[{"id":28496,"web_url":"https://patchwork.libcamera.org/comment/28496/","msgid":"","date":"2024-01-21T14:09:52","subject":"Re: [libcamera-devel] [PATCH] libcamera: ipa: allow trusting\n\tmodules by checksum","submitter":{"id":159,"url":"https://patchwork.libcamera.org/api/people/159/","name":"Elias Naur","email":"mail@eliasnaur.com"},"content":"Hi Arnout,\n\n> The motivation behind adding this mechanism is that this allows rebuilding the\n> library and getting a bit-by-bit identical result, without having to share the\n> keys with which to sign the trusted modules. This is known as 'Reproducible\n> Builds', and you can read more about its advantages on\n> https://reproducible-builds.org/. With this feature, packagers that care about\n> reproducible builds can disable the module signing, and enjoy equivalent\n> security and performance while also allowing independent rebuilds.\n\nThanks for working on reproducible builds. I locally hack libcamera\nto achieve bit-for-bit reproducible builds, and look forward to no longer needing\nthat hack.\n\nI think the feature would even more useful if it were always enabled. In particular,\nI propose to:\n\n- Always enable checksums.\n- Embed the known checksums into the binary, not in a separate configuration file.\n- Don't sign IPAs that have known checksums (thus achieving bit-for-bit reproducibility).\n - In your patch, I believe this is equivalent to \"ipa_sign_modules\" always being false.\n\nOptionally,\n\n- Avoid duplicating the SHA256 digest by re-using the digest done in libcamera/pub_key.cpp.\n\nThanks,\nElias","headers":{"Return-Path":"","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id 2CAC5C323E\n\tfor ;\n\tSun, 21 Jan 2024 14:09:59 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id 6D5356291F;\n\tSun, 21 Jan 2024 15:09:58 +0100 (CET)","from mail-qk1-x72c.google.com (mail-qk1-x72c.google.com\n\t[IPv6:2607:f8b0:4864:20::72c])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 5AD0E61D46\n\tfor ;\n\tSun, 21 Jan 2024 15:09:56 +0100 (CET)","by mail-qk1-x72c.google.com with SMTP id\n\taf79cd13be357-7838d13395dso139825185a.1\n\tfor ;\n\tSun, 21 Jan 2024 06:09:56 -0800 (PST)","from localhost ([189.174.206.139]) by smtp.gmail.com with ESMTPSA\n\tid\n\th3-20020a05610202c300b004695ead0cbdsm715600vsh.15.2024.01.21.06.09.53\n\t(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);\n\tSun, 21 Jan 2024 06:09:54 -0800 (PST)"],"DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/simple; d=libcamera.org;\n\ts=mail; t=1705846198;\n\tbh=vcG92CGKwY2reT8X/gP+jEjkz4LK6rla4Jwu/RXLGjU=;\n\th=Date:In-Reply-To:To:Subject:List-Id:List-Unsubscribe:List-Archive:\n\tList-Post:List-Help:List-Subscribe:From:Reply-To:Cc:From;\n\tb=ka4n4xrBCOBgzFXngpqlMwTBoIqykZEEvjII94RxHkB9ZbJvEahvHkvZpuFL5C48Y\n\tQm17uYyVZ0N9zCtXHB9MdcF8Egk/soeXD6MSO50zvK32CTDD6JiBkexBcTFSzo651Q\n\tPBAWhkDft3XAjONSGRAomrIBOW9dlVy0iiZd4d9993yPg7hRLgZwKmRrn4jLXSOIwm\n\txcvGkkYltroNLS7B5Xr+BYtoOqbqbMxIrNcyTH/3uWNHDVNJjh2s8Rtbi9q2Vp47J+\n\tiU2aaMDCqhy7w7eK2AnMDByvvmMaOdLOsOtr8II6cBhyzh3miEKYL9+rK/08nOJpME\n\t6ruXY1CGxCkAw==","v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=eliasnaur.com; s=google; t=1705846194; x=1706450994;\n\tdarn=lists.libcamera.org; \n\th=to:from:subject:in-reply-to:cc:message-id:date\n\t:content-transfer-encoding:mime-version:from:to:cc:subject:date\n\t:message-id:reply-to;\n\tbh=yp87ROQudhpcHVugRj2gtI9jv4ABGSJI8FXrY8Co5Yw=;\n\tb=EnaaUShyHCeB2QLmc12H1rdJ4w1AxYoJD4JY7+H+rOH1QxIlQVC/pRE3FbDvlOSiPS\n\tc5nZkKgHkiTYURZLUCZU95FSo+qD8XtNvblvqCymzIs8NmFrrI+QREmje5dYz3S9b+YN\n\tm6blfuXFMxgbwcljuwqbAT/kQTq5SJlfRKt7geLfIRdQpP2mSLfMUa8DymyYoLfDJuK8\n\t4ZkUldoMpr3RhNLWjT0SaUXpPcn2qXNiHH8ZDme4D/dzZzR+A+4lb0vrnArEvPQWIZFB\n\tcPtTTBbyB8Mcq1xFWZqaWYTXCyOyybU7htSEpjBbr5AmmSjaOP0F/GB/DWuTmi5q8/Sl\n\tkvuQ=="],"Authentication-Results":"lancelot.ideasonboard.com; dkim=pass (2048-bit key; \n\tunprotected) header.d=eliasnaur.com\n\theader.i=@eliasnaur.com\n\theader.b=\"EnaaUShy\"; dkim-atps=neutral","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20230601; t=1705846194; x=1706450994;\n\th=to:from:subject:in-reply-to:cc:message-id:date\n\t:content-transfer-encoding:mime-version:x-gm-message-state:from:to\n\t:cc:subject:date:message-id:reply-to;\n\tbh=yp87ROQudhpcHVugRj2gtI9jv4ABGSJI8FXrY8Co5Yw=;\n\tb=C95USu/Fg3WTXTNDgjkYGuAmch3t6tSoN7aJASIXpyeijPD+E3VpUjGfbDc4mCx7CU\n\tiqmqB7RMv6RN9uAfJ23rBZBSJOj0GTmTeIu4KN9ku64yyR4XonpqTkV7W3q/4Y2x+aDn\n\t0/Cyn1U3qhc8MWooBXoKx0grN6ymcG3UrXtoqiB4dtGnRSY3lY8WEGRHpMD5kZJCEKMP\n\t5r0Kj4kSB7Y0iUgSI04L2SleZLS7EeOBa9Qi4Q2qNygVu3JQPXmlSafPUgpmYfuPNsiK\n\tWd+4TgNSkA4SRkKr5GGAtZg/rz27NMVyhiUpIyo4bHEoT9KGjWEJ5qgfeKDQuxl7BGcI\n\t4bBg==","X-Gm-Message-State":"AOJu0Yy7zUJoeWWDurdWNFRuiyI96lMsy2ovFqtEkOuAGvN+LbxYKVlw\n\tUxrraWlXIMWWuNo3dZ3jVIZd48S+qHqKV8NzFnjyO7AjroYl7ffyi4/RD8AoBW/r9DabmMvRK7v\n\twzg==","X-Google-Smtp-Source":"AGHT+IHP14afwWE6sQ6nUQ1II2uLdTPY0i+/WOnMWu9zjwuSC/acSZqkQJfSz/KFAzNLV+ykbl5V8A==","X-Received":"by 2002:a05:620a:124f:b0:783:8c8d:d9d0 with SMTP id\n\ta15-20020a05620a124f00b007838c8dd9d0mr3452867qkl.99.1705846194579; \n\tSun, 21 Jan 2024 06:09:54 -0800 (PST)","Mime-Version":"1.0","Content-Transfer-Encoding":"quoted-printable","Content-Type":"text/plain; charset=UTF-8","Date":"Sun, 21 Jan 2024 09:09:52 -0500","Message-Id":"","In-Reply-To":"<20240120143742.1302914-1-arnout@bzzt.net>","To":"","X-Mailer":"aerc 0.15.2","Subject":"Re: [libcamera-devel] [PATCH] libcamera: ipa: allow trusting\n\tmodules by checksum","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","From":"Elias Naur via libcamera-devel ","Reply-To":"Elias Naur ","Cc":"Arnout Engelen ","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" "}},{"id":28497,"web_url":"https://patchwork.libcamera.org/comment/28497/","msgid":"<170585472666.4032600.8317145635110648851@ping.linuxembedded.co.uk>","date":"2024-01-21T16:32:06","subject":"Re: [libcamera-devel] [PATCH] libcamera: ipa: allow trusting\n\tmodules by checksum","submitter":{"id":4,"url":"https://patchwork.libcamera.org/api/people/4/","name":"Kieran Bingham","email":"kieran.bingham@ideasonboard.com"},"content":"Quoting Elias Naur via libcamera-devel (2024-01-21 14:09:52)\n> Hi Arnout,\n> \n> > The motivation behind adding this mechanism is that this allows rebuilding the\n> > library and getting a bit-by-bit identical result, without having to share the\n> > keys with which to sign the trusted modules. This is known as 'Reproducible\n> > Builds', and you can read more about its advantages on\n> > https://reproducible-builds.org/. With this feature, packagers that care about\n> > reproducible builds can disable the module signing, and enjoy equivalent\n> > security and performance while also allowing independent rebuilds.\n> \n> Thanks for working on reproducible builds. I locally hack libcamera\n> to achieve bit-for-bit reproducible builds, and look forward to no longer needing\n> that hack.\n\nI agree, finding a solution to handle reproducible builds is a good\ngoal.\n\n\n> I think the feature would even more useful if it were always enabled. In particular,\n> I propose to:\n> \n> - Always enable checksums.\n> - Embed the known checksums into the binary, not in a separate configuration file.\n\nI think this is a fairly important requirement to be able to upstream a\nreproducilble builds solution. The checksums should be stored within the\nlibcamera binary so the configuration file can not be amended after the\nfact, which would otherwise defeat the purpose. \n\nBut this makes things much more difficult I believe...\n\nThe tricky parts here will be handling how to verify the checksum of the\nmodules while distributions do actions such as stripping symbols. There\nare legitimate modifications that can be made to the module as part of\nthe installation process which would then break the checksum\nverifications.\n\n\n\n> - Don't sign IPAs that have known checksums (thus achieving bit-for-bit reproducibility).\n> - In your patch, I believe this is equivalent to \"ipa_sign_modules\" always being false.\n\nWould there be a mix of signed+checksummed modules in a given\ndistribution?\n\n> \n> Optionally,\n> \n> - Avoid duplicating the SHA256 digest by re-using the digest done in libcamera/pub_key.cpp.\n> \n> Thanks,\n> Elias","headers":{"Return-Path":"","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id C5CF0BDB1C\n\tfor ;\n\tSun, 21 Jan 2024 16:32:11 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id 033336291F;\n\tSun, 21 Jan 2024 17:32:11 +0100 (CET)","from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[213.167.242.64])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id C23A161D46\n\tfor ;\n\tSun, 21 Jan 2024 17:32:09 +0100 (CET)","from pendragon.ideasonboard.com\n\t(aztw-30-b2-v4wan-166917-cust845.vm26.cable.virginm.net\n\t[82.37.23.78])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id 45135BB2;\n\tSun, 21 Jan 2024 17:30:57 +0100 (CET)"],"DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/simple; d=libcamera.org;\n\ts=mail; t=1705854731;\n\tbh=gJn3de8Ifj0cYQQKIl4XkTbDijEj9FeUvyqElQkZWZY=;\n\th=In-Reply-To:References:To:Date:Subject:List-Id:List-Unsubscribe:\n\tList-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:\n\tFrom;\n\tb=lrXZuq6eViJi22gNTxyQfaDtqLsEX3PM4lmpnkeO8LoWNToZMKh67ny1zIEdyHj63\n\tpVW1vUan0twLh4egzGkUffMIHgY9i2ePpPcKAuvlWgc1ZQ8f24CgqcwaMu9LpfRED5\n\tzVeq6B1SxeQCtd9ms5Tu/c+sdmPsxknJKe4gq0+KAifr4dj3TvkQDEHaFKZFnwsiyu\n\tESFCb6s/GOm/NMZQwb0SrTscsq+8rMWcjQsk/kxE6NT8Lds8GoODSuKJ3T9Ub3Bzg1\n\tg6Ii8VdLA1VVBP6XBbx8IA6yBG85jbcRmPHTOJBGMIJCnzGS4vZJeLG6mqGrOeGv8y\n\tGL7F0sP/6gJ+g==","v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; t=1705854657;\n\tbh=gJn3de8Ifj0cYQQKIl4XkTbDijEj9FeUvyqElQkZWZY=;\n\th=In-Reply-To:References:Subject:From:Cc:To:Date:From;\n\tb=fdWmXaKqDvZXNQvrbysE41/CKU7Mvks/ZU5MkJydDbMl/ML44msm4jfQHytCfvs90\n\tBoBCegFQyuBADQbIN6UeFQEpaLlYWm9Cuol2svpR3XMw090y6s1VzZrLEEj89sPEXL\n\tffE2vvz4TQERlaOcK7PljQD8JIabWGo1YyVRXSXc="],"Authentication-Results":"lancelot.ideasonboard.com; dkim=pass (1024-bit key; \n\tunprotected) header.d=ideasonboard.com\n\theader.i=@ideasonboard.com\n\theader.b=\"fdWmXaKq\"; dkim-atps=neutral","Content-Type":"text/plain; charset=\"utf-8\"","MIME-Version":"1.0","Content-Transfer-Encoding":"quoted-printable","In-Reply-To":"","References":"","To":"Elias Naur , libcamera-devel@lists.libcamera.org","Date":"Sun, 21 Jan 2024 16:32:06 +0000","Message-ID":"<170585472666.4032600.8317145635110648851@ping.linuxembedded.co.uk>","User-Agent":"alot/0.10","Subject":"Re: [libcamera-devel] [PATCH] libcamera: ipa: allow trusting\n\tmodules by checksum","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","From":"Kieran Bingham via libcamera-devel\n\t","Reply-To":"Kieran Bingham ","Cc":"Arnout Engelen ","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" "}},{"id":28498,"web_url":"https://patchwork.libcamera.org/comment/28498/","msgid":"","date":"2024-01-21T17:33:24","subject":"Re: [libcamera-devel] [PATCH] libcamera: ipa: allow trusting\n\tmodules by checksum","submitter":{"id":159,"url":"https://patchwork.libcamera.org/api/people/159/","name":"Elias Naur","email":"mail@eliasnaur.com"},"content":"On Sun, 21 Jan 2024 at 11:32, Kieran Bingham\n wrote:\n>\n> Quoting Elias Naur via libcamera-devel (2024-01-21 14:09:52)\n> > Hi Arnout,\n> >\n>\n> > I think the feature would even more useful if it were always enabled. In particular,\n> > I propose to:\n> >\n> > - Always enable checksums.