[{"id":39074,"web_url":"https://patchwork.libcamera.org/comment/39074/","msgid":"<20260615130729.GA2849765@killaraus.ideasonboard.com>","date":"2026-06-15T13:07:29","subject":"Re: [PATCH 1/1] libcamera: ipa: allow trusting modules by checksum","submitter":{"id":2,"url":"https://patchwork.libcamera.org/api/people/2/","name":"Laurent Pinchart","email":"laurent.pinchart@ideasonboard.com"},"content":"On Mon, Jan 22, 2024 at 12:40:40PM +0100, libcamera@bzzt.net wrote:\n> From: Arnout Engelen \n> \n> Currently, libcamera signs the in-tree IPA modules during the build, and\n> embeds the public key so that only trusted IPA modules will be run\n> in-process. Out-of-tree modules will be run using runtime isolation.\n> \n> This commit adds a second mechanism to achieve the same: during installation\n> the checksums of the in-tree IPA modules are recorded, and at run time the\n> modules are considered trusted when they match the recorded trusted\n> checksums.\n> \n> The motivation behind adding this mechanism is that this allows rebuilding\n> the library and getting a bit-by-bit identical result, without having to\n> share the keys with which to sign the trusted modules. This is known as\n> 'Reproducible Builds', and you can read more about its advantages on\n> https://reproducible-builds.org/. With this feature, packagers that care\n> about reproducible builds can disable the module signing, and enjoy\n> equivalent security and performance while also allowing independent\n> rebuilds.\n\nGiven the increased importance of reproducible builds, as well as Kate\nHsuan's recent patch series to support ML-DSA-65 for post-quantum\ncryptography (see https://patchwork.libcamera.org/project/libcamera/list/?series=5954),\nI think we'll need to make a decision on how we want to handle\nout-of-tree IPA modules.\n\nMerging this patch would render ML-DSA-65 support uneeded (sorry about\nthat Kate) and would probably simplify the code base. I'm a bit\nuncomfortable with the idea of patching the libcamera.so binary though,\nat least with sed. If we were to go this way, moving the checksums to a\nseparate ELF section would be more robust.\n\nAnother idea that crossed my mind recently would take this one step\nfurther: should link all in-tree IPA modules in the libcamera binary\ninstead of building them as shared objects, and always run external IPA\nmodules in isolation ? There are a few drawbacks, in particular an\nincrease in memory usage. Will that be a scaling issue moving forward ?\n\n> Signed-off-by: Arnout Engelen \n> ---\n> include/libcamera/internal/ipa_manager.h | 9 ++-\n> include/libcamera/internal/ipa_module.h | 2 +\n> meson_options.txt | 8 +++\n> src/apps/ipa-verify/main.cpp | 43 +++++++++++-\n> src/apps/ipa-verify/meson.build | 2 +-\n> src/ipa/ipa-checksum-install.sh | 24 +++++++\n> src/ipa/meson.build | 7 ++\n> src/libcamera/ipa_manager.cpp | 88 +++++++++++++++++++++---\n> src/libcamera/ipa_module.cpp | 30 ++++++++\n> src/meson.build | 18 ++++-\n> 10 files changed, 215 insertions(+), 16 deletions(-)\n> create mode 100644 src/ipa/ipa-checksum-install.sh\n> \n> diff --git a/include/libcamera/internal/ipa_manager.h b/include/libcamera/internal/ipa_manager.h\n> index bf823563..2475e26a 100644\n> --- a/include/libcamera/internal/ipa_manager.h\n> +++ b/include/libcamera/internal/ipa_manager.h\n> @@ -38,7 +38,7 @@ public:\n> \t\tif (!m)\n> \t\t\treturn nullptr;\n> \n> -\t\tstd::unique_ptr proxy = std::make_unique(m, !self_->isSignatureValid(m));\n> +\t\tstd::unique_ptr proxy = std::make_unique(m, !self_->isTrusted(m));\n> \t\tif (!proxy->isValid()) {\n> \t\t\tLOG(IPAManager, Error) << \"Failed to load proxy\";\n> \t\t\treturn nullptr;\n> @@ -53,6 +53,7 @@ public:\n> \t\treturn pubKey_;\n> \t}\n> #endif\n> +\tstatic void loadTrustedChecksums(std::vector> &checksums);\n> \n> private:\n> \tstatic IPAManager *self_;\n> @@ -65,6 +66,8 @@ private:\n> \t\t\t uint32_t maxVersion);\n> \n> \tbool isSignatureValid(IPAModule *ipa) const;\n> +\tbool isTrustedChecksum(IPAModule *ipa) const;\n> +\tbool isTrusted(IPAModule *ipa) const;\n> \n> \tstd::vector modules_;\n> \n> @@ -72,6 +75,10 @@ private:\n> \tstatic const uint8_t publicKeyData_[];\n> \tstatic const PubKey pubKey_;\n> #endif\n> +\n> +#if HAVE_IPA_TRUSTED_MODULE_CHECKSUMS\n> +\tstd::vector> trusted_checksums_;\n> +#endif\n> };\n> \n> } /* namespace libcamera */\n> diff --git a/include/libcamera/internal/ipa_module.h b/include/libcamera/internal/ipa_module.h\n> index 8038bdee..f4c0ec5c 100644\n> --- a/include/libcamera/internal/ipa_module.h\n> +++ b/include/libcamera/internal/ipa_module.h\n> @@ -30,6 +30,7 @@ public:\n> \n> \tconst struct IPAModuleInfo &info() const;\n> \tconst std::vector signature() const;\n> +\tconst std::vector checksum() const;\n> \tconst std::string &path() const;\n> \n> \tbool load();\n> @@ -47,6 +48,7 @@ private:\n> \n> \tstruct IPAModuleInfo info_;\n> \tstd::vector signature_;\n> +\tstd::vector checksum_;\n> \n> \tstd::string libPath_;\n> \tbool valid_;\n> diff --git a/meson_options.txt b/meson_options.txt\n> index 5fdc7be8..dd753ca8 100644\n> --- a/meson_options.txt\n> +++ b/meson_options.txt\n> @@ -30,6 +30,14 @@ option('ipas',\n> choices : ['ipu3', 'rkisp1', 'rpi/vc4', 'vimc'],\n> description : 'Select which IPA modules to build')\n> \n> +option('ipa_sign_modules',\n> + type : 'feature',\n> + description : 'enable IPA trusted module signing')\n> +\n> +option('ipa_checksum_trusted_modules',\n> + type : 'feature',\n> + description : 'enable IPA trusted module checksums')\n> +\n> option('lc-compliance',\n> type : 'feature',\n> value : 'auto',\n> diff --git a/src/apps/ipa-verify/main.cpp b/src/apps/ipa-verify/main.cpp\n> index 76ba5073..facfd481 100644\n> --- a/src/apps/ipa-verify/main.cpp\n> +++ b/src/apps/ipa-verify/main.cpp\n> @@ -18,7 +18,8 @@ using namespace libcamera;\n> \n> namespace {\n> \n> -bool isSignatureValid(IPAModule *ipa)\n> +#if HAVE_IPA_PUBKEY\n> +bool isSignatureValid([[maybe_unused]] IPAModule *ipa)\n> {\n> \tFile file{ ipa->path() };\n> \tif (!file.open(File::OpenModeFlag::ReadOnly))\n> @@ -30,6 +31,22 @@ bool isSignatureValid(IPAModule *ipa)\n> \n> \treturn IPAManager::pubKey().verify(data, ipa->signature());\n> }\n> +#endif\n> +\n> +#if