mailarchive of the ptxdist mailing list
From: Michael Olbrich <m.olbrich@pengutronix.de>
To: ptxdist@pengutronix.de
Subject: Re: [ptxdist] [PATCH v3 1/2] nss: make installed libraries configurable
Date: Fri, 19 Jun 2020 17:04:47 +0200
Message-ID: <20200619150447.GC8810@pengutronix.de>
In-Reply-To: <20200619134425.12738-1-rhi@pengutronix.de>

On Fri, Jun 19, 2020 at 03:44:24PM +0200, Roland Hieber wrote:
> Most NSS modules are only needed if any software links to them, or loads
> them at runtime (e.g. as a PKCS#11 module). In extreme cases, we can
> slim down the installation by more than 1 MiB, and also get rid of the
> SQLite dependency.
> 
> Qt5WebEngine and ecryptfs-utils are currently the only users of NSS, pin
> down their respective sub-dependencies.
> 
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> ---
>  v2 -> v3: no changes
>  
>  v1 -> v2:
>   - rebase onto current master
>   - fix ecryptfs dependency, only libsoftokn is needed
>   - format libsoftokn help text a bit nicer
> 
>  rules/ecryptfs-utils.in |  1 +
>  rules/nss.in            | 58 ++++++++++++++++++++++++++++++++++++++---
>  rules/nss.make          | 22 +++++++++-------
>  rules/qt5.in            |  2 ++
>  4 files changed, 71 insertions(+), 12 deletions(-)
> 
> diff --git a/rules/ecryptfs-utils.in b/rules/ecryptfs-utils.in
> index 5087f79d3ca2..8a62443bdddb 100644
> --- a/rules/ecryptfs-utils.in
> +++ b/rules/ecryptfs-utils.in
> @@ -5,6 +5,7 @@ menuconfig ECRYPTFS_UTILS
>  	prompt "ecryptfs-utils                "
>  	select KEYUTILS
>  	select NSS
> +	select NSS_INSTALL_LIBSOFTOKN

This is loaded dynamically, right? There should be a comment here,
otherwise someone will try to remove it because it seems unused.

>  	select HOST_INTLTOOL
>  	select BASH			if ECRYPTFS_UTILS_TESTS
>  	select COREUTILS		if ECRYPTFS_UTILS_TESTS
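Review bot: `select NSS_INSTALL_LIBSOFTOKN` needs a comment saying why ecryptfs-utils depends on it. Unlike a library on the link line, a module that is only loaded at runtime (the mechanism the commit message describes for PKCS#11 modules) produces no build failure when it is missing, so without a note such as `# libsoftokn3 is loaded at runtime, not linked` the next cleanup will drop the select as unused. The commit message should also say how the dependency was established; the v1 -> v2 note narrows it from NSS to "only libsoftokn" without saying what test showed that.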
> diff --git a/rules/nss.in b/rules/nss.in
> index 3e4a07a75404..799bd5a73ae0 100644
> --- a/rules/nss.in
> +++ b/rules/nss.in
> @@ -1,13 +1,65 @@
>  ## SECTION=networking
>  
> -config NSS
> +menuconfig NSS
>  	tristate
> -	prompt "nss"
> +	prompt "nss                           "
>  	select NSPR
> -	select SQLITE
> +	select SQLITE	if NSS_INSTALL_LIBSOFTOKN
>  	help
>  	  Network Security Services (NSS) is a set of libraries designed to
>  	  support cross-platform development of security-enabled client and
>  	  server applications. Applications built with NSS can support
>  	  SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME,
>  	  X.509 v3 certificates, and other security standards.
> +
> +if NSS
> +
> +config NSS_INSTALL_LIBSMIME
> +	bool
> +	prompt "install libsmime"
> +	default y

Remove the default. This is something libs/programs link to, so building
will fail if it's needed and missing.

> +	help
> +	  Install libsmime3.so, which adds about ~90 kiB to the footprint.
> +
> +	  libsmime provides functionality related to S/MIME (Cryptographic
> +	  Message Syntax, PKCS#7) used by secure email and some instant
> +	  messaging implementations.
> +
> +config NSS_INSTALL_LIBSSL
> +	bool
> +	prompt "install libssl"
> +	default y

Same here.

> +	help
> +	  Install libssl3.so, which adds about ~200 kiB to the footprint.
> +
> +	  libssl implements the Secure Sockets Layer/Transport Layer Security
> +	  network protocols.
> +
> +config NSS_INSTALL_LIBNSSCKBI
> +	bool
> +	prompt "install libnssckbi"
> +	default y
> +	help
> +	  Install libnssckbi.so, which adds about ~350 kiB to the footprint.
> +
> +	  CKBI is a PKCS#11 module which provides a set of trust anchors (Root
> +	  CAs) and their trust assignments.

This is loaded dynamically. So how should a package creator know, when this
is needed?

> +config NSS_INSTALL_LIBSOFTOKN
> +	bool
> +	prompt "install libsoftokn"
> +	default y
> +	help
> +	  Install libfreebl3.so, libfreeblpriv3.so, libsoftokn3.so, and
> +	  libnssdbm3.so, which add about ~530 kB to the footprint, as well as an
> +	  additional dependency on SQLite.
> +
> +	  FreeBL is a base library providing hash functions, big number
> +	  calculations, and cryptographic algorithms.
> +
> +	  DBM is a legacy library providing database storage.

Is this loaded dynamically? I'm not seeing any users and if this is legacy
then maybe we shouldn't install it at all?

> +	  Softoken is an NSS module that exposes most FreeBL functionality as a

	Softokn (without the 'e'), right?

> +	  PKCS#11 module, and can make use of DBM or SQLite at runtime.

So softokn is loaded dynamically by libnss3, right? Same question as above.
And what exactly is the relationship with libfreebl3.so? Is that loaded
dynamically by softokn? Same with libnssdbm3.so.

> +endif
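Review bot: `default y` is set on all four options, but they are not alike. NSS_INSTALL_LIBSMIME and NSS_INSTALL_LIBSSL are linked by their consumers, so a missing library fails at link time and the default buys nothing except a larger default image. NSS_INSTALL_LIBNSSCKBI and NSS_INSTALL_LIBSOFTOKN are, per the commit message, loaded at runtime, so for them the default is the only thing protecting existing configurations, and a package that selects NSS gets no build-time signal that it needs them; the help texts should state this ("not linked; loaded at runtime, a missing file is noticed only when the module is loaded") so a package author knows when to `select` the option. Two smaller points in the same hunk: `select SQLITE if NSS_INSTALL_LIBSOFTOKN` is only right if rules/nss.make really builds softokn against the system sqlite in exactly that case, and the libsoftokn help text bundles libnssdbm3, which it itself calls legacy, without naming anything that still loads it; either document the user or give it its own option that defaults to off.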
> diff --git a/rules/nss.make b/rules/nss.make
> index 44febc416711..6a003dd1743f 100644
> --- a/rules/nss.make
> +++ b/rules/nss.make
> @@ -48,13 +48,18 @@ NSS_MAKE_ENV := \
>  	BUILD_OPT=1 \
>  	MOZILLA_CLIENT=1 \
>  	NS_USE_GCC=1 \
> -	NSS_USE_SYSTEM_SQLITE=1 \
>  	NSS_ENABLE_ECC=1 \
>  	NSS_DISABLE_GTESTS=1 \
>  	NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \
>  	USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) \
>  	USE_NEON=$(call ptx/ifdef, PTXCONF_ARCH_ARM_NEON,1)
>  
> +# unless needed, prevent an additional runtime dependency by using the bundled,
> +# statically-linked sqlite, but not installing anything that links to it
> +ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN
> +NSS_MAKE_ENV += NSS_USE_SYSTEM_SQLITE=1
> +endif
> +
>  NSS_MAKE_PAR := NO
>  NSS_MAKE_OPT := \
>  	OS_ARCH=Linux \
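Review bot: the condition on NSS_USE_SYSTEM_SQLITE is inverted with respect to both the comment above it and rules/nss.in. NSS_USE_SYSTEM_SQLITE=1 makes NSS build against the sysroot's sqlite instead of its bundled copy, yet it is now set under `ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN`, i.e. exactly in the configuration where `select SQLITE if NSS_INSTALL_LIBSOFTOKN` does not put sqlite into the sysroot, so that build will fail to find sqlite3.h or pick up whatever sqlite happens to be there; with NSS_INSTALL_LIBSOFTOKN enabled the bundled copy is used and the selected SQLITE package is pulled in for nothing. Change it to `ifdef PTXCONF_NSS_INSTALL_LIBSOFTOKN`, and check in both configurations with `readelf -d libsoftokn3.so | grep NEEDED` that the result matches what the comment promises.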
> @@ -72,14 +77,13 @@ NSS_INSTALL_OPT := \
>  NSS_LIBS := \
>  	libnss3 \
>  	libnssutil3 \
> -	libsmime3 \
> -	libssl3 \
> -	libfreebl3 \
> -	libfreeblpriv3 \
> -	libnssckbi \
> -	libnssdbm3 \
> -	libsoftokn3
> -
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \
> +	$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,)

I think something like this is more readable:

NSS_LIBS-y					:= libnss3
NSS_LIBS-y					+= libnssutil3
NSS_LIBS-$(PTXCONF_NSS_INSTALL_LIBSMIME)	+= libsmime3
...

>  $(STATEDIR)/nss.install:
>  	@$(call targetinfo)
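Review bot: the four `$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, ...)` lines repeat one condition with an empty else branch each, and the blank line that separated `NSS_LIBS` from the `$(STATEDIR)/nss.install` target is dropped together with the old list. The `NSS_LIBS-y` form suggested above keeps the four softokn libraries visibly together, e.g. `NSS_LIBS-$(PTXCONF_NSS_INSTALL_LIBSOFTOKN) += libfreebl3 libfreeblpriv3 libnssdbm3 libsoftokn3`, with the install loop iterating over `$(NSS_LIBS-y)`; whichever form is kept, restore the blank line before the target.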
> diff --git a/rules/qt5.in b/rules/qt5.in
> index 162ea8b9beba..a5f8f3b94c4b 100644
> --- a/rules/qt5.in
> +++ b/rules/qt5.in
> @@ -59,6 +59,8 @@ menuconfig QT5
>  	select NSPR			if QT5_MODULE_QTWEBENGINE
>  	select HOST_NSPR		if QT5_MODULE_QTWEBENGINE
>  	select NSS			if QT5_MODULE_QTWEBENGINE
> +	select NSS_INSTALL_LIBNSSCKBI	if QT5_MODULE_QTWEBENGINE

How do you know that this is needed?

> +	select NSS_INSTALL_LIBSMIME	if QT5_MODULE_QTWEBENGINE

Does the current Qt5 version link to this? If yes, which file? I only have
Qt 5.15 here right now (should hit master soon) and that only needs libnss3
and nssutil3.



In general, I'm not convinced that this whole thing is a good idea.
We're possibly skipping plugins that are usually always available, so the
error paths are probably not very well tested. And this is security related
stuff.

Michael

>  	select HOST_NSS			if QT5_MODULE_QTWEBENGINE
>  	select HOST_NINJA		if QT5_MODULE_QTWEBENGINE
>  	select ALSA_LIB			if QT5_MODULE_QTMULTIMEDIA || QT5_MODULE_QTWEBENGINE_MEDIA
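Review bot: neither new select says how the dependency was established, and the two differ in kind. libsmime3 would be a link-time dependency, which can be checked mechanically on the built sysroot, e.g. `readelf -d libQt5WebEngineCore.so* | grep NEEDED`; if libsmime3.so is not in that list (the reply above reports only libnss3 and libnssutil3 for Qt 5.15) the select should go. libnssckbi is only ever loaded at runtime as a PKCS#11 module, so a NEEDED check cannot confirm it; the evidence has to come from the QtWebEngine/Chromium NSS initialisation code or from a TLS test on a rootfs without libnssckbi.so. Put a one-line comment with that evidence next to each select.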
> -- 
> 2.27.0
> 
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
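
The question running through this review, whether a library is linked or only loaded at runtime, can be answered mechanically for the linked half. The script below is an added example written for this page; it is not ptxdist, NSS or Qt code. It reads the DT_NEEDED entries of an ELF file with the standard library only (so it works on a cross-built ARM sysroot from the build host, without a target readelf) and, separately, reports as a heuristic which NSS runtime-module names appear as strings in the image. The NSS_LIBS set is copied from the patch; the RUNTIME_MODULES name list, the module-spec string in the sample, and the sample ELF image itself are assumptions constructed for the example.

```python
"""Added example (not ptxdist or NSS code): separate the NSS libraries a
binary needs at link time (DT_NEEDED entries) from the modules it may only
load at runtime.  Standard library only; the ELF image parsed below is
constructed inline and is not a real binary, so everything runs offline."""
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10

# sonames from NSS_LIBS in the patch, without ".so"
NSS_LIBS = {"libnss3", "libnssutil3", "libsmime3", "libssl3", "libfreebl3",
            "libfreeblpriv3", "libnssckbi", "libnssdbm3", "libsoftokn3"}
# assumed dlopen()ed modules; NSS builds the file name at runtime, so only
# the short name is reliably present as a string in the loading library
RUNTIME_MODULES = (b"softokn3", b"freebl3", b"freeblpriv3", b"nssdbm3", b"nssckbi")


def dt_needed(data):
    """Return the DT_NEEDED names of an ELF32/ELF64 image (either endianness)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, end = data[4] == 2, "<" if data[5] == 1 else ">"
    if is64:
        ehdr = struct.unpack_from(end + "16sHHIQQQIHHHHHH", data)
        phdr_fmt, dyn_fmt = end + "IIQQQQQQ", end + "qQ"
    else:
        ehdr = struct.unpack_from(end + "16sHHIIIIIHHHHHH", data)
        phdr_fmt, dyn_fmt = end + "IIIIIIII", end + "iI"
    e_phoff, e_phentsize, e_phnum = ehdr[5], ehdr[9], ehdr[10]
    loads, dynamic = [], None
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if is64:  # p_flags follows p_type in ELF64 but comes last in ELF32
            p_type, _, p_offset, p_vaddr, _, p_filesz, p_memsz, _ = ph
        else:
            p_type, p_offset, p_vaddr, _, p_filesz, p_memsz, _, _ = ph
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_memsz, p_offset))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_offset + p_filesz)
    if dynamic is None:
        return []  # statically linked: the loader resolves nothing
    needed, strtab, strsz = [], None, None
    off, end_off = dynamic
    size = struct.calcsize(dyn_fmt)
    while off + size <= end_off:
        tag, val = struct.unpack_from(dyn_fmt, data, off)
        off += size
        if tag == DT_NULL:
            break
        if tag == DT_STRTAB:
            strtab = val
        elif tag == DT_STRSZ:
            strsz = val
        elif tag == DT_NEEDED:
            needed.append(val)
    if strtab is None or strsz is None:
        raise ValueError("dynamic section without DT_STRTAB/DT_STRSZ")
    for vaddr, memsz, p_offset in loads:  # DT_STRTAB is a vaddr: map via PT_LOAD
        if vaddr <= strtab < vaddr + memsz:
            base = strtab - vaddr + p_offset
            break
    else:
        raise ValueError("DT_STRTAB not covered by any PT_LOAD segment")
    return [data[base + i:base + strsz].split(b"\0", 1)[0].decode()
            for i in needed]


def runtime_hints(data):
    """Heuristic: a short module name in the image means 'may be dlopen()ed'."""
    return sorted(m.decode() for m in RUNTIME_MODULES if m in data)


def classify(data):
    """NSS dependencies split into linked (verifiable) and runtime (heuristic)."""
    linked = [n.split(".so")[0] for n in dt_needed(data)]
    return {"linked": [n for n in linked if n in NSS_LIBS],
            "runtime_hints": runtime_hints(data)}


def build_sample_elf():
    """Constructed ELF64 LE image: one PT_LOAD over the whole file, a dynamic
    segment naming three libraries, and a softoken-style module spec string."""
    needed = [b"libnss3.so", b"libnssutil3.so", b"libc.so.6"]
    strtab, offsets = b"\0", []
    for name in needed:
        offsets.append(len(strtab))
        strtab += name + b"\0"
    strtab += b"library=libsoftokn3.so name=NSS Internal PKCS #11 Module\0"
    dyn_off = 64 + 2 * 56                       # ELF header + two phdrs
    str_off = dyn_off + 16 * (len(needed) + 3)  # NEEDED*n, STRTAB, STRSZ, NULL
    dyn = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in offsets)
    dyn += struct.pack("<qQqQqQ", DT_STRTAB, str_off, DT_STRSZ, len(strtab),
                       DT_NULL, 0)
    total = str_off + len(strtab)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    dynamic = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                          len(dyn), len(dyn), 8)
    return ehdr + load + dynamic + dyn + strtab
```

Run `classify(open(path, "rb").read())` over the executables and .so files in the sysroot. A name under `linked` is a hard dependency that the dynamic loader enforces, which is why a missing libsmime3 or libssl3 is caught at link time and needs no `default y`; a name under `runtime_hints` only says where to look next, since a loader library that carries the string "softokn3" would fail only when NSS initialises, not when the image is built, which is the case the reviewer's questions are about.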

Thread overview: 10+ messages
2019-09-24 15:14 [ptxdist] [PATCH v1] " Roland Hieber
2019-09-30  9:33 ` Roland Hieber
2020-06-19 12:31   ` [ptxdist] [PATCH] " Roland Hieber
2020-06-19 12:33     ` [ptxdist] [PATCH v2] " Roland Hieber
2020-06-19 13:44 ` [ptxdist] [PATCH v3 1/2] " Roland Hieber
2020-06-19 13:44   ` [ptxdist] [PATCH v3 2/2] nss: install all libraries into the sysroot Roland Hieber
2020-06-19 14:15     ` Michael Olbrich
2020-06-19 15:04   ` Michael Olbrich [this message]
2020-06-19 15:30     ` [ptxdist] [PATCH v3 1/2] nss: make installed libraries configurable Michael Olbrich
2020-06-22 10:02     ` Roland Hieber
