[libcamera-devel] [PATCH] libcamera: ipa: allow trusting modules by checksum

Elias Naur mail at eliasnaur.com
Sun Jan 21 18:33:24 CET 2024


On Sun, 21 Jan 2024 at 11:32, Kieran Bingham
<kieran.bingham at ideasonboard.com> wrote:
>
> Quoting Elias Naur via libcamera-devel (2024-01-21 14:09:52)
> > Hi Arnout,
> >
>
> > I think the feature would be even more useful if it were always enabled. In particular,
> > I propose to:
> >
> > - Always enable checksums.
> > - Embed the known checksums into the binary, not in a separate configuration file.
>
> I think this is a fairly important requirement to be able to upstream a
> reproducible builds solution. The checksums should be stored within the
> libcamera binary so the configuration file can not be amended after the
> fact, which would otherwise defeat the purpose.
>
> But this makes things much more difficult I believe...
>
> The tricky parts here will be handling how to verify the checksum of the
> modules while distributions do actions such as stripping symbols. There
> are legitimate modifications that can be made to the module as part of
> the installation process which would then break the checksum
> verifications.
>
>

I don't know the relative difficulty level, but I just want to throw out another possibility that completely sidesteps verification: linking the modules directly into libcamera. That would also move libcamera closer to being statically linkable into executables. FWIW, libcamera is the only blocker to a completely static build of my project.

>
> > - Don't sign IPAs that have known checksums (thus achieving bit-for-bit reproducibility).
> >   - In your patch, I believe this is equivalent to "ipa_sign_modules" always being false.
>
> Would there be a mix of signed+checksummed modules in a given
> distribution?
>

As far as I understand, the signing feature is only for out-of-tree (closed source?) modules. Assuming a Linux distribution without such modules, I see no use for signing.

Elias