HAVE_IPA_TRUSTED_MODULE_CHECKSUMS\n> +bool isChecksumTrusted([[maybe_unused]] IPAModule *ipa)\n> +{\n> +\tstd::vector> trusted;\n> +\tIPAManager::loadTrustedChecksums(trusted);\n> +\tfor (std::vector t : trusted) {\n> +\t\tif (std::equal(t.begin(), t.begin() + 32,\n> +\t\t\t ipa->checksum().begin())) {\n> +\t\t\treturn true;\n> +\t\t}\n> +\t}\n> +\treturn false;\n> +}\n> +#endif\n> \n> void usage(char *argv0)\n> {\n> @@ -54,11 +71,31 @@ int main(int argc, char **argv)\n> \t\treturn EXIT_FAILURE;\n> \t}\n> \n> -\tif (!isSignatureValid(&module)) {\n> +\tbool ok = false;\n> +#if HAVE_IPA_PUBKEY\n> +\tif (isSignatureValid(&module)) {\n> +\t\tstd::cout << \"IPA module signature is valid\" << std::endl;\n> +\t\tok = true;\n> +\t} else {\n> \t\tstd::cout << \"IPA module signature is invalid\" << std::endl;\n> +\t}\n> +#else\n> +\tstd::cout << \"IPA module signing is disabled\" << std::endl;\n> +#endif\n> +#if HAVE_IPA_TRUSTED_MODULE_CHECKSUMS\n> +\tif (isChecksumTrusted(&module)) {\n> +\t\tstd::cout << \"IPA module checksum is trusted\" << std::endl;\n> +\t\tok = true;\n> +\t} else {\n> +\t\tstd::cout << \"IPA module checksum is not trusted\" << std::endl;\n> +\t}\n> +#else\n> +\tstd::cout << \"IPA module checksums are disabled\" << std::endl;\n> +#endif\n> +\n> +\tif (!ok) {\n> \t\treturn EXIT_FAILURE;\n> \t}\n> \n> -\tstd::cout << \"IPA module signature is valid\" << std::endl;\n> \treturn 0;\n> }\n> diff --git a/src/apps/ipa-verify/meson.build b/src/apps/ipa-verify/meson.build\n> index 7fdda3b9..feffb538 100644\n> --- a/src/apps/ipa-verify/meson.build\n> +++ b/src/apps/ipa-verify/meson.build\n> @@ -1,6 +1,6 @@\n> # SPDX-License-Identifier: CC0-1.0\n> \n> -if not ipa_sign_module\n> +if not ipa_sign_module and not ipa_checksum_trusted_modules\n> subdir_done()\n> endif\n> \n> diff --git a/src/ipa/ipa-checksum-install.sh b/src/ipa/ipa-checksum-install.sh\n> new file mode 100644\n> index 00000000..41a1cb48\n> --- /dev/null\n> +++ b/src/ipa/ipa-checksum-install.sh\n> @@ -0,0 +1,24 @@\n> +#!/bin/sh\n> +# SPDX-License-Identifier: GPL-2.0-or-later\n> +# Copyright (C) 2020, Google Inc.\n> +#\n> +# Author: Arnout Engelen \n> +#\n> +# ipa-checksum-install.sh - Generate IPA module checksums when installing\n> +\n> +modules=$*\n> +\n> +echo \"Generating trusted IPA module checksums\"\n> +\n> +lib_file=$(find ${MESON_INSTALL_DESTDIR_PREFIX}/lib -type f -regex .*/libcamera.so.*)\n> +\n> +i=1\n> +for module in ${modules} ; do\n> +\tmodule=\"${MESON_INSTALL_DESTDIR_PREFIX}/${module}\"\n> +\tif [ -f \"${module}\" ] ; then\n> + checksum=$(sha256sum -b \"${module}\" | cut -d \" \" -f 1)\n> + # FIXME support for trusting multiple modules\n> + sed -b -e \"s/embedded_ipa_trusted_module_checksum_sha256_placeholder_0000000${i}/${checksum}/\" -i ${lib_file}\n> + i=$((i+1))\n> +\tfi\n> +done\n> diff --git a/src/ipa/meson.build b/src/ipa/meson.build\n> index 48793e07..00299a7c 100644\n> --- a/src/ipa/meson.build\n> +++ b/src/ipa/meson.build\n> @@ -75,3 +75,10 @@ if ipa_sign_module\n> enabled_ipa_modules,\n> install_tag : 'runtime')\n> endif\n> +\n> +if