Google Git
Sign in
nest-open-source / manifest_repos / nss / 4c27b2c95aa58cee220d6d993f969b63a7261e83 / . / build.sh
blob: a143eeefa5890da3b8efc2dcca513ddefb3cdb7e [file] [log] [blame]
#!/bin/bash
# Script to build NSS and NSPR for a target architecture. Requires that
# we also build on our host and use some of the resulting binaries.
set -o errtrace
trap 'echo Fatal error: script $0 aborting at line $LINENO, command \"$BASH_COMMAND\" returned $?; exit 1' ERR
readonly LOCAL_PATH=$(dirname $0)
echo '################## NSS ENVIRONMENT ##########################'
echo export TARGET_CC=${TARGET_CC}
echo export TARGET_CFLAGS=${TARGET_CFLAGS}
echo export TARGET_LDFLAGS=${TARGET_LDFLAGS}
echo export TARGET_AR=${TARGET_AR}
echo export TARGET_OUT=${TARGET_OUT}
echo export TARGET_ARCH=${TARGET_ARCH}
echo export HOST_OUT=${HOST_OUT}
echo export NSS_SRC_TAR_GZ=${NSS_SRC_TAR_GZ}
echo export NSS_TOP_DIR=${NSS_TOP_DIR}
echo export CURDIR=${CURDIR}
echo export INSTALL_SYSROOT=${INSTALL_SYSROOT}
echo '################## END NSS ENVIRONMENT #######################'
# Check to make sure we have everything we need for both builds.
if [ -z "${TARGET_CC}" -o -z "${TARGET_CFLAGS}" -o -z "${TARGET_LDFLAGS}" -o \
-z "${TARGET_AR}" -o -z "${TARGET_OUT}" -o \
-z "${TARGET_ARCH}" -o -z "${HOST_OUT}" -o -z "${NSS_SRC_TAR_GZ}" -o \
-z "${NSS_TOP_DIR}" -o -z "${CURDIR}" ]; then
echo "$0: Missing environment variables needed for build"
exit 1
fi
# Derive the NSS flags from the target cflags with exceptions
# noted below:
#
# 1) -Ox: we only support optimized target builds
# (see BUILD_OPT, enable/disable switches below).
# 2) -fpic won't work, upgrade to -fPIC.
# 3) NSS has some questionable string literal comparisons, we
# need to disable error=address or it won't compile.
# 4) Remove ANDROID defines, includes, DEBUG settings, etc.
# (NSS configure script should figure out the right values).
# 5) Suppress warnings due to compiler bug
# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=56273
readonly NSS_CFLAGS=$(echo ${TARGET_CFLAGS} \
-Wno-error=array-bounds \
-Wno-error=empty-body \
-Wno-error=old-style-declaration \
-Wno-error=switch \
-Wno-error=type-limits \
-Wno-missing-field-initializers \
-Wno-sign-compare \
| sed \
-e 's/ -O[s0123] / /g' \
-e 's/ -fpic / -fPIC /g' \
-e 's/ -Werror=address / /g' \
-e 's/ -Wstrict-aliasing=2 / /g' \
-e 's/ -DANDROID / /g' \
-e 's/ -D__ANDROID__ / /g' \
-e 's/ -DNDEBUG / /g' \
-e 's/ -UDEBUG / /g' \
-e 's/ -include .*\/AndroidConfig-glibc.h / /g' \
-e 's/ -I system\/.*\/arch-arm / /g' \
-e 's/ -I system\/.*\/linux-arm\/ / /g' \
-e 's/ -I system\/.*\/glibc_bridge\/include / /g')
# This still leaves us with lots of important flags which we will use
# to insure compatiblity with the other binaries we will link with
# (e.g. arm v.s. thumb, fixes for unwinding stacks, extra warning checks, etc).
test \! -z "${NSS_CFLAGS}"