\n> > - Embed the known checksums into the binary, not in a separate configuration file.\n>\n> I think this is a fairly important requirement to be able to upstream a\n> reproducilble builds solution. The checksums should be stored within the\n> libcamera binary so the configuration file can not be amended after the\n> fact, which would otherwise defeat the purpose.\n>\n> But this makes things much more difficult I believe...\n>\n> The tricky parts here will be handling how to verify the checksum of the\n> modules while distributions do actions such as stripping symbols. There\n> are legitimate modifications that can be made to the module as part of\n> the installation process which would then break the checksum\n> verifications.\n>\n>\n\nI don't know the relative difficulty level, but I just want to throw\nout another possibility\nthat completely sidesteps verification: linking the modules directly\ninto libcamera. That would\nalso move libcamera closer to being statically linkable into\nexecutables. FWIW, libcamera is\nthe only blocker to a completely static build of my project.\n\n>\n> > - Don't sign IPAs that have known checksums (thus achieving bit-for-bit reproducibility).\n> > - In your patch, I believe this is equivalent to \"ipa_sign_modules\" always being false.\n>\n> Would there be a mix of signed+checksummed modules in a given\n> distribution?\n>\n\nAs far as I understand, the signing feature is only for out-of-tree\n(closed source?) modules.\nAssuming a Linux distribution without such modules, I see no use for signing.\n\nElias","headers":{"Return-Path":"","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id 9BCA2C323E\n\tfor ;\n\tSun, 21 Jan 2024 17:33:39 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id CDE26628B7;\n\tSun, 21 Jan 2024 18:33:38 +0100 (CET)","from mail-pg1-x52b.google.com (mail-pg1-x52b.google.com\n\t[IPv6:2607:f8b0:4864:20::52b])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id F06D961D46\n\tfor ;\n\tSun, 21 Jan 2024 18:33:36 +0100 (CET)","by mail-pg1-x52b.google.com with SMTP id\n\t41be03b00d2f7-5c66b093b86so2450648a12.0\n\tfor ;\n\tSun, 21 Jan 2024 09:33:36 -0800 (PST)"],"DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/simple; d=libcamera.org;\n\ts=mail; t=1705858418;\n\tbh=0ohem1aFbVIosMa1DxRMe1Uq2SY8rXQPm5MA3c8exvM=;\n\th=References:In-Reply-To:Date:To:Subject:List-Id:List-Unsubscribe:\n\tList-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:\n\tFrom;\n\tb=SzEw9AqftDch+QphcSXOqkHg+VHy+l21Q/T+rbZuHWyXdyy13JcS5K6f2cyalAr+u\n\trzTz3nF1yy4iitsZ6hFK+v6MgXjg8Be2sbTz6XFwCOfuKqnxvci4vWUFOn7ShUQbbz\n\tA2v3A4hJPXuKWLtYFGk6Eec775Xl6VicMbqkzjpTKfKNzqp+cO9Dkh1kgRjHPMzO2C\n\txWIyUI9bVZjsVfgQ/XFW4RqYRvOZj63IqwjrCq040is3JXPGK+bIKvFkAGvEBL/GCr\n\tv9vp8roHuv8HS0mUOpAXg4Wbfk0gWQbxrT5qdqRAS63vdTs8h1V9pRL/VSXDjZRs4Q\n\t9xWlviKM2PYAw==","v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=eliasnaur.com; s=google; t=1705858415; x=1706463215;\n\tdarn=lists.libcamera.org; \n\th=cc:to:subject:message-id:date:from:in-reply-to:references\n\t:mime-version:from:to:cc:subject:date:message-id:reply-to;\n\tbh=K2d3bVpGwxjHTbzA89cg8Qq6leV3c36uIC8B45kZIkE=;\n\tb=zSMODxXxU73imWBCMQZ3hz6Urf95qNlAfkTKo4yL3eiBhcgEb/cXq0cns9SEd5B2DJ\n\t9urshSm/eeME+VBTwET5QtfcER5QtIMS2zf/vqrnc7bV1zZ5W8YtmUXkqRZCkmOCkZ05\n\tw1TVzLri/mUwZ3z89Go+FS+0MGPkoMDek8pdo9WTLsFtOW6kDQzlGeHFkFsr+qHjymV0\n\t/sa+UBI0tyHm76nmrZS+FtQVLLkaXq6tYrQ+JMjFSjc6EmwbK/XXHIQ0QG6HrVLhhtLe\n\t3e2LR14It4grefNjlHIDwv0WgkwxlGBUXY+GVz+HNK6DUMF7KiukCWXLId9WccvQnzfJ\n\t71PQ=="],"Authentication-Results":"lancelot.ideasonboard.com; dkim=pass (2048-bit key; \n\tunprotected) header.d=eliasnaur.com\n\theader.i=@eliasnaur.com\n\theader.b=\"zSMODxXx\"; dkim-atps=neutral","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20230601; t=1705858415; x=1706463215;\n\th=cc:to:subject:message-id:date:from:in-reply-to:references\n\t:mime-version:x-gm-message-state:from:to:cc:subject:date:message-id\n\t:reply-to;\n\tbh=K2d3bVpGwxjHTbzA89cg8Qq6leV3c36uIC8B45kZIkE=;\n\tb=qb6j7zdu3Evc/zKm4ZQHaEFNWsn+u9WQAWmhurAhDG6okbrAprapwR5Ddo2bZi2Wev\n\tooxUN/FEUokO/O8mklY01uLKLFuA+LAu3ACBRWET1tA8dZOdz/4LRA0/ieTYUavKSXKZ\n\tdvyFzMGgWMnTxBe7etenH9fLKdfFTTLySikzlJsgEqJxQQ62rRWJfBRDnVmGXhj0SDoR\n\tVhxz3GAdC51i9hOdSSzGdjzk4acazb8oQYnRXeXoYjucq5hpxs67+Ab1iv9eZSu8SJz2\n\tgh7secYO4vmShObbYBtpzWl4y/62WB75q3Qkkustm0O0odW5cIvTQyRpSjU+vnVpi3FW\n\tI1VQ==","X-Gm-Message-State":"AOJu0Yz7cdELQhYwdlrwWMXp6o1ADlb31iYO8vB8bWM+kmOqCRHhM2bD\n\tieZKTbeIcqpEtFEtC3Bzv9lzsp6wLEltZT0Jm04uyZmr9YDTheRdUF73hdpVx6Iaj9bBAwd9B0R\n\tEkamCVvraTH2Sey/TMjKOGTwqD0x3bF7c1nNJ","X-Google-Smtp-Source":"AGHT+IEEtJ7odVUEEaJfzBcwIySCWv5XldOCUmvlGBZLqktW1ZbcqJjJtKj9FgwZtJ6mKUvSn+yfAWyqRit21+3CBGg=","X-Received":"by 2002:a17:90a:ba85:b0:28f:f863:76d0 with SMTP id\n\tt5-20020a17090aba8500b0028ff86376d0mr4725836pjr.39.1705858415089;\n\tSun, 21 Jan 2024 09:33:35 -0800 (PST)","MIME-Version":"1.0","References":"\n\t<170585472666.4032600.8317145635110648851@ping.linuxembedded.co.uk>","In-Reply-To":"<170585472666.4032600.8317145635110648851@ping.linuxembedded.co.uk>","Date":"Sun, 21 Jan 2024 12:33:24 -0500","Message-ID":"","To":"Kieran Bingham ","Content-Type":"text/plain; charset=\"UTF-8\"","Subject":"Re: [libcamera-devel] [PATCH] libcamera: ipa: allow trusting\n\tmodules by checksum","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","From":"Elias Naur via libcamera-devel ","Reply-To":"Elias Naur ","Cc":"Arnout Engelen , libcamera-devel@lists.libcamera.org","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" "}},{"id":28499,"web_url":"https://patchwork.libcamera.org/comment/28499/","msgid":"<20240121185442.GC4378@pendragon.ideasonboard.com>","date":"2024-01-21T18:54:42","subject":"Re: [libcamera-devel] [PATCH] libcamera: ipa: allow trusting\n\tmodules by checksum","submitter":{"id":2,"url":"https://patchwork.libcamera.org/api/people/2/","name":"Laurent Pinchart","email":"laurent.pinchart@ideasonboard.com"},"content":"On Sun, Jan 21, 2024 at 04:32:06PM +0000, Kieran Bingham via libcamera-devel wrote:\n> Quoting Elias Naur via libcamera-devel (2024-01-21 14:09:52)\n> > Hi Arnout,\n> > \n> > > The motivation behind adding this mechanism is that this allows rebuilding the\n> > > library and getting a bit-by-bit identical result, without having to share the\n> > > keys with which to sign the trusted modules. This is known as 'Reproducible\n> > > Builds', and you can read more about its advantages on\n> > > https://reproducible-builds.org/. With this feature, packagers that care about\n> > > reproducible builds can disable the module signing, and enjoy equivalent\n> > > security and performance while also allowing independent rebuilds.\n> > \n> > Thanks for working on reproducible builds. I locally hack libcamera\n> > to achieve bit-for-bit reproducible builds, and look forward to no longer needing\n> > that hack.\n> \n> I agree, finding a solution to handle reproducible builds is a good\n> goal.\n> \n> > I think the feature would even more useful if it were always enabled. In particular,\n> > I propose to:\n> > \n> > - Always enable checksums.\n> > - Embed the known checksums into the binary, not in a separate configuration file.\n> \n> I think this is a fairly important requirement to be able to upstream a\n> reproducilble builds solution. The checksums should be stored within the\n> libcamera binary so the configuration file can not be amended after the\n> fact, which would otherwise defeat the purpose. \n> \n> But this makes things much more difficult I believe...\n> \n> The tricky parts here will be handling how to verify the checksum of the\n> modules while distributions do actions such as stripping symbols. There\n> are legitimate modifications that can be made to the module as part of\n> the installation process which would then break the checksum\n> verifications.\n\nChecksums in a configuration file is a no-go I'm afraid, as it means\nanyone could ship a closed-source IPA module and instruct users to add\nan entry to the configuration file, circumventing IPA module isolation.\n\n> > - Don't sign IPAs that have known checksums (thus achieving bit-for-bit reproducibility).\n> > - In your patch, I believe this is equivalent to \"ipa_sign_modules\" always being false.\n> \n> Would there be a mix of signed+checksummed modules in a given\n> distribution?\n> \n> > Optionally,\n> > \n> > - Avoid duplicating the SHA256 digest by re-using the digest done in libcamera/pub_key.cpp.","headers":{"Return-Path":"","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id BA8BEBDB1C\n\tfor ;\n\tSun, 21 Jan 2024 18:54:39 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id ECA406291F;\n\tSun, 21 Jan 2024 19:54:38 +0100 (CET)","from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[IPv6:2001:4b98:dc2:55:216:3eff:fef7:d647])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id EC65C61D46\n\tfor ;\n\tSun, 21 Jan 2024 19:54:37 +0100 (CET)","from pendragon.ideasonboard.com (89-27-53-110.bb.dnainternet.fi\n\t[89.27.53.110])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id 1F15FBB2;\n\tSun, 21 Jan 2024 19:53:25 +0100 (CET)"],"DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/simple; d=libcamera.org;\n\ts=mail; t=1705863279;\n\tbh=VWnANLLL//HF7qpj4GAS47t3b4DZFKrbHyFqwt9jw/g=;\n\th=Date:To:References:In-Reply-To:Subject:List-Id:List-Unsubscribe:\n\tList-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:\n\tFrom;\n\tb=rREBSYIsC69NNRofPWteVbcj02wZ0jJ4qFImU9oPtesh/qzwWeft0Do3vLfL1EVpC\n\t/b3nK4GUg6PaIKZcGdN7W332CE6pNx0qvwE3WUCDN2bIBRudwm3DnySDqLDHIgdWDX\n\tj+MyX0OPWrtrgbWIOowKdAi3KsL21YxWIrqFsjRd1lrgN0yiovh+E+Z5IaGHCAbHUM\n\tQ4Fc6XY7dixys72sdH2/0rNnMLd9Ys6Ac1Yzk9KJhWybnmghoDJ4XkgznQxkPFo4Ae\n\t6Rw72gzws/Pzp4EC9sVisH5eKqDpo0xQ7bxD1IHv+scGNHMCz+dcIjeLRQ9OpFadFg\n\t7qeXEGClfnkzw==","v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; t=1705863205;\n\tbh=VWnANLLL//HF7qpj4GAS47t3b4DZFKrbHyFqwt9jw/g=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=MOP3Urer22GfPWhfQ16MfznXVRJL83zedsUW7cQ0Weo7YiTCk8Ob0PeZoynQh7qGX\n\tzh9VS83R24oZitghcaR6lqLLVvomwo89mxn128+eSCmJkCVWLHnlIOkeR7r55f/6R6\n\tR1gfbe6B1VT4RiNmnITg4Ng6MoDDnCQP6Z7nVErA="],"Authentication-Results":"lancelot.ideasonboard.com; dkim=pass (1024-bit key; \n\tunprotected) header.d=ideasonboard.com\n\theader.i=@ideasonboard.com\n\theader.b=\"MOP3Urer\"; dkim-atps=neutral","Date":"Sun, 21 Jan 2024 20:54:42 +0200","To":"Kieran Bingham ","Message-ID":"<20240121185442.GC4378@pendragon.ideasonboard.com>","References":"\n\t<170585472666.4032600.8317145635110648851@ping.linuxembedded.co.uk>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<170585472666.4032600.8317145635110648851@ping.linuxembedded.co.uk>","Subject":"Re: [libcamera-devel] [PATCH] libcamera: ipa: allow trusting\n\tmodules by checksum","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","From":"Laurent Pinchart via libcamera-devel\n\t","Reply-To":"Laurent Pinchart ","Cc":"Arnout Engelen , libcamera-devel@lists.libcamera.org,\n\tElias Naur ","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" "}},{"id":28506,"web_url":"https://patchwork.libcamera.org/comment/28506/","msgid":"","date":"2024-01-22T08:50:02","subject":"Re: [libcamera-devel] [PATCH] libcamera: ipa: allow trusting\n\tmodules by checksum","submitter":{"id":182,"url":"https://patchwork.libcamera.org/api/people/182/","name":"Arnout Engelen","email":"libcamera@bzzt.net"},"content":"Hi all,\n\nOn Sun, Jan 21, 2024, at 19:54, Laurent Pinchart wrote:\n> On Sun, Jan 21, 2024 at 04:32:06PM +0000, Kieran Bingham via libcamera-devel wrote:\n> > Quoting Elias Naur via libcamera-devel (2024-01-21 14:09:52)\n> > > Hi Arnout,\n> > > \n> > > > The motivation behind adding this mechanism is that this allows rebuilding the\n> > > > library and getting a bit-by-bit identical result, without having to share the\n> > > > keys with which to sign the trusted modules. This is known as 'Reproducible\n> > > > Builds', and you can read more about its advantages on\n> > > > https://reproducible-builds.org/. With this feature, packagers that care about\n> > > > reproducible builds can disable the module signing, and enjoy equivalent\n> > > > security and performance while also allowing independent rebuilds.\n> > > \n> > > Thanks for working on reproducible builds. I locally hack libcamera\n> > > to achieve bit-for-bit reproducible builds, and look forward to no longer needing\n> > > that hack.\n> > \n> > I agree, finding a solution to handle reproducible builds is a good\n> > goal.\n\nThanks for the encouragement!\n\n> > > I think the feature would even more useful if it were always enabled. In particular,\n> > > I propose to:\n> > > \n> > > - Always enable checksums.\n> > > - Embed the known checksums into the binary, not in a separate configuration file.\n> > \n> > I think this is a fairly important requirement to be able to upstream a\n> > reproducilble builds solution. The checksums should be stored within the\n> > libcamera binary so the configuration file can not be amended after the\n> > fact, which would otherwise defeat the purpose. \n> > \n> > But this makes things much more difficult I believe...\n> > \n> > The tricky parts here will be handling how to verify the checksum of the\n> > modules while distributions do actions such as stripping symbols. There\n> > are legitimate modifications that can be made to the module as part of\n> > the installation process which would then break the checksum\n> > verifications.\n\nIndeed: embedding the checksums in the binary was my initial approach, but it's tricky given the legitimate use cases for modifying the objects in the install phase.\n\n> Checksums in a configuration file is a no-go I'm afraid, as it means\n> anyone could ship a closed-source IPA module and instruct users to add\n> an entry to the configuration file, circumventing IPA module isolation.\n\nIt depends on your threat model / risk appetite, of course - it's hard to protect against users that are happy to explicitly trust such a third-party module. Going to extremes, someone could even try to convince such users to load a version of libcamera that trusts their module, or other terrible hacks. I guess we don't want to make it too easy, though.\n\nI'd be happy to provide a version of this patch with the 'LIBCAMERA_IPA_TRUSTED_MODULE_CHECKSUMS_FILE' environment variable support removed, and a meson option to enable/disable trusting checksums - default value up to you. That may increase the barrier and give distributions a chance to make their own trade-off?\n\n(I also like Elias' idea of statically linking the in-tree modules, but I don't think I'm comfortable enough with the codebase to take that on)\n\n> > > - Don't sign IPAs that have known checksums (thus achieving bit-for-bit reproducibility).\n> > > - In your patch, I believe this is equivalent to \"ipa_sign_modules\" always being false.\n> > \n> > Would there be a mix of signed+checksummed modules in a given\n> > distribution?\n\nI don't see an obvious use case for having both, but I don't see a reason to restrict it either.\n\n\nKind regards,\n\nArnout","headers":{"Return-Path":"","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id A03EFC323E\n\tfor ;\n\tMon, 22 Jan 2024 08:52:39 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id D3DE262936;\n\tMon, 22 Jan 2024 09:52:38 +0100 (CET)","from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com\n\t[66.111.4.28])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id DD44E628AD\n\tfor ;\n\tMon, 22 Jan 2024 09:52:35 +0100 (CET)","from compute3.internal (compute3.nyi.internal [10.202.2.43])\n\tby mailout.nyi.internal (Postfix) with ESMTP id 2B03F5C00D5;\n\tMon, 22 Jan 2024 03:52:32 -0500 (EST)","from imap52 ([10.202.2.102])\n\tby compute3.internal (MEProxy); Mon, 22 Jan 2024 03:52:32 -0500","by mailuser.nyi.internal (Postfix, from userid 501)\n\tid D4901C60091; Mon, 22 Jan 2024 03:52:31 -0500 (EST)"],"DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/simple; d=libcamera.org;\n\ts=mail; t=1705913558;\n\tbh=U0s7NDxm6xuziXcn/+MISfuUiyt1s0AUfxKeJHfkqEs=;\n\th=In-Reply-To:References:Date:To:Subject:List-Id:List-Unsubscribe:\n\tList-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:\n\tFrom;\n\tb=iXFoiNNBD98XCZBl16104J56PNFjeQb+EPbWI7wdcJkxkjIh5uH/ZH5kengBLlUan\n\te87xXS4bg3/3KLXhOC86iQ39hZYKdBz/+w6iiYUrLRHaQ+RJ2ufxH4w3OIseOYBuaJ\n\tiY74FCT7+f0/mDoYewhlrT8RI36EhcVCALgsle/jKAECQsdiPrC8KX3k709HYNt3SB\n\tRIMlu4Ta+gGgrNZPyMPR5vhZxO+oONw+D4PDoukF2EsAepcQrAV/h72UOx+XCwDFh9\n\tx53acIi6kAOaBtJ3wgHuMkGA5rgqoXhRMbbm93Eitq8Iv5EAhvXAThz5TpBqBMGkah\n\tSxVwQQJrFsWHw==","v=1; a=rsa-sha256; c=relaxed/relaxed; d=bzzt.net; h=cc\n\t:cc:content-type:content-type:date:date:from:from:in-reply-to\n\t:in-reply-to:message-id:mime-version:references:reply-to:subject\n\t:subject:to:to; s=fm1; t=1705913552; x=1705999952; bh=3A+QCpuKW6\n\tJgW6I2dMezXd66+46f9gzJ8ursG8Pcieg=; b=dhWDq8yyyJQDYwdaWMcNUNdQD4\n\tETMdStc7NfsYdagRA7hOSyKqSz18lnHAfM4uTBpZAAqQA9HoJmjSakgisXz/mw2I\n\tJLY2TWq7wS7yR9r2lsoK6PFcGmL/ut8jSFfYmTI/vNZIpjwlcZ9aYzBvzsKcdpYy\n\tQf2wQuLbgzaAZerKcFmBUXD8NSxgN8eyd8ai8V9Fz+BrCOmS/796OFdkVMHv5y9e\n\tkcpO/+Jumuy0PBFsCQu2UJnipf4Kv18sfnr4sxCYUCVxgrXwbkQzZCFxatAtMX0d\n\t5b+a8OAjnSLjjR4qoLxthOe+dEi8EZTz9zt5s03xD43QwEk6uIbCV/20wfsw==","v=1; a=rsa-sha256; c=relaxed/relaxed; d=\n\tmessagingengine.com; h=cc:cc:content-type:content-type:date:date\n\t:feedback-id:feedback-id:from:from:in-reply-to:in-reply-to\n\t:message-id:mime-version:references:reply-to:subject:subject:to\n\t:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=\n\tfm3; t=1705913552; x=1705999952; bh=3A+QCpuKW6JgW6I2dMezXd66+46f\n\t9gzJ8ursG8Pcieg=; b=vYB1SjxQq00GK33s7ynNmTlezlBIzozawxusQt/7ofJr\n\tH/dVfBc1YAkCvl04l0221h27pwNy6Z0WiyNR9XuDimkvQwIIa3huvw00qFpeJfaR\n\tYqjAufpaBLh/nDpNhIQUn+aVhJoTVVLaa5DW9Wz+c0VeqxgWH0GaHVsjdMadRDYp\n\tBZ1AVLXdpQIhGdV2MvcaAGP8g5s4w7FwETk4LjfBIh7phGIwgUtE4qAND4aulIYK\n\t5c8Y008ikbU7WNS2h/UpD9iXXtsGtfVY5oZbTsDgrYe1om/CUPuf8F5Nhi+yIALq\n\tQ8FmM3+4RrfxV8hrBbYy+Oq7SaqP6dkCeWuLla7L+A=="],"Authentication-Results":"lancelot.ideasonboard.com; dkim=pass (2048-bit key; \n\tunprotected) header.d=bzzt.net header.i=@bzzt.net\n\theader.b=\"dhWDq8yy\"; dkim=pass (2048-bit key;\n\tunprotected) header.d=messagingengine.com\n\theader.i=@messagingengine.com\n\theader.b=\"vYB1SjxQ\"; dkim-atps=neutral","X-ME-Sender":"\n\t","X-ME-Proxy-Cause":"gggruggvucftvghtrhhoucdtuddrgedvkedrvdekhedguddvvdcutefuodetggdotefrod\n\tftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh\n\tnecuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd\n\tenucfjughrpefofgggkfgjfhffhffvvefutgesrgdtreerreertdenucfhrhhomhepfdet\n\trhhnohhuthcugfhnghgvlhgvnhdfuceolhhisggtrghmvghrrgessgiiiihtrdhnvghtqe\n\tenucggtffrrghtthgvrhhnpeehjeevhfejvddvvedtgeefkeefveejtdeuvdekhedthedu\n\ttddvveejveekheefgeenucffohhmrghinheprhgvphhrohguuhgtihgslhgvqdgsuhhilh\n\tgushdrohhrghenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhr\n\tohhmpehlihgstggrmhgvrhgrsegsiiiithdrnhgvth","X-ME-Proxy":"\n\t\n\t\n\t","Feedback-ID":"i7559471f:Fastmail","X-Mailer":"MessagingEngine.com Webmail Interface","User-Agent":"Cyrus-JMAP/3.9.0-alpha0-1374-gc37f3abe3d-fm-20240102.001-gc37f3abe","MIME-Version":"1.0","Message-Id":"","In-Reply-To":"<20240121185442.GC4378@pendragon.ideasonboard.com>","References":"\n\t<170585472666.4032600.8317145635110648851@ping.linuxembedded.co.uk>\n\t<20240121185442.GC4378@pendragon.ideasonboard.com>","Date":"Mon, 22 Jan 2024 09:50:02 +0100","To":"\"Laurent Pinchart\" ,\n\t\"Kieran Bingham\" ","Content-Type":"multipart/alternative;\n\tboundary=311b45cda9424a3dba3e55be4fcfc145","Subject":"Re: [libcamera-devel] [PATCH] libcamera: ipa: allow trusting\n\tmodules by checksum","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","From":"Arnout Engelen via libcamera-devel\n\t","Reply-To":"Arnout Engelen ","Cc":"libcamera-devel@lists.libcamera.org, Elias Naur ","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" "}},{"id":28508,"web_url":"https://patchwork.libcamera.org/comment/28508/","msgid":"<20240122092704.GJ4378@pendragon.ideasonboard.com>","date":"2024-01-22T09:27:04","subject":"Re: [libcamera-devel] [PATCH] libcamera: ipa: allow trusting\n\tmodules by checksum","submitter":{"id":2,"url":"https://patchwork.libcamera.org/api/people/2/","name":"Laurent Pinchart","email":"laurent.pinchart@ideasonboard.com"},"content":"On Mon, Jan 22, 2024 at 09:50:02AM +0100, Arnout Engelen wrote:\n> On Sun, Jan 21, 2024, at 19:54, Laurent Pinchart wrote:\n> > On Sun, Jan 21, 2024 at 04:32:06PM +0000, Kieran Bingham via libcamera-devel wrote:\n> > > Quoting Elias Naur via libcamera-devel (2024-01-21 14:09:52)\n> > > > Hi Arnout,\n> > > > \n> > > > > The motivation behind adding this mechanism is that this allows rebuilding the\n> > > > > library and getting a bit-by-bit identical result, without having to share the\n> > > > > keys with which to sign the trusted modules. This is known as 'Reproducible\n> > > > > Builds', and you can read more about its advantages on\n> > > > > https://reproducible-builds.org/. With this feature, packagers that care about\n> > > > > reproducible builds can disable the module signing, and enjoy equivalent\n> > > > > security and performance while also allowing independent rebuilds.\n> > > > \n> > > > Thanks for working on reproducible builds. I locally hack libcamera\n> > > > to achieve bit-for-bit reproducible builds, and look forward to no longer needing\n> > > > that hack.\n> > > \n> > > I agree, finding a solution to handle reproducible builds is a good\n> > > goal.\n> \n> Thanks for the encouragement!\n> \n> > > > I think the feature would even more useful if it were always enabled. In particular,\n> > > > I propose to:\n> > > > \n> > > > - Always enable checksums.\n> > > > - Embed the known checksums into the binary, not in a separate configuration file.\n> > > \n> > > I think this is a fairly important requirement to be able to upstream a\n> > > reproducilble builds solution. The checksums should be stored within the\n> > > libcamera binary so the configuration file can not be amended after the\n> > > fact, which would otherwise defeat the purpose. \n> > > \n> > > But this makes things much more difficult I believe...\n> > > \n> > > The tricky parts here will be handling how to verify the checksum of the\n> > > modules while distributions do actions such as stripping symbols. There\n> > > are legitimate modifications that can be made to the module as part of\n> > > the installation process which would then break the checksum\n> > > verifications.