ipa_checksum_trusted_modules\n> + # Similarly, calculate checksums for the installed artifacts\n> + meson.add_install_script('ipa-checksum-install.sh',\n> + enabled_ipa_modules,\n> + install_tag : 'runtime')\n> +endif\n> diff --git a/src/libcamera/ipa_manager.cpp b/src/libcamera/ipa_manager.cpp\n> index 7a4515d9..96281758 100644\n> --- a/src/libcamera/ipa_manager.cpp\n> +++ b/src/libcamera/ipa_manager.cpp\n> @@ -114,6 +114,10 @@ IPAManager::IPAManager()\n> \t\tLOG(IPAManager, Warning) << \"Public key not valid\";\n> #endif\n> \n> +#if HAVE_IPA_TRUSTED_MODULE_CHECKSUMS\n> +\tIPAManager::loadTrustedChecksums(trusted_checksums_);\n> +#endif\n> +\n> \tunsigned int ipaCount = 0;\n> \n> \t/* User-specified paths take precedence. */\n> @@ -165,6 +169,38 @@ IPAManager::~IPAManager()\n> \tself_ = nullptr;\n> }\n> \n> +/**\n> + * \\brief Load trusted checksums\n> + * \\param[out] checksums A vector of checksums as 32-element byte vectors\n> + */\n> +void IPAManager::loadTrustedChecksums([[maybe_unused]] std::vector> &checksums)\n> +{\n> +#if HAVE_IPA_TRUSTED_MODULE_CHECKSUMS\n> +\t// Since there are legitimate reasons for post-processing the modules\n> +\t// in the install phase, we use static placeholders here and allow\n> +\t// replacing them in the binary in the install phase.\n> +\tstd::string embeddedChecksums =\n> +\t\t\"embedded_ipa_trusted_module_checksum_sha256_placeholder_00000001\\n\"\n> +\t\t\"embedded_ipa_trusted_module_checksum_sha256_placeholder_00000002\\n\"\n> +\t\t\"embedded_ipa_trusted_module_checksum_sha256_placeholder_00000003\\n\"\n> +\t\t\"embedded_ipa_trusted_module_checksum_sha256_placeholder_00000004\\n\"\n> +\t\t\"embedded_ipa_trusted_module_checksum_sha256_placeholder_00000005\\n\"\n> +\t\t\"embedded_ipa_trusted_module_checksum_sha256_placeholder_00000006\\n\"\n> +\t\t\"embedded_ipa_trusted_module_checksum_sha256_placeholder_00000007\\n\";\n> +\n> +\tchar* data = embeddedChecksums.data();\n> +\tconst int size = strlen(data);\n> +\tfor (int i = 0; i < size; i += 65) {\n> +\t\tstd::vector *checksum = new std::vector();\n> +\t\tfor (int c = 0; c < 64; c += 2) {\n> +\t\t\tchar chr[3] = { static_cast(data[i+c]), static_cast(data[i+c+1]), '\\0' };\n> +\t\t\tchecksum->push_back(strtol(chr, nullptr, 16));\n> +\t\t}\n> +\t\tchecksums.push_back(*checksum);\n> +\t}\n> +#endif\n> +}\n> +\n> /**\n> * \\brief Identify shared library objects within a directory\n> * \\param[in] libDir The directory to search for shared objects\n> @@ -295,14 +331,6 @@ IPAModule *IPAManager::module(PipelineHandler *pipe, uint32_t minVersion,\n> bool IPAManager::isSignatureValid([[maybe_unused]] IPAModule *ipa) const\n> {\n> #if HAVE_IPA_PUBKEY\n> -\tchar *force = utils::secure_getenv(\"LIBCAMERA_IPA_FORCE_ISOLATION\");\n> -\tif (force && force[0] != '\\0') {\n> -\t\tLOG(IPAManager, Debug)\n> -\t\t\t<< \"Isolation of IPA module \" << ipa->path()\n> -\t\t\t<< \" forced through environment variable\";\n> -\t\treturn false;\n> -\t}\n> -\n> \tFile file{ ipa->path() };\n> \tif (!file.open(File::OpenModeFlag::ReadOnly))\n> \t\treturn false;\n> @@ -323,4 +351,48 @@ bool IPAManager::isSignatureValid([[maybe_unused]] IPAModule *ipa) const\n> #endif\n> }\n> \n> +bool IPAManager::isTrustedChecksum([[maybe_unused]] IPAModule *ipa) const\n> +{\n> +#if HAVE_IPA_TRUSTED_MODULE_CHECKSUMS\n> +\tFile file{ ipa->path() };\n> +\tif (!file.open(File::OpenModeFlag::ReadOnly))\n> +\t\treturn false;\n> +\n> +\tSpan data = file.map();\n> +\tif (data.empty())\n> +\t\treturn false;\n> +\n> +\tbool valid = false;\n> +\n> +\tfor (std::vector t : trusted_checksums_) {\n> +\t\tif (std::equal(t.begin(), t.begin() + 32,\n> +\t\t\t ipa->checksum().begin())) {\n> +\t\t\tvalid = true;\n> +\t\t\tcontinue;\n> +\t\t}\n> +\t}\n> +\n> +\tLOG(IPAManager, Debug)\n> +\t\t<< \"IPA module \" << ipa->path() << \" checksum is \"\n> +\t\t<< (valid ? \"trusted\" : \"not trusted\");\n> +\n> +\treturn valid;\n> +#else\n> +\treturn false;\n> +#endif\n> +}\n> +\n> +bool IPAManager::isTrusted(IPAModule *ipa) const\n> +{\n> +\tchar *force = utils::secure_getenv(\"LIBCAMERA_IPA_FORCE_ISOLATION\");\n> +\tif (force && force[0] != '\\0') {\n> +\t\tLOG(IPAManager, Debug)\n> +\t\t\t<< \"Isolation of IPA module \" << ipa->path()\n> +\t\t\t<< \" forced through environment variable\";\n> +\t\treturn false;\n> +\t}\n> +\treturn isTrustedChecksum(ipa) || isSignatureValid(ipa);\n> +}\n> +\n> +\n> } /* namespace libcamera */\n> diff --git a/src/libcamera/ipa_module.cpp b/src/libcamera/ipa_module.cpp\n> index f2dd87e5..3d49432b 100644\n> --- a/src/libcamera/ipa_module.cpp\n> +++ b/src/libcamera/ipa_module.cpp\n> @@ -27,6 +27,12 @@\n> \n> #include \"libcamera/internal/pipeline_handler.h\"\n> \n> +#if HAVE_CRYPTO\n> +#include \n> +#elif HAVE_GNUTLS\n> +#include \n> +#endif\n> +\n> /**\n> * \\file ipa_module.h\n> * \\brief Image Processing Algorithm module\n> @@ -281,6 +287,17 @@ int IPAModule::loadIPAModuleInfo()\n> \t}\n> \n> \tSpan data = file.map();\n> +\n> +\t/* Calculate the module checksum. */\n> +\tuint8_t digest[32] = { 0 };\n> +#if HAVE_CRYPTO\n> +\tSHA256(data.data(), data.size(), digest);\n> +#elif HAVE_GNUTLS\n> +\tgnutls_hash_fast(GNUTLS_DIG_SHA256, data.data(), data.size(), digest);\n> +#endif\n> +\tchecksum_ = std::vector(digest, digest + 32);\n> +\n> +\t/* Interpret the file. */\n> \tint ret = elfVerifyIdent(data);\n> \tif (ret) {\n> \t\tLOG(IPAModule, Error) << \"IPA module is not an ELF file\";\n> @@ -379,6 +396,19 @@ const std::vector IPAModule::signature() const\n> \treturn signature_;\n> }\n> \n> +/**\n> + * \\brief Retrieve the IPA module checksum\n> + *\n> + * The IPA module checksum is loaded when the IPAModule instance is created.\n> + *\n> + * \\return The IPA module checksum\n> + */\n> +const std::vector IPAModule::checksum() const\n> +{\n> +\treturn checksum_;\n> +}\n> +\n> +\n> /**\n> * \\brief Retrieve the IPA module path\n> *\n> diff --git a/src/meson.build b/src/meson.build\n> index 165a77bb..2096ff79 100644\n> --- a/src/meson.build\n> +++ b/src/meson.build\n> @@ -14,19 +14,31 @@ summary({\n> 'LIBCAMERA_SYSCONF_DIR' : config_h.get('LIBCAMERA_SYSCONF_DIR'),\n> }, section : 'Paths')\n> \n> +# Trusted module checksumming\n> +if