| Message ID | 20260519030020.408693-5-hpa@redhat.com |
|---|---|
| State | Changes Requested |
2026. 05. 19. 5:00 keltezéssel, Kate Hsuan írta: > Add a combo type "ipa-signature-algo" meson option to select signature > algorithms, including rsa-sha256 and ml-dsa-65. > ras-sha256 is the default setting for now. > > Signed-off-by: Kate Hsuan <hpa@redhat.com> > --- > meson_options.txt | 8 ++++++++ > src/libcamera/meson.build | 6 ++++++ > src/meson.build | 14 +++++++++++--- > utils/gen-ipa-priv-key.sh | 16 ++++++++++++++-- > 4 files changed, 39 insertions(+), 5 deletions(-) > > diff --git a/meson_options.txt b/meson_options.txt > index 20baacc4..18488e6b 100644 > --- a/meson_options.txt > +++ b/meson_options.txt > @@ -46,6 +46,14 @@ option('gstreamer', > value : 'auto', > description : 'Compile libcamera GStreamer plugin') > > +option('ipa-signature-algo', > + type : 'combo', > + choices : [ > + 'rsa-sha256', > + 'ml-dsa-65', > + ], > + description : 'Select a signature algorithm to sign IPA libraries.') > + > option('ipas', > type : 'array', > choices : ['ipu3', 'mali-c55', 'rkisp1', 'rpi/pisp', 'rpi/vc4', 'simple', > diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build > index 575408b2..55ba6c6d 100644 > --- a/src/libcamera/meson.build > +++ b/src/libcamera/meson.build > @@ -97,6 +97,12 @@ else > endif > endif > > +# comply with FIPS 204 > +signature_algo = get_option('ipa-signature-algo') > +if signature_algo == 'ml-dsa-65' > + config_h.set('WITH_PQC', 1) > +endif > + > if not libcrypto.found() > warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated') > summary({'IPA modules signed with': 'None (modules will run isolated)'}, > diff --git a/src/meson.build b/src/meson.build > index 9b63c8e8..7f8909b1 100644 > --- a/src/meson.build > +++ b/src/meson.build 
> @@ -15,11 +15,19 @@ summary({ > }, section : 'Paths') > > # Module Signing > +signature_algo = get_option('ipa-signature-algo') > openssl = find_program('openssl', required : false) > if openssl.found() > - ipa_priv_key = custom_target('ipa-priv-key', > - output : ['ipa-priv-key.pem'], > - command : [gen_ipa_priv_key, '@OUTPUT@']) > + if signature_algo == 'ml-dsa-65' > + ipa_priv_key = custom_target('ipa-priv-key', > + output : ['ipa-priv-key.pem'], > + command : [gen_ipa_priv_key, 'ML-DSA-65', '@OUTPUT@']) > + endif > + if signature_algo == 'rsa-sha256' > + ipa_priv_key = custom_target('ipa-priv-key', > + output : ['ipa-priv-key.pem'], > + command : [gen_ipa_priv_key, 'RSA', '@OUTPUT@']) Why not just pass `signature_algo`? There is already a conditional chain in the script. But to be honest, I feel like I would actually remove the script altogether and have something like this: SIGNATURE_DETAILS = { 'rsa-sha256': { 'algo': 'RSA', 'args': [ '-pkeyopt rsa_keygen_bits:2048', ], } ... } signature_details = SIGNATURE_DETAILS[signature_algo] ipa_priv_key = custom_target('ipa-priv-key', output : ['ipa-priv-key.pem'], command : [ openssl, 'genpkey', '-algorithm', signature_details.get('algo'), '-out', '@OUTPUT@', ] + signature_details.get('args', [])) This also fixes the (mostly theoretical) issue of using the wrong `openssl` when the `openssl` program is overridden in meson but not in $PATH. Any reason I'm missing why this extra script is useful? > + endif > config_h.set('HAVE_IPA_PUBKEY', 1) > ipa_sign_module = true > else > diff --git a/utils/gen-ipa-priv-key.sh b/utils/gen-ipa-priv-key.sh > index 2ca7b883..8b86dfb3 100755 > --- a/utils/gen-ipa-priv-key.sh > +++ b/utils/gen-ipa-priv-key.sh 
