From: Mykyta Yatsenko <mykyta.yatsenko5@gmail.com>
To: Andrii Nakryiko <andrii.nakryiko@gmail.com>
Cc: bpf@vger.kernel.org, ast@kernel.org, andrii@kernel.org,
daniel@iogearbox.net, kafai@meta.com, kernel-team@meta.com,
eddyz87@gmail.com, Mykyta Yatsenko <yatsenko@meta.com>
Subject: Re: [PATCH bpf-next] bpftool: Allow explicitly skip llvm, libbfd and libcrypto dependencies
Date: Thu, 12 Mar 2026 23:49:22 +0000 [thread overview]
Message-ID: <87ikb0a9rx.fsf@gmail.com> (raw)
In-Reply-To: <CAEf4Bza9U5yftY0CCLv28K_rjw7ATsQeDh6S-2gHCz0eSdH0mg@mail.gmail.com>
Andrii Nakryiko <andrii.nakryiko@gmail.com> writes:
> On Thu, Mar 12, 2026 at 10:13 AM Mykyta Yatsenko
> <mykyta.yatsenko5@gmail.com> wrote:
>>
>> From: Mykyta Yatsenko <yatsenko@meta.com>
>>
>> Introduce SKIP_LLVM, SKIP_LIBBFD, and SKIP_CRYPTO build flags that let
>> users build bpftool without these optional dependencies.
>>
>> SKIP_LLVM=1 skips LLVM even when detected. SKIP_LIBBFD=1 prevents the
>> libbfd JIT disassembly fallback when LLVM is absent. Together, they
>> produce a bpftool with no disassembly support.
>>
>> SKIP_CRYPTO=1 excludes sign.c and removes the -lcrypto link dependency.
>> Inline stubs in main.h return errors with a clear message if signing
>> functions are called at runtime.
>>
>> Use BPFTOOL_WITHOUT_CRYPTO (not HAVE_LIBCRYPTO_SUPPORT) as the C
>> define, following the BPFTOOL_WITHOUT_SKELETONS naming convention for
>> bpftool-internal build config, leaving HAVE_LIBCRYPTO_SUPPORT free for
>> proper feature detection in the future.
>>
>> All three flags are propagated through the selftests Makefile to bpftool
>> sub-builds.
>>
>> Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com>
>> ---
>> tools/bpf/bpftool/Makefile | 29 +++++++++++++++++++++++++----
>> tools/bpf/bpftool/main.c | 7 +++++++
>> tools/bpf/bpftool/main.h | 14 ++++++++++++++
>> tools/testing/selftests/bpf/Makefile | 8 ++++++++
>> 4 files changed, 54 insertions(+), 4 deletions(-)
>>
>> diff --git a/tools/bpf/bpftool/Makefile b/tools/bpf/bpftool/Makefile
>> index 519ea5cb8ab1..4f83a7ec81a5 100644
>> --- a/tools/bpf/bpftool/Makefile
>> +++ b/tools/bpf/bpftool/Makefile
>> @@ -97,6 +97,12 @@ RM ?= rm -f
>>
>> FEATURE_USER = .bpftool
>>
>> +# Skip optional dependencies: LLVM (JIT disasm), libbfd (fallback
>> +# disasm), libcrypto (program signing).
>> +SKIP_LLVM ?=
>> +SKIP_LIBBFD ?=
>> +SKIP_CRYPTO ?=
>> +
>> FEATURE_TESTS := clang-bpf-co-re
>> FEATURE_TESTS += llvm
>> FEATURE_TESTS += libcap
>> @@ -130,8 +136,8 @@ include $(FEATURES_DUMP)
>> endif
>> endif
>>
>> -LIBS = $(LIBBPF) -lelf -lcrypto -lz
>> -LIBS_BOOTSTRAP = $(LIBBPF_BOOTSTRAP) -lelf -lcrypto -lz
>> +LIBS = $(LIBBPF) -lelf $(CRYPTO_LIBS) -lz
>> +LIBS_BOOTSTRAP = $(LIBBPF_BOOTSTRAP) -lelf $(CRYPTO_LIBS) -lz
>
> you use CRYPTO_LIBS here, but actually set it much later. It works
> because of lazy LIBS_BOOSTRAP definition with '=', right?
yes, that's because =
> But maybe we
> can move LIBS/LIBS_BOOSTRAP to later when all the stuff is well
> defined?
Let me try.
