[libcamera-devel] [PATCH] meson: enable IPA signing only if both libcrypto and openssl are present
Laurent Pinchart
laurent.pinchart at ideasonboard.com
Mon Dec 25 22:26:36 CET 2023
Hi Subhaditya,
Thank you for the patch.
On Mon, Dec 25, 2023 at 10:48:24PM +0530, Subhaditya Nath via libcamera-devel wrote:
> Before this commit, if the build host had openssl installed, but had
> neither openssl-dev nor gnutls-dev installed, then the IPA modules would
> be signed and ipa_pub_key.cpp would contain the pubkey, but the function
> PubKey::PubKey() would've been left empty, thereby valid_ being set to
> false, rendering the pubkey unusable for verification purposes.
>
> This commit checks for the availability of both the openssl executable
> and either of the gnutls and libcrypto libraries before enabling signing
> of the IPA modules. Either both HAVE_IPA_PUBKEY and HAVE_(CRYPTO|GNUTLS)
> are defined, or neither is defined. This mitigates situations like the
> one mentioned above.
What problem does this fix? If the signature is present but can't be
verified, won't libcamera just isolate IPA modules at runtime? Is
something currently broken?
> This commit leverages the multi-name dependency feature introduced in
> meson 0.60.0 to select between gnutls and libcrypto. The behaviour is
> unchanged – gnutls is used if found, else libcrypto is used (if found).
>
> Signed-off-by: Subhaditya Nath <sn03.general at gmail.com>
> ---
> src/libcamera/meson.build | 19 -------------------
> src/meson.build | 26 ++++++++++++++++++++------
> 2 files changed, 20 insertions(+), 25 deletions(-)
>
> diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build
> index 45f63e93..9d17c9f1 100644
> --- a/src/libcamera/meson.build
> +++ b/src/libcamera/meson.build
> @@ -80,25 +80,6 @@ endif
> libudev = dependency('libudev', required : get_option('udev'))
> libyaml = dependency('yaml-0.1', required : false)
>
> -# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first.
> -libcrypto = dependency('gnutls', required : false)
> -if libcrypto.found()
> - config_h.set('HAVE_GNUTLS', 1)
> -else
> - libcrypto = dependency('libcrypto', required : false)
> - if libcrypto.found()
> - config_h.set('HAVE_CRYPTO', 1)
> - endif
> -endif
> -
> -if not libcrypto.found()
> - warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated')
> - summary({'IPA modules signed with': 'None (modules will run isolated)'},
> - section : 'Configuration')
> -else
> - summary({'IPA modules signed with' : libcrypto.name()}, section : 'Configuration')
> -endif
> -
> if liblttng.found()
> tracing_enabled = true
> config_h.set('HAVE_TRACING', 1)
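Review bot: the removed `config_h.set('HAVE_GNUTLS', 1)` and `config_h.set('HAVE_CRYPTO', 1)` lines depended only on the library being found, while their replacement in src/meson.build runs only when the openssl program is found as well. That changes what these macros mean for any consumer other than IPA signature verification, so the commit message should say that this is intended. A short comment left here stating that `libcrypto` is now defined in src/meson.build would also help readers of this file, since the variable no longer has a visible definition in it.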
> diff --git a/src/meson.build b/src/meson.build
> index 165a77bb..208cd760 100644
> --- a/src/meson.build
> +++ b/src/meson.build
> @@ -15,16 +15,30 @@ summary({
> }, section : 'Paths')
>
> # Module Signing
> +# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first.
> +libcrypto = dependency('gnutls', 'libcrypto', required : false)
> openssl = find_program('openssl', required : false)
> -if openssl.found()
> +if not libcrypto.found()
> + ipa_sign_module = false
> + warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated')
> + summary({'IPA modules signed with': 'None (modules will run isolated)'},
> + section : 'Configuration')
> +elif not openssl.found()
> + ipa_sign_module = false
> + warning('openssl not found, all IPA modules will be isolated')
> + ipa_sign_module = false
> +else
> + ipa_sign_module = true
> + config_h.set('HAVE_IPA_PUBKEY', 1)
> + if libcrypto.name() == 'gnutls'
> + config_h.set('HAVE_GNUTLS', 1)
> + else
> + config_h.set('HAVE_CRYPTO', 1)
> + endif
> + summary({'IPA modules signed with' : libcrypto.name()}, section : 'Configuration')
> ipa_priv_key = custom_target('ipa-priv-key',
> output : ['ipa-priv-key.pem'],
> command : [gen_ipa_priv_key, '@OUTPUT@'])
> - config_h.set('HAVE_IPA_PUBKEY', 1)
> - ipa_sign_module = true
> -else
> - warning('openssl not found, all IPA modules will be isolated')
> - ipa_sign_module = false
> endif
>
> # libcamera must be built first as a dependency to the other components.
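Review bot: in the `elif not openssl.found()` branch, `ipa_sign_module = false` is assigned twice (before and after the `warning()`), and unlike the `not libcrypto.found()` branch it adds no `summary()` entry, so the 'IPA modules signed with' line is absent from the configuration summary when only the openssl program is missing. Drop the duplicate assignment and add the same 'None (modules will run isolated)' summary entry there. In that same branch `libcrypto.found()` is true but neither HAVE_GNUTLS nor HAVE_CRYPTO is set, which deserves a comment so it is clear the library is deliberately left unused. Finally, `dependency('gnutls', 'libcrypto', required : false)` needs meson 0.60.0 according to the commit message, so the project's minimum meson version should be checked against that.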
--
Regards,
Laurent Pinchart