> @@ -6,6 +6,18 @@ > # > # Generate an RSA private key to sign IPA modules > > -key="$1" > +algo="$1" > +key="$2" > > -openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048 > +# Two possible algorithms: RSA and ML-DSA-65 > +# openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048 > +# openssl genpkey -algorithm ML-DSA-65 -out "${key}" > + > +if [ "$algo" = "RSA" ]; then > + openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048 > +elif [ "$algo" = "ML-DSA-65" ]; then > + openssl genpkey -algorithm ML-DSA-65 -out "${key}" > +else > + echo "Invalid algorithm: $algo" > + exit 1 > +fi > \ No newline at end of file > -- > 2.54.0 >
Hi Kate, Thank you for the patch. On Tue, May 19, 2026 at 11:00:20AM +0800, Kate Hsuan wrote: > Add a combo type "ipa-signature-algo" meson option to select signature > algorithms, including rsa-sha256 and ml-dsa-65. > ras-sha256 is the default setting for now. > > Signed-off-by: Kate Hsuan <hpa@redhat.com> > --- > meson_options.txt | 8 ++++++++ > src/libcamera/meson.build | 6 ++++++ > src/meson.build | 14 +++++++++++--- > utils/gen-ipa-priv-key.sh | 16 ++++++++++++++-- > 4 files changed, 39 insertions(+), 5 deletions(-) > > diff --git a/meson_options.txt b/meson_options.txt > index 20baacc4..18488e6b 100644 > --- a/meson_options.txt > +++ b/meson_options.txt > @@ -46,6 +46,14 @@ option('gstreamer', > value : 'auto', > description : 'Compile libcamera GStreamer plugin') > > +option('ipa-signature-algo', > + type : 'combo', > + choices : [ > + 'rsa-sha256', > + 'ml-dsa-65', > + ], > + description : 'Select a signature algorithm to sign IPA libraries.') > + > option('ipas', > type : 'array', > choices : ['ipu3', 'mali-c55', 'rkisp1', 'rpi/pisp', 'rpi/vc4', 'simple', > diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build > index 575408b2..55ba6c6d 100644 > --- a/src/libcamera/meson.build > +++ b/src/libcamera/meson.build 
> @@ -97,6 +97,12 @@ else > endif > endif > > +# comply with FIPS 204 > +signature_algo = get_option('ipa-signature-algo') > +if signature_algo == 'ml-dsa-65' > + config_h.set('WITH_PQC', 1) > +endif I proposed renaming this HAVE_CRYPTO_ML_DSA_65 in patch 1/4. Thinking about it some more, maybe IPA_MODULE_DIR_SIGNATURE_ALGO would be a better option. I would then set it unconditionally, with a string value: config_h.set('IPA_MODULE_DIR_SIGNATURE_ALGO', '"' + get_option('ipa-signature-algo') + '"') The code in patch 1/4 could then be constexpr gnutls_sign_algorithm_t algo = IPA_MODULE_DIR_SIGNATURE_ALGO == "ml-dsa-65" ? GNUTLS_SIGN_MLDSA65 : GNUTLS_SIGN_RSA_SHA256; int ret = gnutls_pubkey_verify_data2(pubkey_, algo, 0, &gnuTlsData, &gnuTlsSig); (with the necessary adjustments to get it to compile :-)). This would remove conditional compilation. > + > if not libcrypto.found() > warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated') > summary({'IPA modules signed with': 'None (modules will run isolated)'}, > diff --git a/src/meson.build b/src/meson.build > index 9b63c8e8..7f8909b1 100644 > --- a/src/meson.build > +++ b/src/meson.build 
> @@ -15,11 +15,19 @@ summary({ > }, section : 'Paths') > > # Module Signing > +signature_algo = get_option('ipa-signature-algo') > openssl = find_program('openssl', required : false) > if openssl.found() > - ipa_priv_key = custom_target('ipa-priv-key', > - output : ['ipa-priv-key.pem'], > - command : [gen_ipa_priv_key, '@OUTPUT@']) > + if signature_algo == 'ml-dsa-65' > + ipa_priv_key = custom_target('ipa-priv-key', > + output : ['ipa-priv-key.pem'], > + command : [gen_ipa_priv_key, 'ML-DSA-65', '@OUTPUT@']) > + endif > + if signature_algo == 'rsa-sha256' > + ipa_priv_key = custom_target('ipa-priv-key', > + output : ['ipa-priv-key.pem'], > + command : [gen_ipa_priv_key, 'RSA', '@OUTPUT@']) Make this unconditional: ipa_priv_key = custom_target('ipa-priv-key', output : ['ipa-priv-key.pem'], command : [ gen_ipa_priv_key, get_option('ipa-signature-algo'), '@OUTPUT@' ]) and update gen-ipa-priv-key.sh accordingly. > + endif > config_h.set('HAVE_IPA_PUBKEY', 1) > ipa_sign_module = true > else > diff --git a/utils/gen-ipa-priv-key.sh b/utils/gen-ipa-priv-key.sh > index 2ca7b883..8b86dfb3 100755 > --- a/utils/gen-ipa-priv-key.sh > +++ b/utils/gen-ipa-priv-key.sh 
