* [Buildroot] [PATCH 1/1] package/network-manager: make cryptography library optional
From: Florian Larysch @ 2025-05-27 15:23 UTC (permalink / raw)
To: buildroot; +Cc: Florian Larysch
The network-manager package currently pulls in either gnutls or libnss,
neither of which are very common and it might be the only reason why
they are present on a system.
However, most of NetworkManager works just fine without any cryptography
support, it only seems to be used in test cases and 802.1X support code.
Make the crypto backend configurable and optional to make it possible to
avoid this dependency while keeping the default behavior the same.
Signed-off-by: Florian Larysch <fl@n621.de>
---
The select vs depends on thing is a bit hacky because I've tried to set
it up in a way that keeps the existing behavior for backwards
compatibility. I'm not even sure if this is the best way to go about it
or if all the options should maybe just depend on the respective
libraries to make it less implicit.
package/network-manager/Config.in | 22 +++++++++++++++++++++-
package/network-manager/network-manager.mk | 6 ++++--
2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/package/network-manager/Config.in b/package/network-manager/Config.in
index b388c573fe..4557174b7d 100644
--- a/package/network-manager/Config.in
+++ b/package/network-manager/Config.in
@@ -10,7 +10,6 @@ config BR2_PACKAGE_NETWORK_MANAGER
depends on BR2_TOOLCHAIN_HAS_THREADS # libglib2
depends on BR2_USE_WCHAR # libglib2
select BR2_PACKAGE_DBUS
- select BR2_PACKAGE_GNUTLS if !BR2_PACKAGE_LIBNSS
select BR2_PACKAGE_LIBGLIB2
select BR2_PACKAGE_LIBNDP
select BR2_PACKAGE_UTIL_LINUX
@@ -58,6 +57,27 @@ config BR2_PACKAGE_NETWORK_MANAGER_OVS
select BR2_PACKAGE_JANSSON
help
This option enables support for OpenVSwitch
+
+choice
+ prompt "Crypto backend"
+ default BR2_PACKAGE_NETWORK_MANAGER_CRYPTO_GNUTLS if !BR2_PACKAGE_LIBNSS
+ default BR2_PACKAGE_NETWORK_MANAGER_CRYPTO_LIBNSS if BR2_PACKAGE_LIBNSS
+ help
+ Select which library (if any) is used to provide cryptographic
+ operations for 802.1X, for example.
+
+config BR2_PACKAGE_NETWORK_MANAGER_CRYPTO_GNUTLS
+ bool "gnutls"
+ select BR2_PACKAGE_GNUTLS
+
+config BR2_PACKAGE_NETWORK_MANAGER_CRYPTO_LIBNSS
+ bool "libnss"
+ depends on BR2_PACKAGE_LIBNSS
+
+config BR2_PACKAGE_NETWORK_MANAGER_CRYPTO_NONE
+ bool "none"
+
+endchoice
endif
comment "NetworkManager needs udev /dev management and a glibc or musl toolchain w/ headers >= 5.4, dynamic library, wchar, threads, gcc >= 4.9"
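Review bot: the three entries of the new `choice` carry no help text, and for `BR2_PACKAGE_NETWORK_MANAGER_CRYPTO_NONE` that leaves the user with no hint of what is lost. A short `help` under `bool "none"` saying that NetworkManager is then built with `-Dcrypto=null` and that the 802.1X support code has no crypto backend would make the trade-off visible in menuconfig. The asymmetry between `select BR2_PACKAGE_GNUTLS` and `depends on BR2_PACKAGE_LIBNSS` also means the libnss entry stays hidden until libnss is enabled elsewhere, which deserves a comment.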
diff --git a/package/network-manager/network-manager.mk b/package/network-manager/network-manager.mk
index ab3a437838..14119f8fa2 100644
--- a/package/network-manager/network-manager.mk
+++ b/package/network-manager/network-manager.mk
@@ -76,12 +76,14 @@ else
NETWORK_MANAGER_CONF_OPTS += -Dconcheck=false
endif
-ifeq ($(BR2_PACKAGE_LIBNSS),y)
+ifeq ($(BR2_PACKAGE_NETWORK_MANAGER_CRYPTO_LIBNSS),y)
NETWORK_MANAGER_DEPENDENCIES += libnss
NETWORK_MANAGER_CONF_OPTS += -Dcrypto=nss
-else
+else ifeq ($(BR2_PACKAGE_NETWORK_MANAGER_CRYPTO_GNUTLS),y)
NETWORK_MANAGER_DEPENDENCIES += gnutls
NETWORK_MANAGER_CONF_OPTS += -Dcrypto=gnutls
+else ifeq ($(BR2_PACKAGE_NETWORK_MANAGER_CRYPTO_NONE),y)
+NETWORK_MANAGER_CONF_OPTS += -Dcrypto=null
endif
ifeq ($(BR2_PACKAGE_LIBPSL),y)
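Review bot: the chain now ends in `else ifeq ($(BR2_PACKAGE_NETWORK_MANAGER_CRYPTO_NONE),y)` with no plain `else`, so if none of the three symbols is set no `-Dcrypto=` option is passed at all and the backend falls to whatever the NetworkManager build system defaults to. The `choice` should guarantee that exactly one symbol is set, but ending with a plain `else` that sets `-Dcrypto=null` keeps the configure line explicit in every case.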
--
2.49.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH 1/1] package/network-manager: make cryptography library optional
From: Thomas Petazzoni via buildroot @ 2025-05-30 20:01 UTC (permalink / raw)
To: Florian Larysch; +Cc: buildroot
Hello Florian,
Thanks for the patch!
On Tue, 27 May 2025 17:23:38 +0200
Florian Larysch <fl@n621.de> wrote:
> The network-manager package currently pulls in either gnutls or libnss,
> neither of which are very common and it might be the only reason why
> they are present on a system.
>
> However, most of NetworkManager works just fine without any cryptography
> support, it only seems to be used in test cases and 802.1X support code.
>
> Make the crypto backend configurable and optional to make it possible to
> avoid this dependency while keeping the default behavior the same.
>
> Signed-off-by: Florian Larysch <fl@n621.de>
> ---
>
> The select vs depends on thing is a bit hacky because I've tried to set
> it up in a way that keeps the existing behavior for backwards
> compatibility. I'm not even sure if this is the best way to go about it
> or if all the options should maybe just depend on the respective
> libraries to make it less implicit.
In this kind of situation, I'm not sure keeping backward compatibility
is really a good idea. Indeed, we have two conflicting goals:
(1) Not break backward compatibility. This would encourage in
continuing to automatically select gnutls as a dependency of
network-manager, like your patch does
(2) Have minimal dependencies by default, which is one of the great
things about Buildroot: it doesn't pull in needless stuff for no
reason. This would encourage NOT automatically selecting any crypto
library by default.
And I think my preference goes to (2) in this situation.
> -ifeq ($(BR2_PACKAGE_LIBNSS),y)
> +ifeq ($(BR2_PACKAGE_NETWORK_MANAGER_CRYPTO_LIBNSS),y)
> NETWORK_MANAGER_DEPENDENCIES += libnss
> NETWORK_MANAGER_CONF_OPTS += -Dcrypto=nss
> -else
> +else ifeq ($(BR2_PACKAGE_NETWORK_MANAGER_CRYPTO_GNUTLS),y)
> NETWORK_MANAGER_DEPENDENCIES += gnutls
> NETWORK_MANAGER_CONF_OPTS += -Dcrypto=gnutls
> +else ifeq ($(BR2_PACKAGE_NETWORK_MANAGER_CRYPTO_NONE),y)
> +NETWORK_MANAGER_CONF_OPTS += -Dcrypto=null
> endif
So the change would be just:
ifeq ($(BR2_PACKAGE_LIBNSS),y)
NETWORK_MANAGER_DEPENDENCIES += libnss
NETWORK_MANAGER_CONF_OPTS += -Dcrypto=nss
else ifeq ($(BR2_PACKAGE_GNUTLS),y)
NETWORK_MANAGER_DEPENDENCIES += gnutls
NETWORK_MANAGER_CONF_OPTS += -Dcrypto=gnutls
else
NETWORK_MANAGER_CONF_OPTS += -Dcrypto=null
endif
and of course drop the select in Config.in. We might discuss whether
gnutls should take priority on libnss if both are available. Maybe NM
documents that one is "better" over the other?
Thanks!
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
* Re: [Buildroot] [PATCH 1/1] package/network-manager: make cryptography library optional
From: Florian Larysch @ 2025-05-30 22:11 UTC (permalink / raw)
To: Thomas Petazzoni; +Cc: buildroot
Hi Thomas,
thank you for your comments!
On Fri, May 30, 2025 at 10:01:25PM +0200, Thomas Petazzoni wrote:
> Indeed, we have two conflicting goals:
> (1) Not break backward compatibility. [...]
> (2) Have minimal dependencies by default [...]
> And I think my preference goes to (2) in this situation.
Okay great, I think that's the preferable option too if breaking
compatibility is fine. I'll send a new version of the patch.
Is there a list of breaking changes I should add to?
> We might discuss whether gnutls should take priority on libnss if both
> are available. Maybe NM documents that one is "better" over the other?
I haven't found any explicit statements to either effect. Support for
both libraries has been present from day one back in 2007.
Data points in favor of libnss:
- It's the default value in the NM build system, so it would be the
preferred backend if both are available
- It's probably the more mature of the two, given that it's being used
in Mozilla products
Data points in favor of gnutls:
- While both backends seem feature-equivalent, the
_nm_crypto_verify_pkcs8 function is stubbed out in the libnss code[1]
- Both Debian and Fedora explicitly select gnutls in their packages. I
can't find the reasoning for Debian but at least for Fedora it seems
to have been a conscious choice[2].
Given what it's actually used for in the code base, I don't think the
choice really matters much when both options are available. I'd slightly
lean towards gnutls just because it's marginally more feature-complete.
How do you feel about this?
Florian
[1] https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/36f8de25c487fe1570a19fe917c85ec065b0339e/src/libnm-crypto/nm-crypto-nss.c#L523-540
[2] https://src.fedoraproject.org/rpms/NetworkManager/c/29a9c41beafb5e549c10bfb50ee23ee47bdbc42f?branch=rawhide
* Re: [Buildroot] [PATCH 1/1] package/network-manager: make cryptography library optional
From: Thomas Petazzoni via buildroot @ 2025-05-31 8:56 UTC (permalink / raw)
To: Florian Larysch; +Cc: buildroot
Hello Florian,
On Sat, 31 May 2025 00:11:36 +0200
Florian Larysch <fl@n621.de> wrote:
> Okay great, I think that's the preferable option too if breaking
> compatibility is fine. I'll send a new version of the patch.
>
> Is there a list of breaking changes I should add to?
You can add it to:
docs/manual/migrating.adoc
in a new section "Migration to 2025.08", since your change will be
applied to "next", which will only appear in the 2025.08 release.
> > We might discuss whether gnutls should take priority on libnss if both
> > are available. Maybe NM documents that one is "better" over the other?
>
> I haven't found any explicit statements to either effect. Support for
> both libraries has been present from day one back in 2007.
>
> Data points in favor of libnss:
>
> - It's the default value in the NM build system, so it would be the
> preferred backend if both are available
>
> - It's probably the more mature of the two, given that it's being used
> in Mozilla products
>
> Data points in favor of gnutls:
>
> - While both backends seem feature-equivalent, the
> _nm_crypto_verify_pkcs8 function is stubbed out in the libnss code[1]
>
> - Both Debian and Fedora explicitly select gnutls in their packages. I
> can't find the reasoning for Debian but at least for Fedora it seems
> to have been a conscious choice[2].
>
> Given what it's actually used for in the code base, I don't think the
> choice really matters much when both options are available. I'd slightly
> lean towards gnutls just because it's marginally more feature-complete.
> How do you feel about this?
Wow, thanks for this super comprehensive research. I'm totally fine
with your reasoning. Make sure to copy/paste this whole research into
your commit log as the justification of why gnutls has been chosen as
the default.
Thanks a lot!
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
* [Buildroot] [PATCH v2 0/2] package/network-manager: make crypto library optional
From: Florian Larysch @ 2025-05-31 14:39 UTC (permalink / raw)
To: buildroot; +Cc: Florian Larysch
This is v2 of the patch that removes the dependency of NetworkManager on
a crypto library.
As discussed, I've done away with the Kconfig options - the package will
now use a library if and only if it is already present. That breaking
change is also documented in the manual now.
Also, I've changed the package from linking against libnss to gnutls if
both are present. I've split this out into a separate patch since this
is a somewhat unrelated change after all. Even after reasoning through
it, I'm not sure if this is worth the churn though. Feel free to drop
that particular change if you feel the same.
Florian Larysch (2):
package/network-manager: make crypto library optional
package/network-manager: switch default crypto provider to gnutls
docs/manual/migrating.adoc | 8 ++++++++
package/network-manager/Config.in | 1 -
package/network-manager/network-manager.mk | 8 +++++---
3 files changed, 13 insertions(+), 4 deletions(-)
--
2.49.0
* [Buildroot] [PATCH v2 1/2] package/network-manager: make crypto library optional
From: Florian Larysch @ 2025-05-31 14:39 UTC (permalink / raw)
To: buildroot; +Cc: Florian Larysch
The network-manager package currently pulls in either gnutls or libnss,
neither of which are very common and it might be the only reason why
they are present on a system.
However, most of NetworkManager works just fine without any cryptography
support, it only seems to be used in test cases and 802.1X support code.
Remove the dependency but use a library if it is present.
Note that this changes the default behavior. If network-manager was the
only package pulling in gnutls, it won't do this anymore and use the
"null" backend. Add a note about this to the manual.
Signed-off-by: Florian Larysch <fl@n621.de>
---
docs/manual/migrating.adoc | 8 ++++++++
package/network-manager/Config.in | 1 -
package/network-manager/network-manager.mk | 4 +++-
3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/docs/manual/migrating.adoc b/docs/manual/migrating.adoc
index ac40197147..d5e13b1081 100644
--- a/docs/manual/migrating.adoc
+++ b/docs/manual/migrating.adoc
@@ -215,3 +215,11 @@ Cargo.lock file mandatory and the change from +.cargo/config+ to
+.cargo/config.toml+, tarballs generated by Cargo-fetched packages
have changed. Therefore the suffix of such tarballs has been changed
from +-cargo2+ to +-cargo4+.
+
+[[migrating-2025.08]]
+=== Migrating to 2025.08
+
+In 2025.08, the network-manager package stopped selecting the gnutls package as
+a cryptography backend automatically. Manually enable the gnutls or libnss
+package if you require features that depend on a cryptography backend, such as
+certificate-based authentication.
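Review bot: the added paragraph says gnutls is no longer selected but not what the package does instead. State that network-manager is then built with the "null" backend, since the `.mk` falls back to `-Dcrypto=null` rather than failing, and name 802.1X alongside certificate-based authentication, so a reader upgrading a configuration knows the change will not show up as a build error.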
diff --git a/package/network-manager/Config.in b/package/network-manager/Config.in
index b388c573fe..c3d9f7b655 100644
--- a/package/network-manager/Config.in
+++ b/package/network-manager/Config.in
@@ -10,7 +10,6 @@ config BR2_PACKAGE_NETWORK_MANAGER
depends on BR2_TOOLCHAIN_HAS_THREADS # libglib2
depends on BR2_USE_WCHAR # libglib2
select BR2_PACKAGE_DBUS
- select BR2_PACKAGE_GNUTLS if !BR2_PACKAGE_LIBNSS
select BR2_PACKAGE_LIBGLIB2
select BR2_PACKAGE_LIBNDP
select BR2_PACKAGE_UTIL_LINUX
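Review bot: with the `select BR2_PACKAGE_GNUTLS if !BR2_PACKAGE_LIBNSS` line gone, nothing in this Config.in entry tells the user that a crypto backend is now opt-in. Consider a sentence in the `BR2_PACKAGE_NETWORK_MANAGER` help text saying that gnutls or libnss must be enabled separately for features that need cryptography.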
diff --git a/package/network-manager/network-manager.mk b/package/network-manager/network-manager.mk
index ab3a437838..4192f121c0 100644
--- a/package/network-manager/network-manager.mk
+++ b/package/network-manager/network-manager.mk
@@ -79,9 +79,11 @@ endif
ifeq ($(BR2_PACKAGE_LIBNSS),y)
NETWORK_MANAGER_DEPENDENCIES += libnss
NETWORK_MANAGER_CONF_OPTS += -Dcrypto=nss
-else
+else ifeq ($(BR2_PACKAGE_GNUTLS),y)
NETWORK_MANAGER_DEPENDENCIES += gnutls
NETWORK_MANAGER_CONF_OPTS += -Dcrypto=gnutls
+else
+NETWORK_MANAGER_CONF_OPTS += -Dcrypto=null
endif
ifeq ($(BR2_PACKAGE_LIBPSL),y)
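Review bot: the backend is now decided only by which of `BR2_PACKAGE_LIBNSS` and `BR2_PACKAGE_GNUTLS` happen to be enabled, and the final `else` switches to `-Dcrypto=null` without any message. A comment above the block giving the order (libnss, then gnutls, then null) would make this easier to follow, since enabling an unrelated package that selects one of the libraries now changes how NetworkManager is linked.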
--
2.49.0
* [Buildroot] [PATCH v2 2/2] package/network-manager: switch default crypto provider to gnutls
From: Florian Larysch @ 2025-05-31 14:39 UTC (permalink / raw)
To: buildroot; +Cc: Florian Larysch
Currently, when both libnss and GnuTLS are present, NetworkManager will
get linked to libnss.
The NetworkManager project doesn't recommend one over the other
officially and has supported both from day one back in 2007.
Arguments which one to prefer can be made in either direction:
Points in favor of libnss:
- It's the default value in the NM build system, so it would be the
preferred backend if both are available and we didn't supply any
options to the build process
- It's probably the more mature of the two, given that it's being used
in Mozilla products
Points in favor of GnuTLS:
- While both backends seem feature-equivalent, the
_nm_crypto_verify_pkcs8 function is stubbed out in the libnss
code[1].
- Both Debian and Fedora explicitly select GnuTLS in their packages. At
least in the case of Fedora it seems to have been a conscious
choice[2].
Given what it's actually used for in the code base, the choice does not
matter a lot. However, since it is marginally more feature-complete and
seems to be preferred by other distributions, let's switch to GnuTLS.
[1] https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/36f8de25c487fe1570a19fe917c85ec065b0339e/src/libnm-crypto/nm-crypto-nss.c#L523-540
[2] https://src.fedoraproject.org/rpms/NetworkManager/c/29a9c41beafb5e549c10bfb50ee23ee47bdbc42f?branch=rawhide
Signed-off-by: Florian Larysch <fl@n621.de>
---
package/network-manager/network-manager.mk | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/package/network-manager/network-manager.mk b/package/network-manager/network-manager.mk
index 4192f121c0..fff3f129ad 100644
--- a/package/network-manager/network-manager.mk
+++ b/package/network-manager/network-manager.mk
@@ -76,12 +76,12 @@ else
NETWORK_MANAGER_CONF_OPTS += -Dconcheck=false
endif
-ifeq ($(BR2_PACKAGE_LIBNSS),y)
-NETWORK_MANAGER_DEPENDENCIES += libnss
-NETWORK_MANAGER_CONF_OPTS += -Dcrypto=nss
-else ifeq ($(BR2_PACKAGE_GNUTLS),y)
+ifeq ($(BR2_PACKAGE_GNUTLS),y)
NETWORK_MANAGER_DEPENDENCIES += gnutls
NETWORK_MANAGER_CONF_OPTS += -Dcrypto=gnutls
+else ifeq ($(BR2_PACKAGE_LIBNSS),y)
+NETWORK_MANAGER_DEPENDENCIES += libnss
+NETWORK_MANAGER_CONF_OPTS += -Dcrypto=nss
else
NETWORK_MANAGER_CONF_OPTS += -Dcrypto=null
endif
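Review bot: swapping the two branches changes the backend from nss to gnutls for every configuration that enables both libraries, and neither this hunk nor the migration note added in patch 1/2 says so. A one-line comment above `ifeq ($(BR2_PACKAGE_GNUTLS),y)` stating that gnutls is preferred when both are present, plus a sentence in `docs/manual/migrating.adoc`, would keep the reasoning from living only in the commit message.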
--
2.49.0
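To check an existing configuration against the behaviour this series introduces, the following added example (not part of the thread or of Buildroot) resolves the backend that network-manager.mk would pick from an expanded `.config`, using the order after both patches (gnutls, then libnss, then null). The function names are hypothetical, and it assumes the `.config` was regenerated in the updated tree.

```shell
#!/bin/sh
# Added example: report which -Dcrypto= backend NetworkManager gets for a
# Buildroot .config once both patches of this series are applied.
# Function names are hypothetical; symbol names are the ones in the patches.

# has_sym FILE SYMBOL: succeed if FILE has the exact line "SYMBOL=y".
# -x matches whole lines, so "# SYMBOL is not set" and longer symbols
# such as BR2_PACKAGE_NETWORK_MANAGER_TUI do not match.
has_sym() {
    grep -qx "$2=y" "$1" 2>/dev/null
}

# nm_crypto_backend FILE: print gnutls, nss, null, or disabled.
# Order follows network-manager.mk after patch 2/2.
nm_crypto_backend() {
    cfg=$1
    if ! has_sym "$cfg" BR2_PACKAGE_NETWORK_MANAGER; then
        echo disabled
    elif has_sym "$cfg" BR2_PACKAGE_GNUTLS; then
        echo gnutls
    elif has_sym "$cfg" BR2_PACKAGE_LIBNSS; then
        echo nss
    else
        echo null
    fi
}

# nm_crypto_check FILE: return 1 when NetworkManager would be built
# without a crypto backend, so the check can gate a CI job.
nm_crypto_check() {
    backend=$(nm_crypto_backend "$1")
    case $backend in
        null)
            echo "$1: network-manager builds with -Dcrypto=null;" \
                 "enable BR2_PACKAGE_GNUTLS or BR2_PACKAGE_LIBNSS" \
                 "if 802.1X is needed" >&2
            return 1 ;;
        *)
            echo "$1: network-manager crypto backend: $backend"
            return 0 ;;
    esac
}

# Constructed sample: NetworkManager enabled, no crypto library enabled.
sample=$(mktemp)
printf '%s\n' \
    'BR2_PACKAGE_NETWORK_MANAGER=y' \
    '# BR2_PACKAGE_GNUTLS is not set' \
    '# BR2_PACKAGE_LIBNSS is not set' > "$sample"
nm_crypto_check "$sample" || true
rm -f "$sample"
```

A minimal defconfig does not list symbols that were only selected by other packages, so run the check on the full `.config` rather than on the defconfig.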
* Re: [Buildroot] [PATCH v2 1/2] package/network-manager: make crypto library optional
From: Marcus Hoffmann via buildroot @ 2025-07-08 9:13 UTC (permalink / raw)
To: Florian Larysch, buildroot
Hi Florian,
this is great, as it saves quite a bit of disk space by not requiring
gnutls + dependency chain anymore :).
On 31.05.25 16:39, Florian Larysch wrote:
> The network-manager package currently pulls in either gnutls or libnss,
> neither of which are very common and it might be the only reason why
> they are present on a system.
>
> However, most of NetworkManager works just fine without any cryptography
> support, it only seems to be used in test cases and 802.1X support code.
>
> Remove the dependency but use a library if it is present.
>
> Note that this changes the default behavior. If network-manager was the
> only package pulling in gnutls, it won't do this anymore and use the
> "null" backend. Add a note about this to the manual.
>
> Signed-off-by: Florian Larysch <fl@n621.de>
Tested-by: Marcus Hoffmann <buildroot@bubu1.eu>
Reviewed-by: Marcus Hoffmann <buildroot@bubu1.eu>
> ---
[...]
* Re: [Buildroot] [PATCH v2 2/2] package/network-manager: switch default crypto provider to gnutls
From: Marcus Hoffmann via buildroot @ 2025-07-08 9:16 UTC (permalink / raw)
To: Florian Larysch, buildroot
This looks sensible as well.
On 31.05.25 16:39, Florian Larysch wrote:
> Currently, when both libnss and GnuTLS are present, NetworkManager will
> get linked to libnss.
>
> The NetworkManager project doesn't recommend one over the other
> officially and has supported both from day one back in 2007.
>
> Arguments which one to prefer can be made in either direction:
>
> Points in favor of libnss:
>
> - It's the default value in the NM build system, so it would be the
> preferred backend if both are available and we didn't supply any
> options to the build process
>
> - It's probably the more mature of the two, given that it's being used
> in Mozilla products
>
> Points in favor of GnuTLS:
>
> - While both backends seem feature-equivalent, the
> _nm_crypto_verify_pkcs8 function is stubbed out in the libnss
> code[1].
>
> - Both Debian and Fedora explicitly select GnuTLS in their packages. At
> least in the case of Fedora it seems to have been a conscious
> choice[2].
>
> Given what it's actually used for in the code base, the choice does not
> matter a lot. However, since it is marginally more feature-complete and
> seems to be preferred by other distributions, let's switch to GnuTLS.
>
> [1] https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/36f8de25c487fe1570a19fe917c85ec065b0339e/src/libnm-crypto/nm-crypto-nss.c#L523-540
> [2] https://src.fedoraproject.org/rpms/NetworkManager/c/29a9c41beafb5e549c10bfb50ee23ee47bdbc42f?branch=rawhide
>
> Signed-off-by: Florian Larysch <fl@n621.de>
> ---
Reviewed-by: Marcus Hoffmann <buildroot@bubu1.eu>
* Re: [Buildroot] [PATCH v2 0/2] package/network-manager: make crypto library optional
From: Florian Larysch @ 2025-11-17 13:01 UTC (permalink / raw)
To: thomas.petazzoni; +Cc: buildroot
Hi Thomas,
how do you feel about the v2 of this series? I've been carrying it in
our internal tree for a while now and I'd like to minimize the diffs to
upstream, so an ACK or NACK would help me to know whether I should keep
or drop it.
Thanks!
Florian
* Re: [Buildroot] [PATCH v2 1/2] package/network-manager: make crypto library optional
From: Marcus Hoffmann via buildroot @ 2026-02-03 22:01 UTC (permalink / raw)
To: Florian Larysch, buildroot
On 5/31/25 16:39, Florian Larysch wrote:
> The network-manager package currently pulls in either gnutls or libnss,
> neither of which are very common and it might be the only reason why
> they are present on a system.
>
> However, most of NetworkManager works just fine without any cryptography
> support, it only seems to be used in test cases and 802.1X support code.
>
> Remove the dependency but use a library if it is present.
>
> Note that this changes the default behavior. If network-manager was the
> only package pulling in gnutls, it won't do this anymore and use the
> "null" backend. Add a note about this to the manual.
>
> Signed-off-by: Florian Larysch <fl@n621.de>
Series applied to master, thanks!
Marcus