[{"id":11770,"web_url":"https://patchwork.libcamera.org/comment/11770/","msgid":"<20200801130137.GE11820@pendragon.ideasonboard.com>","date":"2020-08-01T13:01:37","subject":"Re: [libcamera-devel] [meta-multimedia][PATCH v2] libcamera: fix\n\tpackaging and installation","submitter":{"id":2,"url":"https://patchwork.libcamera.org/api/people/2/","name":"Laurent Pinchart","email":"laurent.pinchart@ideasonboard.com"},"content":"Hi Andrey,\n\nThank you for the patch.\n\nOn Fri, Jul 31, 2020 at 05:39:19PM +0300, Andrey Konovalov wrote:\n> libcamera checks if RPATH or RUNPATH dynamic tag is present in\n> libcamera.so. If it does, it assumes that libcamera binaries are\n> run directly from the build directory without installing them, and\n> tries to use resources like IPA modules from the build directory.\n> Mainline meson strips RPATH/RUNPATH out from libcamera.so file\n> at install time. But openembedded-core patches meson to disable\n> RPATH/RUNPATH removal. That's why we need to remove this tag manually\n> in do_install_append().\n> \n> IPA module is signed (with openssl dgst) after it is built. But\n> during packaging the OE build system 1) splits out debugging info,\n> and 2) strips the binaries. So the IPA module so file installed\n> isn't the one which the signature was calculated against. Then\n> the signature check fails, and libcamera tries to run the IPA\n> module isolated (in a sandbox), which doesn't work if the IPA\n> module wasn't designed to run isolated. The solution is to\n> recalculate the IPA modules signatures in ${PKGD} after do_package().\n> \n> Signed-off-by: Andrey Konovalov <andrey.konovalov@linaro.org>\n> ---\n>  Changes in v2:\n>   - Recalculate the IPA modules signatures after do_package()\n>     instead of disabling stripping and splitting libcamera package\n> \n>  .../recipes-multimedia/libcamera/libcamera.bb     | 15 ++++++++++++++-\n>  1 file changed, 14 insertions(+), 1 deletion(-)\n> \n> 
diff --git a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb\n> index 00a5c480d..30c6600e5 100644\n> --- a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb\n> +++ b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb\n> 
@@ -18,13 +18,26 @@ PV = \"202006+git${SRCPV}\"\n>  \n>  S = \"${WORKDIR}/git\"\n>  \n> -DEPENDS = \"python3-pyyaml-native udev gnutls boost\"\n> +DEPENDS = \"python3-pyyaml-native udev gnutls boost chrpath-native\"\n>  DEPENDS += \"${@bb.utils.contains('DISTRO_FEATURES', 'qt', 'qtbase qtbase-native', '', d)}\"\n>  \n>  RDEPENDS_${PN} = \"${@bb.utils.contains('DISTRO_FEATURES', 'wayland qt', 'qtwayland', '', d)}\"\n>  \n>  inherit meson pkgconfig python3native\n>  \n> +do_install_append() {\n> +    chrpath -d ${D}${libdir}/libcamera.so\n> +}\n> +\n> +addtask do_recalculate_ipa_signatures_package after do_package before do_packagedata\n> +do_recalculate_ipa_signatures_package() {\n> +    for module in $(find \"${PKGD}/usr/lib/libcamera\" -name \"*.so.sign\"); do\n> +        if [ -f \"${module%.sign}\" ] ; then\n> +            \"${S}/src/ipa/ipa-sign.sh\" \"${B}/src/ipa-priv-key.pem\" \"${module%.sign}\" \"${module}\"\n> +        fi\n> +    done\n\nNote that you could also use the src/ipa/ipa-sign-install.sh script,\nwhich takes the key as the first argument followed by the list of .so\nfiles to sign. 
Something along the lines of (not tested)\n\n    local modules\n    for module in $(find \"${PKGD}/usr/lib/libcamera\" -name \"*.so.sign\"); do\n        module=\"${module%.sign}\"\n        if [ -f \"${module}\" ] ; then\n\t    modules=\"${modules} ${module}\"\n        fi\n    done\n\n    \"${S}/src/ipa/ipa-sign-install.sh\" \"${B}/src/ipa-priv-key.pem\" ${modules}\n\nI think this will lower the risk of breakage in the future, as\nipa-sign.sh will have a higher chance of being refactored than\nipa-sign-install.sh\n\nReviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\n\n> +}\n> +\n>  FILES_${PN}-dev = \"${includedir} ${libdir}/pkgconfig\"\n>  FILES_${PN} += \" ${libdir}/libcamera.so\"","headers":{"Return-Path":"<libcamera-devel-bounces@lists.libcamera.org>","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id E62AEBD878\n\tfor <parsemail@patchwork.libcamera.org>;\n\tSat,  1 Aug 2020 13:01:49 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id 62DD061F7D;\n\tSat,  1 Aug 2020 15:01:49 +0200 (CEST)","from perceval.ideasonboard.com (perceval.ideasonboard.com\n\t[213.167.242.64])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 8E89761F24\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tSat,  1 Aug 2020 15:01:47 +0200 (CEST)","from pendragon.ideasonboard.com (81-175-216-236.bb.dnainternet.fi\n\t[81.175.216.236])\n\tby perceval.ideasonboard.com (Postfix) with ESMTPSA id 177A255E;\n\tSat,  1 Aug 2020 15:01:47 +0200 (CEST)"],"Authentication-Results":"lancelot.ideasonboard.com;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key;\n\tunprotected) header.d=ideasonboard.com header.i=@ideasonboard.com\n\theader.b=\"UB7S8Ekc\"; dkim-atps=neutral","DKIM-Signature":"v=1; 
a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;\n\ts=mail; t=1596286907;\n\tbh=O8hbxufj5tprlfrvasFVtKt/YXtGKFMBqKmI39zVK7g=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=UB7S8EkcqlLEoDunCNUAux4DyqtTZQpud+pBQZiMHf1ux3I+qZgQ2i00nR0r9UfAQ\n\tLmfsh2YsSjw8Fgo9P/t321KICvLm4VTEmBhJdP/32WFjALNACReGgFbrQa1nCyXAUn\n\ti6TOA3fJ7ED3hqp1q5UUbWx0drkcrAuElHeL0Rs0=","Date":"Sat, 1 Aug 2020 16:01:37 +0300","From":"Laurent Pinchart <laurent.pinchart@ideasonboard.com>","To":"Andrey Konovalov <andrey.konovalov@linaro.org>","Message-ID":"<20200801130137.GE11820@pendragon.ideasonboard.com>","References":"<20200731143919.25825-1-andrey.konovalov@linaro.org>","MIME-Version":"1.0","Content-Disposition":"inline","In-Reply-To":"<20200731143919.25825-1-andrey.konovalov@linaro.org>","Subject":"Re: [libcamera-devel] [meta-multimedia][PATCH v2] libcamera: fix\n\tpackaging and installation","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<libcamera-devel.lists.libcamera.org>","List-Unsubscribe":"<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>","List-Archive":"<https://lists.libcamera.org/pipermail/libcamera-devel/>","List-Post":"<mailto:libcamera-devel@lists.libcamera.org>","List-Help":"<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>","List-Subscribe":"<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>","Cc":"madhavan.krishnan@linaro.org, libcamera-devel@lists.libcamera.org,\n\topenembedded-devel@lists.openembedded.org, raj.khem@gmail.com","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" 
<libcamera-devel-bounces@lists.libcamera.org>"}},{"id":11774,"web_url":"https://patchwork.libcamera.org/comment/11774/","msgid":"<5e874810-2a9b-260a-f8c5-2563b4e32489@linaro.org>","date":"2020-08-02T19:04:17","subject":"Re: [libcamera-devel] [meta-multimedia][PATCH v2] libcamera: fix\n\tpackaging and installation","submitter":{"id":25,"url":"https://patchwork.libcamera.org/api/people/25/","name":"Andrey Konovalov","email":"andrey.konovalov@linaro.org"},"content":"Hi Laurent,\n\nOn 01.08.2020 16:01, Laurent Pinchart wrote:\n> Hi Andrey,\n> \n> Thank you for the patch.\n> \n> On Fri, Jul 31, 2020 at 05:39:19PM +0300, Andrey Konovalov wrote:\n>> libcamera checks if RPATH or RUNPATH dynamic tag is present in\n>> libcamera.so. If it does, it assumes that libcamera binaries are\n>> run directly from the build directory without installing them, and\n>> tries to use resources like IPA modules from the build directory.\n>> Mainline meson strips RPATH/RUNPATH out from libcamera.so file\n>> at install time. But openembedded-core patches meson to disable\n>> RPATH/RUNPATH removal. That's why we need to remove this tag manually\n>> in do_install_append().\n>>\n>> IPA module is signed (with openssl dgst) after it is built. But\n>> during packaging the OE build system 1) splits out debugging info,\n>> and 2) strips the binaries. So the IPA module so file installed\n>> isn't the one which the signature was calculated against. Then\n>> the signature check fails, and libcamera tries to run the IPA\n>> module isolated (in a sandbox), which doesn't work if the IPA\n>> module wasn't designed to run isolated. The solution is to\n>> recalculate the IPA modules signatures in ${PKGD} after do_package().\n>>\n>> 
Signed-off-by: Andrey Konovalov <andrey.konovalov@linaro.org>\n>> ---\n>>   Changes in v2:\n>>    - Recalculate the IPA modules signatures after do_package()\n>>      instead of disabling stripping and splitting libcamera package\n>>\n>>   .../recipes-multimedia/libcamera/libcamera.bb     | 15 ++++++++++++++-\n>>   1 file changed, 14 insertions(+), 1 deletion(-)\n>>\n>> diff --git a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb\n>> index 00a5c480d..30c6600e5 100644\n>> --- a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb\n>> +++ b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb\n>> 
@@ -18,13 +18,26 @@ PV = \"202006+git${SRCPV}\"\n>>   \n>>   S = \"${WORKDIR}/git\"\n>>   \n>> -DEPENDS = \"python3-pyyaml-native udev gnutls boost\"\n>> +DEPENDS = \"python3-pyyaml-native udev gnutls boost chrpath-native\"\n>>   DEPENDS += \"${@bb.utils.contains('DISTRO_FEATURES', 'qt', 'qtbase qtbase-native', '', d)}\"\n>>   \n>>   RDEPENDS_${PN} = \"${@bb.utils.contains('DISTRO_FEATURES', 'wayland qt', 'qtwayland', '', d)}\"\n>>   \n>>   inherit meson pkgconfig python3native\n>>   \n>> +do_install_append() {\n>> +    chrpath -d ${D}${libdir}/libcamera.so\n>> +}\n>> +\n>> +addtask do_recalculate_ipa_signatures_package after do_package before do_packagedata\n>> +do_recalculate_ipa_signatures_package() {\n>> +    for module in $(find \"${PKGD}/usr/lib/libcamera\" -name \"*.so.sign\"); do\n>> +        if [ -f \"${module%.sign}\" ] ; then\n>> +            \"${S}/src/ipa/ipa-sign.sh\" \"${B}/src/ipa-priv-key.pem\" \"${module%.sign}\" \"${module}\"\n>> +        fi\n>> +    done\n> \n> Note that you could also use the src/ipa/ipa-sign-install.sh script,\n> which takes the key as the first argument followed by the list of .so\n> files to sign. Something along the lines of (not tested)\n> \n>      local modules\n>      for module in $(find \"${PKGD}/usr/lib/libcamera\" -name \"*.so.sign\"); do\n>          module=\"${module%.sign}\"\n>          if [ -f \"${module}\" ] ; then\n> \t    modules=\"${modules} ${module}\"\n>          fi\n>      done\n> \n>      \"${S}/src/ipa/ipa-sign-install.sh\" \"${B}/src/ipa-priv-key.pem\" ${modules}\n> \n> I think this will lower the risk of breakage in the future, as\n> ipa-sign.sh will have a higher chance of being refactored than\n> ipa-sign-install.sh\n\nOK, makes sense. 
Thanks for the suggestion!\n\nWhen creating v2 I've got the impression of ipa-sign-install.sh relying\non running in meson environment - when run as part of 'meson install'\nit prefixes each module with ${MESON_INSTALL_DESTDIR_PREFIX}/.\nBut ipa-sign-install.sh also works OK when used in do_recalculate_ipa_signatures_package() -\n\"${MESON_INSTALL_DESTDIR_PREFIX}\" resolves to \"\", and the ${modules}\nuse full path names.\n\n> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>\n\nThanks,\nAndrey\n\n>> +}\n>> +\n>>   FILES_${PN}-dev = \"${includedir} ${libdir}/pkgconfig\"\n>>   FILES_${PN} += \" ${libdir}/libcamera.so\"\n>","headers":{"Return-Path":"<libcamera-devel-bounces@lists.libcamera.org>","X-Original-To":"parsemail@patchwork.libcamera.org","Delivered-To":"parsemail@patchwork.libcamera.org","Received":["from lancelot.ideasonboard.com (lancelot.ideasonboard.com\n\t[92.243.16.209])\n\tby patchwork.libcamera.org (Postfix) with ESMTPS id C8BE9BD87A\n\tfor <parsemail@patchwork.libcamera.org>;\n\tSun,  2 Aug 2020 19:04:22 +0000 (UTC)","from lancelot.ideasonboard.com (localhost [IPv6:::1])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTP id 611A860396;\n\tSun,  2 Aug 2020 21:04:22 +0200 (CEST)","from mail-lj1-x243.google.com (mail-lj1-x243.google.com\n\t[IPv6:2a00:1450:4864:20::243])\n\tby lancelot.ideasonboard.com (Postfix) with ESMTPS id 887E860393\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tSun,  2 Aug 2020 21:04:20 +0200 (CEST)","by mail-lj1-x243.google.com with SMTP id 185so27169601ljj.7\n\tfor <libcamera-devel@lists.libcamera.org>;\n\tSun, 02 Aug 2020 12:04:20 -0700 (PDT)","from [192.168.118.216] (37-144-159-139.broadband.corbina.ru.\n\t[37.144.159.139]) by smtp.gmail.com with ESMTPSA id\n\t15sm2880634ljw.92.2020.08.02.12.04.17\n\t(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);\n\tSun, 02 Aug 2020 12:04:18 -0700 (PDT)"],"Authentication-Results":"lancelot.ideasonboard.com;\n\tdkim=fail reason=\"signature verification 
failed\" (2048-bit key;\n\tunprotected) header.d=linaro.org header.i=@linaro.org\n\theader.b=\"GKx7MN5n\"; dkim-atps=neutral","X-Received":"by 2002:a05:651c:155:: with SMTP id\n\tc21mr6525892ljd.453.1596395059584; \n\tSun, 02 Aug 2020 12:04:19 -0700 (PDT)","To":"Laurent Pinchart <laurent.pinchart@ideasonboard.com>","References":"<20200731143919.25825-1-andrey.konovalov@linaro.org>\n\t<20200801130137.GE11820@pendragon.ideasonboard.com>","From":"Andrey Konovalov 
<andrey.konovalov@linaro.org>","Message-ID":"<5e874810-2a9b-260a-f8c5-2563b4e32489@linaro.org>","Date":"Sun, 2 Aug 2020 22:04:17 +0300","User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101\n\tThunderbird/68.10.0","MIME-Version":"1.0","In-Reply-To":"<20200801130137.GE11820@pendragon.ideasonboard.com>","Content-Language":"en-US","Subject":"Re: [libcamera-devel] [meta-multimedia][PATCH v2] libcamera: fix\n\tpackaging and installation","X-BeenThere":"libcamera-devel@lists.libcamera.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"<libcamera-devel.lists.libcamera.org>","List-Unsubscribe":"<https://lists.libcamera.org/options/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>","List-Archive":"<https://lists.libcamera.org/pipermail/libcamera-devel/>","List-Post":"<mailto:libcamera-devel@lists.libcamera.org>","List-Help":"<mailto:libcamera-devel-request@lists.libcamera.org?subject=help>","List-Subscribe":"<https://lists.libcamera.org/listinfo/libcamera-devel>,\n\t<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>","Cc":"madhavan.krishnan@linaro.org, libcamera-devel@lists.libcamera.org,\n\topenembedded-devel@lists.openembedded.org, raj.khem@gmail.com","Content-Transfer-Encoding":"7bit","Content-Type":"text/plain; charset=\"us-ascii\"; Format=\"flowed\"","Errors-To":"libcamera-devel-bounces@lists.libcamera.org","Sender":"\"libcamera-devel\" <libcamera-devel-bounces@lists.libcamera.org>"}}]
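Review bot: In do_recalculate_ipa_signatures_package() the search root is hard-coded as "${PKGD}/usr/lib/libcamera", while do_install_append() in the same hunk locates the library through ${libdir}. On a configuration where libdir is not /usr/lib, find matches nothing, the loop body never runs, and the task still succeeds because the exit status of the $(find ...) substitution in the for list is discarded. The stripped IPA modules would then ship with the signatures computed before stripping, which is the signature-check failure the commit message sets out to fix. Suggest using "${PKGD}${libdir}/libcamera" and failing the task when no *.so.sign file is found, so a stale signature cannot pass unnoticed.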