[libcamera-devel] [PATCH 10/11] Adds a flag to disable IPA isolation, necessary for Android.
nicholas at rothemail.net
nicholas at rothemail.net
Mon Oct 24 07:55:42 CEST 2022
From: Nicholas Roth <nicholas at rothemail.net>
---
meson.build | 4 ++++
meson_options.txt | 5 +++++
src/libcamera/ipa_manager.cpp | 11 +++++++++++
3 files changed, 20 insertions(+)
diff --git a/meson.build b/meson.build
index 7d0588d2..2303f752 100644
--- a/meson.build
+++ b/meson.build
@@ -74,6 +74,10 @@ if cc.has_header_symbol('stdlib.h', 'secure_getenv', prefix : '#define _GNU_SOUR
config_h.set('HAVE_SECURE_GETENV', 1)
endif
+if get_option('allow_unsigned_ipas_in_process')
+ config_h.set('ALLOW_UNSIGNED_IPAS_IN_PROCESS', 1)
+endif
+
common_arguments = [
'-Wshadow',
'-include', meson.current_build_dir() / 'config.h',
diff --git a/meson_options.txt b/meson_options.txt
index f1d67808..77b21b9a 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -64,3 +64,8 @@ option('pycamera',
type : 'feature',
value : 'disabled',
description : 'Enable libcamera Python bindings (experimental)')
+
+option('allow_unsigned_ipas_in_process',
+ type : 'boolean',
+ value : false,
+ description : 'Allow unsigned IPAs to run in libcamera\'s address space')
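Review bot: The description of the new `allow_unsigned_ipas_in_process` option understates its effect. According to the ipa_manager.cpp hunks in this same patch, enabling it makes `isSignatureValid()` return true for every module, so signature verification is skipped and, per the new warning text, all IPAs run in-process. I would state that in the option text, e.g. `description : 'Skip IPA signature verification and run all IPA modules in-process (no isolation; only for tightly managed installs)'`. The name reads as "permit" while the behaviour is "force for all modules", which is worth aligning.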
diff --git a/src/libcamera/ipa_manager.cpp b/src/libcamera/ipa_manager.cpp
index 030ef43f..403cc42a 100644
--- a/src/libcamera/ipa_manager.cpp
+++ b/src/libcamera/ipa_manager.cpp
@@ -114,6 +114,14 @@ IPAManager::IPAManager()
LOG(IPAManager, Warning) << "Public key not valid";
#endif
+#if ALLOW_UNSIGNED_IPAS_IN_PROCESS
+ LOG(IPAManager, Warning)
+ << "All IPAs running in-process without signature verification."
+ << " This is recommended only for tightly-managed installs"
+ << " in contexts where both signature verification and out-of-process"
+ << " execution are infeasible, such as Android HALs.";
+#endif
+
unsigned int ipaCount = 0;
/* User-specified paths take precedence. */
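Review bot: The warning added before `unsigned int ipaCount = 0;` is emitted once at construction and names no module, so the log cannot show which unverified modules were actually loaded into the process. The context line just below says user-specified paths take precedence, so a build with this flag would presumably load any module found on such a path in-process with no check at all. Consider skipping the user-specified path search when `ALLOW_UNSIGNED_IPAS_IN_PROCESS` is set, or at least logging each module's path when it is loaded. The constructor body starts and continues outside this hunk, so the search code itself is not visible here.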
@@ -281,6 +289,9 @@ IPAModule *IPAManager::module(PipelineHandler *pipe, uint32_t minVersion,
bool IPAManager::isSignatureValid([[maybe_unused]] IPAModule *ipa) const
{
+#if ALLOW_UNSIGNED_IPAS_IN_PROCESS
+ return true;
+#endif
#if HAVE_IPA_PUBKEY
char *force = utils::secure_getenv("LIBCAMERA_IPA_FORCE_ISOLATION");
if (force && force[0] != '\0') {
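Review bot: The unconditional `return true;` at the top of `isSignatureValid()` sits before the `LIBCAMERA_IPA_FORCE_ISOLATION` check, so in a build with both this flag and `HAVE_IPA_PUBKEY` that environment variable is silently ignored and everything below is unreachable. Either evaluate the force-isolation override before the early return, or make the branches exclusive by replacing the `#endif` / `#if HAVE_IPA_PUBKEY` pair with `#elif HAVE_IPA_PUBKEY`. A comment such as `/* Build-time opt-out: every module is treated as validly signed and runs in-process. */` above the return would also help. The function body continues past the end of the hunk, so the remaining `#else`/`#endif` structure needs checking against the full file.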
--
2.34.1