Ah, that was supposed to be -v2, of course.

 - Roland

On Fri, Jun 19, 2020 at 02:31:31PM +0200, Roland Hieber wrote:
> Most NSS modules are only needed if any software links to them, or loads
> them at runtime (e.g. as a PKCS#11 module). In extreme cases, we can
> slim down the installation by more than 1 MiB, and also get rid of the
> SQLite dependency.
> 
> Qt5WebEngine and ecryptfs-utils are currently the only users of NSS, pin
> down their respective sub-dependencies.
> 
> Signed-off-by: Roland Hieber <[email protected]>
> ---
> v1 -> v2:
>  - rebase to current master
>  - fix ecryptfs dependency, only libsoftokn is needed
>  - format libsoftokn help text a bit nicer
> 
> Range-diff:
>   1:  6fc40ec92172 ! 772:  a2711cfe218b nss: make installed libraries 
> configurable
>     @@ Commit message
>      
>          Signed-off-by: Roland Hieber <[email protected]>
>      
>       ## rules/ecryptfs-utils.in ##
>      @@ rules/ecryptfs-utils.in: menuconfig ECRYPTFS_UTILS
>               prompt "ecryptfs-utils                "
>               select KEYUTILS
>               select NSS
>     -+        select NSS_INSTALL_LIBSSL
>     -+        select NSS_INSTALL_LIBSMIME
>     ++        select NSS_INSTALL_LIBSOFTOKN
>               select HOST_INTLTOOL
>               select BASH                     if ECRYPTFS_UTILS_TESTS
>               select COREUTILS                if ECRYPTFS_UTILS_TESTS
>     @@ rules/nss.in
>      +          additional dependency on SQLite.
>      +
>      +          FreeBL is a base library providing hash functions, big number
>     -+          calculations, and cryptographic algorithms. DBM is a legacy 
> library
>     -+          providing database storage. Softoken is an NSS module that 
> exposes
>     -+          most FreeBL functionality as a PKCS#11 module, and can make 
> use of DBM
>     -+          or SQLite at runtime.
>     ++          calculations, and cryptographic algorithms.
>     ++
>     ++          DBM is a legacy library providing database storage.
>     ++
>     ++          Softoken is an NSS module that exposes most FreeBL 
> functionality as a
>     ++          PKCS#11 module, and can make use of DBM or SQLite at runtime.
>      +
>      +endif
>      
>     @@ rules/nss.make: NSS_MAKE_ENV := \
>               NSS_ENABLE_ECC=1 \
>               NSS_DISABLE_GTESTS=1 \
>               NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \
>     -         USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1)
>     +         USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) \
>     +         USE_NEON=$(call ptx/ifdef, PTXCONF_ARCH_ARM_NEON,1)
>       
>      +# unless needed, prevent an additional runtime dependency by using the 
> bundled,
>      +# statically-linked sqlite, but not installing anything that links to it
> 
>  rules/ecryptfs-utils.in |  1 +
>  rules/nss.in            | 58 ++++++++++++++++++++++++++++++++++++++---
>  rules/nss.make          | 22 +++++++++-------
>  rules/qt5.in            |  2 ++
>  4 files changed, 71 insertions(+), 12 deletions(-)
> 
> diff --git a/rules/ecryptfs-utils.in b/rules/ecryptfs-utils.in
> index 5087f79d3ca2..8a62443bdddb 100644
> --- a/rules/ecryptfs-utils.in
> +++ b/rules/ecryptfs-utils.in
> @@ -5,6 +5,7 @@ menuconfig ECRYPTFS_UTILS
>       prompt "ecryptfs-utils                "
>       select KEYUTILS
>       select NSS
> +     select NSS_INSTALL_LIBSOFTOKN
>       select HOST_INTLTOOL
>       select BASH                     if ECRYPTFS_UTILS_TESTS
>       select COREUTILS                if ECRYPTFS_UTILS_TESTS
> diff --git a/rules/nss.in b/rules/nss.in
> index 3e4a07a75404..799bd5a73ae0 100644
> --- a/rules/nss.in
> +++ b/rules/nss.in
> @@ -1,13 +1,65 @@
>  ## SECTION=networking
>  
> -config NSS
> +menuconfig NSS
>       tristate
> -     prompt "nss"
> +     prompt "nss                           "
>       select NSPR
> -     select SQLITE
> +     select SQLITE   if NSS_INSTALL_LIBSOFTOKN
>       help
>         Network Security Services (NSS) is a set of libraries designed to
>         support cross-platform development of security-enabled client and
>         server applications. Applications built with NSS can support
>         SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME,
>         X.509 v3 certificates, and other security standards.
> +
> +if NSS
> +
> +config NSS_INSTALL_LIBSMIME
> +     bool
> +     prompt "install libsmime"
> +     default y
> +     help
> +       Install libsmime3.so, which adds about ~90 kiB to the footprint.
> +
> +       libsmime provides functionality related to S/MIME (Cryptographic
> +       Message Syntax, PKCS#7) used by secure email and some instant
> +       messaging implementations.
> +
> +config NSS_INSTALL_LIBSSL
> +     bool
> +     prompt "install libssl"
> +     default y
> +     help
> +       Install libssl3.so, which adds about ~200 kiB to the footprint.
> +
> +       libssl implements the Secure Sockets Layer/Transport Layer Security
> +       network protocols.
> +
> +config NSS_INSTALL_LIBNSSCKBI
> +     bool
> +     prompt "install libnssckbi"
> +     default y
> +     help
> +       Install libnssckbi.so, which adds about ~350 kiB to the footprint.
> +
> +       CKBI is a PKCS#11 module which provides a set of trust anchors (Root
> +       CAs) and their trust assignments.
> +
> +config NSS_INSTALL_LIBSOFTOKN
> +     bool
> +     prompt "install libsoftokn"
> +     default y
> +     help
> +       Install libfreebl3.so, libfreeblpriv3.so, libsoftokn3.so, and
> +       libnssdbm3.so, which add about ~530 kB to the footprint, as well as an
> +       additional dependency on SQLite.
> +
> +       FreeBL is a base library providing hash functions, big number
> +       calculations, and cryptographic algorithms.
> +
> +       DBM is a legacy library providing database storage.
> +
> +       Softoken is an NSS module that exposes most FreeBL functionality as a
> +       PKCS#11 module, and can make use of DBM or SQLite at runtime.
> +
> +endif
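Review bot: The help text for NSS_INSTALL_LIBNSSCKBI gives the size saving but not the consequence of switching it off. As the text itself says, this module carries the root CA trust anchors, so an image built without it presumably has nothing to chain server certificates to unless the project provisions its own trust store. I would add a sentence such as `Without it, NSS ships no built-in root CAs; certificate verification only succeeds against trust anchors you install yourself.` so nobody disables it purely for the 350 kiB. Minor: "about ~" is redundant, and the softokn entry uses "kB" where the other three use "kiB".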
> diff --git a/rules/nss.make b/rules/nss.make
> index 44febc416711..6a003dd1743f 100644
> --- a/rules/nss.make
> +++ b/rules/nss.make
> @@ -48,13 +48,18 @@ NSS_MAKE_ENV := \
>       BUILD_OPT=1 \
>       MOZILLA_CLIENT=1 \
>       NS_USE_GCC=1 \
> -     NSS_USE_SYSTEM_SQLITE=1 \
>       NSS_ENABLE_ECC=1 \
>       NSS_DISABLE_GTESTS=1 \
>       NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \
>       USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) \
>       USE_NEON=$(call ptx/ifdef, PTXCONF_ARCH_ARM_NEON,1)
>  
> +# unless needed, prevent an additional runtime dependency by using the 
> bundled,
> +# statically-linked sqlite, but not installing anything that links to it
> +ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN
> +NSS_MAKE_ENV += NSS_USE_SYSTEM_SQLITE=1
> +endif
> +
>  NSS_MAKE_PAR := NO
>  NSS_MAKE_OPT := \
>       OS_ARCH=Linux \
> @@ -72,14 +77,13 @@ NSS_INSTALL_OPT := \
>  NSS_LIBS := \
>       libnss3 \
>       libnssutil3 \
> -     libsmime3 \
> -     libssl3 \
> -     libfreebl3 \
> -     libfreeblpriv3 \
> -     libnssckbi \
> -     libnssdbm3 \
> -     libsoftokn3
> -
> +     $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \
> +     $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \
> +     $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \
> +     $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \
> +     $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \
> +     $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \
> +     $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,)
>  
>  $(STATEDIR)/nss.install:
>       @$(call targetinfo)
> diff --git a/rules/qt5.in b/rules/qt5.in
> index 162ea8b9beba..a5f8f3b94c4b 100644
> --- a/rules/qt5.in
> +++ b/rules/qt5.in
> @@ -59,6 +59,8 @@ menuconfig QT5
>       select NSPR                     if QT5_MODULE_QTWEBENGINE
>       select HOST_NSPR                if QT5_MODULE_QTWEBENGINE
>       select NSS                      if QT5_MODULE_QTWEBENGINE
> +     select NSS_INSTALL_LIBNSSCKBI   if QT5_MODULE_QTWEBENGINE
> +     select NSS_INSTALL_LIBSMIME     if QT5_MODULE_QTWEBENGINE
>       select HOST_NSS                 if QT5_MODULE_QTWEBENGINE
>       select HOST_NINJA               if QT5_MODULE_QTWEBENGINE
>       select ALSA_LIB                 if QT5_MODULE_QTMULTIMEDIA || 
> QT5_MODULE_QTWEBENGINE_MEDIA
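Review bot: QtWebEngine selects NSS_INSTALL_LIBNSSCKBI and NSS_INSTALL_LIBSMIME here but not NSS_INSTALL_LIBSOFTOKN, so an image can end up with libnss3 and the trust anchors but without libsoftokn3 and libfreebl3. As far as I know libnss3 loads softoken at initialisation as its internal crypto module, so NSS may fail to initialise at runtime rather than at build time; this is inferred and not visible in the patch. If testing confirms it, add `select NSS_INSTALL_LIBSOFTOKN if QT5_MODULE_QTWEBENGINE` next to the two new lines. The same question applies to NSS_INSTALL_LIBSSL and NSS_INSTALL_LIBSMIME in rules/nss.in, which can be enabled on their own.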
> -- 
> 2.27.0
> 
> 
> 

-- 
Roland Hieber, Pengutronix e.K.          | [email protected]     |
Steuerwalder Str. 21                     | https://www.pengutronix.de/ |
31137 Hildesheim, Germany                | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686         | Fax:   +49-5121-206917-5555 |
