From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from dude02.hi.pengutronix.de ([2001:67c:670:100:1d::28] helo=dude02.lab.pengutronix.de) by metis.ext.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1jmIxz-0002h6-Kh for ptxdist@pengutronix.de; Fri, 19 Jun 2020 17:30:07 +0200 Received: from mol by dude02.lab.pengutronix.de with local (Exim 4.92) (envelope-from ) id 1jmIxz-0003Sp-CT for ptxdist@pengutronix.de; Fri, 19 Jun 2020 17:30:07 +0200 Date: Fri, 19 Jun 2020 17:30:07 +0200 From: Michael Olbrich Message-ID: <20200619153007.GD8810@pengutronix.de> References: <20190924151427.18850-1-rhi@pengutronix.de> <20200619134425.12738-1-rhi@pengutronix.de> <20200619150447.GC8810@pengutronix.de> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20200619150447.GC8810@pengutronix.de> Subject: Re: [ptxdist] [PATCH v3 1/2] nss: make installed libraries configurable List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ptxdist-bounces@pengutronix.de Sender: "ptxdist" To: ptxdist@pengutronix.de On Fri, Jun 19, 2020 at 05:04:47PM +0200, Michael Olbrich wrote: > On Fri, Jun 19, 2020 at 03:44:24PM +0200, Roland Hieber wrote: > > Most NSS modules are only needed if any software links to them, or loads > > them at runtime (e.g. as a PKCS#11 module). In extreme cases, we can > > slim down the installation by more than 1 MiB, and also get rid of the > > SQLite dependency. > > > > Qt5WebEngine and ecryptfs-utils are currently the only users of NSS, pin > > down their respective sub-dependencies. > > > > Signed-off-by: Roland Hieber > > --- > > v2 -> v3: no changes > > > > v1 -> v2: > > - rebase onto current master > > - fix ecryptfs depedency, only libsoftokn is needed > > - format libsoftokn help text a bit nicer > > > > rules/ecryptfs-utils.in | 1 + > > rules/nss.in | 58 ++++++++++++++++++++++++++++++++++++++--- > > rules/nss.make | 22 +++++++++------- > > rules/qt5.in | 2 ++ > > 4 files changed, 71 insertions(+), 12 deletions(-) > > > > diff --git a/rules/ecryptfs-utils.in b/rules/ecryptfs-utils.in > > index 5087f79d3ca2..8a62443bdddb 100644 > > --- a/rules/ecryptfs-utils.in > > +++ b/rules/ecryptfs-utils.in > > @@ -5,6 +5,7 @@ menuconfig ECRYPTFS_UTILS > > prompt "ecryptfs-utils " > > select KEYUTILS > > select NSS > > + select NSS_INSTALL_LIBSOFTOKN > > This is loaded dynamically, right? There should be a comment here, > otherwise someone will try to remove it because it seems unused. > > > select HOST_INTLTOOL > > select BASH if ECRYPTFS_UTILS_TESTS > > select COREUTILS if ECRYPTFS_UTILS_TESTS > > diff --git a/rules/nss.in b/rules/nss.in > > index 3e4a07a75404..799bd5a73ae0 100644 > > --- a/rules/nss.in > > +++ b/rules/nss.in > > @@ -1,13 +1,65 @@ > > ## SECTION=networking > > > > -config NSS > > +menuconfig NSS > > tristate > > - prompt "nss" > > + prompt "nss " > > select NSPR > > - select SQLITE > > + select SQLITE if NSS_INSTALL_LIBSOFTOKN > > help > > Network Security Services (NSS) is a set of libraries designed to > > support cross-platform development of security-enabled client and > > server applications. Applications built with NSS can support > > SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, > > X.509 v3 certificates, and other security standards. > > + > > +if NSS > > + > > +config NSS_INSTALL_LIBSMIME > > + bool > > + prompt "install libsmime" > > + default y > > Remove the default. This is something libs/programs link to, so building > will fail if its needed and missing. > > > + help > > + Install libsmime3.so, which adds about ~90 kiB to the footprint. > > + > > + libsmime provides functionality related to S/MIME (Cryptographic > > + Message Syntax, PKCS#7) used by secure email and some instant > > + messaging implementations. > > + > > +config NSS_INSTALL_LIBSSL > > + bool > > + prompt "install libssl" > > + default y > > Same here. > > > + help > > + Install libssl3.so, which adds about ~200 kiB to the footprint. > > + > > + libssl implements the Secure Sockets Layer/Transport Layer Security > > + network protocols. > > + > > +config NSS_INSTALL_LIBNSSCKBI > > + bool > > + prompt "install libnssckbi" > > + default y > > + help > > + Install libnssckbi.so, which adds about ~350 kiB to the footprint. > > + > > + CKBI is a PKCS#11 module which provides a set of trust anchors (Root > > + CAs) and their trust assignments. > > This is loaded dynamically. So how should a package creator know, when this > is needed? > > > +config NSS_INSTALL_LIBSOFTOKN > > + bool > > + prompt "install libsoftokn" > > + default y > > + help > > + Install libfreebl3.so, libfreeblpriv3.so, libsoftokn3.so, and > > + libnssdbm3.so, which add about ~530 kB to the footprint, as well as an > > + additional dependency on SQLite. > > + > > + FreeBL is a base library providing hash functions, big number > > + calculations, and cryptographic algorithms. > > + > > + DBM is a legacy library providing database storage. > > Is this loaded dynamically? I'm not seeing any users and if this is legacy > then maybe we shouldn't install it at all? > > > + Softoken is an NSS module that exposes most FreeBL functionality as a > > Softokn (without the 'e'), right? > > > + PKCS#11 module, and can make use of DBM or SQLite at runtime. > > So softokn is loaded dynamically by libnss3, right? Same question as above. > And what exactly is the relationship with libfreebl3.so? Is that loaded > dynamically by softokn? Same with libnssdbm3.so. > > > +endif > > diff --git a/rules/nss.make b/rules/nss.make > > index 44febc416711..6a003dd1743f 100644 > > --- a/rules/nss.make > > +++ b/rules/nss.make > > @@ -48,13 +48,18 @@ NSS_MAKE_ENV := \ > > BUILD_OPT=1 \ > > MOZILLA_CLIENT=1 \ > > NS_USE_GCC=1 \ > > - NSS_USE_SYSTEM_SQLITE=1 \ > > NSS_ENABLE_ECC=1 \ > > NSS_DISABLE_GTESTS=1 \ > > NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \ > > USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) \ > > USE_NEON=$(call ptx/ifdef, PTXCONF_ARCH_ARM_NEON,1) > > > > +# unless needed, prevent an additional runtime dependency by using the bundled, > > +# statically-linked sqlite, but not installing anything that links to it > > +ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN > > +NSS_MAKE_ENV += NSS_USE_SYSTEM_SQLITE=1 > > +endif > > + > > NSS_MAKE_PAR := NO > > NSS_MAKE_OPT := \ > > OS_ARCH=Linux \ > > @@ -72,14 +77,13 @@ NSS_INSTALL_OPT := \ > > NSS_LIBS := \ > > libnss3 \ > > libnssutil3 \ > > - libsmime3 \ > > - libssl3 \ > > - libfreebl3 \ > > - libfreeblpriv3 \ > > - libnssckbi \ > > - libnssdbm3 \ > > - libsoftokn3 > > - > > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \ > > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \ > > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \ > > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \ > > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \ > > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \ > > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,) > > I think something like this is more readable: > > NSS_LIBS-y := libnss3 > NSS_LIBS-y += libnssutil3 > NSS_LIBS-$(PTXCONF_NSS_INSTALL_LIBSMIME) += libsmime3 > ... > > > $(STATEDIR)/nss.install: > > @$(call targetinfo) > > diff --git a/rules/qt5.in b/rules/qt5.in > > index 162ea8b9beba..a5f8f3b94c4b 100644 > > --- a/rules/qt5.in > > +++ b/rules/qt5.in > > @@ -59,6 +59,8 @@ menuconfig QT5 > > select NSPR if QT5_MODULE_QTWEBENGINE > > select HOST_NSPR if QT5_MODULE_QTWEBENGINE > > select NSS if QT5_MODULE_QTWEBENGINE > > + select NSS_INSTALL_LIBNSSCKBI if QT5_MODULE_QTWEBENGINE > > How do you know that this is needed? > > > + select NSS_INSTALL_LIBSMIME if QT5_MODULE_QTWEBENGINE > > Does the current Qt5 version link to this? If yes, wich file? I only have > Qt 5.15 here right now (should hit master soon) and that only needs libnss3 > and nssutil3. > > > > In general, I'm not convinced that this whole thing is a good idea. > We're possibly skipping plugins that are usually always available, so the > error paths are probably not very well tested. And this is security related > stuff. So this is mostly to make the package smaller for ecryptfs-utils, right? I don't mind the options for smime and ssl. And softokn is needed there anyways. And for Qt, the size really doesn't matter. So we could keep that unconditionally. So the question is, how to handle nssckbi safely? Michael > > select HOST_NSS if QT5_MODULE_QTWEBENGINE > > select HOST_NINJA if QT5_MODULE_QTWEBENGINE > > select ALSA_LIB if QT5_MODULE_QTMULTIMEDIA || QT5_MODULE_QTWEBENGINE_MEDIA > > -- > > 2.27.0 > > > > > > _______________________________________________ > > ptxdist mailing list > > ptxdist@pengutronix.de > > To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de > > > > -- > Pengutronix e.K. | | > Steuerwalder Str. 21 | http://www.pengutronix.de/ | > 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | > Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | > > _______________________________________________ > ptxdist mailing list > ptxdist@pengutronix.de > To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de