From: Roland Hieber <rhi@pengutronix.de>
To: ptxdist@pengutronix.de
Subject: Re: [ptxdist] [PATCH v2] nss: make installed libraries configurable
Date: Fri, 19 Jun 2020 14:33:03 +0200
Message-ID: <20200619123303.2o5tfxpnwyxvfz6c@pengutronix.de>
In-Reply-To: <20200619123131.770-1-rhi@pengutronix.de>
Ah, that was supposed to be -v2, of course.
- Roland
On Fri, Jun 19, 2020 at 02:31:31PM +0200, Roland Hieber wrote:
> Most NSS modules are only needed if any software links to them, or loads
> them at runtime (e.g. as a PKCS#11 module). In extreme cases, we can
> slim down the installation by more than 1 MiB, and also get rid of the
> SQLite dependency.
>
> Qt5WebEngine and ecryptfs-utils are currently the only users of NSS, pin
> down their respective sub-dependencies.
>
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> ---
> v1 -> v2:
> - rebase to current master
> - fix ecryptfs dependency, only libsoftokn is needed
> - format libsoftokn help text a bit nicer
>
> Range-diff:
> 1: 6fc40ec92172 ! 772: a2711cfe218b nss: make installed libraries configurable
> @@ Commit message
>
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
>
> ## rules/ecryptfs-utils.in ##
> @@ rules/ecryptfs-utils.in: menuconfig ECRYPTFS_UTILS
> prompt "ecryptfs-utils "
> select KEYUTILS
> select NSS
> -+ select NSS_INSTALL_LIBSSL
> -+ select NSS_INSTALL_LIBSMIME
> ++ select NSS_INSTALL_LIBSOFTOKN
> select HOST_INTLTOOL
> select BASH if ECRYPTFS_UTILS_TESTS
> select COREUTILS if ECRYPTFS_UTILS_TESTS
> @@ rules/nss.in
> + additional dependency on SQLite.
> +
> + FreeBL is a base library providing hash functions, big number
> -+ calculations, and cryptographic algorithms. DBM is a legacy library
> -+ providing database storage. Softoken is an NSS module that exposes
> -+ most FreeBL functionality as a PKCS#11 module, and can make use of DBM
> -+ or SQLite at runtime.
> ++ calculations, and cryptographic algorithms.
> ++
> ++ DBM is a legacy library providing database storage.
> ++
> ++ Softoken is an NSS module that exposes most FreeBL functionality as a
> ++ PKCS#11 module, and can make use of DBM or SQLite at runtime.
> +
> +endif
>
> @@ rules/nss.make: NSS_MAKE_ENV := \
> NSS_ENABLE_ECC=1 \
> NSS_DISABLE_GTESTS=1 \
> NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \
> - USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1)
> + USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) \
> + USE_NEON=$(call ptx/ifdef, PTXCONF_ARCH_ARM_NEON,1)
>
> +# unless needed, prevent an additional runtime dependency by using the bundled,
> +# statically-linked sqlite, but not installing anything that links to it
>
> rules/ecryptfs-utils.in | 1 +
> rules/nss.in | 58 ++++++++++++++++++++++++++++++++++++++---
> rules/nss.make | 22 +++++++++-------
> rules/qt5.in | 2 ++
> 4 files changed, 71 insertions(+), 12 deletions(-)
>
> diff --git a/rules/ecryptfs-utils.in b/rules/ecryptfs-utils.in
> index 5087f79d3ca2..8a62443bdddb 100644
> --- a/rules/ecryptfs-utils.in
> +++ b/rules/ecryptfs-utils.in
> @@ -5,6 +5,7 @@ menuconfig ECRYPTFS_UTILS
> prompt "ecryptfs-utils "
> select KEYUTILS
> select NSS
> + select NSS_INSTALL_LIBSOFTOKN
> select HOST_INTLTOOL
> select BASH if ECRYPTFS_UTILS_TESTS
> select COREUTILS if ECRYPTFS_UTILS_TESTS
> diff --git a/rules/nss.in b/rules/nss.in
> index 3e4a07a75404..799bd5a73ae0 100644
> --- a/rules/nss.in
> +++ b/rules/nss.in
> @@ -1,13 +1,65 @@
> ## SECTION=networking
>
> -config NSS
> +menuconfig NSS
> tristate
> - prompt "nss"
> + prompt "nss "
> select NSPR
> - select SQLITE
> + select SQLITE if NSS_INSTALL_LIBSOFTOKN
> help
> Network Security Services (NSS) is a set of libraries designed to
> support cross-platform development of security-enabled client and
> server applications. Applications built with NSS can support
> SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME,
> X.509 v3 certificates, and other security standards.
> +
> +if NSS
> +
> +config NSS_INSTALL_LIBSMIME
> + bool
> + prompt "install libsmime"
> + default y
> + help
> + Install libsmime3.so, which adds about ~90 kiB to the footprint.
> +
> + libsmime provides functionality related to S/MIME (Cryptographic
> + Message Syntax, PKCS#7) used by secure email and some instant
> + messaging implementations.
> +
> +config NSS_INSTALL_LIBSSL
> + bool
> + prompt "install libssl"
> + default y
> + help
> + Install libssl3.so, which adds about ~200 kiB to the footprint.
> +
> + libssl implements the Secure Sockets Layer/Transport Layer Security
> + network protocols.
> +
> +config NSS_INSTALL_LIBNSSCKBI
> + bool
> + prompt "install libnssckbi"
> + default y
> + help
> + Install libnssckbi.so, which adds about ~350 kiB to the footprint.
> +
> + CKBI is a PKCS#11 module which provides a set of trust anchors (Root
> + CAs) and their trust assignments.
> +
> +config NSS_INSTALL_LIBSOFTOKN
> + bool
> + prompt "install libsoftokn"
> + default y
> + help
> + Install libfreebl3.so, libfreeblpriv3.so, libsoftokn3.so, and
> + libnssdbm3.so, which add about ~530 kB to the footprint, as well as an
> + additional dependency on SQLite.
> +
> + FreeBL is a base library providing hash functions, big number
> + calculations, and cryptographic algorithms.
> +
> + DBM is a legacy library providing database storage.
> +
> + Softoken is an NSS module that exposes most FreeBL functionality as a
> + PKCS#11 module, and can make use of DBM or SQLite at runtime.
> +
> +endif
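Review bot: The help text for NSS_INSTALL_LIBNSSCKBI says what the module provides (trust anchors and their trust assignments) but not what is lost when it is switched off. Suggest adding a sentence that without libnssckbi.so NSS ships no built-in root CAs, so anything validating certificates through NSS has to bring its own trust store. Two style points in the same help texts: "about ~90 kiB" doubles the approximation (drop either "about" or "~"), and the sizes mix kiB (libsmime, libssl, libnssckbi) with kB (libsoftokn).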
> diff --git a/rules/nss.make b/rules/nss.make
> index 44febc416711..6a003dd1743f 100644
> --- a/rules/nss.make
> +++ b/rules/nss.make
> @@ -48,13 +48,18 @@ NSS_MAKE_ENV := \
> BUILD_OPT=1 \
> MOZILLA_CLIENT=1 \
> NS_USE_GCC=1 \
> - NSS_USE_SYSTEM_SQLITE=1 \
> NSS_ENABLE_ECC=1 \
> NSS_DISABLE_GTESTS=1 \
> NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \
> USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) \
> USE_NEON=$(call ptx/ifdef, PTXCONF_ARCH_ARM_NEON,1)
>
> +# unless needed, prevent an additional runtime dependency by using the bundled,
> +# statically-linked sqlite, but not installing anything that links to it
> +ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN
> +NSS_MAKE_ENV += NSS_USE_SYSTEM_SQLITE=1
> +endif
> +
> NSS_MAKE_PAR := NO
> NSS_MAKE_OPT := \
> OS_ARCH=Linux \
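Review bot: The condition around NSS_USE_SYSTEM_SQLITE=1 looks inverted relative to both the comment above it and rules/nss.in. With "ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN" the system SQLite is requested exactly when libsoftokn is deselected, which is the case where nss.in no longer selects SQLITE, while the comment describes using the bundled, statically-linked sqlite in that case. If the intent is bundled sqlite when nothing that links to it gets installed and system SQLite otherwise, this should be "ifdef PTXCONF_NSS_INSTALL_LIBSOFTOKN". The comment would also read more clearly if it said which of the two cases the block handles.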
> @@ -72,14 +77,13 @@ NSS_INSTALL_OPT := \
> NSS_LIBS := \
> libnss3 \
> libnssutil3 \
> - libsmime3 \
> - libssl3 \
> - libfreebl3 \
> - libfreeblpriv3 \
> - libnssckbi \
> - libnssdbm3 \
> - libsoftokn3
> -
> + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \
> + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \
> + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \
> + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \
> + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \
> + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \
> + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,)
>
> $(STATEDIR)/nss.install:
> @$(call targetinfo)
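Review bot: In NSS_LIBS the four entries guarded by PTXCONF_NSS_INSTALL_LIBSOFTOKN repeat the same condition; one call carrying all four names, e.g. "$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3 libfreeblpriv3 libnssdbm3 libsoftokn3,)", keeps the list in step with the single Kconfig option. libnss3 and libnssutil3 stay unconditional, so a comment above the list should say which of the optional entries, if any, they need at runtime for a usable install.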
> diff --git a/rules/qt5.in b/rules/qt5.in
> index 162ea8b9beba..a5f8f3b94c4b 100644
> --- a/rules/qt5.in
> +++ b/rules/qt5.in
> @@ -59,6 +59,8 @@ menuconfig QT5
> select NSPR if QT5_MODULE_QTWEBENGINE
> select HOST_NSPR if QT5_MODULE_QTWEBENGINE
> select NSS if QT5_MODULE_QTWEBENGINE
> + select NSS_INSTALL_LIBNSSCKBI if QT5_MODULE_QTWEBENGINE
> + select NSS_INSTALL_LIBSMIME if QT5_MODULE_QTWEBENGINE
> select HOST_NSS if QT5_MODULE_QTWEBENGINE
> select HOST_NINJA if QT5_MODULE_QTWEBENGINE
> select ALSA_LIB if QT5_MODULE_QTMULTIMEDIA || QT5_MODULE_QTWEBENGINE_MEDIA
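Review bot: For QT5_MODULE_QTWEBENGINE only NSS_INSTALL_LIBNSSCKBI and NSS_INSTALL_LIBSMIME are selected, so a configuration whose only NSS user is QtWebEngine can now end up without libfreebl3/libsoftokn3 (and without libssl3). Since the new help text in rules/nss.in describes Softoken as the module exposing most FreeBL functionality (hash functions, cryptographic algorithms) over PKCS#11, the commit message should say how it was determined that QtWebEngine does not load it at runtime; if that was not tested with NSS_INSTALL_LIBSOFTOKN deselected, select it here as well.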
> --
> 2.27.0
>
>
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
>
--
Roland Hieber, Pengutronix e.K. | r.hieber@pengutronix.de |
Steuerwalder Str. 21 | https://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |