Bump openssl to 3.0 and dlopen it #420
Closed
evelikov wants to merge 5 commits into
Collaborator
Author
v2: Add/install a valgrind suppression file, to silence (most of) the complaints brought by using dlopen.
d80d222 to 24ba5dd
Collaborator
Author
v3:
lucasdemarchi
approved these changes
Apr 23, 2026
OpenSSL 3.0 introduces semantic versioning, thus one can reason about
the supported (and/or broken) API/ABI by glancing at the number.
Version 3.0 was released in late 2021 and is adopted by, at least:
- CentOS Stream 9
- Debian 11 aka oldoldstable
- Fedora 38
- openSUSE Leap 15.5
- Ubuntu 22.04
This means that some older, yet maintained, enterprise-y linuxes will be
left in the dark. Namely:
- RHEL 6,7
- SLES 11,12,15?
- Ubuntu {14,16,18,20}.04
To the best of my knowledge, all of them are in deep maintenance mode
and do not target latest kmod releases.
Bumping the requirement allows us to focus on a single DSO and its API,
as we move to dlopen(libcrypto.so) with the next commit(s).
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
Signed-off-by: Lucas De Marchi <demarchi@kernel.org>
Use dlfcn helpers to load libcrypto once it's needed.
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
Signed-off-by: Lucas De Marchi <demarchi@kernel.org>
Follow the new spec for ELF notes as detailed in
https://systemd.io/ELF_PACKAGE_METADATA/. We can copy mostly verbatim
the macros from systemd codebase.
Example output:
    $ meson setup --native-file build-dev.ini -Ddlopen=openssl build
    ...
    dlopen : openssl
    features : +ZSTD +XZ +ZLIB +OPENSSL
    $ dlopen-notes.py build/libkmod.so.2
    # build/libkmod.so.2
    [
      {
        "feature": "openssl",
        "description": "Support for reading module signatures",
        "priority": "suggested",
        "soname": [
          "libcrypto.so.3"
        ]
      }
    ]
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
Signed-off-by: Lucas De Marchi <demarchi@kernel.org>
As of earlier commit, all dependencies can be dlopen'd on demand. Do
that for all optional libraries by default, but still allow it to be
overridden during build.
Example numbers/benefits taken from `modprobe --show-depends nouveau`:
- fewer instr - 50% reduction, 1.2M -> 0.5M
- less memory use - Rss by ~33%, 3M -> 2M
- reduced attack surface
Signed-off-by: Lucas De Marchi <demarchi@kernel.org>
We're leaking some dlopen handles, by design. It is cleaned up when the
process is closed and there is no reason to be concerned/alarmed.
To indicate that, let's ship a valgrind suppression file. Admittedly
these are not 100% enough since depending on the c runtime and/or
version it can leak some global state, which gets caught. The newer the
glibc version, the more likely it is to exhibit such behaviour.
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
Signed-off-by: Lucas De Marchi <demarchi@kernel.org>
24ba5dd to 947e140
lucasdemarchi
pushed a commit
that referenced
this pull request
May 7, 2026
OpenSSL 3.0 introduces semantic versioning, thus one can reason about
the supported (and/or broken) API/ABI by glancing at the number.
Version 3.0 was released in late 2021 and is adopted by, at least:
- CentOS Stream 9
- Debian 11 aka oldoldstable
- Fedora 38
- openSUSE Leap 15.5
- Ubuntu 22.04
This means that some older, yet maintained, enterprise-y linuxes will be
left in the dark. Namely:
- RHEL 6,7
- SLES 11,12,15?
- Ubuntu {14,16,18,20}.04
To the best of my knowledge, all of them are in deep maintenance mode
and do not target latest kmod releases.
Bumping the requirement allows us to focus on a single DSO and its API,
as we move to dlopen(libcrypto.so) with the next commit(s).
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
Link: #420
Signed-off-by: Lucas De Marchi <demarchi@kernel.org>
lucasdemarchi
pushed a commit
that referenced
this pull request
May 7, 2026
Use dlfcn helpers to load libcrypto once it's needed.
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
Link: #420
Signed-off-by: Lucas De Marchi <demarchi@kernel.org>
lucasdemarchi
pushed a commit
that referenced
this pull request
May 7, 2026
Follow the new spec for ELF notes as detailed in
https://systemd.io/ELF_PACKAGE_METADATA/. We can copy mostly verbatim
the macros from systemd codebase.
Example output:
    $ meson setup --native-file build-dev.ini -Ddlopen=openssl build
    ...
    dlopen : openssl
    features : +ZSTD +XZ +ZLIB +OPENSSL
    $ dlopen-notes.py build/libkmod.so.2
    # build/libkmod.so.2
    [
      {
        "feature": "openssl",
        "description": "Support for reading module signatures",
        "priority": "suggested",
        "soname": [
          "libcrypto.so.3"
        ]
      }
    ]
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
Link: #420
Signed-off-by: Lucas De Marchi <demarchi@kernel.org>
lucasdemarchi
added a commit
that referenced
this pull request
May 7, 2026
As of earlier commit, all dependencies can be dlopen'd on demand. Do
that for all optional libraries by default, but still allow it to be
overridden during build.
Example numbers/benefits taken from `modprobe --show-depends nouveau`:
- fewer instr - 50% reduction, 1.2M -> 0.5M
- less memory use - Rss by ~33%, 3M -> 2M
- reduced attack surface
Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
Link: #420
Signed-off-by: Lucas De Marchi <demarchi@kernel.org>
lucasdemarchi
pushed a commit
that referenced
this pull request
May 7, 2026
We're leaking some dlopen handles, by design. It is cleaned up when the
process is closed and there is no reason to be concerned/alarmed.
To indicate that, let's ship a valgrind suppression file. Admittedly
these are not 100% enough since depending on the c runtime and/or
version it can leak some global state, which gets caught. The newer the
glibc version, the more likely it is to exhibit such behaviour.
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
Link: #420
Signed-off-by: Lucas De Marchi <demarchi@kernel.org>
Contributor
Applied, thanks!
Bit of a follow-up to #47, this allows us to dlopen the final dependency - openssl.
Due to their unique versioning for 1.0/1.1 and extensive use of macros/inline functions in their API, I've bumped the requirement to 3.0 as a prep. This should be fine for anything but the deep maintenance mode enterprise linuxes, which are not targeting the latest kmod AFAICT.
With that done, recommend the use of `-D dlopen=all` since it can bring measurable/noticeable perf/memory improvements.
NOTE: while the compression libraries are tagged "recommended", libcrypto is only suggested since the only user that I could find is `modinfo`.
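
The dlopen metadata described in the ELF-notes commit can be read back to audit which libraries a binary may load at runtime. The following is an added example, not code from kmod or systemd: it parses the raw bytes of a note section and groups the declared sonames by priority. The owner `FDO`, the note type `0x407c0c0a` and the default priority are taken from the systemd dlopen-metadata spec rather than from this page; the helper names and the sample bytes are constructed for illustration.

```python
import json
import struct

# Owner/type from the systemd dlopen-metadata spec (assumed; not shown on this page).
DLOPEN_OWNER, DLOPEN_TYPE = b"FDO", 0x407C0C0A

def pad4(n):
    return (n + 3) & ~3  # note name/desc fields are 4-byte aligned

def make_note(owner, ntype, desc):
    """Build one little-endian ELF note; used only to construct sample input."""
    name, body = owner + b"\0", desc + b"\0"
    return (struct.pack("<III", len(name), len(body), ntype)
            + name.ljust(pad4(len(name)), b"\0")
            + body.ljust(pad4(len(body)), b"\0"))

def parse_dlopen_notes(section):
    """Return the JSON entries of every FDO dlopen note in raw section bytes."""
    entries, off = [], 0
    while off + 12 <= len(section):
        namesz, descsz, ntype = struct.unpack_from("<III", section, off)
        name_off = off + 12
        desc_off = name_off + pad4(namesz)
        if desc_off + descsz > len(section):
            raise ValueError(f"truncated note at offset {off}")
        owner = section[name_off:name_off + namesz].rstrip(b"\0")
        if owner == DLOPEN_OWNER and ntype == DLOPEN_TYPE:
            desc = section[desc_off:desc_off + descsz].rstrip(b"\0")
            entries.extend(json.loads(desc))
        off = desc_off + pad4(descsz)
    return entries

def sonames_by_priority(entries):
    """Group sonames by priority so an auditor sees what may be loaded at runtime."""
    out = {}
    for e in entries:
        # The spec treats a missing priority as "recommended" (assumption from the spec).
        out.setdefault(e.get("priority", "recommended"), set()).update(e["soname"])
    return {prio: sorted(names) for prio, names in out.items()}

# Constructed sample: an unrelated GNU note, then the openssl entry from the commit message.
SAMPLE = make_note(b"GNU", 3, b"\x01\x02\x03") + make_note(
    b"FDO", DLOPEN_TYPE, json.dumps([{
        "feature": "openssl",
        "description": "Support for reading module signatures",
        "priority": "suggested",
        "soname": ["libcrypto.so.3"]}]).encode())

print(sonames_by_priority(parse_dlopen_notes(SAMPLE)))
```

Notes with a different owner or type are skipped, and a note whose declared sizes run past the end of the section raises `ValueError` instead of being read partially.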