[libcamera-devel] [PATCH 2/2] media-libs/libcamera: Do not strip IPA binaries

Tomasz Figa tfiga at chromium.org
Tue Nov 10 11:08:53 CET 2020


Hi Niklas,

On Mon, Nov 9, 2020 at 10:17 AM Niklas Söderlund
<niklas.soderlund at ragnatech.se> wrote:
>
> Libcamera signs its IPA modules (.so files) after they are built. The
> signature is later verified when loading the IPA modules and if they do
> not match the IPA is treated as an untrusted module. The CrOS build
> system by default strips all binaries after the build step and modifies
> the IPA .so files so they fail the signature check.
>
> The build system injects hooks after the post_src_install hook that
> strip binaries and create the packet that is installed on target. It
> is therefore not possible to generate the IPA module signature for the
> stripped modules without also packeting the private key and doing so in
> pre_pkg_preinst. Stripping and generating signatures for the IPA .so
> files in src_install is not possible as the exact method for stripping
> them may differ between the ebuild and the build system hook.
>
> Safest route is to never strip the IPA modules. Instead of restricting
> stripping of all libcamera binaries use dostrip to only disable
> stripping of the IPA modules. The EAPI needs to be increased to version
> 7 to support dostrip.
>

Could we just disable the extra signing and signature verification on
Chrome OS? We have integrity enforced for the whole file system by
dm-verity, so there is no need to verify anything in particular
components of the stack anymore.

Best regards,
Tomasz

> Signed-off-by: Niklas Söderlund <niklas.soderlund at ragnatech.se>
> ---
>  media-libs/libcamera/libcamera-9999.ebuild | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/media-libs/libcamera/libcamera-9999.ebuild b/media-libs/libcamera/libcamera-9999.ebuild
> index 57ff00337309f30c..ce4183a89ef095de 100644
> --- a/media-libs/libcamera/libcamera-9999.ebuild
> +++ b/media-libs/libcamera/libcamera-9999.ebuild
> @@ -1,7 +1,7 @@
>  # Copyright 2019 The Chromium OS Authors. All rights reserved.
>  # Distributed under the terms of the GNU General Public License v2
>
> -EAPI=6
> +EAPI=7
>
>  CROS_WORKON_PROJECT="chromiumos/third_party/libcamera"
>  CROS_WORKON_INCREMENTAL_BUILD="1"
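
Review bot: The EAPI=6 to EAPI=7 change at the top of the ebuild applies to the whole file, not just to the new dostrip call, and the commit message only mentions dostrip. EAPI 7 also drops the trailing slash from ${D} and ${ED} and introduces BDEPEND for build-host dependencies, so the parts of the ebuild outside this hunk and the eclasses behind the CROS_WORKON_* variables should be checked against it. Consider stating in the commit message that this was done, or making the EAPI bump its own patch so a regression can be bisected separately from the strip change.
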
> @@ -49,4 +49,6 @@ src_install() {
>         meson_src_install
>
>         dosym ../libcamera.so "/usr/$(get_libdir)/camera_hal/libcamera.so"
> +
> +       dostrip -x /usr/$(get_libdir)/libcamera/
>  }
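
Review bot: The new `dostrip -x /usr/$(get_libdir)/libcamera/` line in src_install() excludes an entire directory, while the commit message says only the IPA modules should be left unstripped; anything else installed under that directory will also ship unstripped, so either narrow the path to the signed .so files or note that the directory holds nothing else. The line also carries no comment, so a later cleanup could remove it without knowing it protects the signature check; a one-line comment above it would help. The path is unquoted, unlike the dosym argument two lines up, and quoting it would keep the style consistent.
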
> --
> 2.25.1
>

