[{"id":24466,"web_url":"https://patchwork.libcamera.org/comment/24466/","msgid":"","date":"2022-08-09T10:46:26","subject":"Re: [libcamera-devel] [PATCH v2 4/4] libcamera: Make IPA module\n\tsigning recommended instead of mandatory","submitter":{"id":101,"url":"https://patchwork.libcamera.org/api/people/101/","name":"Eric Curtin","email":"ecurtin@redhat.com"},"content":"On Tue, 9 Aug 2022 at 00:08, Laurent Pinchart\n wrote:\n>\n> Commit b382f67c833d (\"libcamera: Make IPA module signing mandatory for\n> the meantime\") made openssl and gnutls dependencies mandatory to work\n> around the lack of proper IPA module isolation support, which broke\n> operation without module signatures. This has now been fixed, so IPA\n> module isolation isn't strictly required anymore.\n>\n> There are few use cases for disabling module signing completely, given\n> that the openssl or gnutls dependencies are available on the vast\n> majority of systems and the overheard introduced by isolating all IPA\n> modules when signatures are not available is better avoided.\n> Nonetheless, libcamera should operate properly with forced IPA module\n> isolation, so we can support those use cases.\n>\n> Adopt a middle-ground approach to avoid unintentional isolation by\n> documenting the dependencies as recommended, and warn at meson setup\n> time if they are not found.\n>\n> Signed-off-by: Laurent Pinchart \n\nLGTM.\n\nReviewed-by: Eric Curtin \n\n> ---\n> README.rst | 5 ++++-\n> src/libcamera/meson.build | 10 ++++++++--\n> src/meson.build | 3 ++-\n> 3 files changed, 14 insertions(+), 4 deletions(-)\n>\n> diff --git a/README.rst b/README.rst\n> index 3bf4685b0e15..e9dd4207ae55 100644\n> --- a/README.rst\n> +++ b/README.rst\n> @@ -60,9 +60,12 @@ Meson Build system: [required]\n> for the libcamera core: [required]\n> libyaml-dev python3-yaml python3-ply python3-jinja2\n>\n> -for IPA module signing: [required]\n> +for IPA module signing: [recommended]\n> Either libgnutls28-dev or libssl-dev, openssl\n>\n> + Without IPA module signing, all IPA modules will be isolated in a\n> + separate process. This adds an unnecessary extra overhead at runtime.\n> +\n> for improved debugging: [optional]\n> libdw-dev libunwind-dev\n>\n> diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build\n> index 401fc498cfbc..0efa8fd5df7f 100644\n> --- a/src/libcamera/meson.build\n> +++ b/src/libcamera/meson.build\n> @@ -73,8 +73,14 @@ libcrypto = dependency('gnutls2', required : false)\n> if libcrypto.found()\n> config_h.set('HAVE_GNUTLS', 1)\n> else\n> - libcrypto = dependency('libcrypto', required : true)\n> - config_h.set('HAVE_CRYPTO', 1)\n> + libcrypto = dependency('libcrypto', required : false)\n> + if libcrypto.found()\n> + config_h.set('HAVE_CRYPTO', 1)\n> + endif\n> +endif\n> +\n> +if not libcrypto.found()\n> + warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated')\n> endif\n>\n> if liblttng.found()\n> diff --git a/src/meson.build b/src/meson.build\n> index 34663a6f134d..f37c44ca9f60 100644\n> --- a/src/meson.build\n> +++ b/src/meson.build\n> @@ -14,7 +14,7 @@ summary({\n> }, section : 'Paths')\n>\n> # Module Signing\n> -openssl = find_program('openssl', required : true)\n> +openssl = find_program('openssl', required : false)\n> if openssl.found()\n> ipa_priv_key = custom_target('ipa-priv-key',\n> output : ['ipa-priv-key.pem'],\n> @@ -22,6 +22,7 @@ if openssl.found()\n> config_h.set('HAVE_IPA_PUBKEY', 1)\n> ipa_sign_module = true\n> else\n> + warning('openssl not found, all IPA modules will be isolated')\n> ipa_sign_module = false\n> endif\n>\n> --\n> Regards,\n>\n> Laurent