>
>>
>> ifeq ($(feature-libelf-zstd),1)
>> LIBS += -lzstd
>> @@ -150,7 +156,12 @@ all: $(OUTPUT)bpftool
>> SRCS := $(wildcard *.c)
>>
>> ifeq ($(feature-llvm),1)
>> - # If LLVM is available, use it for JIT disassembly
>> +ifneq ($(SKIP_LLVM),1)
>> +HAS_LLVM := 1
>> +endif
>> +endif
>> +
>> +ifeq ($(HAS_LLVM),1)
>> CFLAGS += -DHAVE_LLVM_SUPPORT
>> LLVM_CONFIG_LIB_COMPONENTS := mcdisassembler all-targets
>> # llvm-config always adds -D_GNU_SOURCE, however, it may already be in CFLAGS
>> @@ -165,6 +176,7 @@ ifeq ($(feature-llvm),1)
>> endif
>> LDFLAGS += $(shell $(LLVM_CONFIG) --ldflags)
>> else
>> + ifneq ($(SKIP_LIBBFD),1)
>> # Fall back on libbfd
>> ifeq ($(feature-libbfd),1)
>> LIBS += -lbfd -ldl -lopcodes
>> @@ -186,15 +198,24 @@ else
>> CFLAGS += -DDISASM_INIT_STYLED
>> endif
>> endif
>> + endif # SKIP_LIBBFD
>> endif
>> ifeq ($(filter -DHAVE_LLVM_SUPPORT -DHAVE_LIBBFD_SUPPORT,$(CFLAGS)),)
>> # No support for JIT disassembly
>> SRCS := $(filter-out jit_disasm.c,$(SRCS))
>> endif
>>
>> +ifeq ($(SKIP_CRYPTO),1)
>> + CFLAGS += -DBPFTOOL_WITHOUT_CRYPTO
>> + HOST_CFLAGS += -DBPFTOOL_WITHOUT_CRYPTO
>> + SRCS := $(filter-out sign.c,$(SRCS))
>> +else
>> + CRYPTO_LIBS := -lcrypto
>> +endif
>> +
>> BPFTOOL_BOOTSTRAP := $(BOOTSTRAP_OUTPUT)bpftool
>>
>> -BOOTSTRAP_OBJS = $(addprefix $(BOOTSTRAP_OUTPUT),main.o common.o json_writer.o gen.o btf.o sign.o)
>> +BOOTSTRAP_OBJS = $(addprefix $(BOOTSTRAP_OUTPUT),main.o common.o json_writer.o gen.o btf.o $(if $(CRYPTO_LIBS),sign.o))
>> $(BOOTSTRAP_OBJS): $(LIBBPF_BOOTSTRAP)
>>
>> OBJS = $(patsubst %.c,$(OUTPUT)%.o,$(SRCS)) $(OUTPUT)disasm.o
>> diff --git a/tools/bpf/bpftool/main.c b/tools/bpf/bpftool/main.c
>> index a829a6a49037..c91e1a6e1a1e 100644
>> --- a/tools/bpf/bpftool/main.c
>> +++ b/tools/bpf/bpftool/main.c
>> @@ -131,6 +131,11 @@ static int do_version(int argc, char **argv)
>> const bool has_skeletons = false;
>> #else
>> const bool has_skeletons = true;
>> +#endif
>> +#ifdef BPFTOOL_WITHOUT_CRYPTO
>> + const bool has_crypto = false;
>> +#else
>> + const bool has_crypto = true;
>> #endif
>> bool bootstrap = false;
>> int i;
>> @@ -163,6 +168,7 @@ static int do_version(int argc, char **argv)
>> jsonw_start_object(json_wtr); /* features */
>> jsonw_bool_field(json_wtr, "libbfd", has_libbfd);
>> jsonw_bool_field(json_wtr, "llvm", has_llvm);
>> + jsonw_bool_field(json_wtr, "crypto", has_crypto);
>> jsonw_bool_field(json_wtr, "skeletons", has_skeletons);
>> jsonw_bool_field(json_wtr, "bootstrap", bootstrap);
>> jsonw_end_object(json_wtr); /* features */
>> @@ -181,6 +187,7 @@ static int do_version(int argc, char **argv)
>> printf("features:");
>> print_feature("libbfd", has_libbfd, &nb_features);
>> print_feature("llvm", has_llvm, &nb_features);
>> + print_feature("crypto", has_crypto, &nb_features);
>> print_feature("skeletons", has_skeletons, &nb_features);
>> print_feature("bootstrap", bootstrap, &nb_features);
>> printf("\n");
>> diff --git a/tools/bpf/bpftool/main.h b/tools/bpf/bpftool/main.h
>> index 1130299cede0..169392a4552d 100644
