[{"id":38584,"web_url":"https://patchwork.libcamera.org/comment/38584/","msgid":"<e5e8991e-4c50-419f-bd1e-40f9d9b9c923@ideasonboard.com>","date":"2026-04-13T08:34:56","subject":"Re: [PATCH 4/4] meson: Add \"fips\" meson option to enable ML-DSA","submitter":{"id":216,"url":"https://patchwork.libcamera.org/api/people/216/","name":"Barnabás Pőcze","email":"barnabas.pocze@ideasonboard.com"},"content":"Hi\n\nOn 2026. 04. 08. 9:55, Kate Hsuan wrote:\n> Add a boolean type \"fips\" meson option to enable ML-DSA. If fips=false,\n> the RSA-SHA256 will be used.\n> \n> Signed-off-by: Kate Hsuan <hpa@redhat.com>\n> ---\n>   meson_options.txt         |  5 +++++\n>   src/libcamera/meson.build |  6 ++++++\n>   src/meson.build           | 13 ++++++++++---\n>   utils/gen-ipa-priv-key.sh | 16 ++++++++++++++--\n>   4 files changed, 35 insertions(+), 5 deletions(-)\n> \n> diff --git a/meson_options.txt b/meson_options.txt\n> index c27e377a..c89167fb 100644\n> --- a/meson_options.txt\n> +++ b/meson_options.txt\n> @@ -26,6 +26,11 @@ option('doc_werror',\n>           value : false,\n>           description : 'Treat documentation warnings as errors')\n>   \n> +option('fips',\n> +        type : 'boolean',\n> +        value : false,\n> +        description : 'Sign IPA library using ML-DSA (FIPS 204)')\n\nI think this is a very cryptic option name. Would it not be clearer to\ncall it \"pq-signature\" or similar? Or \"signature-algo\" as a `choice` option\nwith two values?\n\n\nRegards,\nBarnabás Pőcze\n\n> +\n>   option('gstreamer',\n>           type : 'feature',\n>           value : 'auto',\n> diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build\n> index d1594358..aed962c4 100644\n> --- a/src/libcamera/meson.build\n> +++ b/src/libcamera/meson.build\n> 
@@ -118,6 +118,12 @@ else\n>       endif\n>   endif\n>   \n> +# comply with FIPS 204\n> +with_fips = get_option('fips')\n> +if with_fips\n> +    config_h.set('WITH_FIPS', 1)\n> +endif\n> +\n>   if not libcrypto.found()\n>       warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated')\n>       summary({'IPA modules signed with': 'None (modules will run isolated)'},\n> diff --git a/src/meson.build b/src/meson.build\n> index 9b63c8e8..f1493341 100644\n> --- a/src/meson.build\n> +++ b/src/meson.build\n> @@ -15,11 +15,18 @@ summary({\n>            }, section : 'Paths')\n>   \n>   # Module Signing\n> +with_fips = get_option('fips')\n>   openssl = find_program('openssl', required : false)\n>   if openssl.found()\n> -    ipa_priv_key = custom_target('ipa-priv-key',\n> -                                 output : ['ipa-priv-key.pem'],\n> -                                 command : [gen_ipa_priv_key, '@OUTPUT@'])\n> +    if with_fips\n> +        ipa_priv_key = custom_target('ipa-priv-key',\n> +                                     output : ['ipa-priv-key.pem'],\n> +                                     command : [gen_ipa_priv_key, 'ML-DSA-65', '@OUTPUT@'])\n> +    else\n> +        ipa_priv_key = custom_target('ipa-priv-key',\n> +                                     output : ['ipa-priv-key.pem'],\n> +                                     command : [gen_ipa_priv_key, 'RSA', '@OUTPUT@'])\n> +    endif\n>       config_h.set('HAVE_IPA_PUBKEY', 1)\n>       ipa_sign_module = true\n>   else\n> diff --git a/utils/gen-ipa-priv-key.sh b/utils/gen-ipa-priv-key.sh\n> index 2ca7b883..374377fc 100755\n> --- a/utils/gen-ipa-priv-key.sh\n> +++ b/utils/gen-ipa-priv-key.sh\n> 
@@ -6,6 +6,18 @@\n>   #\n>   # Generate an RSA private key to sign IPA modules\n>   \n> -key=\"$1\"\n> +algo=\"$1\"\n> +key=\"$2\"\n>   \n> -openssl genpkey -algorithm RSA -out \"${key}\" -pkeyopt rsa_keygen_bits:2048\n> +# Two possible algorithms: RSA and ML-DSA-65\n> +# openssl genpkey -algorithm RSA -out \"${key}\" -pkeyopt rsa_keygen_bits:2048\n> +# openssl genpkey -algorithm ML-DSA-65 -out \"${key}\"\n> +\n> +if [ \"$algo\" == \"RSA\" ]; then\n> +    openssl genpkey -algorithm RSA -out \"${key}\" -pkeyopt rsa_keygen_bits:2048\n> +elif [ \"$algo\" == \"ML-DSA-65\" ]; then\n> +    openssl genpkey -algorithm ML-DSA-65 -out \"${key}\"\n> +else\n> +    echo \"Invalid algorithm: $algo\"\n> +    exit 1\n> +fi\n> \\ No newline at end of file","headers":{"Return-Path":"<libcamera-devel-bounces@lists.libcamera.org>","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org",
"Message-ID":"<e5e8991e-4c50-419f-bd1e-40f9d9b9c923@ideasonboard.com>","Date":"Mon, 13 Apr 2026 10:34:56 +0200","MIME-Version":"1.0","User-Agent":"Mozilla Thunderbird","Subject":"Re: [PATCH 4/4] meson: Add \"fips\" meson option to enable ML-DSA","To":"Kate Hsuan <hpa@redhat.com>, libcamera-devel@lists.libcamera.org","References":"<20260408075540.53309-1-hpa@redhat.com>\n\t<20260408075540.53309-5-hpa@redhat.com>","From":"=?utf-8?q?Barnab=C3=A1s_P=C5=91cze?= <barnabas.pocze@ideasonboard.com>","Content-Language":"en-US, hu-HU","In-Reply-To":"<20260408075540.53309-5-hpa@redhat.com>","Content-Type":"text/plain; charset=UTF-8; format=flowed","Content-Transfer-Encoding":"8bit","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<libcamera-devel.lists.libcamera.org>","List-Unsubscribe":"<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>","List-Archive":"<https://lists.libcamera.org/pipermail/libcamera-devel/>","List-Post":"<mailto:libcamera-devel@lists.libcamera.org>","List-Help":"<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>","List-Subscribe":"<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" 
<libcamera-devel-bounces@lists.libcamera.org>"}},{"id":38616,"web_url":"https://patchwork.libcamera.org/comment/38616/","msgid":"<CAEth8oFT2bCz+YdYycpOQMe+GaF_xdzLoG9eaY7dq5QsQGW-mw@mail.gmail.com>","date":"2026-04-15T04:09:22","subject":"Re: [PATCH 4/4] meson: Add \"fips\" meson option to enable ML-DSA","submitter":{"id":105,"url":"https://patchwork.libcamera.org/api/people/105/","name":"Kate Hsuan","email":"hpa@redhat.com"},"content":"Hi Barnabás,\n\nOn Mon, Apr 13, 2026 at 4:43 PM Barnabás Pőcze\n<barnabas.pocze@ideasonboard.com> wrote:\n>\n> Hi\n>\n> On 2026. 04. 08. 9:55, Kate Hsuan wrote:\n> > Add a boolean type \"fips\" meson option to enable ML-DSA. If fips=false,\n> > the RSA-SHA256 will be used.\n> >\n> > Signed-off-by: Kate Hsuan <hpa@redhat.com>\n> > ---\n> >   meson_options.txt         |  5 +++++\n> >   src/libcamera/meson.build |  6 ++++++\n> >   src/meson.build           | 13 ++++++++++---\n> >   utils/gen-ipa-priv-key.sh | 16 ++++++++++++++--\n> >   4 files changed, 35 insertions(+), 5 deletions(-)\n> >\n> > diff --git a/meson_options.txt b/meson_options.txt\n> > index c27e377a..c89167fb 100644\n> > --- a/meson_options.txt\n> > +++ b/meson_options.txt\n> 
> @@ -26,6 +26,11 @@ option('doc_werror',\n> >           value : false,\n> >           description : 'Treat documentation warnings as errors')\n> >\n> > +option('fips',\n> > +        type : 'boolean',\n> > +        value : false,\n> > +        description : 'Sign IPA library using ML-DSA (FIPS 204)')\n>\n> I think this is a very cryptic option name. Would it not be clearer to\n> call it \"pq-signature\" or similar? Or \"signature-algo\" as a `choice` option\n> with two values?\n\nGood question. Since there are many options for the ml-dsa, such as\nml-dsa-44 and ml-dsa-87, a \"choice\" option is more flexible.\n\nIf \"signature-algo\" is used, the option will look like the following example.\nsignature-algo: ml-dsa-65 | rsa-sha254\n\n>\n>\n> Regards,\n> Barnabás Pőcze\n>\n> > +\n> >   option('gstreamer',\n> >           type : 'feature',\n> >           value : 'auto',\n> > diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build\n> > index d1594358..aed962c4 100644\n> > --- a/src/libcamera/meson.build\n> > +++ b/src/libcamera/meson.build\n> > @@ -118,6 +118,12 @@ else\n> >       endif\n> >   endif\n> >\n> > +# comply with FIPS 204\n> > +with_fips = get_option('fips')\n> > +if with_fips\n> > +    config_h.set('WITH_FIPS', 1)\n> > +endif\n> > +\n> >   if not libcrypto.found()\n> >       warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated')\n> >       summary({'IPA modules signed with': 'None (modules will run isolated)'},\n> > diff --git a/src/meson.build b/src/meson.build\n> > index 9b63c8e8..f1493341 100644\n> > --- a/src/meson.build\n> > +++ b/src/meson.build\n> 
> @@ -15,11 +15,18 @@ summary({\n> >            }, section : 'Paths')\n> >\n> >   # Module Signing\n> > +with_fips = get_option('fips')\n> >   openssl = find_program('openssl', required : false)\n> >   if openssl.found()\n> > -    ipa_priv_key = custom_target('ipa-priv-key',\n> > -                                 output : ['ipa-priv-key.pem'],\n> > -                                 command : [gen_ipa_priv_key, '@OUTPUT@'])\n> > +    if with_fips\n> > +        ipa_priv_key = custom_target('ipa-priv-key',\n> > +                                     output : ['ipa-priv-key.pem'],\n> > +                                     command : [gen_ipa_priv_key, 'ML-DSA-65', '@OUTPUT@'])\n> > +    else\n> > +        ipa_priv_key = custom_target('ipa-priv-key',\n> > +                                     output : ['ipa-priv-key.pem'],\n> > +                                     command : [gen_ipa_priv_key, 'RSA', '@OUTPUT@'])\n> > +    endif\n> >       config_h.set('HAVE_IPA_PUBKEY', 1)\n> >       ipa_sign_module = true\n> >   else\n> > diff --git a/utils/gen-ipa-priv-key.sh b/utils/gen-ipa-priv-key.sh\n> > index 2ca7b883..374377fc 100755\n> > --- a/utils/gen-ipa-priv-key.sh\n> > +++ b/utils/gen-ipa-priv-key.sh\n> 
> @@ -6,6 +6,18 @@\n> >   #\n> >   # Generate an RSA private key to sign IPA modules\n> >\n> > -key=\"$1\"\n> > +algo=\"$1\"\n> > +key=\"$2\"\n> >\n> > -openssl genpkey -algorithm RSA -out \"${key}\" -pkeyopt rsa_keygen_bits:2048\n> > +# Two possible algorithms: RSA and ML-DSA-65\n> > +# openssl genpkey -algorithm RSA -out \"${key}\" -pkeyopt rsa_keygen_bits:2048\n> > +# openssl genpkey -algorithm ML-DSA-65 -out \"${key}\"\n> > +\n> > +if [ \"$algo\" == \"RSA\" ]; then\n> > +    openssl genpkey -algorithm RSA -out \"${key}\" -pkeyopt rsa_keygen_bits:2048\n> > +elif [ \"$algo\" == \"ML-DSA-65\" ]; then\n> > +    openssl genpkey -algorithm ML-DSA-65 -out \"${key}\"\n> > +else\n> > +    echo \"Invalid algorithm: $algo\"\n> > +    exit 1\n> > +fi\n> > \\ No newline at end of file\n>","headers":{"Return-Path":"<libcamera-devel-bounces@lists.libcamera.org>","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org",
"MIME-Version":"1.0","References":"<20260408075540.53309-1-hpa@redhat.com>\n\t<20260408075540.53309-5-hpa@redhat.com>\n\t<e5e8991e-4c50-419f-bd1e-40f9d9b9c923@ideasonboard.com>","In-Reply-To":"<e5e8991e-4c50-419f-bd1e-40f9d9b9c923@ideasonboard.com>","From":"Kate Hsuan <hpa@redhat.com>","Date":"Wed, 15 Apr 2026 12:09:22 +0800","Message-ID":"<CAEth8oFT2bCz+YdYycpOQMe+GaF_xdzLoG9eaY7dq5QsQGW-mw@mail.gmail.com>","Subject":"Re: [PATCH 4/4] meson: Add \"fips\" meson option to enable ML-DSA","To":"=?utf-8?q?Barnab=C3=A1s_P=C5=91cze?= <barnabas.pocze@ideasonboard.com>","Cc":"libcamera-devel@lists.libcamera.org","Content-Type":"text/plain; charset=\"UTF-8\"","Content-Transfer-Encoding":"quoted-printable","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<libcamera-devel.lists.libcamera.org>","List-Unsubscribe":"<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>","List-Archive":"<https://lists.libcamera.org/pipermail/libcamera-devel/>","List-Post":"<mailto:libcamera-devel@lists.libcamera.org>","List-Help":"<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>","List-Subscribe":"<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" <libcamera-devel-bounces@lists.libcamera.org>"}}]
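Review bot: in the src/libcamera/meson.build hunk, config_h.set('WITH_FIPS', 1) sits above the `if not libcrypto.found()` check, so the macro is defined even on the path that warns that no crypto library was found and all IPA modules will be isolated. Suggest setting it only in the branch where signing is active. The same get_option('fips') read is repeated in src/meson.build, so it could be read once. The macro name has the same ambiguity raised for the option name: the comment ties it to FIPS 204 only, so a name that states the signature algorithm would be clearer.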
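Review bot: in the src/meson.build hunk, the ML-DSA-65 branch is gated on openssl.found() alone, with no check that the openssl binary found can generate ML-DSA keys (support was added in OpenSSL 3.5). With fips=true and an older openssl, configuration succeeds and the failure only appears when the ipa-priv-key target runs. Suggest a version check at configure time. The two custom_target() calls also differ only in the algorithm argument, so selecting the algorithm string first and keeping a single custom_target() would avoid the duplication.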
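Review bot: in the utils/gen-ipa-priv-key.sh hunk, the tests use `==` inside `[ ]`, which is a bash extension; if the script is run by /bin/sh, `=` is the portable form. The "Invalid algorithm" message is written to stdout rather than stderr, the header comment still says "Generate an RSA private key", the two commented-out openssl lines repeat the commands directly below them, and the file now ends without a trailing newline.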