  NSS_MAKE_PAR := NO
> >  NSS_MAKE_OPT := \
> >  	OS_ARCH=Linux \
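Review bot: The `ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN` guard looks inverted relative to its own comment and to `select SQLITE if NSS_INSTALL_LIBSOFTOKN` in nss.in: as written, NSS_USE_SYSTEM_SQLITE=1 is exported exactly when the system SQLite package is not selected, and the bundled, statically linked copy is used exactly when softokn, its only consumer, is installed. The likely outcome is a build failure in the softokn-less case (system libsqlite3 absent from the sysroot) and, in the softokn case, a vendored SQLite inside libsoftokn3 on the target that the system SQLite package's security updates would never reach. It should read `ifdef PTXCONF_NSS_INSTALL_LIBSOFTOKN`. A one-line comment such as `# system sqlite is only selected in nss.in when libsoftokn is installed` next to it would keep the two files in step.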
> > @@ -72,14 +77,13 @@ NSS_INSTALL_OPT := \
> >  NSS_LIBS := \
> >  	libnss3 \
> >  	libnssutil3 \
> > -	libsmime3 \
> > -	libssl3 \
> > -	libfreebl3 \
> > -	libfreeblpriv3 \
> > -	libnssckbi \
> > -	libnssdbm3 \
> > -	libsoftokn3
> > -
> > +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \
> > +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \
> > +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \
> > +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \
> > +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \
> > +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \
> > +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,)
> 
> I think something like this is more readable:
> 
> NSS_LIBS-y					:= libnss3
> NSS_LIBS-y					+= libnssutil3
> NSS_LIBS-$(PTXCONF_NSS_INSTALL_LIBSMIME)	+= libsmime3
> ...
> 
> >  $(STATEDIR)/nss.install:
> >  	@$(call targetinfo)
> > diff --git a/rules/qt5.in b/rules/qt5.in
> > index 162ea8b9beba..a5f8f3b94c4b 100644
> > --- a/rules/qt5.in
> > +++ b/rules/qt5.in
> > @@ -59,6 +59,8 @@ menuconfig QT5
> >  	select NSPR			if QT5_MODULE_QTWEBENGINE
> >  	select HOST_NSPR		if QT5_MODULE_QTWEBENGINE
> >  	select NSS			if QT5_MODULE_QTWEBENGINE
> > +	select NSS_INSTALL_LIBNSSCKBI	if QT5_MODULE_QTWEBENGINE
> 
> How do you know that this is needed?
> 
> > +	select NSS_INSTALL_LIBSMIME	if QT5_MODULE_QTWEBENGINE
> 
> Does the current Qt5 version link to this? If yes, wich file? I only have
> Qt 5.15 here right now (should hit master soon) and that only needs libnss3
> and nssutil3.
> 
> 
> 
> In general, I'm not convinced that this whole thing is a good idea.
> We're possibly skipping plugins that are usually always available, so the
> error paths are probably not very well tested. And this is security related
> stuff.

To be honest, after looking at it again and trying to research answers
to your questions, I'm also no longer convinced. (I know that I had
researched the dependencies of libsoftokn in the NSS documentation
online during v1 of the patch, but I can no longer find it… and the code
itself also doesn't make it easy to find that out.)

v1 of the patch was also made under the false assumption that
ecryptfs-utils only linked to libssl and libsmime, but since it loads
libsoftokn as well at runtime, the space savings in the rootfs come
down to only about 300 kiB instead of 1 MiB.

So I think we should leave the NSS rule as-is, unless the need arises
again, and someone more versed in NSS internals can say more about it.

 - Roland

-- 
Roland Hieber, Pengutronix e.K.          | r.hieber@pengutronix.de     |
Steuerwalder Str. 21                     | https://www.pengutronix.de/ |
31137 Hildesheim, Germany                | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686         | Fax:   +49-5121-206917-5555 |


