Re: [PATCH bpf-next v2] bpftool: Allow explicitly skip llvm, libbfd and libcrypto dependencies

[Mykyta Yatsenko <mykyta.yatsenko5@gmail.com>]

Quentin Monnet <qmo@kernel.org> writes:

> 2026-03-17 10:29 UTC+0000 ~ Quentin Monnet <qmo@kernel.org>
>> 2026-03-12 17:03 UTC-0700 ~ Mykyta Yatsenko <mykyta.yatsenko5@gmail.com>
>>> From: Mykyta Yatsenko <yatsenko@meta.com>
>>>
>>> Introduce SKIP_LLVM, SKIP_LIBBFD, and SKIP_CRYPTO build flags that let
>>> users build bpftool without these optional dependencies.
>>>
>>> SKIP_LLVM=1 skips LLVM even when detected. SKIP_LIBBFD=1 prevents the
>>> libbfd JIT disassembly fallback when LLVM is absent. Together, they
>>> produce a bpftool with no disassembly support.
>>>
>>> SKIP_CRYPTO=1 excludes sign.c and removes the -lcrypto link dependency.
>>> Inline stubs in main.h return errors with a clear message if signing
>>> functions are called at runtime.
>>>
>>> Use BPFTOOL_WITHOUT_CRYPTO (not HAVE_LIBCRYPTO_SUPPORT) as the C
>>> define, following the BPFTOOL_WITHOUT_SKELETONS naming convention for
>>> bpftool-internal build config, leaving HAVE_LIBCRYPTO_SUPPORT free for
>>> proper feature detection in the future.
>>>
>>> All three flags are propagated through the selftests Makefile to bpftool
>>> sub-builds.
>>>
>>> Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com>
>> 
>> 
>> Sorry I'm late for this one, I see Andrii applied it - I just wanted to
>> say thank you for this!
>
>
> Mykyta, Andrii,
>
> Apologies again for missing the review on this series. I'm realising
> only now that it goes beyond what we initially discussed: It adds a way
> to turn off the optional dependencies related to the disassemblers,
> which is what we agreed on, but it also makes libcrypto optional.
>
> There were previous discussions where I pushed back against making
> program signing optional in bpftool. It's one thing to have the JIT
> disassembler unavailable on a machine; but it's going to be a pain if a
> policy requires signed programs on a system, but the bpftool version
> available does not support signing. Are you really sure you want to make
> it optional? My preference would be to keep program signing a mandatory
> feature for bpftool going forward.
>
> Best regards,
> Quentin

Hi,
Thanks for reaching out! The patch indeed went beyond what we discussed
in v1, because we've ran into a problem, where some users could not
build bpftool, because their openssl was built with no CMS support. It
turns out openssl allows OPENSSL_NO_CMS which disables some functions
that bpftool/sign.c relies on. So to support this usecase, we decided to
increase the scope of this change. I'm not sure, though, how common it
is to find openssl with no CMS in the wild. Let me know what you think
about this.

Regards