\n> \n> Indeed: embedding the checksums in the binary was my initial approach,\n> but it's tricky given the legitimate use cases for modifying the\n> objects in the install phase.\n\nThere's also a chicken-and-egg issue I believe, as the in-tree IPA\nmodules have to link against the libcamera binary, and checksums can\nonly be computed after the IPA modules have been linked.\n\n> > Checksums in a configuration file is a no-go I'm afraid, as it means\n> > anyone could ship a closed-source IPA module and instruct users to add\n> > an entry to the configuration file, circumventing IPA module isolation.\n> \n> It depends on your threat model / risk appetite, of course - it's hard\n> to protect against users that are happy to explicitly trust such a\n> third-party module. Going to extremes, someone could even try to\n> convince such users to load a version of libcamera that trusts their\n> module, or other terrible hacks. I guess we don't want to make it too\n> easy, though.\n\nThat's the idea, yes. libcamera being open-source, users can ultimately\ndisable any protection method we put in place. We don't want to make it\neasy to circumvent this, not so much towards the users, but towards the\nclosed-source IPA module providers.\n\n> I'd be happy to provide a version of this patch with the\n> 'LIBCAMERA_IPA_TRUSTED_MODULE_CHECKSUMS_FILE' environment variable\n> support removed, and a meson option to enable/disable trusting\n> checksums - default value up to you. That may increase the barrier and\n> give distributions a chance to make their own trade-off?\n\nI'm afraid I'm still not comfortable with that. If we want to use\nchecksums, I think we need to embed them in the libcamera binary.\n\n> (I also like Elias' idea of statically linking the in-tree modules,\n> but I don't think I'm comfortable enough with the codebase to take\n> that on)\n\nI've been sleeping over this, and it's an interesting idea to explore I\nthink. There will be technical issues to solve though, as we want to\nmake it possible for users to select between different IPA modules for\nthe same platform.\n\n> > > > - Don't sign IPAs that have known checksums (thus achieving bit-for-bit reproducibility).\n> > > > - In your patch, I believe this is equivalent to \"ipa_sign_modules\" always being false.\n> > > \n> > > Would there be a mix of signed+checksummed modules in a given\n> > > distribution?\n> \n> I don't see an obvious use case for having both, but I don't see a\n> reason to restrict it either.","headers":{"Return-Path":"","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id 02E0FC323E\n\tfor ;\n\tMon, 22 Jan 2024 09:27:02 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id 54D3362931;\n\tMon, 22 Jan 2024 10:27:02 +0100 (CET)","from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[IPv6:2001:4b98:dc2:55:216:3eff:fef7:d647])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 6F551628AD\n\tfor ;\n\tMon, 22 Jan 2024 10:27:00 +0100 (CET)","from pendragon.ideasonboard.com (89-27-53-110.bb.dnainternet.fi\n\t[89.27.53.110])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id 3EE3E74A;\n\tMon, 22 Jan 2024 10:25:47 +0100 (CET)"],"DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/simple; d=libcamera.org;\n\ts=mail; t=1705915622;\n\tbh=6fONEMSVU7679IXL26cewueojd7f/oBosJ/ZhI3d+iw=;\n\th=Date:To:References:In-Reply-To:Subject:List-Id:List-Unsubscribe:\n\tList-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:\n\tFrom;\n\tb=EUiMW9JX0OrjaGEtsDizVd2ZhHZHCzzx/ZrRB164v1kudwhNSXdc5+CaFt6OvGdFP\n\tG2EusvqbUTtpzLQ29gc21fhkoCkhm9Oole3KhVuhYnAh/+4VGlzPdrLJqHF+/nGR0V\n\t85JwFHlzRh6dh9BCZITJ/jdQo7Fm9YclUcb2ESdpBioC5sNrEfPDfG3XbYf/jD6nZj\n\tV21lXSEXAF4XbhHYmhgrPudI7KYSX1KeTAO4sKaVjS49nD/UCU47O1kdo8M/Jkcvtx\n\thNgoP3/4Wkwn6IMthUiHkkSnFPwr1Y4M3pG7s1QXRVla/PCPa5+LRUq83wUBD44iwc\n\tar6IrwLfYBY3A==","v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; t=1705915547;\n\tbh=6fONEMSVU7679IXL26cewueojd7f/oBosJ/ZhI3d+iw=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=QQvz2im6X4hbgTX4W2QFsFormflVEzNiy2au7BDvQgw0AqOQ0QbdqchxvI2GzaEmC\n\tAYdZNFGFGabpDRyAvNMPgyS49oHkaStxKotroyyG3kSdblH9WVAfZQlZLsoZDGTv+s\n\t+xzdsX2KHJp9LFiq1gYXgIqsYqZ6bTxmm1AsvYYE="],"Authentication-Results":"lancelot.ideasonboard.com; dkim=pass (1024-bit key; \n\tunprotected) header.d=ideasonboard.com\n\theader.i=@ideasonboard.com\n\theader.b=\"QQvz2im6\"; dkim-atps=neutral","Date":"Mon, 22 Jan 2024 11:27:04 +0200","To":"Arnout Engelen ","Message-ID":"<20240122092704.GJ4378@pendragon.ideasonboard.com>","References":"\n\t<170585472666.4032600.8317145635110648851@ping.linuxembedded.co.uk>\n\t<20240121185442.GC4378@pendragon.ideasonboard.com>\n\t","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"","Subject":"Re: [libcamera-devel] [PATCH] libcamera: ipa: allow trusting\n\tmodules by checksum","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","From":"Laurent Pinchart via libcamera-devel\n\t","Reply-To":"Laurent Pinchart ","Cc":"libcamera-devel@lists.libcamera.org, Elias Naur ","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" "}},{"id":28625,"web_url":"https://patchwork.libcamera.org/comment/28625/","msgid":"<99a5d61e-9b44-447e-9caf-5ea4467e72e9@app.fastmail.com>","date":"2024-01-29T16:15:24","subject":"Re: [libcamera-devel] [PATCH] libcamera: ipa: allow trusting modules\n\tby checksum","submitter":{"id":182,"url":"https://patchwork.libcamera.org/api/people/182/","name":"Arnout Engelen","email":"libcamera@bzzt.net"},"content":"On Mon, Jan 22, 2024, at 10:27, Laurent Pinchart wrote:\n> > > Checksums in a configuration file is a no-go I'm afraid, as it means\n> > > anyone could ship a closed-source IPA module and instruct users to add\n> > > an entry to the configuration file, circumventing IPA module isolation.