[libcamera-devel] [PATCH 10/11] libcamera: ipa_manager: Verify IPA module signature

Niklas Söderlund niklas.soderlund at ragnatech.se
Tue Apr 7 22:37:41 CEST 2020 

Hi Laurent,

Thanks for your patch.

On 2020-04-04 04:56:23 +0300, Laurent Pinchart wrote:
> Decide whether to isolate the IPA module using the module signature
> instead of its license.
> 
> Signed-off-by: Laurent Pinchart <laurent.pinchart at ideasonboard.com>

Reviewed-by: Niklas Söderlund <niklas.soderlund at ragnatech.se>

> ---
>  src/libcamera/include/ipa_manager.h |  2 ++
>  src/libcamera/include/ipa_module.h  |  2 --
>  src/libcamera/ipa_manager.cpp       | 22 +++++++++++++++++++++-
>  src/libcamera/ipa_module.cpp        | 25 -------------------------
>  4 files changed, 23 insertions(+), 28 deletions(-)
> 
> diff --git a/src/libcamera/include/ipa_manager.h b/src/libcamera/include/ipa_manager.h
> index 26edf087461e..0b5fd2ac1f12 100644
> --- a/src/libcamera/include/ipa_manager.h
> +++ b/src/libcamera/include/ipa_manager.h
> @@ -38,6 +38,8 @@ private:
>  		      std::vector<std::string> &files);
>  	unsigned int addDir(const char *libDir, unsigned int maxDepth = 0);
>  
> +	bool isSignatureValid(IPAModule *ipa) const;
> +
>  	static const uint8_t publicKeyData_[];
>  	static const PubKey pubKey_;
>  };
> diff --git a/src/libcamera/include/ipa_module.h b/src/libcamera/include/ipa_module.h
> index ec3671857a61..a9a3511701d4 100644
> --- a/src/libcamera/include/ipa_module.h
> +++ b/src/libcamera/include/ipa_module.h
> @@ -37,8 +37,6 @@ public:
>  	bool match(PipelineHandler *pipe,
>  		   uint32_t minVersion, uint32_t maxVersion) const;
>  
> -	bool isOpenSource() const;
> -
>  private:
>  	struct IPAModuleInfo info_;
>  	std::vector<uint8_t> signature_;
> diff --git a/src/libcamera/ipa_manager.cpp b/src/libcamera/ipa_manager.cpp
> index bcaae3564ea1..2b0112885274 100644
> --- a/src/libcamera/ipa_manager.cpp
> +++ b/src/libcamera/ipa_manager.cpp
> @@ -12,6 +12,7 @@
>  #include <string.h>
>  #include <sys/types.h>
>  
> +#include "file.h"
>  #include "ipa_context_wrapper.h"
>  #include "ipa_module.h"
>  #include "ipa_proxy.h"
> @@ -271,7 +272,7 @@ std::unique_ptr<IPAInterface> IPAManager::createIPA(PipelineHandler *pipe,
>  	if (!m)
>  		return nullptr;
>  
> -	if (!m->isOpenSource()) {
> +	if (!isSignatureValid(m)) {
>  		IPAProxyFactory *pf = nullptr;
>  		std::vector<IPAProxyFactory *> &factories = IPAProxyFactory::factories();
>  
> @@ -307,4 +308,23 @@ std::unique_ptr<IPAInterface> IPAManager::createIPA(PipelineHandler *pipe,
>  	return std::make_unique<IPAContextWrapper>(ctx);
>  }
>  
> +bool IPAManager::isSignatureValid(IPAModule *ipa) const
> +{
> +	File file{ ipa->path() };
> +	if (!file.open(File::ReadOnly))
> +		return false;
> +
> +	Span<uint8_t> data = file.map();
> +	if (data.empty())
> +		return false;
> +
> +	bool valid = pubKey_.verify(data, ipa->signature());
> +
> +	LOG(IPAManager, Debug)
> +		<< "IPA module " << ipa->path() << " signature is "
> +		<< (valid ? "valid" : "not valid");
> +
> +	return valid;
> +}
> +
>  } /* namespace libcamera */
> diff --git a/src/libcamera/ipa_module.cpp b/src/libcamera/ipa_module.cpp
> index 51b238a698f2..96b44f13192c 100644
> --- a/src/libcamera/ipa_module.cpp
> +++ b/src/libcamera/ipa_module.cpp
> @@ -472,29 +472,4 @@ bool IPAModule::match(PipelineHandler *pipe,
>  	       !strcmp(info_.pipelineName, pipe->name());
>  }
>  
> -/**
> - * \brief Verify if the IPA module is open source
> - *
> - * \sa IPAModuleInfo::license
> - */
> -bool IPAModule::isOpenSource() const
> -{
> -	static const char *osLicenses[] = {
> -		"GPL-2.0-only",
> -		"GPL-2.0-or-later",
> -		"GPL-3.0-only",
> -		"GPL-3.0-or-later",
> -		"LGPL-2.1-only",
> -		"LGPL-2.1-or-later",
> -		"LGPL-3.0-only",
> -		"LGPL-3.0-or-later",
> -	};
> -
> -	for (unsigned int i = 0; i < ARRAY_SIZE(osLicenses); i++)
> -		if (!strcmp(osLicenses[i], info_.license))
> -			return true;
> -
> -	return false;
> -}
> -
>  } /* namespace libcamera */
> -- 
> Regards,
> 
> Laurent Pinchart
> 
> _______________________________________________
> libcamera-devel mailing list
> libcamera-devel at lists.libcamera.org
> https://lists.libcamera.org/listinfo/libcamera-devel

-- 
Regards,
Niklas Söderlund

More information about the libcamera-devel mailing list