From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from ptx.hi.pengutronix.de ([2001:67c:670:100:1d::c0]) by metis.ext.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1jmGCe-0003nf-1x for ptxdist@pengutronix.de; Fri, 19 Jun 2020 14:33:04 +0200 Received: from rhi by ptx.hi.pengutronix.de with local (Exim 4.92) (envelope-from ) id 1jmGCd-0008VT-PG for ptxdist@pengutronix.de; Fri, 19 Jun 2020 14:33:03 +0200 Date: Fri, 19 Jun 2020 14:33:03 +0200 From: Roland Hieber Message-ID: <20200619123303.2o5tfxpnwyxvfz6c@pengutronix.de> References: <20190930093334.mhsilaqjogaz7x3q@pengutronix.de> <20200619123131.770-1-rhi@pengutronix.de> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20200619123131.770-1-rhi@pengutronix.de> Subject: Re: [ptxdist] [PATCH v2] nss: make installed libraries configurable List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ptxdist-bounces@pengutronix.de Sender: "ptxdist" To: ptxdist@pengutronix.de Ah, that was supposed to be -v2, of course. - Roland On Fri, Jun 19, 2020 at 02:31:31PM +0200, Roland Hieber wrote: > Most NSS modules are only needed if any software links to them, or loads > them at runtime (e.g. as a PKCS#11 module). In extreme cases, we can > slim down the installation by more than 1 MiB, and also get rid of the > SQLite dependency. > > Qt5WebEngine and ecryptfs-utils are currently the only users of NSS, pin > down their respective sub-dependencies. > > Signed-off-by: Roland Hieber > --- > v1 -> v2: > - rebase to current master > - fix ecryptfs depedency, only libsoftokn is needed > - format libsoftokn help text a bit nicer > > Range-diff: > 1: 6fc40ec92172 ! 772: a2711cfe218b nss: make installed libraries configurable > @@ Commit message 
> > Signed-off-by: Roland Hieber > > ## rules/ecryptfs-utils.in ## > @@ rules/ecryptfs-utils.in: menuconfig ECRYPTFS_UTILS > prompt "ecryptfs-utils " > select KEYUTILS > select NSS > -+ select NSS_INSTALL_LIBSSL > -+ select NSS_INSTALL_LIBSMIME > ++ select NSS_INSTALL_LIBSOFTOKN > select HOST_INTLTOOL > select BASH if ECRYPTFS_UTILS_TESTS > select COREUTILS if ECRYPTFS_UTILS_TESTS > @@ rules/nss.in > + additional dependency on SQLite. > + > + FreeBL is a base library providing hash functions, big number > -+ calculations, and cryptographic algorithms. DBM is a legacy library > -+ providing database storage. Softoken is an NSS module that exposes > -+ most FreeBL functionality as a PKCS#11 module, and can make use of DBM > -+ or SQLite at runtime. > ++ calculations, and cryptographic algorithms. > ++ > ++ DBM is a legacy library providing database storage. > ++ > ++ Softoken is an NSS module that exposes most FreeBL functionality as a > ++ PKCS#11 module, and can make use of DBM or SQLite at runtime. > + > +endif > > @@ rules/nss.make: NSS_MAKE_ENV := \ > NSS_ENABLE_ECC=1 \ > NSS_DISABLE_GTESTS=1 \ > NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \ > - USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) > + USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) \ > + USE_NEON=$(call ptx/ifdef, PTXCONF_ARCH_ARM_NEON,1) > > +# unless needed, prevent an additional runtime dependency by using the bundled, > +# statically-linked sqlite, but not installing anything that links to it > > rules/ecryptfs-utils.in | 1 + > rules/nss.in | 58 ++++++++++++++++++++++++++++++++++++++--- > rules/nss.make | 22 +++++++++------- > rules/qt5.in | 2 ++ > 4 files changed, 71 insertions(+), 12 deletions(-) > > diff --git a/rules/ecryptfs-utils.in b/rules/ecryptfs-utils.in > index 5087f79d3ca2..8a62443bdddb 100644 > --- a/rules/ecryptfs-utils.in > +++ b/rules/ecryptfs-utils.in 
> @@ -5,6 +5,7 @@ menuconfig ECRYPTFS_UTILS > prompt "ecryptfs-utils " > select KEYUTILS > select NSS > + select NSS_INSTALL_LIBSOFTOKN > select HOST_INTLTOOL > select BASH if ECRYPTFS_UTILS_TESTS > select COREUTILS if ECRYPTFS_UTILS_TESTS > diff --git a/rules/nss.in b/rules/nss.in > index 3e4a07a75404..799bd5a73ae0 100644 > --- a/rules/nss.in > +++ b/rules/nss.in 
> @@ -1,13 +1,65 @@ > ## SECTION=networking > > -config NSS > +menuconfig NSS > tristate > - prompt "nss" > + prompt "nss " > select NSPR > - select SQLITE > + select SQLITE if NSS_INSTALL_LIBSOFTOKN > help > Network Security Services (NSS) is a set of libraries designed to > support cross-platform development of security-enabled client and > server applications. Applications built with NSS can support > SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, > X.509 v3 certificates, and other security standards. > + > +if NSS > + > +config NSS_INSTALL_LIBSMIME > + bool > + prompt "install libsmime" > + default y > + help > + Install libsmime3.so, which adds about ~90 kiB to the footprint. > + > + libsmime provides functionality related to S/MIME (Cryptographic > + Message Syntax, PKCS#7) used by secure email and some instant > + messaging implementations. > + > +config NSS_INSTALL_LIBSSL > + bool > + prompt "install libssl" > + default y > + help > + Install libssl3.so, which adds about ~200 kiB to the footprint. > + > + libssl implements the Secure Sockets Layer/Transport Layer Security > + network protocols. > + > +config NSS_INSTALL_LIBNSSCKBI > + bool > + prompt "install libnssckbi" > + default y > + help > + Install libnssckbi.so, which adds about ~350 kiB to the footprint. > + > + CKBI is a PKCS#11 module which provides a set of trust anchors (Root > + CAs) and their trust assignments. > + > +config NSS_INSTALL_LIBSOFTOKN > + bool > + prompt "install libsoftokn" > + default y > + help > + Install libfreebl3.so, libfreeblpriv3.so, libsoftokn3.so, and > + libnssdbm3.so, which add about ~530 kB to the footprint, as well as an > + additional dependency on SQLite. > + > + FreeBL is a base library providing hash functions, big number > + calculations, and cryptographic algorithms. > + > + DBM is a legacy library providing database storage. 
> + > + Softoken is an NSS module that exposes most FreeBL functionality as a > + PKCS#11 module, and can make use of DBM or SQLite at runtime. > + > +endif > diff --git a/rules/nss.make b/rules/nss.make > index 44febc416711..6a003dd1743f 100644 > --- a/rules/nss.make > +++ b/rules/nss.make > @@ -48,13 +48,18 @@ NSS_MAKE_ENV := \ > BUILD_OPT=1 \ > MOZILLA_CLIENT=1 \ > NS_USE_GCC=1 \ > - NSS_USE_SYSTEM_SQLITE=1 \ > NSS_ENABLE_ECC=1 \ > NSS_DISABLE_GTESTS=1 \ > NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \ > USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) \ > USE_NEON=$(call ptx/ifdef, PTXCONF_ARCH_ARM_NEON,1) > > +# unless needed, prevent an additional runtime dependency by using the bundled, > +# statically-linked sqlite, but not installing anything that links to it > +ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN > +NSS_MAKE_ENV += NSS_USE_SYSTEM_SQLITE=1 > +endif > + > NSS_MAKE_PAR := NO > NSS_MAKE_OPT := \ > OS_ARCH=Linux \ > @@ -72,14 +77,13 @@ NSS_INSTALL_OPT := \ > NSS_LIBS := \ > libnss3 \ > libnssutil3 \ > - libsmime3 \ > - libssl3 \ > - libfreebl3 \ > - libfreeblpriv3 \ > - libnssckbi \ > - libnssdbm3 \ > - libsoftokn3 > - > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,) > > $(STATEDIR)/nss.install: > @$(call targetinfo) > diff --git a/rules/qt5.in b/rules/qt5.in > index 162ea8b9beba..a5f8f3b94c4b 100644 > --- a/rules/qt5.in > +++ b/rules/qt5.in 
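Review bot: The help texts for NSS_INSTALL_LIBNSSCKBI and NSS_INSTALL_LIBSOFTOKN in the rules/nss.in hunk state the size saved but not what stops working when the option is switched off. Both are described as PKCS#11 modules, which are loaded at runtime rather than linked, so a package that needs one and forgets the select will still build cleanly. I would add one sentence to each: for libnssckbi, `Without it NSS has no built-in root CAs; certificate validation fails unless trust anchors are provisioned another way.`, and for libsoftokn, `libnss3 loads Softoken as its internal crypto module at runtime; only disable this if nothing on the target initializes NSS.` The Softoken sentence rests on general NSS behaviour rather than on anything visible in this patch, so please confirm it before taking the wording.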
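Review bot: The new `ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN` block in the first rules/nss.make hunk looks inverted against both the comment above it and rules/nss.in. nss.in selects SQLITE only when NSS_INSTALL_LIBSOFTOKN is set, but here `NSS_USE_SYSTEM_SQLITE=1` is passed only when it is not set. As written, the softokn build would presumably use the bundled SQLite even though the system one was selected, and the build without softokn asks for a system SQLite that is no longer a dependency. If the comment states the intent, the line should read `ifdef PTXCONF_NSS_INSTALL_LIBSOFTOKN`. This matters for maintenance because a bundled copy behind the key and certificate database would not pick up fixes delivered through the sqlite package. The NSS_MAKE_ENV assignment starts above the hunk.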
> @@ -59,6 +59,8 @@ menuconfig QT5 > select NSPR if QT5_MODULE_QTWEBENGINE > select HOST_NSPR if QT5_MODULE_QTWEBENGINE > select NSS if QT5_MODULE_QTWEBENGINE > + select NSS_INSTALL_LIBNSSCKBI if QT5_MODULE_QTWEBENGINE > + select NSS_INSTALL_LIBSMIME if QT5_MODULE_QTWEBENGINE > select HOST_NSS if QT5_MODULE_QTWEBENGINE > select HOST_NINJA if QT5_MODULE_QTWEBENGINE > select ALSA_LIB if QT5_MODULE_QTMULTIMEDIA || QT5_MODULE_QTWEBENGINE_MEDIA > -- > 2.27.0 > > > _______________________________________________ > ptxdist mailing list > ptxdist@pengutronix.de > To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de > -- Roland Hieber, Pengutronix e.K. | r.hieber@pengutronix.de | Steuerwalder Str. 21 | https://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
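Review bot: The two added selects in rules/qt5.in pin libnssckbi and libsmime for QtWebEngine but not NSS_INSTALL_LIBSOFTOKN, which stays enabled only through its `default y`. If QtWebEngine initializes NSS at runtime it presumably needs Softoken and FreeBL too. Because those modules are loaded at runtime rather than linked, a configuration with the option switched off would build and then fail on the target. Please test a QtWebEngine image with libsoftokn disabled, and if it does not work add `select NSS_INSTALL_LIBSOFTOKN if QT5_MODULE_QTWEBENGINE`. The menuconfig QT5 block continues outside the hunk.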