\n> >\n> > I'd be happy to provide a version of this patch with the\n> > 'LIBCAMERA_IPA_TRUSTED_MODULE_CHECKSUMS_FILE' environment variable\n> > support removed, and a meson option to enable/disable trusting\n> > checksums - default value up to you. That may increase the barrier and\n> > give distributions a chance to make their own trade-off?\n> \n> I'm afraid I'm still not comfortable with that. If we want to use\n> checksums, I think we need to embed them in the libcamera binary.\n\nI created a variation on the patch that does this at https://lists.libcamera.org/pipermail/libcamera-devel/2024-January/040244.html. Happy to finish it if the general approach looks acceptable.\n\n> > (I also like Elias' idea of statically linking the in-tree modules,\n> > but I don't think I'm comfortable enough with the codebase to take\n> > that on)\n> \n> I've been sleeping over this, and it's an interesting idea to explore I\n> think. There will be technical issues to solve though, as we want to\n> make it possible for users to select between different IPA modules for\n> the same platform.\n\n(this might still be interesting, but if it doesn't materialize let's not stall the other solution for it :) )\n\n\nKind regards,\n\nArnout","headers":{"Return-Path":"","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id EF3E4BDB13\n\tfor ;\n\tMon, 29 Jan 2024 16:16:03 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id 154B86296D;\n\tMon, 29 Jan 2024 17:16:03 +0100 (CET)","from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com\n\t[66.111.4.26])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id E3B886294A\n\tfor ;\n\tMon, 29 Jan 2024 17:15:59 +0100 (CET)","from compute3.internal (compute3.nyi.internal [10.202.2.43])\n\tby mailout.nyi.internal (Postfix) with ESMTP id EDA345C018F;\n\tMon, 29 Jan 2024 11:15:55 -0500 (EST)","from imap52 ([10.202.2.102])\n\tby compute3.internal (MEProxy); Mon, 29 Jan 2024 11:15:55 -0500","by mailuser.nyi.internal (Postfix, from userid 501)\n\tid 9CAB7C60097; Mon, 29 Jan 2024 11:15:55 -0500 (EST)"],"Authentication-Results":"lancelot.ideasonboard.com;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n\tunprotected) header.d=bzzt.net header.i=@bzzt.net header.b=\"QsuqHALv\";\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n\tunprotected) header.d=messagingengine.com\n\theader.i=@messagingengine.com header.b=\"RgUoSsdM\"; \n\tdkim-atps=neutral","DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/relaxed; d=bzzt.net; h=cc\n\t:cc:content-type:content-type:date:date:from:from:in-reply-to\n\t:in-reply-to:message-id:mime-version:references:reply-to:subject\n\t:subject:to:to; s=fm1; t=1706544955; x=1706631355; bh=4kTCWJZ8Oo\n\ttKwUE/yjY8SmGxpI1MMu+ojI2A8t3XGvA=; b=QsuqHALvC6A+jGyonv383dBw+a\n\tqGltCsRy/6DfEgK7uNhnFqDbnorp1K9H8avRqlTneVW1+9Rt1jTOb9+B3kWz2FHo\n\t3xMHMIxefYd2kySiV7xsDAnrBv1InrNTLAVNoGqha4+LXKtziz68uIF8PwTRqhfH\n\tLJa8OMonA14y6CPuyECr57JakGYl0e2Wp5jvW7kFia/NICxdsw5+0HvGJR+3n7Nz\n\tbWasBCN54eH/cUC64vmDYUGi2/FoXH5TgE6SPerHC3FZm5RipTaeHf8awp8N5Int\n\tn6C+Z0ysO1mpH57XNWzC9dAhdymFc2MSYHWKBeRNQLy7Y0ivhs4tMfpUd8Gg==","v=1; a=rsa-sha256; c=relaxed/relaxed; d=\n\tmessagingengine.com; h=cc:cc:content-type:content-type:date:date\n\t:feedback-id:feedback-id:from:from:in-reply-to:in-reply-to\n\t:message-id:mime-version:references:reply-to:subject:subject:to\n\t:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=\n\tfm3; t=1706544955; x=1706631355; bh=4kTCWJZ8OotKwUE/yjY8SmGxpI1M\n\tMu+ojI2A8t3XGvA=; b=RgUoSsdMniiItB8qhB32h45eUd9vjFDB4giSgT6LnFGK\n\t0gmghLvmXjkRtSJBRhOokdo3pWtT4OG4xf48A+MBKX+2xx/QlKowK8Rpay6qBd77\n\tZnFE0CNhyBGWFzIsQ58n8+hrxc6A1jfQ59IKgYeti8nTYyHmxorNhksTz8ImPgkn\n\tGWS0UoJIa3OnvHOO0DF1TkHYbKbCOHWCa+mLX3Esod6ErMLyw6QexRc4TDLLrb5C\n\tdk1WQrx4wceVDo+NwFevOKGoTx6RcE1ZQLgYlRqIjoRsPsm71EsTTD/zCrJwqUEl\n\t2h6/nXYZQbG92M5hj3lqxj5Y7QYWUd1h/M9c/Bpdbw=="],"X-ME-Sender":"\n\t","X-ME-Proxy-Cause":"gggruggvucftvghtrhhoucdtuddrgedvkedrfedtgedgjeehucetufdoteggodetrfdotf\n\tfvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen\n\tuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne\n\tcujfgurhepofgfggfkjghffffhvfevufgtsegrtderreerredtnecuhfhrohhmpedftehr\n\tnhhouhhtucfgnhhgvghlvghnfdcuoehlihgstggrmhgvrhgrsegsiiiithdrnhgvtheqne\n\tcuggftrfgrthhtvghrnhepffelgedtleejkedujeelkeegffdugfefgefhtdelvdeutdff\n\tvdehlefhtedvtdeknecuffhomhgrihhnpehlihgstggrmhgvrhgrrdhorhhgnecuvehluh\n\thsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheplhhisggtrghmvghr\n\trgessgiiiihtrdhnvght","X-ME-Proxy":"\n\t\n\t\n\t","Feedback-ID":"i7559471f:Fastmail","X-Mailer":"MessagingEngine.com Webmail Interface","User-Agent":"Cyrus-JMAP/3.11.0-alpha0-144-ge5821d614e-fm-20240125.002-ge5821d61","MIME-Version":"1.0","Message-Id":"<99a5d61e-9b44-447e-9caf-5ea4467e72e9@app.fastmail.com>","In-Reply-To":"<20240122092704.GJ4378@pendragon.ideasonboard.com>","References":"\n\t<170585472666.4032600.8317145635110648851@ping.linuxembedded.co.uk>\n\t<20240121185442.GC4378@pendragon.ideasonboard.com>\n\t\n\t<20240122092704.GJ4378@pendragon.ideasonboard.com>","Date":"Mon, 29 Jan 2024 17:15:24 +0100","From":"\"Arnout Engelen\" ","To":"\"Laurent Pinchart\" ","Subject":"Re: [libcamera-devel] [PATCH] libcamera: ipa: allow trusting modules\n\tby checksum","Content-Type":"multipart/alternative;\n\tboundary=9c4947a2758242b2a22030a875879ae1","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","Cc":"libcamera-devel@lists.libcamera.org, Elias Naur ","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" "}}]