* [ptxdist] [PATCH v1] nss: make installed libraries configurable @ 2019-09-24 15:14 Roland Hieber 2019-09-30 9:33 ` Roland Hieber 2020-06-19 13:44 ` [ptxdist] [PATCH v3 1/2] " Roland Hieber 0 siblings, 2 replies; 10+ messages in thread From: Roland Hieber @ 2019-09-24 15:14 UTC (permalink / raw) To: ptxdist; +Cc: Roland Hieber Most NSS modules are only needed if any software links to them, or loads them at runtime (e.g. as a PKCS#11 module). In extreme cases, we can slim down the installation by more than 1 MiB, and also get rid of the SQLite dependency. Qt5WebEngine and ecryptfs-utils are currently the only users of NSS, pin down their respective sub-dependencies. Signed-off-by: Roland Hieber <rhi@pengutronix.de> --- rules/ecryptfs-utils.in | 2 ++ rules/nss.in | 56 ++++++++++++++++++++++++++++++++++++++--- rules/nss.make | 22 +++++++++------- rules/qt5.in | 2 ++ 4 files changed, 70 insertions(+), 12 deletions(-) diff --git a/rules/ecryptfs-utils.in b/rules/ecryptfs-utils.in index 5087f79d3ca2..7ac44e11bdf3 100644 --- a/rules/ecryptfs-utils.in +++ b/rules/ecryptfs-utils.in @@ -5,6 +5,8 @@ menuconfig ECRYPTFS_UTILS prompt "ecryptfs-utils " select KEYUTILS select NSS + select NSS_INSTALL_LIBSSL + select NSS_INSTALL_LIBSMIME select HOST_INTLTOOL select BASH if ECRYPTFS_UTILS_TESTS select COREUTILS if ECRYPTFS_UTILS_TESTS diff --git a/rules/nss.in b/rules/nss.in index 3e4a07a75404..0f44a2b7d1c8 100644 --- a/rules/nss.in +++ b/rules/nss.in 
@@ -1,13 +1,63 @@ ## SECTION=networking -config NSS +menuconfig NSS tristate - prompt "nss" + prompt "nss " select NSPR - select SQLITE + select SQLITE if NSS_INSTALL_LIBSOFTOKN help Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. + +if NSS + +config NSS_INSTALL_LIBSMIME + bool + prompt "install libsmime" + default y + help + Install libsmime3.so, which adds about ~90 kiB to the footprint. + + libsmime provides functionality related to S/MIME (Cryptographic + Message Syntax, PKCS#7) used by secure email and some instant + messaging implementations. + +config NSS_INSTALL_LIBSSL + bool + prompt "install libssl" + default y + help + Install libssl3.so, which adds about ~200 kiB to the footprint. + + libssl implements the Secure Sockets Layer/Transport Layer Security + network protocols. + +config NSS_INSTALL_LIBNSSCKBI + bool + prompt "install libnssckbi" + default y + help + Install libnssckbi.so, which adds about ~350 kiB to the footprint. + + CKBI is a PKCS#11 module which provides a set of trust anchors (Root + CAs) and their trust assignments. + +config NSS_INSTALL_LIBSOFTOKN + bool + prompt "install libsoftokn" + default y + help + Install libfreebl3.so, libfreeblpriv3.so, libsoftokn3.so, and + libnssdbm3.so, which add about ~530 kB to the footprint, as well as an + additional dependency on SQLite. + + FreeBL is a base library providing hash functions, big number + calculations, and cryptographic algorithms. DBM is a legacy library + providing database storage. Softoken is an NSS module that exposes + most FreeBL functionality as a PKCS#11 module, and can make use of DBM + or SQLite at runtime. + +endif diff --git a/rules/nss.make b/rules/nss.make index 49406fb956c7..f9f322d94179 100644 --- a/rules/nss.make 
+++ b/rules/nss.make @@ -45,12 +45,17 @@ NSS_MAKE_ENV := \ BUILD_OPT=1 \ MOZILLA_CLIENT=1 \ NS_USE_GCC=1 \ - NSS_USE_SYSTEM_SQLITE=1 \ NSS_ENABLE_ECC=1 \ NSS_DISABLE_GTESTS=1 \ NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \ USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) +# unless needed, prevent an additional runtime dependency by using the bundled, +# statically-linked sqlite, but not installing anything that links to it +ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN +NSS_MAKE_ENV += NSS_USE_SYSTEM_SQLITE=1 +endif + NSS_MAKE_PAR := NO NSS_MAKE_OPT := \ OS_ARCH=Linux \ @@ -68,14 +73,13 @@ NSS_INSTALL_OPT := \ NSS_LIBS := \ libnss3 \ libnssutil3 \ - libsmime3 \ - libssl3 \ - libfreebl3 \ - libfreeblpriv3 \ - libnssckbi \ - libnssdbm3 \ - libsoftokn3 - + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,) $(STATEDIR)/nss.install: @$(call targetinfo) diff --git a/rules/qt5.in b/rules/qt5.in index 6c2de3cde04f..aa9b63f2fdf7 100644 --- a/rules/qt5.in +++ b/rules/qt5.in @@ -57,6 +57,8 @@ menuconfig QT5 select NSPR if QT5_MODULE_QTWEBENGINE select HOST_NSPR if QT5_MODULE_QTWEBENGINE select NSS if QT5_MODULE_QTWEBENGINE + select NSS_INSTALL_LIBNSSCKBI if QT5_MODULE_QTWEBENGINE + select NSS_INSTALL_LIBSMIME if QT5_MODULE_QTWEBENGINE select HOST_NSS if QT5_MODULE_QTWEBENGINE select HOST_NINJA if QT5_MODULE_QTWEBENGINE select ALSA_LIB if QT5_MODULE_QTMULTIMEDIA || QT5_MODULE_QTWEBENGINE_MEDIA -- 2.23.0 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de
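Review bot: in the rules/ecryptfs-utils.in hunk, `select NSS_INSTALL_LIBSSL` and `select NSS_INSTALL_LIBSMIME` pin exactly the two libraries that show up on a link line, but nothing pins NSS_INSTALL_LIBSOFTOKN, which the new nss.in help text describes as the PKCS#11 module that exposes the FreeBL crypto. Please check which NSS libraries ecryptfs-utils actually calls into at runtime rather than what it merely links against; as written, the selects keep libraries on the target that may never be used, while the one that does the cryptographic work can still be switched off underneath ecryptfs-utils.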
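Review bot: in the rules/nss.in hunk, `select SQLITE if NSS_INSTALL_LIBSOFTOKN` is now the only thing tying the SQLite dependency to an option, so the nss.make side has to build against the system SQLite exactly when this option is on, and against the bundled copy otherwise; please double-check the two agree. Two help-text nits: "about ~90 kiB" says approximately twice (drop either "about" or "~" in all four entries), and the libsoftokn entry uses "kB" where the other three use "kiB".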
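Review bot: the `ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN` block in the NSS_MAKE_ENV hunk is inverted relative to both its own comment and rules/nss.in. It adds `NSS_USE_SYSTEM_SQLITE=1` (link against the system SQLite) precisely when libsoftokn is not installed, while nss.in only does `select SQLITE if NSS_INSTALL_LIBSOFTOKN`. So the softokn-less configuration asks for a system SQLite that ptxdist was never told to build (libsoftokn3 is still compiled, just not installed), and the softokn configuration pulls SQLITE into the image but compiles NSS against the bundled copy anyway, which defeats the stated goal of dropping the dependency. Changing `ifndef` to `ifdef` makes the make rule match the comment and the kconfig dependency.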
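Review bot: in the NSS_LIBS hunk the four `$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, ...)` lines repeat the same condition for libraries the help text presents as one unit; if ptx/ifdef passes a multi-word value through unchanged, a single `$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3 libfreeblpriv3 libnssdbm3 libsoftokn3,)` keeps that grouping in one place. Also note that NSS_LIBS feeds the install stage that populates $(NSS_PKGDIR), so anything deselected here disappears from the sysroot as well as from the target; any package that still links against one of these libraries without needing it at runtime will then fail to link.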
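Review bot: the rules/qt5.in hunk selects NSS_INSTALL_LIBNSSCKBI (trust anchors) and NSS_INSTALL_LIBSMIME for QtWebEngine but not NSS_INSTALL_LIBSOFTOKN; if the softoken is what NSS needs to perform any cryptographic operation (the help text says it is the PKCS#11 module exposing FreeBL), then the trust anchors alone cannot verify a certificate chain, and QtWebEngine breaks as soon as a user disables the softokn option. Either select it here too, or state in the nss.in help text which consumers can genuinely do without it.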
* Re: [ptxdist] [PATCH v1] nss: make installed libraries configurable 2019-09-24 15:14 [ptxdist] [PATCH v1] nss: make installed libraries configurable Roland Hieber @ 2019-09-30 9:33 ` Roland Hieber 2020-06-19 12:31 ` [ptxdist] [PATCH] " Roland Hieber 2020-06-19 13:44 ` [ptxdist] [PATCH v3 1/2] " Roland Hieber 1 sibling, 1 reply; 10+ messages in thread From: Roland Hieber @ 2019-09-30 9:33 UTC (permalink / raw) To: ptxdist Please wait for a v2, I found a mismatched dependency in ecryptfs. - Roland On Tue, Sep 24, 2019 at 05:14:27PM +0200, Roland Hieber wrote: > Most NSS modules are only needed if any software links to them, or loads > them at runtime (e.g. as a PKCS#11 module). In extreme cases, we can > slim down the installation by more than 1 MiB, and also get rid of the > SQLite dependency. > > Qt5WebEngine and ecryptfs-utils are currently the only users of NSS, pin > down their respective sub-dependencies. > > Signed-off-by: Roland Hieber <rhi@pengutronix.de> > --- > rules/ecryptfs-utils.in | 2 ++ > rules/nss.in | 56 ++++++++++++++++++++++++++++++++++++++--- > rules/nss.make | 22 +++++++++------- > rules/qt5.in | 2 ++ > 4 files changed, 70 insertions(+), 12 deletions(-) > > diff --git a/rules/ecryptfs-utils.in b/rules/ecryptfs-utils.in > index 5087f79d3ca2..7ac44e11bdf3 100644 > --- a/rules/ecryptfs-utils.in > +++ b/rules/ecryptfs-utils.in > @@ -5,6 +5,8 @@ menuconfig ECRYPTFS_UTILS > prompt "ecryptfs-utils " > select KEYUTILS > select NSS > + select NSS_INSTALL_LIBSSL > + select NSS_INSTALL_LIBSMIME > select HOST_INTLTOOL > select BASH if ECRYPTFS_UTILS_TESTS > select COREUTILS if ECRYPTFS_UTILS_TESTS > diff --git a/rules/nss.in b/rules/nss.in > index 3e4a07a75404..0f44a2b7d1c8 100644 > --- a/rules/nss.in > +++ b/rules/nss.in 
> @@ -1,13 +1,63 @@ > ## SECTION=networking > > -config NSS > +menuconfig NSS > tristate > - prompt "nss" > + prompt "nss " > select NSPR > - select SQLITE > + select SQLITE if NSS_INSTALL_LIBSOFTOKN > help > Network Security Services (NSS) is a set of libraries designed to > support cross-platform development of security-enabled client and > server applications. Applications built with NSS can support > SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, > X.509 v3 certificates, and other security standards. > + > +if NSS > + > +config NSS_INSTALL_LIBSMIME > + bool > + prompt "install libsmime" > + default y > + help > + Install libsmime3.so, which adds about ~90 kiB to the footprint. > + > + libsmime provides functionality related to S/MIME (Cryptographic > + Message Syntax, PKCS#7) used by secure email and some instant > + messaging implementations. > + > +config NSS_INSTALL_LIBSSL > + bool > + prompt "install libssl" > + default y > + help > + Install libssl3.so, which adds about ~200 kiB to the footprint. > + > + libssl implements the Secure Sockets Layer/Transport Layer Security > + network protocols. > + > +config NSS_INSTALL_LIBNSSCKBI > + bool > + prompt "install libnssckbi" > + default y > + help > + Install libnssckbi.so, which adds about ~350 kiB to the footprint. > + > + CKBI is a PKCS#11 module which provides a set of trust anchors (Root > + CAs) and their trust assignments. > + > +config NSS_INSTALL_LIBSOFTOKN > + bool > + prompt "install libsoftokn" > + default y > + help > + Install libfreebl3.so, libfreeblpriv3.so, libsoftokn3.so, and > + libnssdbm3.so, which add about ~530 kB to the footprint, as well as an > + additional dependency on SQLite. > + > + FreeBL is a base library providing hash functions, big number > + calculations, and cryptographic algorithms. DBM is a legacy library > + providing database storage. 
Softoken is an NSS module that exposes > + most FreeBL functionality as a PKCS#11 module, and can make use of DBM > + or SQLite at runtime. > + > +endif > diff --git a/rules/nss.make b/rules/nss.make > index 49406fb956c7..f9f322d94179 100644 > --- a/rules/nss.make > +++ b/rules/nss.make > @@ -45,12 +45,17 @@ NSS_MAKE_ENV := \ > BUILD_OPT=1 \ > MOZILLA_CLIENT=1 \ > NS_USE_GCC=1 \ > - NSS_USE_SYSTEM_SQLITE=1 \ > NSS_ENABLE_ECC=1 \ > NSS_DISABLE_GTESTS=1 \ > NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \ > USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) > > +# unless needed, prevent an additional runtime dependency by using the bundled, > +# statically-linked sqlite, but not installing anything that links to it > +ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN > +NSS_MAKE_ENV += NSS_USE_SYSTEM_SQLITE=1 > +endif > + > NSS_MAKE_PAR := NO > NSS_MAKE_OPT := \ > OS_ARCH=Linux \ > @@ -68,14 +73,13 @@ NSS_INSTALL_OPT := \ > NSS_LIBS := \ > libnss3 \ > libnssutil3 \ > - libsmime3 \ > - libssl3 \ > - libfreebl3 \ > - libfreeblpriv3 \ > - libnssckbi \ > - libnssdbm3 \ > - libsoftokn3 > - > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,) > > $(STATEDIR)/nss.install: > @$(call targetinfo) > diff --git a/rules/qt5.in b/rules/qt5.in > index 6c2de3cde04f..aa9b63f2fdf7 100644 > --- a/rules/qt5.in > +++ b/rules/qt5.in 
> @@ -57,6 +57,8 @@ menuconfig QT5 > select NSPR if QT5_MODULE_QTWEBENGINE > select HOST_NSPR if QT5_MODULE_QTWEBENGINE > select NSS if QT5_MODULE_QTWEBENGINE > + select NSS_INSTALL_LIBNSSCKBI if QT5_MODULE_QTWEBENGINE > + select NSS_INSTALL_LIBSMIME if QT5_MODULE_QTWEBENGINE > select HOST_NSS if QT5_MODULE_QTWEBENGINE > select HOST_NINJA if QT5_MODULE_QTWEBENGINE > select ALSA_LIB if QT5_MODULE_QTMULTIMEDIA || QT5_MODULE_QTWEBENGINE_MEDIA > -- > 2.23.0 > -- Roland Hieber | r.hieber@pengutronix.de | Pengutronix e.K. | https://www.pengutronix.de/ | Peiner Str. 6-8, 31137 Hildesheim | Phone: +49-5121-206917-5086 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
* [ptxdist] [PATCH] nss: make installed libraries configurable 2019-09-30 9:33 ` Roland Hieber @ 2020-06-19 12:31 ` Roland Hieber 2020-06-19 12:33 ` [ptxdist] [PATCH v2] " Roland Hieber 0 siblings, 1 reply; 10+ messages in thread From: Roland Hieber @ 2020-06-19 12:31 UTC (permalink / raw) To: ptxdist; +Cc: Roland Hieber Most NSS modules are only needed if any software links to them, or loads them at runtime (e.g. as a PKCS#11 module). In extreme cases, we can slim down the installation by more than 1 MiB, and also get rid of the SQLite dependency. Qt5WebEngine and ecryptfs-utils are currently the only users of NSS, pin down their respective sub-dependencies. Signed-off-by: Roland Hieber <rhi@pengutronix.de> --- v1 -> v2: - rebase to current master - fix ecryptfs dependency, only libsoftokn is needed - format libsoftokn help text a bit nicer Range-diff: 1: 6fc40ec92172 ! 772: a2711cfe218b nss: make installed libraries configurable @@ Commit message 
Signed-off-by: Roland Hieber <rhi@pengutronix.de> ## rules/ecryptfs-utils.in ## @@ rules/ecryptfs-utils.in: menuconfig ECRYPTFS_UTILS prompt "ecryptfs-utils " select KEYUTILS select NSS -+ select NSS_INSTALL_LIBSSL -+ select NSS_INSTALL_LIBSMIME ++ select NSS_INSTALL_LIBSOFTOKN select HOST_INTLTOOL select BASH if ECRYPTFS_UTILS_TESTS select COREUTILS if ECRYPTFS_UTILS_TESTS @@ rules/nss.in + additional dependency on SQLite. + + FreeBL is a base library providing hash functions, big number -+ calculations, and cryptographic algorithms. DBM is a legacy library -+ providing database storage. Softoken is an NSS module that exposes -+ most FreeBL functionality as a PKCS#11 module, and can make use of DBM -+ or SQLite at runtime. ++ calculations, and cryptographic algorithms. ++ ++ DBM is a legacy library providing database storage. ++ ++ Softoken is an NSS module that exposes most FreeBL functionality as a ++ PKCS#11 module, and can make use of DBM or SQLite at runtime. + +endif @@ rules/nss.make: NSS_MAKE_ENV := \ NSS_ENABLE_ECC=1 \ NSS_DISABLE_GTESTS=1 \ NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \ - USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) + USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) \ + USE_NEON=$(call ptx/ifdef, PTXCONF_ARCH_ARM_NEON,1) +# unless needed, prevent an additional runtime dependency by using the bundled, +# statically-linked sqlite, but not installing anything that links to it rules/ecryptfs-utils.in | 1 + rules/nss.in | 58 ++++++++++++++++++++++++++++++++++++++--- rules/nss.make | 22 +++++++++------- rules/qt5.in | 2 ++ 4 files changed, 71 insertions(+), 12 deletions(-) diff --git a/rules/ecryptfs-utils.in b/rules/ecryptfs-utils.in index 5087f79d3ca2..8a62443bdddb 100644 --- a/rules/ecryptfs-utils.in +++ b/rules/ecryptfs-utils.in 
@@ -5,6 +5,7 @@ menuconfig ECRYPTFS_UTILS prompt "ecryptfs-utils " select KEYUTILS select NSS + select NSS_INSTALL_LIBSOFTOKN select HOST_INTLTOOL select BASH if ECRYPTFS_UTILS_TESTS select COREUTILS if ECRYPTFS_UTILS_TESTS diff --git a/rules/nss.in b/rules/nss.in index 3e4a07a75404..799bd5a73ae0 100644 --- a/rules/nss.in +++ b/rules/nss.in 
@@ -1,13 +1,65 @@ ## SECTION=networking -config NSS +menuconfig NSS tristate - prompt "nss" + prompt "nss " select NSPR - select SQLITE + select SQLITE if NSS_INSTALL_LIBSOFTOKN help Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. + +if NSS + +config NSS_INSTALL_LIBSMIME + bool + prompt "install libsmime" + default y + help + Install libsmime3.so, which adds about ~90 kiB to the footprint. + + libsmime provides functionality related to S/MIME (Cryptographic + Message Syntax, PKCS#7) used by secure email and some instant + messaging implementations. + +config NSS_INSTALL_LIBSSL + bool + prompt "install libssl" + default y + help + Install libssl3.so, which adds about ~200 kiB to the footprint. + + libssl implements the Secure Sockets Layer/Transport Layer Security + network protocols. + +config NSS_INSTALL_LIBNSSCKBI + bool + prompt "install libnssckbi" + default y + help + Install libnssckbi.so, which adds about ~350 kiB to the footprint. + + CKBI is a PKCS#11 module which provides a set of trust anchors (Root + CAs) and their trust assignments. + +config NSS_INSTALL_LIBSOFTOKN + bool + prompt "install libsoftokn" + default y + help + Install libfreebl3.so, libfreeblpriv3.so, libsoftokn3.so, and + libnssdbm3.so, which add about ~530 kB to the footprint, as well as an + additional dependency on SQLite. + + FreeBL is a base library providing hash functions, big number + calculations, and cryptographic algorithms. + + DBM is a legacy library providing database storage. + + Softoken is an NSS module that exposes most FreeBL functionality as a + PKCS#11 module, and can make use of DBM or SQLite at runtime. + +endif diff --git a/rules/nss.make b/rules/nss.make index 44febc416711..6a003dd1743f 100644 
--- a/rules/nss.make +++ b/rules/nss.make @@ -48,13 +48,18 @@ NSS_MAKE_ENV := \ BUILD_OPT=1 \ MOZILLA_CLIENT=1 \ NS_USE_GCC=1 \ - NSS_USE_SYSTEM_SQLITE=1 \ NSS_ENABLE_ECC=1 \ NSS_DISABLE_GTESTS=1 \ NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \ USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) \ USE_NEON=$(call ptx/ifdef, PTXCONF_ARCH_ARM_NEON,1) +# unless needed, prevent an additional runtime dependency by using the bundled, +# statically-linked sqlite, but not installing anything that links to it +ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN +NSS_MAKE_ENV += NSS_USE_SYSTEM_SQLITE=1 +endif + NSS_MAKE_PAR := NO NSS_MAKE_OPT := \ OS_ARCH=Linux \ @@ -72,14 +77,13 @@ NSS_INSTALL_OPT := \ NSS_LIBS := \ libnss3 \ libnssutil3 \ - libsmime3 \ - libssl3 \ - libfreebl3 \ - libfreeblpriv3 \ - libnssckbi \ - libnssdbm3 \ - libsoftokn3 - + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,) $(STATEDIR)/nss.install: @$(call targetinfo) diff --git a/rules/qt5.in b/rules/qt5.in index 162ea8b9beba..a5f8f3b94c4b 100644 --- a/rules/qt5.in +++ b/rules/qt5.in 
@@ -59,6 +59,8 @@ menuconfig QT5 select NSPR if QT5_MODULE_QTWEBENGINE select HOST_NSPR if QT5_MODULE_QTWEBENGINE select NSS if QT5_MODULE_QTWEBENGINE + select NSS_INSTALL_LIBNSSCKBI if QT5_MODULE_QTWEBENGINE + select NSS_INSTALL_LIBSMIME if QT5_MODULE_QTWEBENGINE select HOST_NSS if QT5_MODULE_QTWEBENGINE select HOST_NINJA if QT5_MODULE_QTWEBENGINE select ALSA_LIB if QT5_MODULE_QTMULTIMEDIA || QT5_MODULE_QTWEBENGINE_MEDIA -- 2.27.0 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
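Review bot: the rules/ecryptfs-utils.in hunk now selects only NSS_INSTALL_LIBSOFTOKN, which matches the changelog entry. Since the package's link line is unchanged, it still references libraries that are no longer selected, and with the NSS_LIBS hunk below feeding the install stage that populates $(NSS_PKGDIR), deselecting libssl/libsmime removes them from the sysroot as well; please confirm ecryptfs-utils still links in that configuration, or keep all libraries in the sysroot and apply the NSS_INSTALL_* filtering only at targetinstall time.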
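Review bot: the `ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN` block in the NSS_MAKE_ENV hunk is still inverted in v2: `NSS_USE_SYSTEM_SQLITE=1` is added when libsoftokn is not installed, while nss.in does `select SQLITE if NSS_INSTALL_LIBSOFTOKN`, so the two halves of the SQLite dependency never line up (system SQLite requested without SQLITE selected, or SQLITE selected but the bundled copy used). `ifdef` is what the comment above the block describes. The `USE_NEON` line appears only as unchanged context here, so it came in with the rebase and does not need a changelog entry.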
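Review bot: the rules/qt5.in hunk is unchanged from v1 and still pins libnssckbi and libsmime without libsoftokn for QtWebEngine; if the trust anchors in libnssckbi are only usable through the softoken's PKCS#11 interface, `select NSS_INSTALL_LIBSOFTOKN if QT5_MODULE_QTWEBENGINE` belongs here as well.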
* Re: [ptxdist] [PATCH v2] nss: make installed libraries configurable 2020-06-19 12:31 ` [ptxdist] [PATCH] " Roland Hieber @ 2020-06-19 12:33 ` Roland Hieber 0 siblings, 0 replies; 10+ messages in thread From: Roland Hieber @ 2020-06-19 12:33 UTC (permalink / raw) To: ptxdist Ah, that was supposed to be -v2, of course. - Roland On Fri, Jun 19, 2020 at 02:31:31PM +0200, Roland Hieber wrote: > Most NSS modules are only needed if any software links to them, or loads > them at runtime (e.g. as a PKCS#11 module). In extreme cases, we can > slim down the installation by more than 1 MiB, and also get rid of the > SQLite dependency. > > Qt5WebEngine and ecryptfs-utils are currently the only users of NSS, pin > down their respective sub-dependencies. > > Signed-off-by: Roland Hieber <rhi@pengutronix.de> > --- > v1 -> v2: > - rebase to current master > - fix ecryptfs dependency, only libsoftokn is needed > - format libsoftokn help text a bit nicer > > Range-diff: > 1: 6fc40ec92172 ! 772: a2711cfe218b nss: make installed libraries configurable > @@ Commit message 
> > Signed-off-by: Roland Hieber <rhi@pengutronix.de> > > ## rules/ecryptfs-utils.in ## > @@ rules/ecryptfs-utils.in: menuconfig ECRYPTFS_UTILS > prompt "ecryptfs-utils " > select KEYUTILS > select NSS > -+ select NSS_INSTALL_LIBSSL > -+ select NSS_INSTALL_LIBSMIME > ++ select NSS_INSTALL_LIBSOFTOKN > select HOST_INTLTOOL > select BASH if ECRYPTFS_UTILS_TESTS > select COREUTILS if ECRYPTFS_UTILS_TESTS > @@ rules/nss.in > + additional dependency on SQLite. > + > + FreeBL is a base library providing hash functions, big number > -+ calculations, and cryptographic algorithms. DBM is a legacy library > -+ providing database storage. Softoken is an NSS module that exposes > -+ most FreeBL functionality as a PKCS#11 module, and can make use of DBM > -+ or SQLite at runtime. > ++ calculations, and cryptographic algorithms. > ++ > ++ DBM is a legacy library providing database storage. > ++ > ++ Softoken is an NSS module that exposes most FreeBL functionality as a > ++ PKCS#11 module, and can make use of DBM or SQLite at runtime. > + > +endif > > @@ rules/nss.make: NSS_MAKE_ENV := \ > NSS_ENABLE_ECC=1 \ > NSS_DISABLE_GTESTS=1 \ > NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \ > - USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) > + USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) \ > + USE_NEON=$(call ptx/ifdef, PTXCONF_ARCH_ARM_NEON,1) > > +# unless needed, prevent an additional runtime dependency by using the bundled, > +# statically-linked sqlite, but not installing anything that links to it > > rules/ecryptfs-utils.in | 1 + > rules/nss.in | 58 ++++++++++++++++++++++++++++++++++++++--- > rules/nss.make | 22 +++++++++------- > rules/qt5.in | 2 ++ > 4 files changed, 71 insertions(+), 12 deletions(-) > > diff --git a/rules/ecryptfs-utils.in b/rules/ecryptfs-utils.in > index 5087f79d3ca2..8a62443bdddb 100644 > --- a/rules/ecryptfs-utils.in > +++ b/rules/ecryptfs-utils.in 
> @@ -5,6 +5,7 @@ menuconfig ECRYPTFS_UTILS > prompt "ecryptfs-utils " > select KEYUTILS > select NSS > + select NSS_INSTALL_LIBSOFTOKN > select HOST_INTLTOOL > select BASH if ECRYPTFS_UTILS_TESTS > select COREUTILS if ECRYPTFS_UTILS_TESTS > diff --git a/rules/nss.in b/rules/nss.in > index 3e4a07a75404..799bd5a73ae0 100644 > --- a/rules/nss.in > +++ b/rules/nss.in 
> @@ -1,13 +1,65 @@ > ## SECTION=networking > > -config NSS > +menuconfig NSS > tristate > - prompt "nss" > + prompt "nss " > select NSPR > - select SQLITE > + select SQLITE if NSS_INSTALL_LIBSOFTOKN > help > Network Security Services (NSS) is a set of libraries designed to > support cross-platform development of security-enabled client and > server applications. Applications built with NSS can support > SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, > X.509 v3 certificates, and other security standards. > + > +if NSS > + > +config NSS_INSTALL_LIBSMIME > + bool > + prompt "install libsmime" > + default y > + help > + Install libsmime3.so, which adds about ~90 kiB to the footprint. > + > + libsmime provides functionality related to S/MIME (Cryptographic > + Message Syntax, PKCS#7) used by secure email and some instant > + messaging implementations. > + > +config NSS_INSTALL_LIBSSL > + bool > + prompt "install libssl" > + default y > + help > + Install libssl3.so, which adds about ~200 kiB to the footprint. > + > + libssl implements the Secure Sockets Layer/Transport Layer Security > + network protocols. > + > +config NSS_INSTALL_LIBNSSCKBI > + bool > + prompt "install libnssckbi" > + default y > + help > + Install libnssckbi.so, which adds about ~350 kiB to the footprint. > + > + CKBI is a PKCS#11 module which provides a set of trust anchors (Root > + CAs) and their trust assignments. > + > +config NSS_INSTALL_LIBSOFTOKN > + bool > + prompt "install libsoftokn" > + default y > + help > + Install libfreebl3.so, libfreeblpriv3.so, libsoftokn3.so, and > + libnssdbm3.so, which add about ~530 kB to the footprint, as well as an > + additional dependency on SQLite. > + > + FreeBL is a base library providing hash functions, big number > + calculations, and cryptographic algorithms. > + > + DBM is a legacy library providing database storage. 
> + > + Softoken is an NSS module that exposes most FreeBL functionality as a > + PKCS#11 module, and can make use of DBM or SQLite at runtime. > + > +endif > diff --git a/rules/nss.make b/rules/nss.make > index 44febc416711..6a003dd1743f 100644 > --- a/rules/nss.make > +++ b/rules/nss.make > @@ -48,13 +48,18 @@ NSS_MAKE_ENV := \ > BUILD_OPT=1 \ > MOZILLA_CLIENT=1 \ > NS_USE_GCC=1 \ > - NSS_USE_SYSTEM_SQLITE=1 \ > NSS_ENABLE_ECC=1 \ > NSS_DISABLE_GTESTS=1 \ > NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \ > USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) \ > USE_NEON=$(call ptx/ifdef, PTXCONF_ARCH_ARM_NEON,1) > > +# unless needed, prevent an additional runtime dependency by using the bundled, > +# statically-linked sqlite, but not installing anything that links to it > +ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN > +NSS_MAKE_ENV += NSS_USE_SYSTEM_SQLITE=1 > +endif > + > NSS_MAKE_PAR := NO > NSS_MAKE_OPT := \ > OS_ARCH=Linux \ > @@ -72,14 +77,13 @@ NSS_INSTALL_OPT := \ > NSS_LIBS := \ > libnss3 \ > libnssutil3 \ > - libsmime3 \ > - libssl3 \ > - libfreebl3 \ > - libfreeblpriv3 \ > - libnssckbi \ > - libnssdbm3 \ > - libsoftokn3 > - > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,) > > $(STATEDIR)/nss.install: > @$(call targetinfo) > diff --git a/rules/qt5.in b/rules/qt5.in > index 162ea8b9beba..a5f8f3b94c4b 100644 > --- a/rules/qt5.in > +++ b/rules/qt5.in 
> @@ -59,6 +59,8 @@ menuconfig QT5 > select NSPR if QT5_MODULE_QTWEBENGINE > select HOST_NSPR if QT5_MODULE_QTWEBENGINE > select NSS if QT5_MODULE_QTWEBENGINE > + select NSS_INSTALL_LIBNSSCKBI if QT5_MODULE_QTWEBENGINE > + select NSS_INSTALL_LIBSMIME if QT5_MODULE_QTWEBENGINE > select HOST_NSS if QT5_MODULE_QTWEBENGINE > select HOST_NINJA if QT5_MODULE_QTWEBENGINE > select ALSA_LIB if QT5_MODULE_QTMULTIMEDIA || QT5_MODULE_QTWEBENGINE_MEDIA > -- > 2.27.0 > -- Roland Hieber, Pengutronix e.K. | r.hieber@pengutronix.de | Steuerwalder Str. 21 | https://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
* [ptxdist] [PATCH v3 1/2] nss: make installed libraries configurable 2019-09-24 15:14 [ptxdist] [PATCH v1] nss: make installed libraries configurable Roland Hieber 2019-09-30 9:33 ` Roland Hieber @ 2020-06-19 13:44 ` Roland Hieber 2020-06-19 13:44 ` [ptxdist] [PATCH v3 2/2] nss: install all libraries into the sysroot Roland Hieber 2020-06-19 15:04 ` [ptxdist] [PATCH v3 1/2] nss: make installed libraries configurable Michael Olbrich 1 sibling, 2 replies; 10+ messages in thread From: Roland Hieber @ 2020-06-19 13:44 UTC (permalink / raw) To: ptxdist; +Cc: Roland Hieber Most NSS modules are only needed if any software links to them, or loads them at runtime (e.g. as a PKCS#11 module). In extreme cases, we can slim down the installation by more than 1 MiB, and also get rid of the SQLite dependency. Qt5WebEngine and ecryptfs-utils are currently the only users of NSS, pin down their respective sub-dependencies. Signed-off-by: Roland Hieber <rhi@pengutronix.de> --- v2 -> v3: no changes v1 -> v2: - rebase onto current master - fix ecryptfs dependency, only libsoftokn is needed - format libsoftokn help text a bit nicer rules/ecryptfs-utils.in | 1 + rules/nss.in | 58 ++++++++++++++++++++++++++++++++++++++--- rules/nss.make | 22 +++++++++------- rules/qt5.in | 2 ++ 4 files changed, 71 insertions(+), 12 deletions(-) diff --git a/rules/ecryptfs-utils.in b/rules/ecryptfs-utils.in index 5087f79d3ca2..8a62443bdddb 100644 --- a/rules/ecryptfs-utils.in +++ b/rules/ecryptfs-utils.in @@ -5,6 +5,7 @@ menuconfig ECRYPTFS_UTILS prompt "ecryptfs-utils " select KEYUTILS select NSS + select NSS_INSTALL_LIBSOFTOKN select HOST_INTLTOOL select BASH if ECRYPTFS_UTILS_TESTS select COREUTILS if ECRYPTFS_UTILS_TESTS diff --git a/rules/nss.in b/rules/nss.in index 3e4a07a75404..799bd5a73ae0 100644 --- a/rules/nss.in +++ b/rules/nss.in 
@@ -1,13 +1,65 @@ ## SECTION=networking -config NSS +menuconfig NSS tristate - prompt "nss" + prompt "nss " select NSPR - select SQLITE + select SQLITE if NSS_INSTALL_LIBSOFTOKN help Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. + +if NSS + +config NSS_INSTALL_LIBSMIME + bool + prompt "install libsmime" + default y + help + Install libsmime3.so, which adds about ~90 kiB to the footprint. + + libsmime provides functionality related to S/MIME (Cryptographic + Message Syntax, PKCS#7) used by secure email and some instant + messaging implementations. + +config NSS_INSTALL_LIBSSL + bool + prompt "install libssl" + default y + help + Install libssl3.so, which adds about ~200 kiB to the footprint. + + libssl implements the Secure Sockets Layer/Transport Layer Security + network protocols. + +config NSS_INSTALL_LIBNSSCKBI + bool + prompt "install libnssckbi" + default y + help + Install libnssckbi.so, which adds about ~350 kiB to the footprint. + + CKBI is a PKCS#11 module which provides a set of trust anchors (Root + CAs) and their trust assignments. + +config NSS_INSTALL_LIBSOFTOKN + bool + prompt "install libsoftokn" + default y + help + Install libfreebl3.so, libfreeblpriv3.so, libsoftokn3.so, and + libnssdbm3.so, which add about ~530 kB to the footprint, as well as an + additional dependency on SQLite. + + FreeBL is a base library providing hash functions, big number + calculations, and cryptographic algorithms. + + DBM is a legacy library providing database storage. + + Softoken is an NSS module that exposes most FreeBL functionality as a + PKCS#11 module, and can make use of DBM or SQLite at runtime. + +endif diff --git a/rules/nss.make b/rules/nss.make index 44febc416711..6a003dd1743f 100644 
--- a/rules/nss.make +++ b/rules/nss.make @@ -48,13 +48,18 @@ NSS_MAKE_ENV := \ BUILD_OPT=1 \ MOZILLA_CLIENT=1 \ NS_USE_GCC=1 \ - NSS_USE_SYSTEM_SQLITE=1 \ NSS_ENABLE_ECC=1 \ NSS_DISABLE_GTESTS=1 \ NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \ USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) \ USE_NEON=$(call ptx/ifdef, PTXCONF_ARCH_ARM_NEON,1) +# unless needed, prevent an additional runtime dependency by using the bundled, +# statically-linked sqlite, but not installing anything that links to it +ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN +NSS_MAKE_ENV += NSS_USE_SYSTEM_SQLITE=1 +endif + NSS_MAKE_PAR := NO NSS_MAKE_OPT := \ OS_ARCH=Linux \ @@ -72,14 +77,13 @@ NSS_INSTALL_OPT := \ NSS_LIBS := \ libnss3 \ libnssutil3 \ - libsmime3 \ - libssl3 \ - libfreebl3 \ - libfreeblpriv3 \ - libnssckbi \ - libnssdbm3 \ - libsoftokn3 - + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,) $(STATEDIR)/nss.install: @$(call targetinfo) diff --git a/rules/qt5.in b/rules/qt5.in index 162ea8b9beba..a5f8f3b94c4b 100644 --- a/rules/qt5.in +++ b/rules/qt5.in 
@@ -59,6 +59,8 @@ menuconfig QT5 select NSPR if QT5_MODULE_QTWEBENGINE select HOST_NSPR if QT5_MODULE_QTWEBENGINE select NSS if QT5_MODULE_QTWEBENGINE + select NSS_INSTALL_LIBNSSCKBI if QT5_MODULE_QTWEBENGINE + select NSS_INSTALL_LIBSMIME if QT5_MODULE_QTWEBENGINE select HOST_NSS if QT5_MODULE_QTWEBENGINE select HOST_NINJA if QT5_MODULE_QTWEBENGINE select ALSA_LIB if QT5_MODULE_QTMULTIMEDIA || QT5_MODULE_QTWEBENGINE_MEDIA -- 2.27.0 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de ^ permalink raw reply [flat|nested] 10+ messages in thread
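Review bot: in the nss.in hunk, `default y` on NSS_INSTALL_LIBSMIME and NSS_INSTALL_LIBSSL defeats the dependency tracking this series introduces: a package that links -lssl3 or -lsmime3 builds fine until someone disables the option, and only then fails, far away from the package that forgot its `select`. Drop the defaults so each consumer has to select what it links against. Two smaller points in the same hunk: the libsoftokn text says `~530 kB` while the other three say `kiB`, and the help for libnssckbi and libsoftokn should state that these are not linked but loaded at runtime as PKCS#11 modules (as the commit message itself says), because that is what makes the option risky: a missing libnssckbi breaks no build, it removes the built-in root CA trust anchors from every NSS application on the target, and nothing before certificate verification on the device will notice.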
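Review bot: the `ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN` block in the NSS_MAKE_ENV hunk looks inverted relative to its own comment and to `select SQLITE if NSS_INSTALL_LIBSOFTOKN` in nss.in. As written, NSS_USE_SYSTEM_SQLITE=1 is passed exactly when libsoftokn is disabled, which is the case where SQLITE is no longer selected and so need not be in the sysroot, while with libsoftokn enabled (SQLITE selected) the variable is unset and NSS builds its bundled copy. Either flip it to `ifdef` so the system SQLite is used when libsoftokn3 and libnssdbm3 are actually installed, or rewrite the comment; one of the two is wrong.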
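Review bot: seven `$(call ptx/ifdef, …, <lib>,)` lines in the NSS_LIBS hunk, four of them with the same condition, are hard to read and easy to get out of step with nss.in. The softokn group can be one call, `$(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3 libfreeblpriv3 libnssdbm3 libsoftokn3,)` (assuming ptx/ifdef expands its second argument unchanged), or the whole list can use the `NSS_LIBS-$(PTXCONF_NSS_INSTALL_LIBSMIME) += libsmime3` style, which also makes the unconditional libnss3 and libnssutil3 stand out from the optional ones.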
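Review bot: the two new `select`s under QT5_MODULE_QTWEBENGINE in the qt5.in hunk come without evidence: neither the commit message nor a comment says which QtWebEngine file links -lsmime3 or loads libnssckbi, and the message only says the sub-dependencies were pinned down. Record the source of each dependency next to the select, because for libnssckbi a wrong guess is not caught at build time: the module is loaded at runtime, so its absence shows up as failing certificate verification on the target.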
* [ptxdist] [PATCH v3 2/2] nss: install all libraries into the sysroot
  2020-06-19 13:44 ` [ptxdist] [PATCH v3 1/2] " Roland Hieber
@ 2020-06-19 13:44 ` Roland Hieber
  2020-06-19 14:15 ` Michael Olbrich
  2020-06-19 15:04 ` [ptxdist] [PATCH v3 1/2] nss: make installed libraries configurable Michael Olbrich
  1 sibling, 1 reply; 10+ messages in thread
From: Roland Hieber @ 2020-06-19 13:44 UTC (permalink / raw)
To: ptxdist; +Cc: Jan Luebbe, Roland Hieber

From: Jan Luebbe <jlu@pengutronix.de>

ecryptfs-utils links to -lssl3 -lsmime3, without using any functions from it. Install all libraries to the sysroot to make it work. The unused libraries are still not installed on the target.

Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
I overlooked this patch in v2, but discovered it again during build-testing...

v2 -> v3: new patch

 rules/nss.make | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/rules/nss.make b/rules/nss.make
index 6a003dd1743f..c8537ceb521b 100644
--- a/rules/nss.make
+++ b/rules/nss.make
@@ -74,24 +74,13 @@ NSS_INSTALL_OPT := \ $(NSS_MAKE_OPT) \ install -NSS_LIBS := \ - libnss3 \ - libnssutil3 \ - $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \ - $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \ - $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \ - $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \ - $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \ - $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \ - $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,) - $(STATEDIR)/nss.install: @$(call targetinfo) @$(call world/install, NSS) - @$(foreach lib,$(NSS_LIBS), \ - install -v -m644 -D $(NSS_DIR)/dist/Linux$(PTXCONF_KERNEL_VERSION)_$(NSS_ARCH)_*/lib/$(lib).so \ - $(NSS_PKGDIR)/usr/lib/$(lib).so$(ptx/nl)) + install -d -m755 $(NSS_PKGDIR)/usr/lib/ + install -m 644 $(NSS_DIR)/dist/Linux$(PTXCONF_KERNEL_VERSION)_$(NSS_ARCH)_*/lib/*.so \ + $(NSS_PKGDIR)/usr/lib/ install -d $(NSS_PKGDIR)/usr/lib/pkgconfig/ VERSION=$(NSS_VERSION) ptxd_replace_magic \ 
@@ -106,6 +95,17 @@ $(STATEDIR)/nss.install: # Target-Install # ---------------------------------------------------------------------------- +NSS_LIBS := \ + libnss3 \ + libnssutil3 \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,) + $(STATEDIR)/nss.targetinstall: @$(call targetinfo) -- 2.27.0
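Review bot: the `install -m 644 .../lib/*.so $(NSS_PKGDIR)/usr/lib/` change in the nss.install hunk makes the sysroot and the target diverge, and the commit message's reasoning only holds for links made with `-Wl,--as-needed`: a DT_NEEDED entry for libssl3.so or libsmime3.so makes the dynamic loader refuse to start the program on a target without them, whether or not a single symbol from them is ever called, so this moves the ecryptfs-utils failure from link time on the host to program start on the device, which is strictly worse. Keep sysroot and target in step instead: either have ecryptfs-utils select NSS_INSTALL_LIBSSL and NSS_INSTALL_LIBSMIME, or drop the libraries it does not need from the nss.pc that is installed. The glob also now copies whatever else the NSS build leaves in `dist/.../lib/` (any bundled helper library), which the explicit per-library loop did not.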
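Review bot: moving NSS_LIBS down to the Target-Install section is harmless by itself, but the only remaining consumer, the `$(STATEDIR)/nss.targetinstall` rule, is cut off after `@$(call targetinfo)` and the loop that used NSS_LIBS in `nss.install` is gone, so the diff no longer shows anything enforcing the claim that unused libraries stay off the target. Include the targetinstall lines that iterate NSS_LIBS, and make sure nothing there globs `/usr/lib/*.so` from the package directory, since after this patch that directory contains every library.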
* Re: [ptxdist] [PATCH v3 2/2] nss: install all libraries into the sysroot 2020-06-19 13:44 ` [ptxdist] [PATCH v3 2/2] nss: install all libraries into the sysroot Roland Hieber @ 2020-06-19 14:15 ` Michael Olbrich 0 siblings, 0 replies; 10+ messages in thread From: Michael Olbrich @ 2020-06-19 14:15 UTC (permalink / raw) To: ptxdist; +Cc: Jan Luebbe, Roland Hieber On Fri, Jun 19, 2020 at 03:44:25PM +0200, Roland Hieber wrote: > From: Jan Luebbe <jlu@pengutronix.de> > > ecryptfs-utils links to -lssl3 -lsmime3, without using any functions I would guess that ecryptfs-utils uses pkg-config and these libraries are listed there. > from it. Install all libraries to the sysroot to make it work. The > unused libraries are still not installed on the target. I'm pretty sure that only works with -Wl,--as-needed and we cannot rely on that. You need to patch nss.pc instead. Michael > Signed-off-by: Jan Luebbe <jlu@pengutronix.de> > Signed-off-by: Roland Hieber <rhi@pengutronix.de> > --- > I overlook this patch in v2, but discovered it again during > build-testing... > > v2 -> v3: new patch > > rules/nss.make | 28 ++++++++++++++-------------- > 1 file changed, 14 insertions(+), 14 deletions(-) > > diff --git a/rules/nss.make b/rules/nss.make > index 6a003dd1743f..c8537ceb521b 100644 > --- a/rules/nss.make > +++ b/rules/nss.make 
> @@ -74,24 +74,13 @@ NSS_INSTALL_OPT := \ > $(NSS_MAKE_OPT) \ > install > > -NSS_LIBS := \ > - libnss3 \ > - libnssutil3 \ > - $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \ > - $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \ > - $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \ > - $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \ > - $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \ > - $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \ > - $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,) > - > $(STATEDIR)/nss.install: > @$(call targetinfo) > @$(call world/install, NSS) > > - @$(foreach lib,$(NSS_LIBS), \ > - install -v -m644 -D $(NSS_DIR)/dist/Linux$(PTXCONF_KERNEL_VERSION)_$(NSS_ARCH)_*/lib/$(lib).so \ > - $(NSS_PKGDIR)/usr/lib/$(lib).so$(ptx/nl)) > + install -d -m755 $(NSS_PKGDIR)/usr/lib/ > + install -m 644 $(NSS_DIR)/dist/Linux$(PTXCONF_KERNEL_VERSION)_$(NSS_ARCH)_*/lib/*.so \ > + $(NSS_PKGDIR)/usr/lib/ > > install -d $(NSS_PKGDIR)/usr/lib/pkgconfig/ > VERSION=$(NSS_VERSION) ptxd_replace_magic \ 
> @@ -106,6 +95,17 @@ $(STATEDIR)/nss.install: > # Target-Install > # ---------------------------------------------------------------------------- > > +NSS_LIBS := \ > + libnss3 \ > + libnssutil3 \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,) > + > $(STATEDIR)/nss.targetinstall: > @$(call targetinfo) > > -- > 2.27.0 -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
* Re: [ptxdist] [PATCH v3 1/2] nss: make installed libraries configurable 2020-06-19 13:44 ` [ptxdist] [PATCH v3 1/2] " Roland Hieber 2020-06-19 13:44 ` [ptxdist] [PATCH v3 2/2] nss: install all libraries into the sysroot Roland Hieber @ 2020-06-19 15:04 ` Michael Olbrich 2020-06-19 15:30 ` Michael Olbrich 2020-06-22 10:02 ` Roland Hieber 1 sibling, 2 replies; 10+ messages in thread From: Michael Olbrich @ 2020-06-19 15:04 UTC (permalink / raw) To: ptxdist On Fri, Jun 19, 2020 at 03:44:24PM +0200, Roland Hieber wrote: > Most NSS modules are only needed if any software links to them, or loads > them at runtime (e.g. as a PKCS#11 module). In extreme cases, we can > slim down the installation by more than 1 MiB, and also get rid of the > SQLite dependency. > > Qt5WebEngine and ecryptfs-utils are currently the only users of NSS, pin > down their respective sub-dependencies. > > Signed-off-by: Roland Hieber <rhi@pengutronix.de> > --- > v2 -> v3: no changes > > v1 -> v2: > - rebase onto current master > - fix ecryptfs dependency, only libsoftokn is needed > - format libsoftokn help text a bit nicer > > rules/ecryptfs-utils.in | 1 + > rules/nss.in | 58 ++++++++++++++++++++++++++++++++++++++--- > rules/nss.make | 22 +++++++++------- > rules/qt5.in | 2 ++ > 4 files changed, 71 insertions(+), 12 deletions(-) > > diff --git a/rules/ecryptfs-utils.in b/rules/ecryptfs-utils.in > index 5087f79d3ca2..8a62443bdddb 100644 > --- a/rules/ecryptfs-utils.in > +++ b/rules/ecryptfs-utils.in > @@ -5,6 +5,7 @@ menuconfig ECRYPTFS_UTILS > prompt "ecryptfs-utils " > select KEYUTILS > select NSS > + select NSS_INSTALL_LIBSOFTOKN This is loaded dynamically, right? There should be a comment here, otherwise someone will try to remove it because it seems unused. > select HOST_INTLTOOL > select BASH if ECRYPTFS_UTILS_TESTS > select COREUTILS if ECRYPTFS_UTILS_TESTS > diff --git a/rules/nss.in b/rules/nss.in > index 3e4a07a75404..799bd5a73ae0 100644 > --- a/rules/nss.in > +++ b/rules/nss.in
> @@ -1,13 +1,65 @@ > ## SECTION=networking > > -config NSS > +menuconfig NSS > tristate > - prompt "nss" > + prompt "nss " > select NSPR > - select SQLITE > + select SQLITE if NSS_INSTALL_LIBSOFTOKN > help > Network Security Services (NSS) is a set of libraries designed to > support cross-platform development of security-enabled client and > server applications. Applications built with NSS can support > SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, > X.509 v3 certificates, and other security standards. > + > +if NSS > + > +config NSS_INSTALL_LIBSMIME > + bool > + prompt "install libsmime" > + default y Remove the default. This is something libs/programs link to, so building will fail if its needed and missing. > + help > + Install libsmime3.so, which adds about ~90 kiB to the footprint. > + > + libsmime provides functionality related to S/MIME (Cryptographic > + Message Syntax, PKCS#7) used by secure email and some instant > + messaging implementations. > + > +config NSS_INSTALL_LIBSSL > + bool > + prompt "install libssl" > + default y Same here. > + help > + Install libssl3.so, which adds about ~200 kiB to the footprint. > + > + libssl implements the Secure Sockets Layer/Transport Layer Security > + network protocols. > + > +config NSS_INSTALL_LIBNSSCKBI > + bool > + prompt "install libnssckbi" > + default y > + help > + Install libnssckbi.so, which adds about ~350 kiB to the footprint. > + > + CKBI is a PKCS#11 module which provides a set of trust anchors (Root > + CAs) and their trust assignments. This is loaded dynamically. So how should a package creator know, when this is needed? > +config NSS_INSTALL_LIBSOFTOKN > + bool > + prompt "install libsoftokn" > + default y > + help > + Install libfreebl3.so, libfreeblpriv3.so, libsoftokn3.so, and > + libnssdbm3.so, which add about ~530 kB to the footprint, as well as an > + additional dependency on SQLite. 
> + > + FreeBL is a base library providing hash functions, big number > + calculations, and cryptographic algorithms. > + > + DBM is a legacy library providing database storage. Is this loaded dynamically? I'm not seeing any users and if this is legacy then maybe we shouldn't install it at all? > + Softoken is an NSS module that exposes most FreeBL functionality as a Softokn (without the 'e'), right? > + PKCS#11 module, and can make use of DBM or SQLite at runtime. So softokn is loaded dynamically by libnss3, right? Same question as above. And what exactly is the relationship with libfreebl3.so? Is that loaded dynamically by softokn? Same with libnssdbm3.so. > +endif > diff --git a/rules/nss.make b/rules/nss.make > index 44febc416711..6a003dd1743f 100644 > --- a/rules/nss.make > +++ b/rules/nss.make > @@ -48,13 +48,18 @@ NSS_MAKE_ENV := \ > BUILD_OPT=1 \ > MOZILLA_CLIENT=1 \ > NS_USE_GCC=1 \ > - NSS_USE_SYSTEM_SQLITE=1 \ > NSS_ENABLE_ECC=1 \ > NSS_DISABLE_GTESTS=1 \ > NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \ > USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) \ > USE_NEON=$(call ptx/ifdef, PTXCONF_ARCH_ARM_NEON,1) > > +# unless needed, prevent an additional runtime dependency by using the bundled, > +# statically-linked sqlite, but not installing anything that links to it > +ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN > +NSS_MAKE_ENV += NSS_USE_SYSTEM_SQLITE=1 > +endif > + > NSS_MAKE_PAR := NO > NSS_MAKE_OPT := \ > OS_ARCH=Linux \ 
> @@ -72,14 +77,13 @@ NSS_INSTALL_OPT := \ > NSS_LIBS := \ > libnss3 \ > libnssutil3 \ > - libsmime3 \ > - libssl3 \ > - libfreebl3 \ > - libfreeblpriv3 \ > - libnssckbi \ > - libnssdbm3 \ > - libsoftokn3 > - > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \ > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,) I think something like this is more readable: NSS_LIBS-y := libnss3 NSS_LIBS-y += libnssutil3 NSS_LIBS-$(PTXCONF_NSS_INSTALL_LIBSMIME) += libsmime3 ... > $(STATEDIR)/nss.install: > @$(call targetinfo) > diff --git a/rules/qt5.in b/rules/qt5.in > index 162ea8b9beba..a5f8f3b94c4b 100644 > --- a/rules/qt5.in > +++ b/rules/qt5.in 
> @@ -59,6 +59,8 @@ menuconfig QT5 > select NSPR if QT5_MODULE_QTWEBENGINE > select HOST_NSPR if QT5_MODULE_QTWEBENGINE > select NSS if QT5_MODULE_QTWEBENGINE > + select NSS_INSTALL_LIBNSSCKBI if QT5_MODULE_QTWEBENGINE How do you know that this is needed? > + select NSS_INSTALL_LIBSMIME if QT5_MODULE_QTWEBENGINE Does the current Qt5 version link to this? If yes, which file? I only have Qt 5.15 here right now (should hit master soon) and that only needs libnss3 and nssutil3. In general, I'm not convinced that this whole thing is a good idea. We're possibly skipping plugins that are usually always available, so the error paths are probably not very well tested. And this is security related stuff. Michael > select HOST_NSS if QT5_MODULE_QTWEBENGINE > select HOST_NINJA if QT5_MODULE_QTWEBENGINE > select ALSA_LIB if QT5_MODULE_QTMULTIMEDIA || QT5_MODULE_QTWEBENGINE_MEDIA > -- > 2.27.0 -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
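The check Michael asks for above, that is, how a package maintainer finds out which NSS libraries a binary links (DT_NEEDED entries, which the dynamic loader demands at program start whether or not any symbol from them is used, unless the link was made with -Wl,--as-needed) versus loads by name at runtime (softokn, nssckbi), as an added example that is not part of the patch series, of ptxdist, or of NSS. All inputs are constructed samples in the shape of `readelf -d`, `pkg-config --libs` and `strings` output, not captured from the real packages; the option-to-library map is transcribed from the NSS_LIBS list in the patch.

```python
"""Cross-check which NSS libraries a package really needs.

Added example (not part of the ptxdist patch or of NSS): compares constructed
`readelf -d`, `pkg-config --libs` and `strings` output against the
option-to-library map from the patch under review, to show which
NSS_INSTALL_* options a consumer has to `select` and which libraries the
dynamic loader would demand on a stripped-down target.
"""
import re
from typing import Dict, Iterable, Set

# Constructed sample of `readelf -d` output for an ecryptfs-utils-like binary
# (not captured from the real package).
READELF_OUTPUT = """\
Dynamic section at offset 0x1d8 contains 30 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libnss3.so]
 0x0000000000000001 (NEEDED)             Shared library: [libnssutil3.so]
 0x0000000000000001 (NEEDED)             Shared library: [libssl3.so]
 0x0000000000000001 (NEEDED)             Shared library: [libsmime3.so]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libecryptfs.so.1]
"""

# Constructed `pkg-config --libs nss` line (assumed shape, not a real nss.pc).
PKG_CONFIG_LIBS = "-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl"

# Constructed `strings` excerpt: a library a program names as a plain string is
# loaded with dlopen()/PKCS#11 module loading and never shows up as DT_NEEDED.
STRINGS_OUTPUT = """\
libsoftokn3.so
NSS_Initialize
/etc/pki/nssdb
"""

# Option -> libraries, transcribed from the NSS_LIBS list in the patch.
NSS_OPTIONS: Dict[str, Set[str]] = {
    "NSS": {"libnss3", "libnssutil3"},
    "NSS_INSTALL_LIBSMIME": {"libsmime3"},
    "NSS_INSTALL_LIBSSL": {"libssl3"},
    "NSS_INSTALL_LIBNSSCKBI": {"libnssckbi"},
    "NSS_INSTALL_LIBSOFTOKN": {"libfreebl3", "libfreeblpriv3", "libnssdbm3", "libsoftokn3"},
}
ALL_NSS_LIBS: Set[str] = set().union(*NSS_OPTIONS.values())

NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[(lib[^\].]+)\.so")
LINKFLAG_RE = re.compile(r"(?:^|\s)-l(\S+)")


def parse_needed(readelf_output: str) -> Set[str]:
    """Base names (without .so) of the DT_NEEDED entries the loader will demand."""
    return set(NEEDED_RE.findall(readelf_output))


def parse_pkg_config(libs_line: str) -> Set[str]:
    """Turn -lfoo flags into libfoo base names."""
    return {"lib" + name for name in LINKFLAG_RE.findall(libs_line)}


def find_dlopen_candidates(strings_output: str, known: Iterable[str]) -> Set[str]:
    """Known libraries referenced by file name in the binary's strings."""
    known = set(known)
    found = set()
    for line in strings_output.splitlines():
        m = re.match(r"(lib\w+)\.so", line.strip())
        if m and m.group(1) in known:
            found.add(m.group(1))
    return found


def required_options(needed: Set[str], dlopened: Set[str]) -> Set[str]:
    """ptxdist options whose libraries the binary links or loads at runtime."""
    wanted = needed | dlopened
    return {opt for opt, libs in NSS_OPTIONS.items() if libs & wanted}


def missing_at_runtime(needed: Set[str], dlopened: Set[str], enabled: Iterable[str]) -> Set[str]:
    """NSS libraries the binary will look for that no enabled option installs.

    A DT_NEEDED entry fails at program start even if no symbol from that
    library is ever called; only linking with -Wl,--as-needed would have
    dropped it, and a build rule cannot assume that.
    """
    installed = set().union(*(NSS_OPTIONS[o] for o in enabled if o in NSS_OPTIONS))
    return ((needed | dlopened) & ALL_NSS_LIBS) - installed


def pkg_config_only(needed: Set[str], pkgconf: Set[str]) -> Set[str]:
    """NSS libs pkg-config hands to the linker that did not end up in DT_NEEDED,
    i.e. the ones an --as-needed link dropped."""
    return (pkgconf & ALL_NSS_LIBS) - needed


if __name__ == "__main__":
    needed = parse_needed(READELF_OUTPUT)
    dlopened = find_dlopen_candidates(STRINGS_OUTPUT, ALL_NSS_LIBS)
    print("must select:", sorted(required_options(needed, dlopened)))
    print("missing with only NSS + LIBSOFTOKN:",
          sorted(missing_at_runtime(needed, dlopened, {"NSS", "NSS_INSTALL_LIBSOFTOKN"})))
```

With the constructed inputs the binary records libssl3 and libsmime3 as DT_NEEDED, so selecting only NSS and NSS_INSTALL_LIBSOFTOKN (the v2 choice for ecryptfs-utils) leaves two libraries that the loader will demand and the target does not have; the softokn dependency is only visible through the string reference, which is why a comment next to such a `select` matters.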
* Re: [ptxdist] [PATCH v3 1/2] nss: make installed libraries configurable 2020-06-19 15:04 ` [ptxdist] [PATCH v3 1/2] nss: make installed libraries configurable Michael Olbrich @ 2020-06-19 15:30 ` Michael Olbrich 2020-06-22 10:02 ` Roland Hieber 1 sibling, 0 replies; 10+ messages in thread From: Michael Olbrich @ 2020-06-19 15:30 UTC (permalink / raw) To: ptxdist On Fri, Jun 19, 2020 at 05:04:47PM +0200, Michael Olbrich wrote: > On Fri, Jun 19, 2020 at 03:44:24PM +0200, Roland Hieber wrote: > > Most NSS modules are only needed if any software links to them, or loads > > them at runtime (e.g. as a PKCS#11 module). In extreme cases, we can > > slim down the installation by more than 1 MiB, and also get rid of the > > SQLite dependency. > > > > Qt5WebEngine and ecryptfs-utils are currently the only users of NSS, pin > > down their respective sub-dependencies. > > > > Signed-off-by: Roland Hieber <rhi@pengutronix.de> > > --- > > v2 -> v3: no changes > > > > v1 -> v2: > > - rebase onto current master > > - fix ecryptfs dependency, only libsoftokn is needed > > - format libsoftokn help text a bit nicer > > > > rules/ecryptfs-utils.in | 1 + > > rules/nss.in | 58 ++++++++++++++++++++++++++++++++++++++--- > > rules/nss.make | 22 +++++++++------- > > rules/qt5.in | 2 ++ > > 4 files changed, 71 insertions(+), 12 deletions(-) > > > > diff --git a/rules/ecryptfs-utils.in b/rules/ecryptfs-utils.in > > index 5087f79d3ca2..8a62443bdddb 100644 > > --- a/rules/ecryptfs-utils.in > > +++ b/rules/ecryptfs-utils.in > > @@ -5,6 +5,7 @@ menuconfig ECRYPTFS_UTILS > > prompt "ecryptfs-utils " > > select KEYUTILS > > select NSS > > + select NSS_INSTALL_LIBSOFTOKN > > This is loaded dynamically, right? There should be a comment here, > otherwise someone will try to remove it because it seems unused. > > > select HOST_INTLTOOL > > select BASH if ECRYPTFS_UTILS_TESTS > > select COREUTILS if ECRYPTFS_UTILS_TESTS
> > diff --git a/rules/nss.in b/rules/nss.in > > index 3e4a07a75404..799bd5a73ae0 100644 > > --- a/rules/nss.in > > +++ b/rules/nss.in 
> > @@ -1,13 +1,65 @@ > > ## SECTION=networking > > > > -config NSS > > +menuconfig NSS > > tristate > > - prompt "nss" > > + prompt "nss " > > select NSPR > > - select SQLITE > > + select SQLITE if NSS_INSTALL_LIBSOFTOKN > > help > > Network Security Services (NSS) is a set of libraries designed to > > support cross-platform development of security-enabled client and > > server applications. Applications built with NSS can support > > SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, > > X.509 v3 certificates, and other security standards. > > + > > +if NSS > > + > > +config NSS_INSTALL_LIBSMIME > > + bool > > + prompt "install libsmime" > > + default y > > Remove the default. This is something libs/programs link to, so building > will fail if its needed and missing. > > > + help > > + Install libsmime3.so, which adds about ~90 kiB to the footprint. > > + > > + libsmime provides functionality related to S/MIME (Cryptographic > > + Message Syntax, PKCS#7) used by secure email and some instant > > + messaging implementations. > > + > > +config NSS_INSTALL_LIBSSL > > + bool > > + prompt "install libssl" > > + default y > > Same here. > > > + help > > + Install libssl3.so, which adds about ~200 kiB to the footprint. > > + > > + libssl implements the Secure Sockets Layer/Transport Layer Security > > + network protocols. > > + > > +config NSS_INSTALL_LIBNSSCKBI > > + bool > > + prompt "install libnssckbi" > > + default y > > + help > > + Install libnssckbi.so, which adds about ~350 kiB to the footprint. > > + > > + CKBI is a PKCS#11 module which provides a set of trust anchors (Root > > + CAs) and their trust assignments. > > This is loaded dynamically. So how should a package creator know, when this > is needed? 
> > > +config NSS_INSTALL_LIBSOFTOKN > > + bool > > + prompt "install libsoftokn" > > + default y > > + help > > + Install libfreebl3.so, libfreeblpriv3.so, libsoftokn3.so, and > > + libnssdbm3.so, which add about ~530 kB to the footprint, as well as an > > + additional dependency on SQLite. > > + > > + FreeBL is a base library providing hash functions, big number > > + calculations, and cryptographic algorithms. > > + > > + DBM is a legacy library providing database storage. > > Is this loaded dynamically? I'm not seeing any users and if this is legacy > then maybe we shouldn't install it at all? > > > + Softoken is an NSS module that exposes most FreeBL functionality as a > > Softokn (without the 'e'), right? > > > + PKCS#11 module, and can make use of DBM or SQLite at runtime. > > So softokn is loaded dynamically by libnss3, right? Same question as above. > And what exactly is the relationship with libfreebl3.so? Is that loaded > dynamically by softokn? Same with libnssdbm3.so. > > > +endif > > diff --git a/rules/nss.make b/rules/nss.make > > index 44febc416711..6a003dd1743f 100644 > > --- a/rules/nss.make > > +++ b/rules/nss.make > > @@ -48,13 +48,18 @@ NSS_MAKE_ENV := \ > > BUILD_OPT=1 \ > > MOZILLA_CLIENT=1 \ > > NS_USE_GCC=1 \ > > - NSS_USE_SYSTEM_SQLITE=1 \ > > NSS_ENABLE_ECC=1 \ > > NSS_DISABLE_GTESTS=1 \ > > NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \ > > USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) \ > > USE_NEON=$(call ptx/ifdef, PTXCONF_ARCH_ARM_NEON,1) > > > > +# unless needed, prevent an additional runtime dependency by using the bundled, > > +# statically-linked sqlite, but not installing anything that links to it > > +ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN > > +NSS_MAKE_ENV += NSS_USE_SYSTEM_SQLITE=1 > > +endif > > + > > NSS_MAKE_PAR := NO > > NSS_MAKE_OPT := \ > > OS_ARCH=Linux \ 
> > @@ -72,14 +77,13 @@ NSS_INSTALL_OPT := \ > > NSS_LIBS := \ > > libnss3 \ > > libnssutil3 \ > > - libsmime3 \ > > - libssl3 \ > > - libfreebl3 \ > > - libfreeblpriv3 \ > > - libnssckbi \ > > - libnssdbm3 \ > > - libsoftokn3 > > - > > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \ > > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \ > > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \ > > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \ > > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \ > > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \ > > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,) > > I think something like this is more readable: > > NSS_LIBS-y := libnss3 > NSS_LIBS-y += libnssutil3 > NSS_LIBS-$(PTXCONF_NSS_INSTALL_LIBSMIME) += libsmime3 > ... > > > $(STATEDIR)/nss.install: > > @$(call targetinfo) > > diff --git a/rules/qt5.in b/rules/qt5.in > > index 162ea8b9beba..a5f8f3b94c4b 100644 > > --- a/rules/qt5.in > > +++ b/rules/qt5.in 
> > @@ -59,6 +59,8 @@ menuconfig QT5 > > select NSPR if QT5_MODULE_QTWEBENGINE > > select HOST_NSPR if QT5_MODULE_QTWEBENGINE > > select NSS if QT5_MODULE_QTWEBENGINE > > + select NSS_INSTALL_LIBNSSCKBI if QT5_MODULE_QTWEBENGINE > > How do you know that this is needed? > > > + select NSS_INSTALL_LIBSMIME if QT5_MODULE_QTWEBENGINE > > Does the current Qt5 version link to this? If yes, which file? I only have > Qt 5.15 here right now (should hit master soon) and that only needs libnss3 > and nssutil3. > > > > In general, I'm not convinced that this whole thing is a good idea. > We're possibly skipping plugins that are usually always available, so the > error paths are probably not very well tested. And this is security related > stuff. So this is mostly to make the package smaller for ecryptfs-utils, right? I don't mind the options for smime and ssl. And softokn is needed there anyways. And for Qt, the size really doesn't matter. So we could keep that unconditionally. So the question is, how to handle nssckbi safely? Michael > > select HOST_NSS if QT5_MODULE_QTWEBENGINE > > select HOST_NINJA if QT5_MODULE_QTWEBENGINE > > select ALSA_LIB if QT5_MODULE_QTMULTIMEDIA || QT5_MODULE_QTWEBENGINE_MEDIA > > -- > > 2.27.0 > > -- > Pengutronix e.K. | | > Steuerwalder Str. 21 | http://www.pengutronix.de/ | > 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | > Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
* Re: [ptxdist] [PATCH v3 1/2] nss: make installed libraries configurable 2020-06-19 15:04 ` [ptxdist] [PATCH v3 1/2] nss: make installed libraries configurable Michael Olbrich 2020-06-19 15:30 ` Michael Olbrich @ 2020-06-22 10:02 ` Roland Hieber 1 sibling, 0 replies; 10+ messages in thread From: Roland Hieber @ 2020-06-22 10:02 UTC (permalink / raw) To: ptxdist On Fri, Jun 19, 2020 at 05:04:47PM +0200, Michael Olbrich wrote: > On Fri, Jun 19, 2020 at 03:44:24PM +0200, Roland Hieber wrote: > > Most NSS modules are only needed if any software links to them, or loads > > them at runtime (e.g. as a PKCS#11 module). In extreme cases, we can > > slim down the installation by more than 1 MiB, and also get rid of the > > SQLite dependency. > > > > Qt5WebEngine and ecryptfs-utils are currently the only users of NSS, pin > > down their respective sub-dependencies. > > > > Signed-off-by: Roland Hieber <rhi@pengutronix.de> > > --- > > v2 -> v3: no changes > > > > v1 -> v2: > > - rebase onto current master > > - fix ecryptfs dependency, only libsoftokn is needed > > - format libsoftokn help text a bit nicer > > > > rules/ecryptfs-utils.in | 1 + > > rules/nss.in | 58 ++++++++++++++++++++++++++++++++++++++--- > > rules/nss.make | 22 +++++++++------- > > rules/qt5.in | 2 ++ > > 4 files changed, 71 insertions(+), 12 deletions(-) > > > > diff --git a/rules/ecryptfs-utils.in b/rules/ecryptfs-utils.in > > index 5087f79d3ca2..8a62443bdddb 100644 > > --- a/rules/ecryptfs-utils.in > > +++ b/rules/ecryptfs-utils.in > > @@ -5,6 +5,7 @@ menuconfig ECRYPTFS_UTILS > > prompt "ecryptfs-utils " > > select KEYUTILS > > select NSS > > + select NSS_INSTALL_LIBSOFTOKN > > This is loaded dynamically, right? There should be a comment here, > otherwise someone will try to remove it because it seems unused. > > > select HOST_INTLTOOL > > select BASH if ECRYPTFS_UTILS_TESTS > > select COREUTILS if ECRYPTFS_UTILS_TESTS
> > diff --git a/rules/nss.in b/rules/nss.in > > index 3e4a07a75404..799bd5a73ae0 100644 > > --- a/rules/nss.in > > +++ b/rules/nss.in 
> > @@ -1,13 +1,65 @@ > > ## SECTION=networking > > > > -config NSS > > +menuconfig NSS > > tristate > > - prompt "nss" > > + prompt "nss " > > select NSPR > > - select SQLITE > > + select SQLITE if NSS_INSTALL_LIBSOFTOKN > > help > > Network Security Services (NSS) is a set of libraries designed to > > support cross-platform development of security-enabled client and > > server applications. Applications built with NSS can support > > SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, > > X.509 v3 certificates, and other security standards. > > + > > +if NSS > > + > > +config NSS_INSTALL_LIBSMIME > > + bool > > + prompt "install libsmime" > > + default y > > Remove the default. This is something libs/programs link to, so building > will fail if its needed and missing. > > > + help > > + Install libsmime3.so, which adds about ~90 kiB to the footprint. > > + > > + libsmime provides functionality related to S/MIME (Cryptographic > > + Message Syntax, PKCS#7) used by secure email and some instant > > + messaging implementations. > > + > > +config NSS_INSTALL_LIBSSL > > + bool > > + prompt "install libssl" > > + default y > > Same here. > > > + help > > + Install libssl3.so, which adds about ~200 kiB to the footprint. > > + > > + libssl implements the Secure Sockets Layer/Transport Layer Security > > + network protocols. > > + > > +config NSS_INSTALL_LIBNSSCKBI > > + bool > > + prompt "install libnssckbi" > > + default y > > + help > > + Install libnssckbi.so, which adds about ~350 kiB to the footprint. > > + > > + CKBI is a PKCS#11 module which provides a set of trust anchors (Root > > + CAs) and their trust assignments. > > This is loaded dynamically. So how should a package creator know, when this > is needed? 
> > > +config NSS_INSTALL_LIBSOFTOKN > > + bool > > + prompt "install libsoftokn" > > + default y > > + help > > + Install libfreebl3.so, libfreeblpriv3.so, libsoftokn3.so, and > > + libnssdbm3.so, which add about ~530 kB to the footprint, as well as an > > + additional dependency on SQLite. > > + > > + FreeBL is a base library providing hash functions, big number > > + calculations, and cryptographic algorithms. > > + > > + DBM is a legacy library providing database storage. > > Is this loaded dynamically? I'm not seeing any users and if this is legacy > then maybe we shouldn't install it at all? > > > + Softoken is an NSS module that exposes most FreeBL functionality as a > > Softokn (without the 'e'), right? > > > + PKCS#11 module, and can make use of DBM or SQLite at runtime. > > So softokn is loaded dynamically by libnss3, right? Same question as above. > And what exactly is the relationship with libfreebl3.so? Is that loaded > dynamically by softokn? Same with libnssdbm3.so. > > > +endif > > diff --git a/rules/nss.make b/rules/nss.make > > index 44febc416711..6a003dd1743f 100644 > > --- a/rules/nss.make > > +++ b/rules/nss.make > > @@ -48,13 +48,18 @@ NSS_MAKE_ENV := \ > > BUILD_OPT=1 \ > > MOZILLA_CLIENT=1 \ > > NS_USE_GCC=1 \ > > - NSS_USE_SYSTEM_SQLITE=1 \ > > NSS_ENABLE_ECC=1 \ > > NSS_DISABLE_GTESTS=1 \ > > NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \ > > USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) \ > > USE_NEON=$(call ptx/ifdef, PTXCONF_ARCH_ARM_NEON,1) > > > > +# unless needed, prevent an additional runtime dependency by using the bundled, > > +# statically-linked sqlite, but not installing anything that links to it > > +ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN > > +NSS_MAKE_ENV += NSS_USE_SYSTEM_SQLITE=1 > > +endif > > + > > NSS_MAKE_PAR := NO > > NSS_MAKE_OPT := \ > > OS_ARCH=Linux \ 
> > @@ -72,14 +77,13 @@ NSS_INSTALL_OPT := \ > > NSS_LIBS := \ > > libnss3 \ > > libnssutil3 \ > > - libsmime3 \ > > - libssl3 \ > > - libfreebl3 \ > > - libfreeblpriv3 \ > > - libnssckbi \ > > - libnssdbm3 \ > > - libsoftokn3 > > - > > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \ > > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \ > > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \ > > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \ > > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \ > > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \ > > + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,) > > I think something like this is more readable: > > NSS_LIBS-y := libnss3 > NSS_LIBS-y += libnssutil3 > NSS_LIBS-$(PTXCONF_NSS_INSTALL_LIBSMIME) += libsmime3 > ... > > > $(STATEDIR)/nss.install: > > @$(call targetinfo) > > diff --git a/rules/qt5.in b/rules/qt5.in > > index 162ea8b9beba..a5f8f3b94c4b 100644 > > --- a/rules/qt5.in > > +++ b/rules/qt5.in 
> > @@ -59,6 +59,8 @@ menuconfig QT5 > > select NSPR if QT5_MODULE_QTWEBENGINE > > select HOST_NSPR if QT5_MODULE_QTWEBENGINE > > select NSS if QT5_MODULE_QTWEBENGINE > > + select NSS_INSTALL_LIBNSSCKBI if QT5_MODULE_QTWEBENGINE > > How do you know that this is needed? > > > + select NSS_INSTALL_LIBSMIME if QT5_MODULE_QTWEBENGINE > > Does the current Qt5 version link to this? If yes, which file? I only have > Qt 5.15 here right now (should hit master soon) and that only needs libnss3 > and nssutil3. > > > > In general, I'm not convinced that this whole thing is a good idea. > We're possibly skipping plugins that are usually always available, so the > error paths are probably not very well tested. And this is security related > stuff. To be honest, after looking at it again and trying to research answers to your questions, I'm also no longer convinced. (I know that I had researched the dependencies of libsoftokn in the NSS documentation online during v1 of the patch, but I can no longer find it… and the code itself also doesn't make it easy to find that out.) v1 of the patch was also made under the false assumption that ecryptfs-utils only linked to libssl and libsmime, but since it loads libsoftokn as well at runtime, the space savings in the rootfs are down to only about 300 kiB instead of 1 MiB. So I think we should leave the NSS rule as-is, unless the need arises again, and someone more versed in NSS internals can say more about it. - Roland -- Roland Hieber, Pengutronix e.K. | r.hieber@pengutronix.de | Steuerwalder Str. 21 | https://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
Thread overview: 10+ messages
2019-09-24 15:14 [ptxdist] [PATCH v1] nss: make installed libraries configurable Roland Hieber
2019-09-30  9:33 ` Roland Hieber
2020-06-19 12:31 ` [ptxdist] [PATCH] " Roland Hieber
2020-06-19 12:33 ` [ptxdist] [PATCH v2] " Roland Hieber
2020-06-19 13:44 ` [ptxdist] [PATCH v3 1/2] " Roland Hieber
2020-06-19 13:44 ` [ptxdist] [PATCH v3 2/2] nss: install all libraries into the sysroot Roland Hieber
2020-06-19 14:15 ` Michael Olbrich
2020-06-19 15:04 ` [ptxdist] [PATCH v3 1/2] nss: make installed libraries configurable Michael Olbrich
2020-06-19 15:30 ` Michael Olbrich
2020-06-22 10:02 ` Roland Hieber