[libcamera-devel] [PATCH] libcamera: Regenerate IPA module signatures at install time
Kieran Bingham
kieran.bingham at ideasonboard.com
Wed Apr 29 10:43:19 CEST 2020
Hi Laurent,
On 29/04/2020 02:33, Laurent Pinchart wrote:
> When the IPA modules are installed, meson strips the DT_RPATH and
> DT_RUNPATH from the binaries. This invalidates the signatures. Disable
> installation of the .sign files and add an installation script to
> regenerate them directly in the target directory. The .sign files still
> need to be created at build time to support running IPA modules from the
> build tree.
>
Indeed, I think this is the best approach.
> Two alternative approaches have been considered:
>
> - meson could be taught a new target argument to preserve binary
> compatibility by skipping any operation that modifies files. This has
> been proposed in the #mesonbuild IRC channel. While this could be
> interesting in the longer term, we need to fix the issue now.>
> - The module signatures could be computed on selected sections only.
> While skipping the .dynamic section when signing may not cause
> security issues, it would make signature generation and verification
> more complex, and wasn't deemed worth it.
Agreed,
Reviewed-by: Kieran Bingham <kieran.bingham at ideasonboard.com>
Small points below:...
> Signed-off-by: Laurent Pinchart <laurent.pinchart at ideasonboard.com>
> ---
> src/ipa/ipa-sign-install.sh | 18 ++++++++++++++++++
> src/ipa/meson.build | 9 +++++++++
> src/ipa/rkisp1/meson.build | 2 +-
> src/ipa/vimc/meson.build | 2 +-
> 4 files changed, 29 insertions(+), 2 deletions(-)
> create mode 100755 src/ipa/ipa-sign-install.sh
>
> diff --git a/src/ipa/ipa-sign-install.sh b/src/ipa/ipa-sign-install.sh
> new file mode 100755
> index 000000000000..5317a8a2042b
> --- /dev/null
> +++ b/src/ipa/ipa-sign-install.sh
> @@ -0,0 +1,18 @@
> +#!/bin/sh
> +# SPDX-License-Identifier: GPL-2.0-or-later
> +# Copyright (C) 2020, Google Inc.
> +#
> +# Author: Laurent Pinchart <laurent.pinchart at ideasonboard.com>
> +#
> +# ipa-sign-install.sh - Regenerate IPA module signatures when installing
> +
> +libdir=$1
> +key=$2
> +
> +ipa_sign=$(dirname "$0")/ipa-sign.sh
> +
> +echo "Regenerating IPA modules signatures"
> +
> +for module in "${MESON_INSTALL_DESTDIR_PREFIX}/${libdir}"/*.so ; do
> + "${ipa_sign}" "${key}" "${module}" "${module}.sign"
> +done
> diff --git a/src/ipa/meson.build b/src/ipa/meson.build
> index 145bf8105af7..56e65eaa7426 100644
> --- a/src/ipa/meson.build
> +++ b/src/ipa/meson.build
> @@ -25,3 +25,12 @@ foreach pipeline : get_option('pipelines')
> subdir(pipeline)
> endif
> endforeach
> +
> +if ipa_sign_module
> + # Regenerate the signatures for all IPA modules. We can't simply install the
> + # .sign files, as meson strips the DT_RPATH and DT_RUNPATH from binaries at
> + # install time, which invalidates the signatures.
> + meson.add_install_script('ipa-sign-install.sh',
> + ipa_install_dir,
> + ipa_priv_key.full_path())
> +endif
> diff --git a/src/ipa/rkisp1/meson.build b/src/ipa/rkisp1/meson.build
> index 247d0429b49c..98dbbd632c12 100644
> --- a/src/ipa/rkisp1/meson.build
> +++ b/src/ipa/rkisp1/meson.build
> @@ -14,6 +14,6 @@ if ipa_sign_module
> input : mod,
> output : ipa_name + '.so.sign',
> command : [ ipa_sign, ipa_priv_key, '@INPUT@', '@OUTPUT@' ],
> - install : true,
> + install : false,
> install_dir : ipa_install_dir)
Why are we providing an install_dir for something we won't install?
> endif
> diff --git a/src/ipa/vimc/meson.build b/src/ipa/vimc/meson.build
> index f8650ee80461..9d0760e57cc1 100644
> --- a/src/ipa/vimc/meson.build
> +++ b/src/ipa/vimc/meson.build
> @@ -14,7 +14,7 @@ if ipa_sign_module
> input : mod,
> output : ipa_name + '.so.sign',
> command : [ ipa_sign, ipa_priv_key, '@INPUT@', '@OUTPUT@' ],
> - install : true,
> + install : false,
> install_dir : ipa_install_dir)
> endif
Hrm... that's going to be duplicated for every IPA. We can't do
functions in meson, but we could perhaps handle signing at the top level
src/ipa/meson.build in a single loop at the end. .. but then it feels
like fighting the tooling to keep things DRY. ho hum... Not something to
consider in this patch anyway.
--
Regards
--
Kieran
More information about the libcamera-devel
mailing list