On 5/15/19 9:53 AM, Daniel P. Berrangé wrote: > On Tue, May 14, 2019 at 12:16:30PM -0700, Richard Henderson wrote: >> For user-only, we require only the random number bits of the >> crypto subsystem. >> >> We need to preserve --static linking, which for many recent Linux >> distributions precludes using GnuTLS or GCrypt. Instead, use our >> random-platform module unconditionally. > > I don't think we need to special case in this way. > > Today if you do a default build with all targets & tools and want > to use --static, but don't have static libs available for some > things you can achieve that > > ./configure --static --disable-gnutls --disable-gcrypt --disable-nettle
But we don't really want all of those --disable arguments by default. It would be one thing if one explicitly used --enable-gnutls and got link errors. We must preserve --static working all by itself. > Previously if you took care to disable system emulators & tools > you could avoid the need to pass the --disable-* args, but I > think that's fairly minor. Well, no, you get link errors. (As an aside, IMO pkg-config is stupid in being only able to ask "is version X installed" without also being about to ask "is a static version of X installed". pkg-config has a --static option, it just doesn't use it.) But suppose we add back the patch for --static sanity check from v6. What are we left with? No crypto libraries remain on Fedora 30. It appears that Ubuntu Bionic ships a static version of nettle, but nothing else. Is that useful on its own? > So I think we should just use $(crypto-obj-y) unconditionally in > the user emulators, and get rid of crypto-aes-obj-y too. > > This will give a consistent crypto story across all the things we > build with no special cases. Well, maybe. But what are we trying to accomplish? What use is crypto to the host side of linux-user? In general, all the crypto that the application will do is on the guest side, within guest versions of gnutls etc. All crypto that the guest expects of its kernel is done passing off the syscall to the host kernel. That's why, here in v7, I began to think that perhaps all the faffing about with pkg-config vs --static was just a waste of time. Have I missed something? r~