| Message ID | 20210706095924.764117-14-berrange@redhat.com |
|---|---|
| State | New |
| Headers | show |
| Series | crypto: misc cleanup and introduce gnutls backend driver | expand |
On Tue, Jul 06, 2021 at 10:59:19AM +0100, Daniel P. Berrangé wrote: > This introduces the build logic needed to decide whether we can > use gnutls as a crypto driver backend. The actual implementations > will be introduced in following patches. We only wish to use > gnutls if it has version 3.6.14 or newer, because that is what > finally brings HW accelerated AES-XTS mode for x86_64. > > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> > --- > meson.build | 36 ++++++++++++++++++++++++++++++++---- > 1 file changed, 32 insertions(+), 4 deletions(-) Again, take this with a grain of salt, since my meson skills are near zero. But the comments do a good job, and it looks sane. > diff --git a/meson.build b/meson.build > index 51b8f4ab75..6031f4f0b1 100644 > --- a/meson.build > +++ b/meson.build > @@ -811,11 +811,34 @@ if 'CONFIG_OPENGL' in config_host > endif > > gnutls = not_found > +gnutls_crypto = not_found > if not get_option('gnutls').auto() or have_system > - gnutls = dependency('gnutls', version: '>=3.5.18', > - method: 'pkg-config', > - required: get_option('gnutls'), > - kwargs: static_kwargs) > + # For general TLS support our min gnutls matches > + # that implied by our platform support matrix > + # > + # For the crypto backends, we look for a newer > + # gnutls: > + # > + # Version 3.6.8 is needed to get XTS > + # Version 3.6.13 is needed to get PBKDF > + # Version 3.6.14 is needed to get HW accelerated XTS > + # > + # If newer enough gnutls isn't available, we can > + # still use a different crypto backend to satisfy > + # the platform support requirements > + gnutls_crypto = dependency('gnutls', version: '>=3.6.14', > + method: 'pkg-config', > + required: get_option('gnutls'), > + kwargs: static_kwargs) > + if gnutls_crypto.found() > + gnutls = gnutls_crypto > + else > + # Our min version if all we need is TLS > + gnutls = dependency('gnutls', version: '>=3.5.18', > + method: 'pkg-config', > + required: get_option('gnutls'), > + kwargs: static_kwargs) TAB damage. With that fixed, Reviewed-by: Eric Blake <eblake@redhat.com>
diff --git a/meson.build b/meson.build index 51b8f4ab75..6031f4f0b1 100644 --- a/meson.build +++ b/meson.build @@ -811,11 +811,34 @@ if 'CONFIG_OPENGL' in config_host endif gnutls = not_found +gnutls_crypto = not_found if not get_option('gnutls').auto() or have_system - gnutls = dependency('gnutls', version: '>=3.5.18', - method: 'pkg-config', - required: get_option('gnutls'), - kwargs: static_kwargs) + # For general TLS support our min gnutls matches + # that implied by our platform support matrix + # + # For the crypto backends, we look for a newer + # gnutls: + # + # Version 3.6.8 is needed to get XTS + # Version 3.6.13 is needed to get PBKDF + # Version 3.6.14 is needed to get HW accelerated XTS + # + # If newer enough gnutls isn't available, we can + # still use a different crypto backend to satisfy + # the platform support requirements + gnutls_crypto = dependency('gnutls', version: '>=3.6.14', + method: 'pkg-config', + required: get_option('gnutls'), + kwargs: static_kwargs) + if gnutls_crypto.found() + gnutls = gnutls_crypto + else + # Our min version if all we need is TLS + gnutls = dependency('gnutls', version: '>=3.5.18', + method: 'pkg-config', + required: get_option('gnutls'), + kwargs: static_kwargs) + endif endif # Gcrypt has priority over nettle @@ -847,6 +870,9 @@ if (not get_option('nettle').auto() or have_system) and not gcrypt.found() xts = 'private' endif endif +if gcrypt.found() or nettle.found() + gnutls_crypto = not_found +endif gtk = not_found gtkx11 = not_found @@ -1219,6 +1245,7 @@ config_host_data.set('CONFIG_XKBCOMMON', xkbcommon.found()) config_host_data.set('CONFIG_KEYUTILS', keyutils.found()) config_host_data.set('CONFIG_GETTID', has_gettid) config_host_data.set('CONFIG_GNUTLS', gnutls.found()) +config_host_data.set('CONFIG_GNUTLS_CRYPTO', gnutls_crypto.found()) config_host_data.set('CONFIG_GCRYPT', gcrypt.found()) config_host_data.set('CONFIG_NETTLE', nettle.found()) config_host_data.set('CONFIG_QEMU_PRIVATE_XTS', xts == 'private') @@ -2719,6 +2746,7 @@ summary(summary_info, bool_yn: true, section: 'Block layer support') summary_info = {} summary_info += {'TLS priority': config_host['CONFIG_TLS_PRIORITY']} summary_info += {'GNUTLS support': gnutls.found()} +summary_info += {'GNUTLS crypto': gnutls_crypto.found()} # TODO: add back version summary_info += {'libgcrypt': gcrypt.found()} # TODO: add back version
This introduces the build logic needed to decide whether we can use gnutls as a crypto driver backend. The actual implementations will be introduced in following patches. We only wish to use gnutls if it has version 3.6.14 or newer, because that is what finally brings HW accelerated AES-XTS mode for x86_64. Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> --- meson.build | 36 ++++++++++++++++++++++++++++++++---- 1 file changed, 32 insertions(+), 4 deletions(-)