[libcamera-devel] [PATCH 2/2] media-libs/libcamera: Do not strip IPA binaries

Tomasz Figa tfiga at chromium.org
Thu Nov 26 17:39:40 CET 2020 

On Fri, Nov 27, 2020 at 1:33 AM Laurent Pinchart
<laurent.pinchart at ideasonboard.com> wrote:
>
> Hi Tomasz,
>
> On Tue, Nov 10, 2020 at 07:08:53PM +0900, Tomasz Figa wrote:
> > On Mon, Nov 9, 2020 at 10:17 AM Niklas Söderlund wrote:
> > >
> > > Libcamera signs its IPA modules (.so files) after they are built. The
> > > signature is later verified when loading the IPA modules and if they do
> > > not match the IPA is treated as a untrusted module. The CrOS build
> > > system by default strips all binaries after the build step and modify
> > > the IPA .so files in so they fail the signature check.
> > >
> > > The build system inject hooks after the post_src_install hook that
> > > strips binaries and creates the packet that is installed on target. It
> > > is therefor not possible to to generate the IPA module signature for the
> > > stripped modules without also packeting the private key and doing so in
> > > pre_pkg_preinst. Stripping and generating signatures for the IPA .so
> > > files in src_install is not possible as the exact method for stripping
> > > them may differ between the ebuild and the build system hook.
> > >
> > > Safest route is to never stripp the IPA modules. Instead of restricting
> > > stripping of all libcamera binaries use dostrip to only disable
> > > stripping of the IPA modules. The EAPI needs to be increased to version
> > > 7 to support dostrip.
> >
> > Could we just disable the extra signing and signature verification on
> > Chrome OS? We have integrity enforced for the whole file system by
> > dm-verity, so there is no need to verify anything in particular
> > components of the stack anymore.
>
> The signature mechanism is how we decide if an IPA module has to be
> isolated. Once Paul's IPA IPC series gets merged, we could disable it
> indeed, which would force isolation of all IPA modules, even the
> open-source ones. Is that desired though ?

Could you elaborate a bit more how we decide whether to isolate or not
based on this? I'd assume there would be integrators willing to run
out of tree IPAs (which could be still open source) without isolation.

>
> > > Signed-off-by: Niklas Söderlund <niklas.soderlund at ragnatech.se>
> > > ---
> > >  media-libs/libcamera/libcamera-9999.ebuild | 4 +++-
> > >  1 file changed, 3 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/media-libs/libcamera/libcamera-9999.ebuild b/media-libs/libcamera/libcamera-9999.ebuild
> > > index 57ff00337309f30c..ce4183a89ef095de 100644
> > > --- a/media-libs/libcamera/libcamera-9999.ebuild
> > > +++ b/media-libs/libcamera/libcamera-9999.ebuild
> > > @@ -1,7 +1,7 @@
> > >  # Copyright 2019 The Chromium OS Authors. All rights reserved.
> > >  # Distributed under the terms of the GNU General Public License v2
> > >
> > > -EAPI=6
> > > +EAPI=7
> > >
> > >  CROS_WORKON_PROJECT="chromiumos/third_party/libcamera"
> > >  CROS_WORKON_INCREMENTAL_BUILD="1"
> > > @@ -49,4 +49,6 @@ src_install() {
> > >         meson_src_install
> > >
> > >         dosym ../libcamera.so "/usr/$(get_libdir)/camera_hal/libcamera.so"
> > > +
> > > +       dostrip -x /usr/$(get_libdir)/libcamera/
> > >  }
>
> --
> Regards,
>
> Laurent Pinchart

More information about the libcamera-devel mailing list