Patch Detail
Show a patch.
GET /api/patches/3608/?format=api
{ "id": 3608, "url": "https://patchwork.libcamera.org/api/patches/3608/?format=api", "web_url": "https://patchwork.libcamera.org/patch/3608/", "project": { "id": 1, "url": "https://patchwork.libcamera.org/api/projects/1/?format=api", "name": "libcamera", "link_name": "libcamera", "list_id": "libcamera_core", "list_email": "libcamera-devel@lists.libcamera.org", "web_url": "", "scm_url": "", "webscm_url": "" }, "msgid": "<20200429013349.2389-1-laurent.pinchart@ideasonboard.com>", "date": "2020-04-29T01:33:49", "name": "[libcamera-devel] libcamera: Regenerate IPA module signatures at install time", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": false, "hash": "24c9160ada014ff6c054d1154e5927d115969eed", "submitter": { "id": 2, "url": "https://patchwork.libcamera.org/api/people/2/?format=api", "name": "Laurent Pinchart", "email": "laurent.pinchart@ideasonboard.com" }, "delegate": null, "mbox": "https://patchwork.libcamera.org/patch/3608/mbox/", "series": [ { "id": 849, "url": "https://patchwork.libcamera.org/api/series/849/?format=api", "web_url": "https://patchwork.libcamera.org/project/libcamera/list/?series=849", "date": "2020-04-29T01:33:49", "name": "[libcamera-devel] libcamera: Regenerate IPA module signatures at install time", "version": 1, "mbox": "https://patchwork.libcamera.org/series/849/mbox/" } ], "comments": "https://patchwork.libcamera.org/api/patches/3608/comments/", "check": "pending", "checks": "https://patchwork.libcamera.org/api/patches/3608/checks/", "tags": {}, "headers": { "Return-Path": "<laurent.pinchart@ideasonboard.com>", "Received": [ "from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[213.167.242.64])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 094C1603F4\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tWed, 29 Apr 2020 03:33:56 +0200 (CEST)", "from pendragon.bb.dnainternet.fi (81-175-216-236.bb.dnainternet.fi\n\t[81.175.216.236])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id 86CB1521\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tWed, 29 Apr 2020 03:33:55 +0200 (CEST)" ], "Authentication-Results": "lancelot.ideasonboard.com; dkim=pass (1024-bit key; \n\tunprotected) header.d=ideasonboard.com\n\theader.i=@ideasonboard.com\n\theader.b=\"NW8eyRXM\"; dkim-atps=neutral", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; t=1588124035;\n\tbh=6c7QNg9UEI5CZi3GiSqf6MUUmtQE7GhWVhhAfRDMsfQ=;\n\th=From:To:Subject:Date:From;\n\tb=NW8eyRXMz40aNz+7vrxuAOAOCqodJ1M0xlvq1z8x9CLiBvzoqAoTyShaumZMIqYPA\n\tqG41CyQkuthOFtyW+BIEUVC+0ffZlY+qeFCAyVMVLiLq8ExLnU+6EfJ47bN9trnE4j\n\tVT0zjkItygZowlatvGZHgPjrLCGIIVnTGpEwYkT4=", "From": "Laurent Pinchart <laurent.pinchart@ideasonboard.com>", "To": "libcamera-devel@lists.libcamera.org", "Date": "Wed, 29 Apr 2020 04:33:49 +0300", "Message-Id": "<20200429013349.2389-1-laurent.pinchart@ideasonboard.com>", "X-Mailer": "git-send-email 2.25.3", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "Subject": "[libcamera-devel] [PATCH] libcamera: Regenerate IPA module\n\tsignatures at install time", "X-BeenThere": "libcamera-devel@lists.libcamera.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "<libcamera-devel.lists.libcamera.org>", "List-Unsubscribe": "<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>", "List-Archive": "<https://lists.libcamera.org/pipermail/libcamera-devel/>", "List-Post": "<mailto:libcamera-devel@lists.libcamera.org>", "List-Help": "<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>", "List-Subscribe": "<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>", "X-List-Received-Date": "Wed, 29 Apr 2020 01:33:56 -0000" }, "content": "When the IPA modules are installed, meson strips the DT_RPATH and\nDT_RUNPATH from the binaries. This invalidates the signatures. Disable\ninstallation of the .sign files and add an installation script to\nregenerate them directly in the target directory. The .sign files still\nneed to be created at build time to support running IPA modules from the\nbuild tree.\n\nTwo alternative approaches have been considered:\n\n- meson could be taught a new target argument to preserve binary\n compatibility by skipping any operation that modifies files. This has\n been proposed in the #mesonbuild IRC channel. While this could be\n interesting in the longer term, we need to fix the issue now.\n\n- The module signatures could be computed on selected sections only.\n While skipping the .dynamic section when signing may not cause\n security issues, it would make signature generation and verification\n more complex, and wasn't deemed worth it.\n\nSigned-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\n---\n src/ipa/ipa-sign-install.sh | 18 ++++++++++++++++++\n src/ipa/meson.build | 9 +++++++++\n src/ipa/rkisp1/meson.build | 2 +-\n src/ipa/vimc/meson.build | 2 +-\n 4 files changed, 29 insertions(+), 2 deletions(-)\n create mode 100755 src/ipa/ipa-sign-install.sh", "diff": "diff --git a/src/ipa/ipa-sign-install.sh b/src/ipa/ipa-sign-install.sh\nnew file mode 100755\nindex 000000000000..5317a8a2042b\n--- /dev/null\n+++ b/src/ipa/ipa-sign-install.sh\n@@ -0,0 +1,18 @@\n+#!/bin/sh\n+# SPDX-License-Identifier: GPL-2.0-or-later\n+# Copyright (C) 2020, Google Inc.\n+#\n+# Author: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\n+#\n+# ipa-sign-install.sh - Regenerate IPA module signatures when installing\n+\n+libdir=$1\n+key=$2\n+\n+ipa_sign=$(dirname \"$0\")/ipa-sign.sh\n+\n+echo \"Regenerating IPA modules signatures\"\n+\n+for module in \"${MESON_INSTALL_DESTDIR_PREFIX}/${libdir}\"/*.so ; do\n+\t\"${ipa_sign}\" \"${key}\" \"${module}\" \"${module}.sign\"\n+done\ndiff --git a/src/ipa/meson.build b/src/ipa/meson.build\nindex 145bf8105af7..56e65eaa7426 100644\n--- a/src/ipa/meson.build\n+++ b/src/ipa/meson.build\n@@ -25,3 +25,12 @@ foreach pipeline : get_option('pipelines')\n subdir(pipeline)\n endif\n endforeach\n+\n+if ipa_sign_module\n+ # Regenerate the signatures for all IPA modules. We can't simply install the\n+ # .sign files, as meson strips the DT_RPATH and DT_RUNPATH from binaries at\n+ # install time, which invalidates the signatures.\n+ meson.add_install_script('ipa-sign-install.sh',\n+ ipa_install_dir,\n+ ipa_priv_key.full_path())\n+endif\ndiff --git a/src/ipa/rkisp1/meson.build b/src/ipa/rkisp1/meson.build\nindex 247d0429b49c..98dbbd632c12 100644\n--- a/src/ipa/rkisp1/meson.build\n+++ b/src/ipa/rkisp1/meson.build\n@@ -14,6 +14,6 @@ if ipa_sign_module\n input : mod,\n output : ipa_name + '.so.sign',\n command : [ ipa_sign, ipa_priv_key, '@INPUT@', '@OUTPUT@' ],\n- install : true,\n+ install : false,\n install_dir : ipa_install_dir)\n endif\ndiff --git a/src/ipa/vimc/meson.build b/src/ipa/vimc/meson.build\nindex f8650ee80461..9d0760e57cc1 100644\n--- a/src/ipa/vimc/meson.build\n+++ b/src/ipa/vimc/meson.build\n@@ -14,7 +14,7 @@ if ipa_sign_module\n input : mod,\n output : ipa_name + '.so.sign',\n command : [ ipa_sign, ipa_priv_key, '@INPUT@', '@OUTPUT@' ],\n- install : true,\n+ install : false,\n install_dir : ipa_install_dir)\n endif\n \n", "prefixes": [ "libcamera-devel" ] }