Pinchart\n>","headers":{"Return-Path":"","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id 660CBC3272\n\tfor ;\n\tTue, 9 Aug 2022 10:46:47 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id 2B6666332A;\n\tTue, 9 Aug 2022 12:46:47 +0200 (CEST)","from us-smtp-delivery-124.mimecast.com\n\t(us-smtp-delivery-124.mimecast.com [170.10.129.124])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 25FE0603EA\n\tfor ;\n\tTue, 9 Aug 2022 12:46:45 +0200 (CEST)","from mail-qk1-f197.google.com (mail-qk1-f197.google.com\n\t[209.85.222.197]) by relay.mimecast.com with ESMTP with STARTTLS\n\t(version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id\n\tus-mta-219-5ATDl8C4P0mBPF4JEq0SaA-1; Tue, 09 Aug 2022 06:46:43 -0400","by mail-qk1-f197.google.com with SMTP id\n\ty17-20020a05620a25d100b006b66293d75aso9965402qko.17\n\tfor ;\n\tTue, 09 Aug 2022 03:46:43 -0700 (PDT)"],"DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/simple; d=libcamera.org;\n\ts=mail; t=1660042007;\n\tbh=MO6uJWNWXTCfU77Qc30VeXs6cHTnFjrlzAhAp1lgWNo=;\n\th=References:In-Reply-To:Date:To:Subject:List-Id:List-Unsubscribe:\n\tList-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:\n\tFrom;\n\tb=VB9WI/GHrFbXNZsbg6Ag5lyuxU7pdAhaodtStqkjZTIvM/Sm3VfloRRUk6eN4Iu/4\n\t4nMGyIXkWYG6L8SLY4VALUdQlqs/zrO0bVwjnqj0sxkyqfQsodGUPb2BuwRf77/PUs\n\tJcrxzICWypNqd8N9zjnwlzR3/wwkp0gJEBpibpg3s1qR4ZIQrenxC2CO+ZZg5aFiL4\n\tkH2DkKMGcKSloNOsPXdbWvf75RC19qc/pr02h1rz8ro/SVRSAz8Upf4rcJCZjLfese\n\tE4McNDLAB9jsYU88+R+GMi5CXgtJ1XOwwT+S1h+AJE7WvH109HoDRgP3uZERJXdpY2\n\tLMHzlPO8vhMHw==","v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n\ts=mimecast20190719; t=1660042004;\n\th=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n\tto:to:cc:cc:mime-version:mime-version:content-type:content-type:\n\tin-reply-to:in-reply-to:references:references;\n\tbh=H3jvLAhIQIR12UOVgfrfZXnuAbknHfH/0/XoLIp5eIg=;\n\tb=IHlm6Co6TVFaA7YsRNN5pivLoM+5CQiF/VJUSU8+PNUq7oRzOPtr70ppdYbXP6oMmcpxBi\n\tHqyDrg9f7OXdKhSl9BlLF4sBk4LgMWrzsetPOkLQulES51jOfvMHKrC4kcmoNnBkAP9hK4\n\t8eRGFH/BoUt42OBy51BtxrI4aaSFeuY="],"Authentication-Results":"lancelot.ideasonboard.com; dkim=pass (1024-bit key; \n\tunprotected) header.d=redhat.com\n\theader.i=@redhat.com header.b=\"IHlm6Co6\"; \n\tdkim-atps=neutral","X-MC-Unique":"5ATDl8C4P0mBPF4JEq0SaA-1","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20210112;\n\th=x-gm-message-state:mime-version:references:in-reply-to:from:date\n\t:message-id:subject:to:cc;\n\tbh=H3jvLAhIQIR12UOVgfrfZXnuAbknHfH/0/XoLIp5eIg=;\n\tb=sI2JV+SbBvtYtjyUonXdYGDwTPkY+y3SVnXU9H3EV+JHUQXZA8fAXK4/IKOru9M2My\n\tmPuh3R22azvZhr4znH0N+7c5RyfrRL2l/5C14ANcpVGIaPzV8J2eQYM1/klTS/LYnSIk\n\tsI1Kc1BPWS535GasPeseGFVPexCmXRKoWdxow5/cMCxHHE8+O4r+gI9gthqiSi59+20d\n\tJ4rG1DmX/1cXh3La70WKqwM/bcPnKkw1w4SmgHsJ2qG20xmbcoxGG4l6F4WBPU0/5s8Y\n\tHjpA4ft3+b4SsMucIW/KCSG6mgv7ZM7Hmrv9idgfVVCyKWgGk/72uS9nuYa+rgY2z3MR\n\t0lNA==","X-Gm-Message-State":"ACgBeo1dooC7Ze7TqnslUZzDXT+2Hk2/v1H1qVj2d6NW5O+qwHVKAe/x\n\tjyCCuuxLYYUFRmHFLBxDqqCSVbcwvivSxsKCgbtFLef75Zo33mG20sZXhHK5DBkHnsli96ajzMh\n\tTgsB3/imBt/S+ogznhLj/PplooS7QZ8rr4w7o1fkNLIdGBdcgXw==","X-Received":["by 2002:ac8:5cd0:0:b0:342:eb4f:6e36 with SMTP id\n\ts16-20020ac85cd0000000b00342eb4f6e36mr11574297qta.638.1660042002281; \n\tTue, 09 Aug 2022 03:46:42 -0700 (PDT)","by 2002:ac8:5cd0:0:b0:342:eb4f:6e36 with SMTP id\n\ts16-20020ac85cd0000000b00342eb4f6e36mr11574282qta.638.1660042002054;\n\tTue, 09 Aug 2022 03:46:42 -0700 (PDT)"],"X-Google-Smtp-Source":"AA6agR4UFD0qs/z1+wAUTdZskigUaBv2ZkKGHWp+W7vZ9OZ8Bp2uH0ppe+CmssXdmKFqBpSlp5VjyQgOr6YMSu4eCUQ=","MIME-Version":"1.0","References":"<20220808230833.16275-1-laurent.pinchart@ideasonboard.com>\n\t<20220808230833.16275-5-laurent.pinchart@ideasonboard.com>","In-Reply-To":"<20220808230833.16275-5-laurent.pinchart@ideasonboard.com>","Date":"Tue, 