[libcamera-devel] [PATCH] libcamera: ipa: allow trusting modules by checksum
Laurent Pinchart
laurent.pinchart at ideasonboard.com
Sun Jan 21 19:54:42 CET 2024
On Sun, Jan 21, 2024 at 04:32:06PM +0000, Kieran Bingham via libcamera-devel wrote:
> Quoting Elias Naur via libcamera-devel (2024-01-21 14:09:52)
> > Hi Arnout,
> >
> > > The motivation behind adding this mechanism is that this allows rebuilding the
> > > library and getting a bit-by-bit identical result, without having to share the
> > > keys with which to sign the trusted modules. This is known as 'Reproducible
> > > Builds', and you can read more about its advantages on
> > > https://reproducible-builds.org/. With this feature, packagers that care about
> > > reproducible builds can disable the module signing, and enjoy equivalent
> > > security and performance while also allowing independent rebuilds.
> >
> > Thanks for working on reproducible builds. I locally hack libcamera
> > to achieve bit-for-bit reproducible builds, and look forward to no longer needing
> > that hack.
>
> I agree, finding a solution to handle reproducible builds is a good
> goal.
>
> > I think the feature would be even more useful if it were always enabled. In particular,
> > I propose to:
> >
> > - Always enable checksums.
> > - Embed the known checksums into the binary, not in a separate configuration file.
>
> I think this is a fairly important requirement to be able to upstream a
> reproducible builds solution. The checksums should be stored within the
> libcamera binary so the configuration file can not be amended after the
> fact, which would otherwise defeat the purpose.
>
> But this makes things much more difficult I believe...
>
> The tricky parts here will be handling how to verify the checksum of the
> modules while distributions do actions such as stripping symbols. There
> are legitimate modifications that can be made to the module as part of
> the installation process which would then break the checksum
> verifications.
Checksums in a configuration file are a no-go I'm afraid, as it means
anyone could ship a closed-source IPA module and instruct users to add
an entry to the configuration file, circumventing IPA module isolation.
> > - Don't sign IPAs that have known checksums (thus achieving bit-for-bit reproducibility).
> > - In your patch, I believe this is equivalent to "ipa_sign_modules" always being false.
>
> Would there be a mix of signed+checksummed modules in a given
> distribution?
>
> > Optionally,
> >
> > - Avoid duplicating the SHA256 digest by re-using the digest done in libcamera/pub_key.cpp.
--
Regards,
Laurent Pinchart
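The two failure modes discussed in this thread, a legitimate post-install modification (stripping) changing a module's digest, and a configuration-file allowlist that anyone can extend, are easy to see side by side in a small verifier. The following is an added illustrative example, not libcamera code and not the patch under review; the module bytes, the `EMBEDDED_ALLOWLIST` constant, the `classify_module`/`simulate_strip`/`load_config_allowlist` helpers and the `sha256 = <hex>` config format are all assumptions made for the illustration.

```python
import hashlib

# Constructed stand-ins for IPA module files (not real libcamera binaries).
SAMPLE_MODULE = b"\x7fELF" + b"constructed open-source ipa module v1" + b".symtab"
UNKNOWN_MODULE = b"\x7fELF" + b"constructed closed-source vendor ipa module"


def sha256_hex(data: bytes) -> str:
    """Digest of the whole module file, the quantity an allowlist would hold."""
    return hashlib.sha256(data).hexdigest()


# Hypothetical build-time allowlist compiled into the loader: only modules
# built alongside the library are known, and the set cannot be edited after
# the fact without rebuilding the library itself.
EMBEDDED_ALLOWLIST = frozenset({sha256_hex(SAMPLE_MODULE)})


def classify_module(data: bytes, allowlist=EMBEDDED_ALLOWLIST) -> str:
    """Decide how a module may be loaded.

    'trusted'  -> digest matches a known module; may be loaded in-process.
    'isolated' -> unknown digest; must run in the sandboxed IPA process.
    Unknown modules are never rejected, only isolated, mirroring the
    signed/unsigned split the thread describes.
    """
    return "trusted" if sha256_hex(data) in allowlist else "isolated"


def simulate_strip(data: bytes) -> bytes:
    """Stand-in for a packager running `strip` on the installed module:
    any byte change to the file, however legitimate, changes its digest."""
    return data.replace(b".symtab", b"")


def load_config_allowlist(config_text: str) -> frozenset:
    """Allowlist read from a plain configuration file (the rejected design).

    Format assumed here: one line per module, 'sha256 = <hex>'.
    Whoever can write this file decides what runs in-process.
    """
    digests = set()
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "sha256":
            digests.add(value.strip().lower())
    return frozenset(digests)


def demo() -> dict:
    """Run the four checks that matter; returns a dict so they can be asserted."""
    # 1. Known module, bit-for-bit identical to the build: trusted.
    known = classify_module(SAMPLE_MODULE)
    # 2. Same module after a post-install strip: digest changes, falls back
    #    to isolation even though nothing malicious happened.
    stripped = classify_module(simulate_strip(SAMPLE_MODULE))
    # 3. Module nobody built alongside the library: isolated.
    unknown = classify_module(UNKNOWN_MODULE)
    # 4. Config-file allowlist: a vendor ships the unknown module plus one
    #    line for the user to append, and the isolation boundary is gone.
    vendor_config = "# added by vendor installer\nsha256 = %s\n" % sha256_hex(UNKNOWN_MODULE)
    from_config = classify_module(UNKNOWN_MODULE, load_config_allowlist(vendor_config))
    return {"known": known, "stripped": stripped,
            "unknown": unknown, "config_bypass": from_config}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Case 2 is why a digest over the installed file has to account for whatever the distribution does between build and install (or the digest has to be taken over something stripping does not touch); case 4 is why the allowlist has to live in the library binary rather than in a file the user or a vendor installer can append to.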