[{"id":28355,"web_url":"https://patchwork.libcamera.org/comment/28355/","msgid":"<20231225212636.GA1494@pendragon.ideasonboard.com>","date":"2023-12-25T21:26:36","subject":"Re: [libcamera-devel] [PATCH] meson: enable IPA signing only if\n\tboth libcrypto and openssl are present","submitter":{"id":2,"url":"https://patchwork.libcamera.org/api/people/2/","name":"Laurent Pinchart","email":"laurent.pinchart@ideasonboard.com"},"content":"Hi Subhaditya,\n\nThank you for the patch.\n\nOn Mon, Dec 25, 2023 at 10:48:24PM +0530, Subhaditya Nath via libcamera-devel wrote:\n> Before this commit, if the build host had openssl installed, but had\n> neither openssl-dev nor gnutls-dev installed, then the IPA modules would\n> be signed and ipa_pub_key.cpp would contain the pubkey, but the function\n> PubKey::PubKey() would've been left empty, thereby valid_ being set to\n> false, rendering the pubkey unusable for verification purposes.\n> \n> This commit checks for the availability of both the openssl executable\n> and either of the gnutls and libcrypto libraries before enabling signing\n> of the IPA modules. Either both HAVE_IPA_PUBKEY and HAVE_(CRYPTO|GNUTLS)\n> are defined, or neither is defined. This mitigates situations like the\n> one mentioned above.\n\nWhat problem does this fix ? If the signature is present but can't be\nverified, won't libcamera just isolate IPA modules at runtime ? Is\nsomething currently broken ?\n\n> This commit leverages the multi-name dependency feature introduced in\n> meson 0.60.0 to select between gnutls and libcrypto. The behaviour is\n> unchanged – gnutls is used if found, else libcrypto is used (if found).\n> \n> Signed-off-by: Subhaditya Nath \n> ---\n> src/libcamera/meson.build | 19 -------------------\n> src/meson.build | 26 ++++++++++++++++++++------\n> 2 files changed, 20 insertions(+), 25 deletions(-)\n> \n> diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build\n> index 45f63e93..9d17c9f1 100644\n> --- a/src/libcamera/meson.build\n> +++ b/src/libcamera/meson.build\n> @@ -80,25 +80,6 @@ endif\n> libudev = dependency('libudev', required : get_option('udev'))\n> libyaml = dependency('yaml-0.1', required : false)\n> \n> -# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first.\n> -libcrypto = dependency('gnutls', required : false)\n> -if libcrypto.found()\n> - config_h.set('HAVE_GNUTLS', 1)\n> -else\n> - libcrypto = dependency('libcrypto', required : false)\n> - if libcrypto.found()\n> - config_h.set('HAVE_CRYPTO', 1)\n> - endif\n> -endif\n> -\n> -if not libcrypto.found()\n> - warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated')\n> - summary({'IPA modules signed with': 'None (modules will run isolated)'},\n> - section : 'Configuration')\n> -else\n> - summary({'IPA modules signed with' : libcrypto.name()}, section : 'Configuration')\n> -endif\n> -\n> if liblttng.found()\n> tracing_enabled = true\n> config_h.set('HAVE_TRACING', 1)\n> diff --git a/src/meson.build b/src/meson.build\n> index 165a77bb..208cd760 100644\n> --- a/src/meson.build\n> +++ b/src/meson.build\n> @@ -15,16 +15,30 @@ summary({\n> }, section : 'Paths')\n> \n> # Module Signing\n> +# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first.