From: Mykyta Yatsenko <mykyta.yatsenko5@gmail.com>
To: Andrii Nakryiko <andrii.nakryiko@gmail.com>
Cc: bpf@vger.kernel.org, ast@kernel.org, andrii@kernel.org,
daniel@iogearbox.net, kafai@meta.com, kernel-team@meta.com,
eddyz87@gmail.com, Mykyta Yatsenko <yatsenko@meta.com>
Subject: Re: [PATCH bpf-next] bpftool: Allow explicitly skip llvm, libbfd and libcrypto dependencies
Date: Thu, 12 Mar 2026 23:49:22 +0000 [thread overview]
Message-ID: <87ikb0a9rx.fsf@gmail.com> (raw)
In-Reply-To: <CAEf4Bza9U5yftY0CCLv28K_rjw7ATsQeDh6S-2gHCz0eSdH0mg@mail.gmail.com>
Andrii Nakryiko <andrii.nakryiko@gmail.com> writes:
> On Thu, Mar 12, 2026 at 10:13 AM Mykyta Yatsenko
> <mykyta.yatsenko5@gmail.com> wrote:
>>
>> From: Mykyta Yatsenko <yatsenko@meta.com>
>>
>> Introduce SKIP_LLVM, SKIP_LIBBFD, and SKIP_CRYPTO build flags that let
>> users build bpftool without these optional dependencies.
>>
>> SKIP_LLVM=1 skips LLVM even when detected. SKIP_LIBBFD=1 prevents the
>> libbfd JIT disassembly fallback when LLVM is absent. Together, they
>> produce a bpftool with no disassembly support.
>>
>> SKIP_CRYPTO=1 excludes sign.c and removes the -lcrypto link dependency.
>> Inline stubs in main.h return errors with a clear message if signing
>> functions are called at runtime.
>>
>> Use BPFTOOL_WITHOUT_CRYPTO (not HAVE_LIBCRYPTO_SUPPORT) as the C
>> define, following the BPFTOOL_WITHOUT_SKELETONS naming convention for
>> bpftool-internal build config, leaving HAVE_LIBCRYPTO_SUPPORT free for
>> proper feature detection in the future.
>>
>> All three flags are propagated through the selftests Makefile to bpftool
>> sub-builds.
>>
>> Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com>
>> ---
>> tools/bpf/bpftool/Makefile | 29 +++++++++++++++++++++++++----
>> tools/bpf/bpftool/main.c | 7 +++++++
>> tools/bpf/bpftool/main.h | 14 ++++++++++++++
>> tools/testing/selftests/bpf/Makefile | 8 ++++++++
>> 4 files changed, 54 insertions(+), 4 deletions(-)
>>
>> diff --git a/tools/bpf/bpftool/Makefile b/tools/bpf/bpftool/Makefile
>> index 519ea5cb8ab1..4f83a7ec81a5 100644
>> --- a/tools/bpf/bpftool/Makefile
>> +++ b/tools/bpf/bpftool/Makefile
>> @@ -97,6 +97,12 @@ RM ?= rm -f
>>
>> FEATURE_USER = .bpftool
>>
>> +# Skip optional dependencies: LLVM (JIT disasm), libbfd (fallback
>> +# disasm), libcrypto (program signing).
>> +SKIP_LLVM ?=
>> +SKIP_LIBBFD ?=
>> +SKIP_CRYPTO ?=
>> +
>> FEATURE_TESTS := clang-bpf-co-re
>> FEATURE_TESTS += llvm
>> FEATURE_TESTS += libcap
>> @@ -130,8 +136,8 @@ include $(FEATURES_DUMP)
>> endif
>> endif
>>
>> -LIBS = $(LIBBPF) -lelf -lcrypto -lz
>> -LIBS_BOOTSTRAP = $(LIBBPF_BOOTSTRAP) -lelf -lcrypto -lz
>> +LIBS = $(LIBBPF) -lelf $(CRYPTO_LIBS) -lz
>> +LIBS_BOOTSTRAP = $(LIBBPF_BOOTSTRAP) -lelf $(CRYPTO_LIBS) -lz
>
> you use CRYPTO_LIBS here, but actually set it much later. It works
> because of lazy LIBS_BOOSTRAP definition with '=', right?
yes, that's because =
> But maybe we
> can move LIBS/LIBS_BOOSTRAP to later when all the stuff is well
> defined?
Let me try.
