mailarchive of the ptxdist mailing list
From: Roland Hieber <rhi@pengutronix.de>
To: ptxdist@pengutronix.de
Subject: Re: [ptxdist] [PATCH v1] nss: make installed libraries configurable
Date: Mon, 30 Sep 2019 11:33:34 +0200
Message-ID: <20190930093334.mhsilaqjogaz7x3q@pengutronix.de>
In-Reply-To: <20190924151427.18850-1-rhi@pengutronix.de>

Please wait for a v2, I found a mismatched dependency in ecryptfs.

 - Roland

On Tue, Sep 24, 2019 at 05:14:27PM +0200, Roland Hieber wrote:
> Most NSS modules are only needed if any software links to them, or loads
> them at runtime (e.g. as a PKCS#11 module). In extreme cases, we can
> slim down the installation by more than 1 MiB, and also get rid of the
> SQLite dependency.
> 
> Qt5WebEngine and ecryptfs-utils are currently the only users of NSS, pin
> down their respective sub-dependencies.
> 
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> ---
>  rules/ecryptfs-utils.in |  2 ++
>  rules/nss.in            | 56 ++++++++++++++++++++++++++++++++++++++---
>  rules/nss.make          | 22 +++++++++-------
>  rules/qt5.in            |  2 ++
>  4 files changed, 70 insertions(+), 12 deletions(-)
> 
> diff --git a/rules/ecryptfs-utils.in b/rules/ecryptfs-utils.in
> index 5087f79d3ca2..7ac44e11bdf3 100644
> --- a/rules/ecryptfs-utils.in
> +++ b/rules/ecryptfs-utils.in
> @@ -5,6 +5,8 @@ menuconfig ECRYPTFS_UTILS
>  	prompt "ecryptfs-utils                "
>  	select KEYUTILS
>  	select NSS
> +	select NSS_INSTALL_LIBSSL
> +	select NSS_INSTALL_LIBSMIME
>  	select HOST_INTLTOOL
>  	select BASH			if ECRYPTFS_UTILS_TESTS
>  	select COREUTILS		if ECRYPTFS_UTILS_TESTS
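Review bot: The two new selects (`select NSS_INSTALL_LIBSSL`, `select NSS_INSTALL_LIBSMIME`) carry no hint of which part of ecryptfs-utils links against or loads libssl3 and libsmime3, so a later reader cannot check whether the pin is still correct. A short comment or a sentence in the commit message naming the consumer would help. NSS_INSTALL_LIBSOFTOKN is also not selected here, while the help text in rules/nss.in says FreeBL and softoken provide the hash and cryptographic algorithms; please confirm that nothing in ecryptfs-utils loads that module at runtime, since a runtime-loaded PKCS#11 module will not show up as a link-time dependency.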
> diff --git a/rules/nss.in b/rules/nss.in
> index 3e4a07a75404..0f44a2b7d1c8 100644
> --- a/rules/nss.in
> +++ b/rules/nss.in
> @@ -1,13 +1,63 @@
>  ## SECTION=networking
>  
> -config NSS
> +menuconfig NSS
>  	tristate
> -	prompt "nss"
> +	prompt "nss                           "
>  	select NSPR
> -	select SQLITE
> +	select SQLITE	if NSS_INSTALL_LIBSOFTOKN
>  	help
>  	  Network Security Services (NSS) is a set of libraries designed to
>  	  support cross-platform development of security-enabled client and
>  	  server applications. Applications built with NSS can support
>  	  SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME,
>  	  X.509 v3 certificates, and other security standards.
> +
> +if NSS
> +
> +config NSS_INSTALL_LIBSMIME
> +	bool
> +	prompt "install libsmime"
> +	default y
> +	help
> +	  Install libsmime3.so, which adds about ~90 kiB to the footprint.
> +
> +	  libsmime provides functionality related to S/MIME (Cryptographic
> +	  Message Syntax, PKCS#7) used by secure email and some instant
> +	  messaging implementations.
> +
> +config NSS_INSTALL_LIBSSL
> +	bool
> +	prompt "install libssl"
> +	default y
> +	help
> +	  Install libssl3.so, which adds about ~200 kiB to the footprint.
> +
> +	  libssl implements the Secure Sockets Layer/Transport Layer Security
> +	  network protocols.
> +
> +config NSS_INSTALL_LIBNSSCKBI
> +	bool
> +	prompt "install libnssckbi"
> +	default y
> +	help
> +	  Install libnssckbi.so, which adds about ~350 kiB to the footprint.
> +
> +	  CKBI is a PKCS#11 module which provides a set of trust anchors (Root
> +	  CAs) and their trust assignments.
> +
> +config NSS_INSTALL_LIBSOFTOKN
> +	bool
> +	prompt "install libsoftokn"
> +	default y
> +	help
> +	  Install libfreebl3.so, libfreeblpriv3.so, libsoftokn3.so, and
> +	  libnssdbm3.so, which add about ~530 kB to the footprint, as well as an
> +	  additional dependency on SQLite.
> +
> +	  FreeBL is a base library providing hash functions, big number
> +	  calculations, and cryptographic algorithms. DBM is a legacy library
> +	  providing database storage. Softoken is an NSS module that exposes
> +	  most FreeBL functionality as a PKCS#11 module, and can make use of DBM
> +	  or SQLite at runtime.
> +
> +endif
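Review bot: The help for NSS_INSTALL_LIBSOFTOKN states the size saving but not what stops working when the option is switched off. The same text says FreeBL provides the hash functions and cryptographic algorithms and that softoken exposes them as a PKCS#11 module, so a user deselecting it to save ~530 kB should be told which NSS functionality then has no backing implementation. The same applies to NSS_INSTALL_LIBNSSCKBI: without it no built-in root CA set is installed, and the help should say so. Minor: "about ~90 kiB" doubles the approximation, and the units switch between kiB and kB ("~530 kB") across the four entries.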
> diff --git a/rules/nss.make b/rules/nss.make
> index 49406fb956c7..f9f322d94179 100644
> --- a/rules/nss.make
> +++ b/rules/nss.make
> @@ -45,12 +45,17 @@ NSS_MAKE_ENV := \
>  	BUILD_OPT=1 \
>  	MOZILLA_CLIENT=1 \
>  	NS_USE_GCC=1 \
> -	NSS_USE_SYSTEM_SQLITE=1 \
>  	NSS_ENABLE_ECC=1 \
>  	NSS_DISABLE_GTESTS=1 \
>  	NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \
>  	USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1)
>  
> +# unless needed, prevent an additional runtime dependency by using the bundled,
> +# statically-linked sqlite, but not installing anything that links to it
> +ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN
> +NSS_MAKE_ENV += NSS_USE_SYSTEM_SQLITE=1
> +endif
> +
>  NSS_MAKE_PAR := NO
>  NSS_MAKE_OPT := \
>  	OS_ARCH=Linux \
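Review bot: The condition in `ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN` looks inverted. As written, `NSS_USE_SYSTEM_SQLITE=1` is set only when softoken is not installed, yet rules/nss.in selects SQLITE only `if NSS_INSTALL_LIBSOFTOKN`, and the comment directly above says the bundled, statically linked sqlite is meant for the case where nothing that links to it gets installed. With softoken enabled, the selected SQLITE package would go unused and the bundled copy would ship inside the installed library; with softoken disabled, the build asks for a system SQLite that nothing selected. This should probably be `ifdef`.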
> @@ -68,14 +73,13 @@ NSS_INSTALL_OPT := \
>  NSS_LIBS := \
>  	libnss3 \
>  	libnssutil3 \
> -	libsmime3 \
> -	libssl3 \
> -	libfreebl3 \
> -	libfreeblpriv3 \
> -	libnssckbi \
> -	libnssdbm3 \
> -	libsoftokn3
> -
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,)
>  
>  $(STATEDIR)/nss.install:
>  	@$(call targetinfo)
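Review bot: The four `$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, ...)` lines repeat the same condition once per library, which makes it easy for this list and the library list in the NSS_INSTALL_LIBSOFTOKN help text to drift apart. Consider one call that expands to all four names (libfreebl3 libfreeblpriv3 libnssdbm3 libsoftokn3). The new calls also pass an empty third argument (`libsmime3,)`), whereas the existing `USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1)` in this file omits it; pick one form.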
> diff --git a/rules/qt5.in b/rules/qt5.in
> index 6c2de3cde04f..aa9b63f2fdf7 100644
> --- a/rules/qt5.in
> +++ b/rules/qt5.in
> @@ -57,6 +57,8 @@ menuconfig QT5
>  	select NSPR			if QT5_MODULE_QTWEBENGINE
>  	select HOST_NSPR		if QT5_MODULE_QTWEBENGINE
>  	select NSS			if QT5_MODULE_QTWEBENGINE
> +	select NSS_INSTALL_LIBNSSCKBI	if QT5_MODULE_QTWEBENGINE
> +	select NSS_INSTALL_LIBSMIME	if QT5_MODULE_QTWEBENGINE
>  	select HOST_NSS			if QT5_MODULE_QTWEBENGINE
>  	select HOST_NINJA		if QT5_MODULE_QTWEBENGINE
>  	select ALSA_LIB			if QT5_MODULE_QTMULTIMEDIA || QT5_MODULE_QTWEBENGINE_MEDIA
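Review bot: The selects added for QtWebEngine pull in NSS_INSTALL_LIBNSSCKBI and NSS_INSTALL_LIBSMIME but neither NSS_INSTALL_LIBSSL nor NSS_INSTALL_LIBSOFTOKN, and nothing in the hunk or the commit message says how that set was determined. Since the commit message itself notes that modules may be loaded at runtime as PKCS#11 modules, a link-time check alone is not sufficient evidence. Please state how the set was verified (for example, by exercising certificate validation on the target with the other two options disabled), and note the reason next to the selects.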
> -- 
> 2.23.0
> 
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> 

-- 
Roland Hieber                     | r.hieber@pengutronix.de     |
Pengutronix e.K.                  | https://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim | Phone: +49-5121-206917-5086 |
Amtsgericht Hildesheim, HRA 2686  | Fax:   +49-5121-206917-5555 |


Thread overview: 10+ messages
2019-09-24 15:14 Roland Hieber
2019-09-30  9:33 ` Roland Hieber [this message]
2020-06-19 12:31   ` [ptxdist] [PATCH] " Roland Hieber
2020-06-19 12:33     ` [ptxdist] [PATCH v2] " Roland Hieber
2020-06-19 13:44 ` [ptxdist] [PATCH v3 1/2] " Roland Hieber
2020-06-19 13:44   ` [ptxdist] [PATCH v3 2/2] nss: install all libraries into the sysroot Roland Hieber
2020-06-19 14:15     ` Michael Olbrich
2020-06-19 15:04   ` [ptxdist] [PATCH v3 1/2] nss: make installed libraries configurable Michael Olbrich
2020-06-19 15:30     ` Michael Olbrich
2020-06-22 10:02     ` Roland Hieber
