From: Roland Hieber <rhi@pengutronix.de>
To: ptxdist@pengutronix.de
Cc: Roland Hieber <rhi@pengutronix.de>
Subject: [ptxdist] [PATCH] nss: make installed libraries configurable
Date: Fri, 19 Jun 2020 14:31:31 +0200	[thread overview]
Message-ID: <20200619123131.770-1-rhi@pengutronix.de> (raw)
In-Reply-To: <20190930093334.mhsilaqjogaz7x3q@pengutronix.de>

Most NSS modules are only needed if any software links to them, or loads
them at runtime (e.g. as a PKCS#11 module). In extreme cases, we can
slim down the installation by more than 1 MiB, and also get rid of the
SQLite dependency.

Qt5WebEngine and ecryptfs-utils are currently the only users of NSS, pin
down their respective sub-dependencies.

Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
v1 -> v2:
 - rebase to current master
 - fix ecryptfs dependency, only libsoftokn is needed
 - format libsoftokn help text a bit nicer

Range-diff:
  1:  6fc40ec92172 ! 772:  a2711cfe218b nss: make installed libraries configurable
    @@ Commit message
     
         Signed-off-by: Roland Hieber <rhi@pengutronix.de>
     
      ## rules/ecryptfs-utils.in ##
     @@ rules/ecryptfs-utils.in: menuconfig ECRYPTFS_UTILS
      	prompt "ecryptfs-utils                "
      	select KEYUTILS
      	select NSS
    -+	select NSS_INSTALL_LIBSSL
    -+	select NSS_INSTALL_LIBSMIME
    ++	select NSS_INSTALL_LIBSOFTOKN
      	select HOST_INTLTOOL
      	select BASH			if ECRYPTFS_UTILS_TESTS
      	select COREUTILS		if ECRYPTFS_UTILS_TESTS
    @@ rules/nss.in
     +	  additional dependency on SQLite.
     +
     +	  FreeBL is a base library providing hash functions, big number
    -+	  calculations, and cryptographic algorithms. DBM is a legacy library
    -+	  providing database storage. Softoken is an NSS module that exposes
    -+	  most FreeBL functionality as a PKCS#11 module, and can make use of DBM
    -+	  or SQLite at runtime.
    ++	  calculations, and cryptographic algorithms.
    ++
    ++	  DBM is a legacy library providing database storage.
    ++
    ++	  Softoken is an NSS module that exposes most FreeBL functionality as a
    ++	  PKCS#11 module, and can make use of DBM or SQLite at runtime.
     +
     +endif
     
    @@ rules/nss.make: NSS_MAKE_ENV := \
      	NSS_ENABLE_ECC=1 \
      	NSS_DISABLE_GTESTS=1 \
      	NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \
    - 	USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1)
    + 	USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) \
    + 	USE_NEON=$(call ptx/ifdef, PTXCONF_ARCH_ARM_NEON,1)
      
     +# unless needed, prevent an additional runtime dependency by using the bundled,
     +# statically-linked sqlite, but not installing anything that links to it

 rules/ecryptfs-utils.in |  1 +
 rules/nss.in            | 58 ++++++++++++++++++++++++++++++++++++++---
 rules/nss.make          | 22 +++++++++-------
 rules/qt5.in            |  2 ++
 4 files changed, 71 insertions(+), 12 deletions(-)

diff --git a/rules/ecryptfs-utils.in b/rules/ecryptfs-utils.in
index 5087f79d3ca2..8a62443bdddb 100644
--- a/rules/ecryptfs-utils.in
+++ b/rules/ecryptfs-utils.in
@@ -5,6 +5,7 @@ menuconfig ECRYPTFS_UTILS
 	prompt "ecryptfs-utils                "
 	select KEYUTILS
 	select NSS
+	select NSS_INSTALL_LIBSOFTOKN
 	select HOST_INTLTOOL
 	select BASH			if ECRYPTFS_UTILS_TESTS
 	select COREUTILS		if ECRYPTFS_UTILS_TESTS
diff --git a/rules/nss.in b/rules/nss.in
index 3e4a07a75404..799bd5a73ae0 100644
--- a/rules/nss.in
+++ b/rules/nss.in
@@ -1,13 +1,65 @@
 ## SECTION=networking
 
-config NSS
+menuconfig NSS
 	tristate
-	prompt "nss"
+	prompt "nss                           "
 	select NSPR
-	select SQLITE
+	select SQLITE	if NSS_INSTALL_LIBSOFTOKN
 	help
 	  Network Security Services (NSS) is a set of libraries designed to
 	  support cross-platform development of security-enabled client and
 	  server applications. Applications built with NSS can support
 	  SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME,
 	  X.509 v3 certificates, and other security standards.
+
+if NSS
+
+config NSS_INSTALL_LIBSMIME
+	bool
+	prompt "install libsmime"
+	default y
+	help
+	  Install libsmime3.so, which adds about ~90 kiB to the footprint.
+
+	  libsmime provides functionality related to S/MIME (Cryptographic
+	  Message Syntax, PKCS#7) used by secure email and some instant
+	  messaging implementations.
+
+config NSS_INSTALL_LIBSSL
+	bool
+	prompt "install libssl"
+	default y
+	help
+	  Install libssl3.so, which adds about ~200 kiB to the footprint.
+
+	  libssl implements the Secure Sockets Layer/Transport Layer Security
+	  network protocols.
+
+config NSS_INSTALL_LIBNSSCKBI
+	bool
+	prompt "install libnssckbi"
+	default y
+	help
+	  Install libnssckbi.so, which adds about ~350 kiB to the footprint.
+
+	  CKBI is a PKCS#11 module which provides a set of trust anchors (Root
+	  CAs) and their trust assignments.
+
+config NSS_INSTALL_LIBSOFTOKN
+	bool
+	prompt "install libsoftokn"
+	default y
+	help
+	  Install libfreebl3.so, libfreeblpriv3.so, libsoftokn3.so, and
+	  libnssdbm3.so, which add about ~530 kB to the footprint, as well as an
+	  additional dependency on SQLite.
+
+	  FreeBL is a base library providing hash functions, big number
+	  calculations, and cryptographic algorithms.
+
+	  DBM is a legacy library providing database storage.
+
+	  Softoken is an NSS module that exposes most FreeBL functionality as a
+	  PKCS#11 module, and can make use of DBM or SQLite at runtime.
+
+endif
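Review bot: The help text for NSS_INSTALL_LIBNSSCKBI states the size saving but not what is lost when the option is turned off. Without libnssckbi.so the image ships no built-in root CA set, so NSS-based certificate verification presumably has no trust anchors unless the BSP provisions its own. Since the option is presented purely as a footprint knob, I would add a sentence such as `If disabled, no built-in root CAs are available; certificate validation needs trust anchors provided by other means.` The help for NSS_INSTALL_LIBSSL and NSS_INSTALL_LIBSOFTOKN would benefit from the same kind of hint, and the softokn entry says `~530 kB` where the other entries use kiB.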
diff --git a/rules/nss.make b/rules/nss.make
index 44febc416711..6a003dd1743f 100644
--- a/rules/nss.make
+++ b/rules/nss.make
@@ -48,13 +48,18 @@ NSS_MAKE_ENV := \
 	BUILD_OPT=1 \
 	MOZILLA_CLIENT=1 \
 	NS_USE_GCC=1 \
-	NSS_USE_SYSTEM_SQLITE=1 \
 	NSS_ENABLE_ECC=1 \
 	NSS_DISABLE_GTESTS=1 \
 	NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \
 	USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) \
 	USE_NEON=$(call ptx/ifdef, PTXCONF_ARCH_ARM_NEON,1)
 
+# unless needed, prevent an additional runtime dependency by using the bundled,
+# statically-linked sqlite, but not installing anything that links to it
+ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN
+NSS_MAKE_ENV += NSS_USE_SYSTEM_SQLITE=1
+endif
+
 NSS_MAKE_PAR := NO
 NSS_MAKE_OPT := \
 	OS_ARCH=Linux \
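Review bot: The `ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN` guard looks inverted. rules/nss.in in this patch selects SQLITE only when NSS_INSTALL_LIBSOFTOKN is set, and the comment says the bundled sqlite is meant for the case where nothing linking to it is installed, yet as written `NSS_USE_SYSTEM_SQLITE=1` is passed exactly when the system SQLite is not selected. With softoken enabled, the installed libsoftokn3 would then presumably be built against the bundled, statically linked SQLite, so the certificate/key database code would not pick up fixes delivered through the SQLITE package. I would expect `ifdef PTXCONF_NSS_INSTALL_LIBSOFTOKN` here. The NSS_MAKE_OPT assignment continues outside the hunk.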
@@ -72,14 +77,13 @@ NSS_INSTALL_OPT := \
 NSS_LIBS := \
 	libnss3 \
 	libnssutil3 \
-	libsmime3 \
-	libssl3 \
-	libfreebl3 \
-	libfreeblpriv3 \
-	libnssckbi \
-	libnssdbm3 \
-	libsoftokn3
-
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \
+	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,)
 
 $(STATEDIR)/nss.install:
 	@$(call targetinfo)
diff --git a/rules/qt5.in b/rules/qt5.in
index 162ea8b9beba..a5f8f3b94c4b 100644
--- a/rules/qt5.in
+++ b/rules/qt5.in
@@ -59,6 +59,8 @@ menuconfig QT5
 	select NSPR			if QT5_MODULE_QTWEBENGINE
 	select HOST_NSPR		if QT5_MODULE_QTWEBENGINE
 	select NSS			if QT5_MODULE_QTWEBENGINE
+	select NSS_INSTALL_LIBNSSCKBI	if QT5_MODULE_QTWEBENGINE
+	select NSS_INSTALL_LIBSMIME	if QT5_MODULE_QTWEBENGINE
 	select HOST_NSS			if QT5_MODULE_QTWEBENGINE
 	select HOST_NINJA		if QT5_MODULE_QTWEBENGINE
 	select ALSA_LIB			if QT5_MODULE_QTMULTIMEDIA || QT5_MODULE_QTWEBENGINE_MEDIA
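Review bot: The QtWebEngine selects added here cover libnssckbi and libsmime but not NSS_INSTALL_LIBSOFTOKN, and softoken/FreeBL are runtime-loaded modules that would not show up as link-time dependencies of the Qt binaries. As far as I know, libnss3 loads softoken during initialisation as its internal PKCS#11 module, so an image with QtWebEngine enabled and softoken deselected may fail NSS initialisation at runtime. This should be verified on a target and, if confirmed, `select NSS_INSTALL_LIBSOFTOKN if QT5_MODULE_QTWEBENGINE` added next to the two new lines. The menuconfig QT5 entry starts and continues outside the hunk.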
-- 
2.27.0