>> --- a/tools/bpf/bpftool/main.h
>> +++ b/tools/bpf/bpftool/main.h
>> @@ -293,6 +293,20 @@ struct kernel_config_option {
>> int read_kernel_config(const struct kernel_config_option *requested_options,
>> size_t num_options, char **out_values,
>> const char *define_prefix);
>> +#ifndef BPFTOOL_WITHOUT_CRYPTO
>> int bpftool_prog_sign(struct bpf_load_and_run_opts *opts);
>> __u32 register_session_key(const char *key_der_path);
>> +#else
>> +static inline int bpftool_prog_sign(struct bpf_load_and_run_opts *opts)
>> +{
>> + p_err("program signing requires libcrypto");
>
> we should probably say that "bpftool was built without signing
> support". It could be confusing to end-user as they might have
> libcrypto installed on their system, but this functionality will still
> not work
Agree
>
>> + return -ENOTSUP;
>> +}
>> +
>> +static inline __u32 register_session_key(const char *key_der_path)
>> +{
>> + p_err("program signing requires libcrypto");
>> + return -1;
>> +}
>> +#endif
>> #endif
>> diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
>> index 869b582b1d1f..e27501c06b56 100644
>> --- a/tools/testing/selftests/bpf/Makefile
>> +++ b/tools/testing/selftests/bpf/Makefile
>> @@ -41,6 +41,8 @@ LIBELF_LIBS := $(shell $(PKG_CONFIG) libelf --libs 2>/dev/null || echo -lelf)
>>
>> SKIP_DOCS ?=
>> SKIP_LLVM ?=
>> +SKIP_LIBBFD ?=
>> +SKIP_CRYPTO ?=
>>
>> ifeq ($(srctree),)
>> srctree := $(patsubst %/,%,$(dir $(CURDIR)))
>> @@ -333,6 +335,9 @@ $(DEFAULT_BPFTOOL): $(wildcard $(BPFTOOLDIR)/*.[ch] $(BPFTOOLDIR)/Makefile) \
>> OUTPUT=$(HOST_BUILD_DIR)/bpftool/ \
>> LIBBPF_OUTPUT=$(HOST_BUILD_DIR)/libbpf/ \
>> LIBBPF_DESTDIR=$(HOST_SCRATCH_DIR)/ \
>> + SKIP_LLVM=$(SKIP_LLVM) \
>> + SKIP_LIBBFD=$(SKIP_LIBBFD) \
>> + SKIP_CRYPTO=$(SKIP_CRYPTO) \
>> prefix= DESTDIR=$(HOST_SCRATCH_DIR)/ install-bin
>>
>> ifneq ($(CROSS_COMPILE),)
>> @@ -345,6 +350,9 @@ $(CROSS_BPFTOOL): $(wildcard $(BPFTOOLDIR)/*.[ch] $(BPFTOOLDIR)/Makefile) \
>> OUTPUT=$(BUILD_DIR)/bpftool/ \
>> LIBBPF_OUTPUT=$(BUILD_DIR)/libbpf/ \
>> LIBBPF_DESTDIR=$(SCRATCH_DIR)/ \
>> + SKIP_LLVM=$(SKIP_LLVM) \
>> + SKIP_LIBBFD=$(SKIP_LIBBFD) \
>> + SKIP_CRYPTO=$(SKIP_CRYPTO) \
>> prefix= DESTDIR=$(SCRATCH_DIR)/ install-bin
>> endif
>>
>>
>> ---
>> base-commit: ca0f39a369c5f927c3d004e63a5a778b08a9df94
>> change-id: 20260312-b4-bpftool_build-fe7d37d535bd
>>
>> Best regards,
>> --
>> Mykyta Yatsenko <yatsenko@meta.com>
>>
prev parent reply other threads:[~2026-03-12 23:49 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-12 17:13 [PATCH bpf-next] bpftool: Allow explicitly skip llvm, libbfd and libcrypto dependencies Mykyta Yatsenko
2026-03-12 20:33 ` Andrii Nakryiko
2026-03-12 23:49 ` Mykyta Yatsenko [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87ikb0a9rx.fsf@gmail.com \
--to=mykyta.yatsenko5@gmail.com \
--cc=andrii.nakryiko@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=kafai@meta.com \
--cc=kernel-team@meta.com \
--cc=yatsenko@meta.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox