{"id":3392,"url":"https://patchwork.libcamera.org/api/patches/3392/?format=json","web_url":"https://patchwork.libcamera.org/patch/3392/","project":{"id":1,"url":"https://patchwork.libcamera.org/api/projects/1/?format=json","name":"libcamera","link_name":"libcamera","list_id":"libcamera_core","list_email":"libcamera-devel@lists.libcamera.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20200404015624.30440-3-laurent.pinchart@ideasonboard.com>","date":"2020-04-04T01:56:15","name":"[libcamera-devel,02/11] libcamera: Add IPA module signing infrastructure","commit_ref":null,"pull_url":null,"state":"superseded","archived":false,"hash":"a16e0979ba7d5ceb3593b55bc7e06681f081733a","submitter":{"id":2,"url":"https://patchwork.libcamera.org/api/people/2/?format=json","name":"Laurent Pinchart","email":"laurent.pinchart@ideasonboard.com"},"delegate":null,"mbox":"https://patchwork.libcamera.org/patch/3392/mbox/","series":[{"id":797,"url":"https://patchwork.libcamera.org/api/series/797/?format=json","web_url":"https://patchwork.libcamera.org/project/libcamera/list/?series=797","date":"2020-04-04T01:56:13","name":"Sign IPA modules instead of checking their advertised license","version":1,"mbox":"https://patchwork.libcamera.org/series/797/mbox/"}],"comments":"https://patchwork.libcamera.org/api/patches/3392/comments/","check":"pending","checks":"https://patchwork.libcamera.org/api/patches/3392/checks/","tags":{},"headers":{"Return-Path":"<laurent.pinchart@ideasonboard.com>","Received":["from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[213.167.242.64])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id DF324629C1\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tSat,  4 Apr 2020 03:56:38 +0200 (CEST)","from pendragon.bb.dnainternet.fi (81-175-216-236.bb.dnainternet.fi\n\t[81.175.216.236])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id 7DBFC321\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tSat,  4 Apr 2020 03:56:38 +0200 
(CEST)"],"Authentication-Results":"lancelot.ideasonboard.com; dkim=pass (1024-bit key; \n\tunprotected) header.d=ideasonboard.com\n\theader.i=@ideasonboard.com\n\theader.b=\"cjYp/zXZ\"; dkim-atps=neutral","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; t=1585965398;\n\tbh=m8sogttKWk7MWLQlKy0us7W1DEPhxapZHEOWCHvjoZY=;\n\th=From:To:Subject:Date:In-Reply-To:References:From;\n\tb=cjYp/zXZtHGy/bCT9KrV25JBxc6cBbEeq3RK5Uj/TCWRPpGXDVISoMveUqT8xtl8g\n\tt19woQxrnMXPlQ29Ca825vZgjTobeHGLzDHg1ptZrhDiRXEvZNXPmqoMlY4CkKgWoX\n\tyIv0hh/A0hRE7WpxJsadqSZyM7YtJ5F1TUMpqxdQ=","From":"Laurent Pinchart <laurent.pinchart@ideasonboard.com>","To":"libcamera-devel@lists.libcamera.org","Date":"Sat,  4 Apr 2020 04:56:15 +0300","Message-Id":"<20200404015624.30440-3-laurent.pinchart@ideasonboard.com>","X-Mailer":"git-send-email 2.24.1","In-Reply-To":"<20200404015624.30440-1-laurent.pinchart@ideasonboard.com>","References":"<20200404015624.30440-1-laurent.pinchart@ideasonboard.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","Subject":"[libcamera-devel] [PATCH 02/11] libcamera: Add IPA module signing\n\tinfrastructure","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<libcamera-devel.lists.libcamera.org>","List-Unsubscribe":"<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>","List-Archive":"<https://lists.libcamera.org/pipermail/libcamera-devel/>","List-Post":"<mailto:libcamera-devel@lists.libcamera.org>","List-Help":"<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>","List-Subscribe":"<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>","X-List-Received-Date":"Sat, 04 Apr 2020 01:56:39 -0000"},"content":"Add infrastructure to generate an RSA private key and sign IPA modules.\nThe signatures are stored in separate 
files with a .sign suffix.\n\nSigned-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\n---\n src/ipa/gen-ipa-priv-key.sh |  9 +++++++++\n src/ipa/ipa-sign.sh         | 10 ++++++++++\n src/ipa/meson.build         |  2 ++\n src/ipa/rkisp1/meson.build  | 25 +++++++++++++++++--------\n src/ipa/vimc/meson.build    | 12 +++++++++++-\n src/meson.build             |  5 +++++\n 6 files changed, 54 insertions(+), 9 deletions(-)\n create mode 100755 src/ipa/gen-ipa-priv-key.sh\n create mode 100755 src/ipa/ipa-sign.sh","diff":"diff --git a/src/ipa/gen-ipa-priv-key.sh b/src/ipa/gen-ipa-priv-key.sh\nnew file mode 100755\nindex 000000000000..2b19c001d6c5\n--- /dev/null\n+++ b/src/ipa/gen-ipa-priv-key.sh\n@@ -0,0 +1,9 @@\n+#!/bin/sh\n+# SPDX-License-Identifier: GPL-2.0-or-later\n+# Copyright (C) 2020, Google Inc.\n+#\n+# Author: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\n+#\n+# gen-ipa-priv-key.sh - Generate an RSA private key to sign IPA modules\n+\n+openssl genpkey -algorithm RSA -out \"$1\" -pkeyopt rsa_keygen_bits:2048\ndiff --git a/src/ipa/ipa-sign.sh b/src/ipa/ipa-sign.sh\nnew file mode 100755\nindex 000000000000..d41e67e00ad0\n--- /dev/null\n+++ b/src/ipa/ipa-sign.sh\n@@ -0,0 +1,10 @@\n+#!/bin/sh\n+\n+# SPDX-License-Identifier: GPL-2.0-or-later\n+# Generate a signature for an IPA module\n+\n+key=\"$1\"\n+input=\"$2\"\n+output=\"$3\"\n+\n+openssl dgst -sha256 -sign \"${key}\" -out \"${output}\" \"${input}\"\ndiff --git a/src/ipa/meson.build b/src/ipa/meson.build\nindex 73278a60a99f..cb4e3ab3388f 100644\n--- a/src/ipa/meson.build\n+++ b/src/ipa/meson.build\n@@ -10,6 +10,8 @@ config_h.set('IPA_MODULE_DIR',\n \n subdir('libipa')\n \n+ipa_sign = find_program('ipa-sign.sh')\n+\n ipas = ['rkisp1', 'vimc']\n \n foreach pipeline : get_option('pipelines')\ndiff --git a/src/ipa/rkisp1/meson.build b/src/ipa/rkisp1/meson.build\nindex 521518bd1237..6ccadcfbbe64 100644\n--- a/src/ipa/rkisp1/meson.build\n+++ b/src/ipa/rkisp1/meson.build\n@@ -1,8 +1,17 @@\n-rkisp1_ipa 
= shared_module('ipa_rkisp1',\n-                           'rkisp1.cpp',\n-                           name_prefix : '',\n-                           include_directories : [ipa_includes, libipa_includes],\n-                           dependencies : libcamera_dep,\n-                           link_with : libipa,\n-                           install : true,\n-                           install_dir : ipa_install_dir)\n+ipa_name = 'ipa_rkisp1'\n+\n+mod = shared_module(ipa_name,\n+                    'rkisp1.cpp',\n+                    name_prefix : '',\n+                    include_directories : [ipa_includes, libipa_includes],\n+                    dependencies : libcamera_dep,\n+                    link_with : libipa,\n+                    install : true,\n+                    install_dir : ipa_install_dir)\n+\n+custom_target(ipa_name + '.so.sign',\n+              input : mod,\n+              output : ipa_name + '.so.sign',\n+              command : [ ipa_sign, ipa_priv_key, '@INPUT@', '@OUTPUT@' ],\n+              install : true,\n+              install_dir : ipa_install_dir)\ndiff --git a/src/ipa/vimc/meson.build b/src/ipa/vimc/meson.build\nindex e827e75f9f91..3097a12f964a 100644\n--- a/src/ipa/vimc/meson.build\n+++ b/src/ipa/vimc/meson.build\n@@ -1,4 +1,7 @@\n-ipa = shared_module('ipa_vimc', 'vimc.cpp',\n+ipa_name = 'ipa_vimc'\n+\n+mod = shared_module(ipa_name,\n+                    'vimc.cpp',\n                     name_prefix : '',\n                     include_directories : [ipa_includes, libipa_includes],\n                     dependencies : libcamera_dep,\n@@ -6,3 +9,10 @@ ipa = shared_module('ipa_vimc', 'vimc.cpp',\n                     install : true,\n                     install_dir : ipa_install_dir,\n                     cpp_args : '-DLICENSE=\"LGPL-2.1-or-later\"')\n+\n+custom_target(ipa_name + '.so.sign',\n+              input : mod,\n+              output : ipa_name + '.so.sign',\n+              command : [ ipa_sign, ipa_priv_key, '@INPUT@', 
'@OUTPUT@' ],\n+              install : true,\n+              install_dir : ipa_install_dir)\ndiff --git a/src/meson.build b/src/meson.build\nindex d818d8b86d93..dc0e0c82b900 100644\n--- a/src/meson.build\n+++ b/src/meson.build\n@@ -2,6 +2,11 @@ if get_option('android')\n     subdir('android')\n endif\n \n+ipa_gen_priv_key = find_program('ipa/gen-ipa-priv-key.sh')\n+ipa_priv_key = custom_target('ipa-priv-key',\n+                             output : [ 'ipa-priv-key.pem' ],\n+                             command : [ ipa_gen_priv_key, '@OUTPUT@' ])\n+\n subdir('libcamera')\n subdir('ipa')\n subdir('cam')\n","prefixes":["libcamera-devel","02/11"]}
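Review bot: in src/ipa/gen-ipa-priv-key.sh, "$1" goes straight to `openssl genpkey -out` with no check that an output path was given, and nothing in the script restricts the mode of the private key file it writes. Exit with a usage message when the argument count is wrong, and set `umask 077` before the openssl call so the key is readable by the owner only, whatever the build environment's umask is.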
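Review bot: the header of src/ipa/ipa-sign.sh does not match the one in gen-ipa-priv-key.sh from this same patch. There is a blank line after the shebang, no copyright or author line, and no "ipa-sign.sh - ..." description line. Beyond aligning the two headers, the comment should state what the .sign file contains: with an RSA key, `openssl dgst -sha256 -sign` writes a raw binary PKCS#1 v1.5 signature over the SHA-256 digest, and the verifying side has to use the same scheme. The three positional arguments are also used without a count check.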
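Review bot: in src/ipa/rkisp1/meson.build, the `custom_target(ipa_name + '.so.sign', ...)` block is repeated verbatim in src/ipa/vimc/meson.build, and both files assign the generic names `ipa_name` and `mod`, which each later subdir overwrites. Every new IPA module would have to copy the block again, and one that forgets it ships unsigned with no build error. Consider collecting the modules in a list and creating the signing targets once, in the loop in src/ipa/meson.build where `ipa_sign` is already defined.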
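Review bot: in src/meson.build, the `ipa-priv-key` target has no input and runs gen-ipa-priv-key.sh in each build tree, so every fresh build signs with a different key and the installed .sign files differ from one build to the next. Document that the key is per-build and must stay in the build directory (the target rightly has no `install`), and consider a build option that points at an existing key for builds that need to be reproducible. The patch also relies on openssl without looking it up: a `find_program('openssl')` next to `ipa_gen_priv_key` would fail at configure time instead of in the middle of the build.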