>
>>
>> ifeq ($(feature-libelf-zstd),1)
>> LIBS += -lzstd
>> @@ -150,7 +156,12 @@ all: $(OUTPUT)bpftool
>> SRCS := $(wildcard *.c)
>>
>> ifeq ($(feature-llvm),1)
>> - # If LLVM is available, use it for JIT disassembly
>> +ifneq ($(SKIP_LLVM),1)
>> +HAS_LLVM := 1
>> +endif
>> +endif
>> +
>> +ifeq ($(HAS_LLVM),1)
>> CFLAGS += -DHAVE_LLVM_SUPPORT
>> LLVM_CONFIG_LIB_COMPONENTS := mcdisassembler all-targets
>> # llvm-config always adds -D_GNU_SOURCE, however, it may already be in CFLAGS
>> @@ -165,6 +176,7 @@ ifeq ($(feature-llvm),1)
>> endif
>> LDFLAGS += $(shell $(LLVM_CONFIG) --ldflags)
>> else
>> + ifneq ($(SKIP_LIBBFD),1)
>> # Fall back on libbfd
>> ifeq ($(feature-libbfd),1)
>> LIBS += -lbfd -ldl -lopcodes
>> @@ -186,15 +198,24 @@ else
>> CFLAGS += -DDISASM_INIT_STYLED
>> endif
>> endif
>> + endif # SKIP_LIBBFD
>> endif
>> ifeq ($(filter -DHAVE_LLVM_SUPPORT -DHAVE_LIBBFD_SUPPORT,$(CFLAGS)),)
>> # No support for JIT disassembly
>> SRCS := $(filter-out jit_disasm.c,$(SRCS))
>> endif
>>
>> +ifeq ($(SKIP_CRYPTO),1)
>> + CFLAGS += -DBPFTOOL_WITHOUT_CRYPTO
>> + HOST_CFLAGS += -DBPFTOOL_WITHOUT_CRYPTO
>> + SRCS := $(filter-out sign.c,$(SRCS))
>> +else
>> + CRYPTO_LIBS := -lcrypto
>> +endif
>> +
>> BPFTOOL_BOOTSTRAP := $(BOOTSTRAP_OUTPUT)bpftool
>>
>> -BOOTSTRAP_OBJS = $(addprefix $(BOOTSTRAP_OUTPUT),main.o common.o json_writer.o gen.o btf.o sign.o)
>> +BOOTSTRAP_OBJS = $(addprefix $(BOOTSTRAP_OUTPUT),main.o common.o json_writer.o gen.o btf.o $(if $(CRYPTO_LIBS),sign.o))
>> $(BOOTSTRAP_OBJS): $(LIBBPF_BOOTSTRAP)
>>
>> OBJS = $(patsubst %.c,$(OUTPUT)%.o,$(SRCS)) $(OUTPUT)disasm.o
>> diff --git a/tools/bpf/bpftool/main.c b/tools/bpf/bpftool/main.c
>> index a829a6a49037..c91e1a6e1a1e 100644
>> --- a/tools/bpf/bpftool/main.c
>> +++ b/tools/bpf/bpftool/main.c
>> @@ -131,6 +131,11 @@ static int do_version(int argc, char **argv)
>> const bool has_skeletons = false;
>> #else
>> const bool has_skeletons = true;
>> +#endif
>> +#ifdef BPFTOOL_WITHOUT_CRYPTO
>> + const bool has_crypto = false;
>> +#else
>> + const bool has_crypto = true;
>> #endif
>> bool bootstrap = false;
>> int i;
>> @@ -163,6 +168,7 @@ static int do_version(int argc, char **argv)
>> jsonw_start_object(json_wtr); /* features */
>> jsonw_bool_field(json_wtr, "libbfd", has_libbfd);
>> jsonw_bool_field(json_wtr, "llvm", has_llvm);
>> + jsonw_bool_field(json_wtr, "crypto", has_crypto);
>> jsonw_bool_field(json_wtr, "skeletons", has_skeletons);
>> jsonw_bool_field(json_wtr, "bootstrap", bootstrap);
>> jsonw_end_object(json_wtr); /* features */
>> @@ -181,6 +187,7 @@ static int do_version(int argc, char **argv)
>> printf("features:");
>> print_feature("libbfd", has_libbfd, &nb_features);
>> print_feature("llvm", has_llvm, &nb_features);
>> + print_feature("crypto", has_crypto, &nb_features);
>> print_feature("skeletons", has_skeletons, &nb_features);
>> print_feature("bootstrap", bootstrap, &nb_features);
>> printf("\n");
>> diff --git a/tools/bpf/bpftool/main.h b/tools/bpf/bpftool/main.h
>> index 1130299cede0..169392a4552d 100644