# These are relative paths (from the android root).
readonly HOST_OUT_INTERMEDIATES=${HOST_OUT}/obj
readonly TARGET_OUT_INTERMEDIATES=${TARGET_OUT}/obj
# This needs to be an absolute path.
readonly TOP=${CURDIR}
# Top of our toolchain root. We need this to build
# and will be installing our headers & libs there.
readonly SYSROOT=${TOP}/${TARGET_OUT}/build_sysroot
# Sysroot to install nss files to
if [ -z "${INSTALL_SYSROOT}" ]; then
INSTALL_SYSROOT = ${SYSROOT}
fi
# Sub directory from which we build NSS.
readonly NSS_DIR=${NSS_TOP_DIR}/nss
# Setup any global NSS build parameters (for both host
# and target).
# Enable support for Elliptic curve cryptography (ECC).
# Some of the chrome unit tests use EC keys and will
# fail without this.
readonly NSS_ENABLE_ECC=1
export NSS_ENABLE_ECC
# First, build everything for the host. While only a few binaries
# are needed now, others might be useful later.
#
# Notes:
#
# We need nsinstall (for the target build).
# We need certutil (to create a system nssdb).
# We *may* need shlibsign (if we ever want to support FIPS 140).
# We need libraries associated with the above (certutil, shlibsign).
# Note: We make two copies of the source (for host and target)
# as the build process leaves build intermediates all over the
# place. It is simpler and cleaner to just keep two copies.
# Also by copying and building the sources in our intermediate
# directory, we keep from poluting our source tree.
# Untar host sources
rm -rf ${HOST_OUT_INTERMEDIATES}/${NSS_TOP_DIR}
mkdir -p ${HOST_OUT_INTERMEDIATES}
gunzip -dc ${NSS_SRC_TAR_GZ} | tar xfC - ${HOST_OUT_INTERMEDIATES}
# Do complete host build (assumes 64-bit)
pushd ${HOST_OUT_INTERMEDIATES}/${NSS_DIR}
make BUILD_OPT=1 CC=gcc USE_64=1 nss_build_all
popd
# Locate host commands.
readonly NSINSTALL=$(find \
${TOP}/${HOST_OUT_INTERMEDIATES}/${NSS_TOP_DIR}/nss/coreconf/nsinstall/ \
-name nsinstall -type f | head -1)
readonly CERTUTIL=$(find \
${TOP}/${HOST_OUT_INTERMEDIATES}/${NSS_TOP_DIR}/nss/ \
-name certutil -type f | head -1)
if [ \! -x "${NSINSTALL}" -o \! -x "${CERTUTIL}" ]; then
echo "$0: host commands not found"
exit 1
fi
# Now we are ready to build for the target, setup some variables
# we will need.
readonly TOOLCHAIN_PATH=$(dirname ${TARGET_CC})
readonly CC=$(basename ${TARGET_CC})
readonly AR=$(basename ${TARGET_AR})
export PATH=${PATH}:${TOP}/${TOOLCHAIN_PATH}
readonly TARGET=$(echo $CC | sed 's/-gcc$//')
