[libcamera-devel] [PATCH] libcamera: ipa: allow trusting modules by checksum
Kieran Bingham
kieran.bingham at ideasonboard.com
Sun Jan 21 17:32:06 CET 2024
Quoting Elias Naur via libcamera-devel (2024-01-21 14:09:52)
> Hi Arnout,
>
> > The motivation behind adding this mechanism is that this allows rebuilding the
> > library and getting a bit-by-bit identical result, without having to share the
> > keys with which to sign the trusted modules. This is known as 'Reproducible
> > Builds', and you can read more about its advantages on
> > https://reproducible-builds.org/. With this feature, packagers that care about
> > reproducible builds can disable the module signing, and enjoy equivalent
> > security and performance while also allowing independent rebuilds.
>
> Thanks for working on reproducible builds. I locally hack libcamera
> to achieve bit-for-bit reproducible builds, and look forward to no longer needing
> that hack.
I agree, finding a solution to handle reproducible builds is a good
goal.
> I think the feature would be even more useful if it were always enabled. In particular,
> I propose to:
>
> - Always enable checksums.
> - Embed the known checksums into the binary, not in a separate configuration file.
I think this is a fairly important requirement to be able to upstream a
reproducible builds solution. The checksums should be stored within the
libcamera binary so the configuration file can not be amended after the
fact, which would otherwise defeat the purpose.
But this makes things much more difficult I believe...
The tricky parts here will be handling how to verify the checksum of the
modules while distributions do actions such as stripping symbols. There
are legitimate modifications that can be made to the module as part of
the installation process which would then break the checksum
verifications.
> - Don't sign IPAs that have known checksums (thus achieving bit-for-bit reproducibility).
> - In your patch, I believe this is equivalent to "ipa_sign_modules" always being false.
Would there be a mix of signed+checksummed modules in a given
distribution?
>
> Optionally,
>
> - Avoid duplicating the SHA256 digest by re-using the digest done in libcamera/pub_key.cpp.
>
> Thanks,
> Elias
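Added example, not code from the patch or from libcamera itself: a small model of the checksum-based trust decision discussed in this thread. Constructed byte strings stand in for IPA module files, the digest allowlist is a constant in the verifier rather than a config file, and it is assumed (as with unsigned modules) that a module that is neither signed nor on the list is run isolated rather than refused; all names are invented.

```python
import hashlib

# Constructed stand-ins for an IPA .so: a "loadable" body plus a trailing
# symbol table that a packager's strip step would remove after the build.
MODULE_BODY = b"\x7fELF-ipa-module-body-v1"
SYMBOL_TABLE = b".symtab:ipa_init,ipa_process"
MODULE_AS_BUILT = MODULE_BODY + SYMBOL_TABLE
MODULE_STRIPPED = MODULE_BODY                                  # same code, symbols gone
MODULE_TAMPERED = MODULE_BODY.replace(b"v1", b"v2") + SYMBOL_TABLE

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Embedded in the verifier (the "binary") at build time. A list kept in a
# writable configuration file could be extended after installation, which is
# the concern raised in the thread.
TRUSTED_DIGESTS = frozenset({sha256_hex(MODULE_AS_BUILT)})

def is_trusted_by_checksum(module: bytes, trusted=TRUSTED_DIGESTS) -> bool:
    """True if the SHA-256 of the whole module file is on the embedded list.
    Digests and allowlist are public, so plain set membership is sufficient."""
    return sha256_hex(module) in trusted

def placement(module: bytes, signature_valid: bool) -> str:
    """Where to run the IPA: a valid signature or a known digest means
    in-process; anything else is isolated (assumed policy, not libcamera's)."""
    if signature_valid or is_trusted_by_checksum(module):
        return "in-process"
    return "isolated"

if __name__ == "__main__":
    # Stripping is a benign post-install change, yet it breaks the digest match.
    for name, mod in [("as built", MODULE_AS_BUILT),
                      ("stripped", MODULE_STRIPPED),
                      ("tampered", MODULE_TAMPERED)]:
        print(f"{name:9s} unsigned -> {placement(mod, False)}")
```

Hashing the entire file means any installation-time transformation, not only tampering, moves the module off the list; a distribution would need to compute the digests on the exact bytes it ships.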