get_option('ipa_checksum_trusted_modules').enabled() or get_option('ipa_checksum_trusted_modules').auto()\n> + ipa_checksum_trusted_modules = true\n> + config_h.set('HAVE_IPA_TRUSTED_MODULE_CHECKSUMS', 1)\n> +else\n> + ipa_checksum_trusted_modules = false\n> +endif\n> +\n> # Module Signing\n> -openssl = find_program('openssl', required : false)\n> -if openssl.found()\n> +openssl = find_program('openssl', required : get_option('ipa_sign_modules'))\n> +if (get_option('ipa_sign_modules').enabled() or get_option('ipa_checksum_trusted_modules').auto()) and openssl.found()\n> ipa_priv_key = custom_target('ipa-priv-key',\n> output : ['ipa-priv-key.pem'],\n> command : [gen_ipa_priv_key, '@OUTPUT@'])\n> config_h.set('HAVE_IPA_PUBKEY', 1)\n> ipa_sign_module = true\n> else\n> - warning('openssl not found, all IPA modules will be isolated')\n> ipa_sign_module = false\n> endif\n> \n> +if not ipa_checksum_trusted_modules and not ipa_sign_module\n> + warning('neither checksums nor signatures enabled,')\n> + warning('all IPA modules will be isolated')\n> +endif\n> +\n> # libcamera must be built first as a dependency to the other components.\n> subdir('libcamera')\n>","headers":{"Return-Path":"","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id 55702C324C\n\tfor ;\n\tMon, 15 Jun 2026 13:07:34 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id 53585623DF;\n\tMon, 15 Jun 2026 15:07:33 +0200 (CEST)","from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[213.167.242.64])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 26D17623CB\n\tfor ;\n\tMon, 15 Jun 2026 15:07:31 +0200 (CEST)","from killaraus.ideasonboard.com\n\t(2001-14ba-70f3-e800--a06.rev.dnainternet.fi\n\t[IPv6:2001:14ba:70f3:e800::a06])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id 1BFE7241;\n\tMon, 15 Jun 2026 15:06:58 +0200 (CEST)"],"Authentication-Results":"lancelot.ideasonboard.com; dkim=pass (1024-bit key;\n\tunprotected) header.d=ideasonboard.com header.i=@ideasonboard.com\n\theader.b=\"bkLCgUVh\"; dkim-atps=neutral","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; t=1781528818;\n\tbh=teBkjdotE3DRTCDbvhsikrdKhgUG9jxmnvbt68SfN5Y=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=bkLCgUVhJzRV/Y1lmasAd3vfV4dVYyZ7TG0MmINL8bk3Ik8z8VlenJRsEsgXecVDv\n\tNyWQQ5vTrKn+AFTA/2wZtWWtgf6NEPoUX75QRrSIJA8ZbO7a0Nv2728pilwi8JgVST\n\tFAt3R4+5belp08KnskbhPKwn/FEcTc5uoloH+p7Q=","Date":"Mon, 15 Jun 2026 16:07:29 +0300","From":"Laurent Pinchart ","To":"libcamera@bzzt.net","Cc":"libcamera-devel@lists.libcamera.org, Arnout Engelen ,\n\tKate Hsuan ","Subject":"Re: [PATCH 1/1] libcamera: ipa: allow trusting modules by checksum","Message-ID":"<20260615130729.GA2849765@killaraus.ideasonboard.com>","References":"<20240122114040.275771-1-libcamera@bzzt.net>\n\t<20240122114040.275771-2-libcamera@bzzt.net>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<20240122114040.275771-2-libcamera@bzzt.net>","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"","List-Unsubscribe":",\n\t","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n\t","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" "}}]