9 Aug 2022 11:46:26 +0100","Message-ID":"","To":"Laurent Pinchart ","X-Mimecast-Spam-Score":"0","X-Mimecast-Originator":"redhat.com","Content-Type":"text/plain; charset=\"UTF-8\"","Subject":"Re: [libcamera-devel] [PATCH v2 4/4] libcamera: Make IPA module\n\tsigning recommended instead of mandatory","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","From":"Eric Curtin via libcamera-devel ","Reply-To":"Eric Curtin ","Cc":"libcamera devel ","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" "}},{"id":24471,"web_url":"https://patchwork.libcamera.org/comment/24471/","msgid":"<166004801318.2190824.10943816626798012803@Monstersaurus>","date":"2022-08-09T12:26:53","subject":"Re: [libcamera-devel] [PATCH v2 4/4] libcamera: Make IPA module\n\tsigning recommended instead of mandatory","submitter":{"id":4,"url":"https://patchwork.libcamera.org/api/people/4/","name":"Kieran Bingham","email":"kieran.bingham@ideasonboard.com"},"content":"Quoting Laurent Pinchart via libcamera-devel (2022-08-09 00:08:33)\n> Commit b382f67c833d (\"libcamera: Make IPA module signing mandatory for\n> the meantime\") made openssl and gnutls dependencies mandatory to work\n> around the lack of proper IPA module isolation support, which broke\n> operation without module signatures. This has now been fixed, so IPA\n> module isolation isn't strictly required anymore.\n> \n> There are few use cases for disabling module signing completely, given\n> that the openssl or gnutls dependencies are available on the vast\n> majority of systems and the overheard introduced by isolating all IPA\n> modules when signatures are not available is better avoided.\n> Nonetheless, libcamera should operate properly with forced IPA module\n> isolation, so we can support those use cases.\n> \n> Adopt a middle-ground approach to avoid unintentional isolation by\n> documenting the dependencies as recommended, and warn at meson setup\n> time if they are not found.\n\nSounds fine to me. It might be worthwhile making sure we test IPA\nisolation more (on all platforms), as opposed to just our virtual IPA...\n\n\nReviewed-by: Kieran Bingham \n\n> \n> Signed-off-by: Laurent Pinchart \n> ---\n> README.rst | 5 ++++-\n> src/libcamera/meson.build | 10 ++++++++--\n> src/meson.build | 3 ++-\n> 3 files changed, 14 insertions(+), 4 deletions(-)\n> \n> diff --git a/README.rst b/README.rst\n> index 3bf4685b0e15..e9dd4207ae55 100644\n> --- a/README.rst\n> +++ b/README.rst\n> @@ -60,9 +60,12 @@ Meson Build system: [required]\n> for the libcamera core: [required]\n> libyaml-dev python3-yaml python3-ply python3-jinja2\n> \n> -for IPA module signing: [required]\n> +for IPA module signing: [recommended]\n> Either libgnutls28-dev or libssl-dev, openssl\n> \n> + Without IPA module signing, all IPA modules will be isolated in a\n> + separate process. This adds an unnecessary extra overhead at runtime.\n> +\n> for improved debugging: [optional]\n> libdw-dev libunwind-dev\n> \n> diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build\n> index 401fc498cfbc..0efa8fd5df7f 100644\n> --- a/src/libcamera/meson.build\n> +++ b/src/libcamera/meson.build\n> @@ -73,8 +73,14 @@ libcrypto = dependency('gnutls2', required : false)\n> if libcrypto.found()\n> config_h.set('HAVE_GNUTLS', 1)\n> else\n> - libcrypto = dependency('libcrypto', required : true)\n> - config_h.set('HAVE_CRYPTO', 1)\n> + libcrypto = dependency('libcrypto', required : false)\n> + if libcrypto.found()\n> + config_h.set('HAVE_CRYPTO', 