>> --- a/tools/bpf/bpftool/main.h
>> +++ b/tools/bpf/bpftool/main.h
>> @@ -293,6 +293,20 @@ struct kernel_config_option {
>> int read_kernel_config(const struct kernel_config_option *requested_options,
>> size_t num_options, char **out_values,
>> const char *define_prefix);
>> +#ifndef BPFTOOL_WITHOUT_CRYPTO
>> int bpftool_prog_sign(struct bpf_load_and_run_opts *opts);
>> __u32 register_session_key(const char *key_der_path);
>> +#else
>> +static inline int bpftool_prog_sign(struct bpf_load_and_run_opts *opts)
>> +{
>> + p_err("program signing requires libcrypto");
>
> we should probably say that "bpftool was built without signing
> support". It could be confusing to end-user as they might have
> libcrypto installed on their system, but this functionality will still
> not work
Agree
>
>> + return -ENOTSUP;
>> +}
>> +
>> +static inline __u32 register_session_key(const char *key_der_path)
>> +{
>> + p_err("program signing requires libcrypto");
>> + return -1;
>> +}
>> +#endif
>> #endif
>> diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
>> index 869b582b1d1f..e27501c06b56 100644
>> --- a/tools/testing/selftests/bpf/Makefile
>> +++ b/tools/testing/selftests/bpf/Makefile
>> @@ -41,6 +41,8 @@ LIBELF_LIBS := $(shell $(PKG_CONFIG) libelf --libs 2>/dev/null || echo -lelf)
>>
>> SKIP_DOCS ?=
>> SKIP_LLVM ?=
>> +SKIP_LIBBFD ?=
>> +SKIP_CRYPTO ?=
>>
>> ifeq ($(srctree),)
>> srctree := $(patsubst %/,%,$(dir $(CURDIR)))
>> @@ -333,6 +335,9 @@ $(DEFAULT_BPFTOOL): $(wildcard $(BPFTOOLDIR)/*.[ch] $(BPFTOOLDIR)/Makefile) \
>> OUTPUT=$(HOST_BUILD_DIR)/bpftool/ \
>> LIBBPF_OUTPUT=$(HOST_BUILD_DIR)/libbpf/ \
>> LIBBPF_DESTDIR=$(HOST_SCRATCH_DIR)/ \
>> + SKIP_LLVM=$(SKIP_LLVM) \
>> + SKIP_LIBBFD=$(SKIP_LIBBFD) \
>> + SKIP_CRYPTO=$(SKIP_CRYPTO) \
>> prefix= DESTDIR=$(HOST_SCRATCH_DIR)/ install-bin
>>
>> ifneq ($(CROSS_COMPILE),)
>> @@ -345,6 +350,9 @@ $(CROSS_BPFTOOL): $(wildcard $(BPFTOOLDIR)/*.[ch] $(BPFTOOLDIR)/Makefile) \
>> OUTPUT=$(BUILD_DIR)/bpftool/ \
>> LIBBPF_OUTPUT=$(BUILD_DIR)/libbpf/ \
>> LIBBPF_DESTDIR=$(SCRATCH_DIR)/ \
>> + SKIP_LLVM=$(SKIP_LLVM) \
>> + SKIP_LIBBFD=$(SKIP_LIBBFD) \
>> + SKIP_CRYPTO=$(SKIP_CRYPTO) \
>> prefix= DESTDIR=$(SCRATCH_DIR)/ install-bin
>> endif
>>
>>
>> ---
>> base-commit: ca0f39a369c5f927c3d004e63a5a778b08a9df94
>> change-id: 20260312-b4-bpftool_build-fe7d37d535bd
>>
>> Best regards,
>> --
>> Mykyta Yatsenko <yatsenko@meta.com>
>>
prev parent reply other threads:[~2026-03-12 23:49 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-12 17:13 [PATCH bpf-next] bpftool: Allow explicitly skip llvm, libbfd and libcrypto dependencies Mykyta Yatsenko
2026-03-12 20:33 ` Andrii Nakryiko
2026-03-12 23:49 ` Mykyta Yatsenko [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87ikb0a9rx.fsf@gmail.com \
--to=mykyta.yatsenko5@gmail.com \
--cc=andrii.nakryiko@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=kafai@meta.com \
--cc=kernel-team@meta.com \
--cc=yatsenko@meta.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.