Patch Detail
Show a patch.
GET /api/1.1/patches/18608/?format=api
{ "id": 18608, "url": "https://patchwork.libcamera.org/api/1.1/patches/18608/?format=api", "web_url": "https://patchwork.libcamera.org/patch/18608/", "project": { "id": 1, "url": "https://patchwork.libcamera.org/api/1.1/projects/1/?format=api", "name": "libcamera", "link_name": "libcamera", "list_id": "libcamera_core", "list_email": "libcamera-devel@lists.libcamera.org", "web_url": "", "scm_url": "", "webscm_url": "" }, "msgid": "<20230506111025.18669-3-laurent.pinchart@ideasonboard.com>", "date": "2023-05-06T11:10:25", "name": "[libcamera-devel,v1,2/2] apps: Add ipa-verify application", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": false, "hash": "d347ba301d5424bf2b429725b8b116d6295116af", "submitter": { "id": 2, "url": "https://patchwork.libcamera.org/api/1.1/people/2/?format=api", "name": "Laurent Pinchart", "email": "laurent.pinchart@ideasonboard.com" }, "delegate": null, "mbox": "https://patchwork.libcamera.org/patch/18608/mbox/", "series": [ { "id": 3868, "url": "https://patchwork.libcamera.org/api/1.1/series/3868/?format=api", "web_url": "https://patchwork.libcamera.org/project/libcamera/list/?series=3868", "date": "2023-05-06T11:10:23", "name": "libcamera: Add an application to verify IPA module signatures", "version": 1, "mbox": "https://patchwork.libcamera.org/series/3868/mbox/" } ], "comments": "https://patchwork.libcamera.org/api/patches/18608/comments/", "check": "pending", "checks": "https://patchwork.libcamera.org/api/patches/18608/checks/", "tags": {}, "headers": { "Return-Path": "<libcamera-devel-bounces@lists.libcamera.org>", "X-Original-To": "parsemail@patchwork.libcamera.org", "Delivered-To": "parsemail@patchwork.libcamera.org", "Received": [ "from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id 9F62DC0DA4\n\tfor <parsemail@patchwork.libcamera.org>;\n\tSat, 6 May 2023 11:10:26 +0000 (UTC)", "from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id 5FF7E633B6;\n\tSat, 6 May 2023 13:10:26 +0200 (CEST)", "from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[213.167.242.64])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 8A5FE633B7\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tSat, 6 May 2023 13:10:24 +0200 (CEST)", "from pendragon.ideasonboard.com\n\t(133-32-181-51.west.xps.vectant.ne.jp [133.32.181.51])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id 31CE7800;\n\tSat, 6 May 2023 13:10:18 +0200 (CEST)" ], "DKIM-Signature": [ "v=1; a=rsa-sha256; c=relaxed/simple; d=libcamera.org;\n\ts=mail; t=1683371426;\n\tbh=9Sj3uq4t8/OCeIITS4eByka7FgoQBqN0P+ieilYVgYk=;\n\th=To:Date:In-Reply-To:References:Subject:List-Id:List-Unsubscribe:\n\tList-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:\n\tFrom;\n\tb=LtGGJq9AfSI05TrixkkK+4+I9Q2AAk3pZw5UuyYhq0GmsZOppW5R0ZS2pD0I0Ef+Q\n\t9b9M9REp/flgbndcIplmEOwkPAzmjECWOzCjkTpNVcqSJgCThRbKtHi9EDqHR8J1NL\n\tLw00i8Vt9lnDShZG5heJoFp0KgQYhRzlyjkq2tPv4hRGrP3ZM1TBaBhxI93+QHRL2H\n\tqxgtGhHHGjteuBpT1oBf6/gtdfdrn20L201Jy47gRVOyZH5zna2qFbPHO0NDAVxFof\n\tsyCU+QcIuWdJH7cTaZV5X53Ti0l+nTvoUqSq91z+rMWget1bLFyTnMwaoKp8dl2vSY\n\tsGMvs9ncCpa7g==", "v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; t=1683371420;\n\tbh=9Sj3uq4t8/OCeIITS4eByka7FgoQBqN0P+ieilYVgYk=;\n\th=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n\tb=RDRJs5IDE7KYrKjJ/LoO8kppXLECoYkofnQr21rqz6QUhhVjwiM9Cyir6Xrjt9kBD\n\tgyMGvHg6Vry3xX2yJxvcC6yIlJVNks4+rZxspre0q6UHd8S0ZVUS1g0wKu6TGKAhZw\n\t5hSk+5ljWONU3P9e8+8U0F/J4J7MFZ+sUZnr5ydM=" ], "Authentication-Results": "lancelot.ideasonboard.com; dkim=pass (1024-bit key; \n\tunprotected) header.d=ideasonboard.com\n\theader.i=@ideasonboard.com\n\theader.b=\"RDRJs5ID\"; dkim-atps=neutral", "To": "libcamera-devel@lists.libcamera.org", "Date": "Sat, 6 May 2023 14:10:25 +0300", "Message-Id": "<20230506111025.18669-3-laurent.pinchart@ideasonboard.com>", "X-Mailer": "git-send-email 2.39.3", "In-Reply-To": "<20230506111025.18669-1-laurent.pinchart@ideasonboard.com>", "References": "<20230506111025.18669-1-laurent.pinchart@ideasonboard.com>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "Subject": "[libcamera-devel] [PATCH v1 2/2] apps: Add ipa-verify application", "X-BeenThere": "libcamera-devel@lists.libcamera.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "<libcamera-devel.lists.libcamera.org>", "List-Unsubscribe": "<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>", "List-Archive": "<https://lists.libcamera.org/pipermail/libcamera-devel/>", "List-Post": "<mailto:libcamera-devel@lists.libcamera.org>", "List-Help": "<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>", "List-Subscribe": "<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>", "From": "Laurent Pinchart via libcamera-devel\n\t<libcamera-devel@lists.libcamera.org>", "Reply-To": "Laurent Pinchart <laurent.pinchart@ideasonboard.com>", "Errors-To": "libcamera-devel-bounces@lists.libcamera.org", "Sender": "\"libcamera-devel\" <libcamera-devel-bounces@lists.libcamera.org>" }, "content": "When packaging libcamera, distributions may break IPA module signatures\nif the packaging process strips binaries. This can be fixed by resigning\nthe modules, but the process is error-prone.\n\nAdd a command line ipa-verify utility that tests the signature on an IPA\nmodule to help packagers. The tool takes a single argument, the path to\nan IPA module shared object, and expects the signature file (.sign) to\nbe in the same directory.\n\nIn order to access the public key needed for signature verification, add\na static function to the IPAManager class. As the class is internal to\nlibcamera, this doesn't affect the public API.\n\nSigned-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\n---\n include/libcamera/internal/ipa_manager.h | 7 +++\n src/apps/ipa-verify/main.cpp | 64 ++++++++++++++++++++++++\n src/apps/ipa-verify/meson.build | 15 ++++++\n src/apps/meson.build | 2 +\n src/libcamera/ipa_manager.cpp | 13 +++++\n 5 files changed, 101 insertions(+)\n create mode 100644 src/apps/ipa-verify/main.cpp\n create mode 100644 src/apps/ipa-verify/meson.build", "diff": "diff --git a/include/libcamera/internal/ipa_manager.h b/include/libcamera/internal/ipa_manager.h\nindex 7f36e58e8bfa..bf823563c91c 100644\n--- a/include/libcamera/internal/ipa_manager.h\n+++ b/include/libcamera/internal/ipa_manager.h\n@@ -47,6 +47,13 @@ public:\n \t\treturn proxy;\n \t}\n \n+#if HAVE_IPA_PUBKEY\n+\tstatic const PubKey &pubKey()\n+\t{\n+\t\treturn pubKey_;\n+\t}\n+#endif\n+\n private:\n \tstatic IPAManager *self_;\n \ndiff --git a/src/apps/ipa-verify/main.cpp b/src/apps/ipa-verify/main.cpp\nnew file mode 100644\nindex 