# Untar target sources
rm -rf ${TARGET_OUT_INTERMEDIATES}/${NSS_TOP_DIR}
mkdir -p ${TARGET_OUT_INTERMEDIATES}
gunzip -dc ${NSS_SRC_TAR_GZ} | tar xfC - ${TARGET_OUT_INTERMEDIATES}
# Apply target patches, if any.
readonly PATCH_SRC=${TOP}/${LOCAL_PATH}/patches
pushd ${TARGET_OUT_INTERMEDIATES}/${NSS_TOP_DIR}/
${PATCH_SRC}/applypatches.sh
popd
# We need to build the target in steps, and each of the build
# components require differnt hacks to get them to cross compile
# with our toolchain / environment.
pushd ${TARGET_OUT_INTERMEDIATES}/${NSS_DIR}
# We can't sign right now, at least until libs are stripped.
# Since we don't use FIPS 140, just disable signing entirely.
readonly SHLIBSIGN=cmd/shlibsign/sign.sh
mv ${SHLIBSIGN} ${SHLIBSIGN}-old
cp ${TOP}/${LOCAL_PATH}/dummy-sign.sh ${SHLIBSIGN}
chmod 755 ${SHLIBSIGN}
# Build NSPR.
make BUILD_OPT=1 \
NSPR_CONFIGURE_OPTS="--target=${TARGET} --disable-debug --enable-optimize" \
CC=${CC} DSO_CFLAGS="${NSS_CFLAGS}" LDFLAGS="${TARGET_LDFLAGS}" CPU_TAG=_${TARGET_ARCH} \
NSINSTALL=${NSINSTALL} build_nspr
# Note: we don't define NSS_USE_SYSTEM_SQLITE, see comments in our gyp
# files. It would be nice if we could do this.
# Build NSS (depends on our system zlib).
XCFLAGS=""
DSO_LDOPTS="-shared"
XCFLAGS+=" -I${TOP}/external/zlib --sysroot=${SYSROOT}"
DSO_LDOPTS+=" --sysroot=${SYSROOT} ${TARGET_LDFLAGS}"
make BUILD_OPT=1 CPU_TAG=_${TARGET_ARCH} OS_TEST=${TARGET_ARCH} CC=${CC} \
DSO_CFLAGS="${NSS_CFLAGS}" AR="${AR} cr \$@" NSINSTALL=${NSINSTALL} \
XCFLAGS="${XCFLAGS}" DSO_LDOPTS="${DSO_LDOPTS}" all
popd
# Now install the target headers and libs into our toolchain
# so we can build content_shell. Also install libs for our
# run-time.
mkdir -p ${INSTALL_SYSROOT}/usr/include/nspr \
${INSTALL_SYSROOT}/usr/include/nss \
${INSTALL_SYSROOT}/usr/lib \
${TARGET_OUT}/system/lib \
${TARGET_OUT}/symbols/system/lib \
# Install headers for NSPR + NSS.
mkdir -p ${INSTALL_SYSROOT}/usr/include/nspr
cp -rpL ${TARGET_OUT_INTERMEDIATES}/${NSS_TOP_DIR}/dist/Linux*/include/* \
${INSTALL_SYSROOT}/usr/include/nspr
mkdir -p ${INSTALL_SYSROOT}/usr/include/nss
cp -rpL ${TARGET_OUT_INTERMEDIATES}/${NSS_TOP_DIR}/dist/public/nss/* \
${INSTALL_SYSROOT}/usr/include/nss
# Install libraries.
for i in libnss3.so libnssutil3.so libsmime3.so libplds4.so libplc4.so \
libnspr4.so libnssckbi.so libsqlite3.so libsoftokn3.so libfreebl3.so \
libfreeblpriv3.so; do
cp -pL ${TARGET_OUT_INTERMEDIATES}/${NSS_TOP_DIR}/dist/Linux*/lib/$i \
${INSTALL_SYSROOT}/usr/lib
cp -pL ${TARGET_OUT_INTERMEDIATES}/${NSS_TOP_DIR}/dist/Linux*/lib/$i \
${TARGET_OUT}/symbols/system/lib
# Note: this will get stripped during the build.
cp -pL ${TARGET_OUT_INTERMEDIATES}/${NSS_TOP_DIR}/dist/Linux*/lib/$i \
${TARGET_OUT}/system/lib
done
# Create a system-level certificate database to augment the root
# certs stored in libnssckbi.so. This system DB will by loaded
# by nss_util.cc at NSS initialization time.
#
# Note: For Eureka devices, this replaces the per-user cert DB
# usually loaded by NSS.
# We use this read-only system-level database to add certs not
# delivered as part of NSS's root cert library as well as to
# potentially modify trust settings (e.g. disable certs no
# longer trusted).
# Note: there is a symlink from /etc to /system/etc.
readonly NSSDB=${TARGET_OUT}/system/etc/pki/nssdb
rm -rf ${NSSDB}
mkdir -p ${NSSDB}
# Note: We use an insecure password as we will not be storing
# or encrypting private keys in this system db. The
# password should not be needed (or used) by content_shell
# as it will simply be retrieving certificates.
readonly PWDFILE=${LOCAL_PATH}/insecure-certdb-password.txt
# Use the new sql sharable nssdb format
readonly SYSDB="sql:${NSSDB}"
HOST_LIBRARY_PATH=$(echo ${HOST_OUT_INTERMEDIATES}/${NSS_TOP_DIR}/dist/Linux*/lib)
# Create the empty DB
LD_LIBRARY_PATH=${HOST_LIBRARY_PATH} \
${CERTUTIL} -N -d ${SYSDB} -f ${PWDFILE}
# Add any needed certs
# Modify trust for any certs (if needed).
# Example only:
#
#LD_LIBRARY_PATH=${HOST_LIBRARY_PATH} \
# ${CERTUTIL} -A -d ${SYSDB} -f ${PWDFILE} -t T,, -n "evilco.com" \
# -i "vendor/eureka/ssl-certs/usr/share/ca-certificates/evilco.crt"
exit 0