1)\n> + endif\n> +endif\n> +\n> +if not libcrypto.found()\n> + warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated')\n> endif\n> \n> if liblttng.found()\n> diff --git a/src/meson.build b/src/meson.build\n> index 34663a6f134d..f37c44ca9f60 100644\n> --- a/src/meson.build\n> +++ b/src/meson.build\n> @@ -14,7 +14,7 @@ summary({\n> }, section : 'Paths')\n> \n> # Module Signing\n> -openssl = find_program('openssl', required : true)\n> +openssl = find_program('openssl', required : false)\n> if openssl.found()\n> ipa_priv_key = custom_target('ipa-priv-key',\n> output : ['ipa-priv-key.pem'],\n> @@ -22,6 +22,7 @@ if openssl.found()\n> config_h.set('HAVE_IPA_PUBKEY', 1)\n> ipa_sign_module = true\n> else\n> + warning('openssl not found, all IPA modules will be isolated')\n> ipa_sign_module = false\n> endif\n> \n> -- \n> Regards,\n> \n> Laurent Pinchart\n>","headers":{"Return-Path":"","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id CA148C3272\n\tfor ;\n\tTue, 9 Aug 2022 12:26:58 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id 567A26332B;\n\tTue, 9 Aug 2022 14:26:58 +0200 (CEST)","from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[IPv6:2001:4b98:dc2:55:216:3eff:fef7:d647])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 8DD4D61FAA\n\tfor ;\n\tTue, 9 Aug 2022 14:26:56 +0200 (CEST)","from pendragon.ideasonboard.com\n\t(cpc89244-aztw30-2-0-cust3082.18-1.cable.virginm.net [86.31.172.11])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id 196A0481;\n\tTue, 9 Aug 2022 14:26:56 +0200 (CEST)"],"DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/simple; d=libcamera.org;\n\ts=mail; t=1660048018;\n\tbh=xftmAm1eukD/hf8npjkpDyHumjiLGXQNaMRG+tP0Ik4=;\n\th=In-Reply-To:References:To:Date:Subject:List-Id:List-Unsubscribe:\n\tList-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:\n\tFrom;\n\tb=0eBoxaQ3+Px7JadY/cd0ez+2DlSC3CJRCEv+HhBWoGCD9qsvUuiqY5dK7k6XZ6oyi\n\tXjpeIQP+YkCP7G3Grv7Qmc0sbkdP9nVt/TPe7lSKWlNWaqwV6ekdtXOQs+DtowPpAs\n\tKRPTk3p6tkrJcXoHsvN+dmmT/qwYFumTk6ZbIdPL1GHGqZU86BBvF2+9KWNkd71AFQ\n\tyc+0ixhUIxSh0LpGuUi0aSfFLnTc6yq/nhDZKchiFs1HZdF2ylTN1C9Y4zRJ314ZRS\n\tu3uoAo1qenYUnxKrqIC1yrNz4iurgyLXrM7FPj/ke8O3ArtV504OmYSCr5kylWdp/r\n\twWFQDcgcNp26Q==","v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; t=1660048016;\n\tbh=xftmAm1eukD/hf8npjkpDyHumjiLGXQNaMRG+tP0Ik4=;\n\th=In-Reply-To:References:Subject:From:To:Date:From;\n\tb=P9K5fPqEn3yUPp6U74U29tEm5wo13Sshp5aw/s62I9nMCwtSvSg0fW48VSG5Visvw\n\tJIb8Jp3vJDIF75TMc2ggCeOzrYf/V/fnN4h2mvySL2QotIGnW0oWuh5iS8oVoT+vWa\n\tX2nPFKKcLbvFbAUXxRICpzVVb+4zVZgHlr/bSn18="],"Authentication-Results":"lancelot.ideasonboard.com; dkim=pass (1024-bit key; \n\tunprotected) header.d=ideasonboard.com\n\theader.i=@ideasonboard.com\n\theader.b=\"P9K5fPqE\"; dkim-atps=neutral","Content-Type":"text/plain; charset=\"utf-8\"","MIME-Version":"1.0","Content-Transfer-Encoding":"quoted-printable","In-Reply-To":"<20220808230833.16275-5-laurent.pinchart@ideasonboard.com>","References":"<20220808230833.16275-1-laurent.pinchart@ideasonboard.com>\n\t<20220808230833.16275-5-laurent.pinchart@ideasonboard.com>","To":"Laurent Pinchart ,\n\tlibcamera-devel@lists.libcamera.org","Date":"Tue, 09 Aug 2022 13:26:53 +0100","Message-ID":"<166004801318.2190824.10943816626798012803@Monstersaurus>","User-Agent":"alot/0.10","Subject":"Re: [libcamera-devel] [PATCH v2 4/4] libcamera: Make IPA module\n\tsigning recommended instead of mandatory","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","From":"Kieran Bingham via libcamera-devel\n\t","Reply-To":"Kieran Bingham ","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" "}}]