000000000000..76ba5073d25a\n--- /dev/null\n+++ b/src/apps/ipa-verify/main.cpp\n@@ -0,0 +1,64 @@\n+/* SPDX-License-Identifier: GPL-2.0-or-later */\n+/*\n+ * Copyright (C) 2023, Ideas on Board Oy\n+ *\n+ * ipa_verify.cpp - Verify signature on an IPA module\n+ */\n+\n+#include <iostream>\n+#include <libgen.h>\n+\n+#include <libcamera/base/file.h>\n+#include <libcamera/base/span.h>\n+\n+#include \"libcamera/internal/ipa_manager.h\"\n+#include \"libcamera/internal/ipa_module.h\"\n+\n+using namespace libcamera;\n+\n+namespace {\n+\n+bool isSignatureValid(IPAModule *ipa)\n+{\n+\tFile file{ ipa->path() };\n+\tif (!file.open(File::OpenModeFlag::ReadOnly))\n+\t\treturn false;\n+\n+\tSpan<uint8_t> data = file.map();\n+\tif (data.empty())\n+\t\treturn false;\n+\n+\treturn IPAManager::pubKey().verify(data, ipa->signature());\n+}\n+\n+void usage(char *argv0)\n+{\n+\tstd::cout << \"Usage: \" << basename(argv0) << \" ipa_name.so\" << std::endl;\n+\tstd::cout << std::endl;\n+\tstd::cout << \"Verify the signature of an IPA module. The signature file ipa_name.so.sign is\" << std::endl;\n+\tstd::cout << \"expected to be in the same directory as the IPA module.\" << std::endl;\n+}\n+\n+} /* namespace */\n+\n+int main(int argc, char **argv)\n+{\n+\tif (argc != 2) {\n+\t\tusage(argv[0]);\n+\t\treturn EXIT_FAILURE;\n+\t}\n+\n+\tIPAModule module{ argv[1] };\n+\tif (!module.isValid()) {\n+\t\tstd::cout << \"Invalid IPA module \" << argv[1] << std::endl;\n+\t\treturn EXIT_FAILURE;\n+\t}\n+\n+\tif (!isSignatureValid(&module)) {\n+\t\tstd::cout << \"IPA module signature is invalid\" << std::endl;\n+\t\treturn EXIT_FAILURE;\n+\t}\n+\n+\tstd::cout << \"IPA module signature is valid\" << std::endl;\n+\treturn 0;\n+}\ndiff --git a/src/apps/ipa-verify/meson.build b/src/apps/ipa-verify/meson.build\nnew file mode 100644\nindex 000000000000..7fdda3b9af4b\n--- /dev/null\n+++ b/src/apps/ipa-verify/meson.build\n@@ -0,0 +1,15 @@\n+# SPDX-License-Identifier: CC0-1.0\n+\n+if not ipa_sign_module\n+ subdir_done()\n+endif\n+\n+ipa_verify_sources = files([\n+ 'main.cpp',\n+])\n+\n+ipa_verify = executable('ipa_verify', ipa_verify_sources,\n+ dependencies : [\n+ libcamera_private,\n+ ],\n+ install : false)\ndiff --git a/src/apps/meson.build b/src/apps/meson.build\nindex 099876356bd1..af632b9a7b0b 100644\n--- a/src/apps/meson.build\n+++ b/src/apps/meson.build\n@@ -18,3 +18,5 @@ subdir('lc-compliance')\n \n subdir('cam')\n subdir('qcam')\n+\n+subdir('ipa-verify')\ndiff --git a/src/libcamera/ipa_manager.cpp b/src/libcamera/ipa_manager.cpp\nindex 030ef43fb994..6d18d09b019c 100644\n--- a/src/libcamera/ipa_manager.cpp\n+++ b/src/libcamera/ipa_manager.cpp\n@@ -279,6 +279,19 @@ IPAModule *IPAManager::module(PipelineHandler *pipe, uint32_t minVersion,\n * found or if the IPA proxy fails to initialize\n */\n \n+#if HAVE_IPA_PUBKEY\n+/**\n+ * \\fn IPAManager::pubKey()\n+ * \\brief Retrieve the IPA module signing public key\n+ *\n+ * IPA module signature verification is normally handled internally by the\n+ * IPAManager class. This function is meant to be used by utilities that need to\n+ * verify signatures externally.\n+ *\n+ * \\return The IPA module signing public key\n+ */\n+#endif\n+\n bool IPAManager::isSignatureValid([[maybe_unused]] IPAModule *ipa) const\n {\n #if HAVE_IPA_PUBKEY\n", "prefixes": [ "libcamera-devel", "v1", "2/2" ] }