\n> +libcrypto = dependency('gnutls', 'libcrypto', required : false)\n> openssl = find_program('openssl', required : false)\n> -if openssl.found()\n> +if not libcrypto.found()\n> + ipa_sign_module = false\n> + warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated')\n> + summary({'IPA modules signed with': 'None (modules will run isolated)'},\n> + section : 'Configuration')\n> +elif not openssl.found()\n> + ipa_sign_module = false\n> + warning('openssl not found, all IPA modules will be isolated')\n> + ipa_sign_module = false\n> +else\n> + ipa_sign_module = true\n> + config_h.set('HAVE_IPA_PUBKEY', 1)\n> + if libcrypto.name() == 'gnutls'\n> + config_h.set('HAVE_GNUTLS', 1)\n> + else\n> + config_h.set('HAVE_CRYPTO', 1)\n> + endif\n> + summary({'IPA modules signed with' : libcrypto.name()}, section : 'Configuration')\n> ipa_priv_key = custom_target('ipa-priv-key',\n> output : ['ipa-priv-key.pem'],\n> command : [gen_ipa_priv_key, '@OUTPUT@'])\n> - config_h.set('HAVE_IPA_PUBKEY', 1)\n> - ipa_sign_module = true\n> -else\n> - warning('openssl not found, all IPA modules will be isolated')\n> - ipa_sign_module = false\n> endif\n> \n> # libcamera must be built first as a dependency to the other components.","headers":{"Return-Path":"","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id 07FF4BDB1D\n\tfor ;\n\tMon, 25 Dec 2023 21:26:33 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id 3919262B40;\n\tMon, 25 Dec 2023 22:26:32 +0100 (CET)","from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[213.167.242.64])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 6605D62B32\n\tfor ;\n\tMon, 25 Dec 2023 22:26:30 +0100 (CET)","from pendragon.ideasonboard.com\n\t(117.145-247-81.adsl-dyn.isp.belgacom.be [81.247.145.117])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id 496E010A;\n\tMon, 25 Dec 2023 22:25:36 +0100 (CET)"],"DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/simple; d=libcamera.org;\n\ts=mail; t=1703539592;\n\tbh=b4hABQSysyql0xJh7E3OS1iCH92vfkEmnBar6n3IkkY=;\n\th=Date:To:References:In-Reply-To:Subject:List-Id:List-Unsubscribe:\n\tList-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:\n\tFrom;\n\tb=av7g6k4l1lBOSQf3wzko04O/78qjNYVcdxyTNAbJlaW1Q4LkBDjc7xru4w2kSDey0\n\tJW6BLScwVfkgyFREtjInn3YpIWkdoTWg+pmkfQfTMFjTDF+6EzRH9B69ScZGe3gYS3\n\tsBQ2Rh2UFPP4EADZt8TlX4GLMnh/Cd6S2pyWouMS6pG5DrsDEWRj93VcIRi4tXjTYK\n\tPm7TcPN1cv0bhGX6nUHzTkXr+QLAsC3XilZQjc7JunhiQPqyo0wjJW2obHK40lX/W9\n\tfYD2dgLEZa4o1JuVCOhRxL6J1g1KIRU/f2foAu/gZwRXID9/KllIbtfvOUMAChOx5h\n\tmkAK926v0QATg==","v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; t=1703539536;\n\tbh=b4hABQSysyql0xJh7E3OS1iCH92vfkEmnBar6n3IkkY=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=eGrnVVjjjtW3q/b9GAsGSquXnQJQq8iBTj15bGonQpvOZKsuCwjQu0E5cSHXnuSUm\n\tCOspbYXDIQOoG3J5xTivzMWnCVF/YD2xg/qG8wyGrfyWqL8inRV8l059Iv5Fb9WPze\n\to21FQ+R4AAMPSHGbOJbLRU/J7kzpmzPQcz+AvOjM="],"Authentication-Results":"lancelot.ideasonboard.com; dkim=pass (1024-bit key; \n\tunprotected) header.d=ideasonboard.com\n\theader.i=@ideasonboard.com\n\theader.b=\"eGrnVVjj\"; dkim-atps=neutral","Date":"Mon, 25 Dec 2023 23:26:36 +0200","To":"Subhaditya Nath ","Message-ID":"<20231225212636.GA1494@pendragon.ideasonboard.com>","References":"<20231225171824.3776-1-sn03.general@gmail.com>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","Content-Transfer-Encoding":"8bit","In-Reply-To":"<20231225171824.3776-1-sn03.general@gmail.com>","Subject":"Re: [libcamera-devel] [PATCH] meson: enable IPA signing only if\n\tboth libcrypto and openssl are present","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","From":"Laurent Pinchart via libcamera-devel\n\t","Reply-To":"Laurent Pinchart ","Cc":"libcamera-devel@lists.libcamera.org","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" "}}]