Most NSS modules are only needed if any software links to them, or loads them at runtime (e.g. as a PKCS#11 module). In extreme cases, we can slim down the installation by more than 1 MiB, and also get rid of the SQLite dependency.
Qt5WebEngine and ecryptfs-utils are currently the only users of NSS, pin down their respective sub-dependencies.
Signed-off-by: Roland Hieber <r...@pengutronix.de>
---
rules/ecryptfs-utils.in | 2 ++
rules/nss.in | 56 ++++++++++++++++++++++++++++++++++++++---
rules/nss.make | 22 +++++++++-------
rules/qt5.in | 2 ++
4 files changed, 70 insertions(+), 12 deletions(-)
diff --git a/rules/ecryptfs-utils.in b/rules/ecryptfs-utils.in
index 5087f79d3ca2..7ac44e11bdf3 100644
--- a/rules/ecryptfs-utils.in
+++ b/rules/ecryptfs-utils.in
@@ -5,6 +5,8 @@ menuconfig ECRYPTFS_UTILS
 prompt "ecryptfs-utils "
 select KEYUTILS
 select NSS
+ select NSS_INSTALL_LIBSSL
+ select NSS_INSTALL_LIBSMIME
 select HOST_INTLTOOL
 select BASH if ECRYPTFS_UTILS_TESTS
 select COREUTILS if ECRYPTFS_UTILS_TESTS
diff --git a/rules/nss.in b/rules/nss.in
index 3e4a07a75404..0f44a2b7d1c8 100644
--- a/rules/nss.in
+++ b/rules/nss.in
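Review bot: The two selects added to ECRYPTFS_UTILS pin libssl and libsmime but not `NSS_INSTALL_LIBSOFTOKN`, so a configuration with softoken switched off still satisfies ecryptfs-utils in Kconfig. Link-time dependencies would be caught by the linker, but the commit message itself notes that NSS modules can also be loaded at runtime as PKCS#11 modules, and as far as I know libnss3 loads softoken that way as its internal crypto module, so a missing module would only show up as a failure on the target. If that holds for ecryptfs-utils, add `select NSS_INSTALL_LIBSOFTOKN` here; the same question applies to the QT5_MODULE_QTWEBENGINE selects in the rules/qt5.in hunk. The menuconfig entry continues outside the hunk.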
@@ -1,13 +1,63 @@ ## SECTION=networking -config NSS +menuconfig NSS tristate - prompt "nss" + prompt "nss " select NSPR - select SQLITE + select SQLITE if NSS_INSTALL_LIBSOFTOKN help Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. + +if NSS + +config NSS_INSTALL_LIBSMIME + bool + prompt "install libsmime" + default y + help + Install libsmime3.so, which adds about ~90 kiB to the footprint. + + libsmime provides functionality related to S/MIME (Cryptographic + Message Syntax, PKCS#7) used by secure email and some instant + messaging implementations. + +config NSS_INSTALL_LIBSSL + bool + prompt "install libssl" + default y + help + Install libssl3.so, which adds about ~200 kiB to the footprint. + + libssl implements the Secure Sockets Layer/Transport Layer Security + network protocols. + +config NSS_INSTALL_LIBNSSCKBI + bool + prompt "install libnssckbi" + default y + help + Install libnssckbi.so, which adds about ~350 kiB to the footprint. + + CKBI is a PKCS#11 module which provides a set of trust anchors (Root + CAs) and their trust assignments. + +config NSS_INSTALL_LIBSOFTOKN + bool + prompt "install libsoftokn" + default y + help + Install libfreebl3.so, libfreeblpriv3.so, libsoftokn3.so, and + libnssdbm3.so, which add about ~530 kB to the footprint, as well as an + additional dependency on SQLite. + + FreeBL is a base library providing hash functions, big number + calculations, and cryptographic algorithms. DBM is a legacy library + providing database storage. Softoken is an NSS module that exposes + most FreeBL functionality as a PKCS#11 module, and can make use of DBM + or SQLite at runtime. + +endif diff --git a/rules/nss.make b/rules/nss.make index 49406fb956c7..f9f322d94179 100644 --- a/rules/nss.make 
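Review bot: The help texts of the four new options give the size saving but not what stops working when the option is switched off, which matters most for `NSS_INSTALL_LIBNSSCKBI` and `NSS_INSTALL_LIBSOFTOKN`. For libnssckbi I would add a sentence such as `Without it NSS has no built-in root CAs; applications must supply their own trust anchors.` For libsoftokn the help should say that this group provides the cryptographic implementation that other NSS libraries use at runtime, which is what the existing FreeBL/Softoken description implies but should be confirmed against the NSS documentation. The sizes also mix `kiB` and `kB`, and "about ~" says the same thing twice.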
+++ b/rules/nss.make @@ -45,12 +45,17 @@ NSS_MAKE_ENV := \ BUILD_OPT=1 \ MOZILLA_CLIENT=1 \ NS_USE_GCC=1 \ - NSS_USE_SYSTEM_SQLITE=1 \ NSS_ENABLE_ECC=1 \ NSS_DISABLE_GTESTS=1 \ NSPR_INCLUDE_DIR=$(SYSROOT)/usr/include/nspr \ USE_64=$(call ptx/ifdef, PTXCONF_ARCH_LP64,1) +# unless needed, prevent an additional runtime dependency by using the bundled, +# statically-linked sqlite, but not installing anything that links to it +ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN +NSS_MAKE_ENV += NSS_USE_SYSTEM_SQLITE=1 +endif + NSS_MAKE_PAR := NO NSS_MAKE_OPT := \ OS_ARCH=Linux \ @@ -68,14 +73,13 @@ NSS_INSTALL_OPT := \ NSS_LIBS := \ libnss3 \ libnssutil3 \ - libsmime3 \ - libssl3 \ - libfreebl3 \ - libfreeblpriv3 \ - libnssckbi \ - libnssdbm3 \ - libsoftokn3 - + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSMIME, libsmime3,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSSL, libssl3,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBNSSCKBI, libnssckbi,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreebl3,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libfreeblpriv3,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libnssdbm3,) \ + $(call ptx/ifdef, PTXCONF_NSS_INSTALL_LIBSOFTOKN, libsoftokn3,) $(STATEDIR)/nss.install: @$(call targetinfo) diff --git a/rules/qt5.in b/rules/qt5.in index 6c2de3cde04f..aa9b63f2fdf7 100644 --- a/rules/qt5.in +++ b/rules/qt5.in @@ -57,6 +57,8 @@ menuconfig QT5 select NSPR if QT5_MODULE_QTWEBENGINE select HOST_NSPR if QT5_MODULE_QTWEBENGINE select NSS if QT5_MODULE_QTWEBENGINE + select NSS_INSTALL_LIBNSSCKBI if QT5_MODULE_QTWEBENGINE + select NSS_INSTALL_LIBSMIME if QT5_MODULE_QTWEBENGINE select HOST_NSS if QT5_MODULE_QTWEBENGINE select HOST_NINJA if QT5_MODULE_QTWEBENGINE select ALSA_LIB if QT5_MODULE_QTMULTIMEDIA || QT5_MODULE_QTWEBENGINE_MEDIA -- 2.23.0 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de
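Review bot: The condition in the block added after NSS_MAKE_ENV looks inverted: `ifndef PTXCONF_NSS_INSTALL_LIBSOFTOKN` sets `NSS_USE_SYSTEM_SQLITE=1` exactly when softoken is not installed, while rules/nss.in has `select SQLITE if NSS_INSTALL_LIBSOFTOKN` and the comment above the block describes using the bundled copy when SQLite is not needed. As written, a build with softoken enabled would presumably use the SQLite copy bundled with NSS rather than the selected SQLite package, so fixes delivered through that package would not reach the NSS database code. A build without softoken, in turn, asks for a system SQLite that Kconfig no longer guarantees is present. I would change the line to `ifdef PTXCONF_NSS_INSTALL_LIBSOFTOKN`. The NSS_MAKE_ENV assignment starts outside the hunk.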