> @@ -6,6 +6,18 @@ > # > # Generate an RSA private key to sign IPA modules This comment needs to be updated. > > -key="$1" > +algo="$1" > +key="$2" > > -openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048 > +# Two possible algorithms: RSA and ML-DSA-65 > +# openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048 > +# openssl genpkey -algorithm ML-DSA-65 -out "${key}" > + > +if [ "$algo" = "RSA" ]; then > + openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048 According to the openssl-genpkey manpage, 2048 is the default, so maybe you could drop the option and simplify the code. > +elif [ "$algo" = "ML-DSA-65" ]; then > + openssl genpkey -algorithm ML-DSA-65 -out "${key}" > +else > + echo "Invalid algorithm: $algo" > + exit 1 > +fi One issue I ran into when testing the series is that changing the value of the ipa-signature-algo option doesn't regenerate the key. > \ No newline at end of file
On Mon, Jun 15, 2026 at 05:09:40PM +0200, Barnabás Pőcze wrote: > 2026. 05. 19. 5:00 keltezéssel, Kate Hsuan írta: > > Add a combo type "ipa-signature-algo" meson option to select signature > > algorithms, including rsa-sha256 and ml-dsa-65. > > ras-sha256 is the default setting for now. > > > > Signed-off-by: Kate Hsuan <hpa@redhat.com> > > --- > > meson_options.txt | 8 ++++++++ > > src/libcamera/meson.build | 6 ++++++ > > src/meson.build | 14 +++++++++++--- > > utils/gen-ipa-priv-key.sh | 16 ++++++++++++++-- > > 4 files changed, 39 insertions(+), 5 deletions(-) > > > > diff --git a/meson_options.txt b/meson_options.txt > > index 20baacc4..18488e6b 100644 > > --- a/meson_options.txt > > +++ b/meson_options.txt > > @@ -46,6 +46,14 @@ option('gstreamer', > > value : 'auto', > > description : 'Compile libcamera GStreamer plugin') > > > > +option('ipa-signature-algo', > > + type : 'combo', > > + choices : [ > > + 'rsa-sha256', > > + 'ml-dsa-65', > > + ], > > + description : 'Select a signature algorithm to sign IPA libraries.') > > + > > option('ipas', > > type : 'array', > > choices : ['ipu3', 'mali-c55', 'rkisp1', 'rpi/pisp', 'rpi/vc4', 'simple', > > diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build > > index 575408b2..55ba6c6d 100644 > > --- a/src/libcamera/meson.build > > +++ b/src/libcamera/meson.build > > @@ -97,6 +97,12 @@ else > > endif > > endif > > > > +# comply with FIPS 204 > > +signature_algo = get_option('ipa-signature-algo') > > +if signature_algo == 'ml-dsa-65' > > + config_h.set('WITH_PQC', 1) > > +endif > > + > > if not libcrypto.found() > > warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated') > > summary({'IPA modules signed with': 'None (modules will run isolated)'}, > > diff --git a/src/meson.build b/src/meson.build > > index 9b63c8e8..7f8909b1 100644 > > --- a/src/meson.build > > +++ b/src/meson.build 
> > @@ -15,11 +15,19 @@ summary({ > > }, section : 'Paths') > > > > # Module Signing > > +signature_algo = get_option('ipa-signature-algo') > > openssl = find_program('openssl', required : false) > > if openssl.found() > > - ipa_priv_key = custom_target('ipa-priv-key', > > - output : ['ipa-priv-key.pem'], > > - command : [gen_ipa_priv_key, '@OUTPUT@']) > > + if signature_algo == 'ml-dsa-65' > > + ipa_priv_key = custom_target('ipa-priv-key', > > + output : ['ipa-priv-key.pem'], > > + command : [gen_ipa_priv_key, 'ML-DSA-65', '@OUTPUT@']) > > + endif > > + if signature_algo == 'rsa-sha256' > > + ipa_priv_key = custom_target('ipa-priv-key', > > + output : ['ipa-priv-key.pem'], > > + command : [gen_ipa_priv_key, 'RSA', '@OUTPUT@']) > > Why not just pass `signature_algo`? There is already a conditional chain in the script. > > But to be honest, I feel like I would actually remove the script altogether and > have something like this: > > SIGNATURE_DETAILS = { > 'rsa-sha256': { 'algo': 'RSA', 'args': [ '-pkeyopt rsa_keygen_bits:2048', ], } > ... > } > > signature_details = SIGNATURE_DETAILS[signature_algo] > > ipa_priv_key = custom_target('ipa-priv-key', > output : ['ipa-priv-key.pem'], > command : [ openssl, 'genpkey', > '-algorithm', signature_details.get('algo'), > '-out', '@OUTPUT@', > ] + signature_details.get('args', [])) > > This also fixes the (mostly theoretical) issue of using the wrong `openssl` when the > `openssl` program is overridden in meson but not in $PATH. > > Any reason I'm missing why this extra script is useful? Not that I know of. On a related note, do we need a nice error message when ml-dsa-65 is selected but not available, or is the error output by openssl good enough ? I don't have an old version available here for testing. > > + endif > > config_h.set('HAVE_IPA_PUBKEY', 1) > > ipa_sign_module = true > > else > > diff --git a/utils/gen-ipa-priv-key.sh b/utils/gen-ipa-priv-key.sh > > index 2ca7b883..8b86dfb3 100755 
> > --- a/utils/gen-ipa-priv-key.sh > > +++ b/utils/gen-ipa-priv-key.sh > > @@ -6,6 +6,18 @@ > > # > > # Generate an RSA private key to sign IPA modules > > > > -key="$1" > > +algo="$1" > > +key="$2" > > > > -openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048 > > +# Two possible algorithms: RSA and ML-DSA-65 > > +# openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048 > > +# openssl genpkey -algorithm ML-DSA-65 -out "${key}" > > + > > +if [ "$algo" = "RSA" ]; then > > + openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048 > > +elif [ "$algo" = "ML-DSA-65" ]; then > > + openssl genpkey -algorithm ML-DSA-65 -out "${key}" > > +else > > + echo "Invalid algorithm: $algo" > > + exit 1 > > +fi > > \ No newline at end of file
On Mon, Jun 15, 2026 at 06:44:07PM +0300, Laurent Pinchart wrote: > On Mon, Jun 15, 2026 at 05:09:40PM +0200, Barnabás Pőcze wrote: > > 2026. 05. 19. 5:00 keltezéssel, Kate Hsuan írta: > > > Add a combo type "ipa-signature-algo" meson option to select signature > > > algorithms, including rsa-sha256 and ml-dsa-65. > > > ras-sha256 is the default setting for now. > > > > > > Signed-off-by: Kate Hsuan <hpa@redhat.com> > > > --- > > > meson_options.txt | 8 ++++++++ > > > src/libcamera/meson.build | 6 ++++++ > > > src/meson.build | 14 +++++++++++--- > > > utils/gen-ipa-priv-key.sh | 16 ++++++++++++++-- > > > 4 files changed, 39 insertions(+), 5 deletions(-) > > > > > > diff --git a/meson_options.txt b/meson_options.txt > > > index 20baacc4..18488e6b 100644 > > > --- a/meson_options.txt > > > +++ b/meson_options.txt > > > @@ -46,6 +46,14 @@ option('gstreamer', > > > value : 'auto', > > > description : 'Compile libcamera GStreamer plugin') > > > > > > +option('ipa-signature-algo', > > > + type : 'combo', > > > + choices : [ > > > + 'rsa-sha256', > > > + 'ml-dsa-65', > > > + ], > > > + description : 'Select a signature algorithm to sign IPA libraries.') > > > + > > > option('ipas', > > > type : 'array', > > > choices : ['ipu3', 'mali-c55', 'rkisp1', 'rpi/pisp', 'rpi/vc4', 'simple', > > > diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build > > > index 575408b2..55ba6c6d 100644 > > > --- a/src/libcamera/meson.build > > > +++ b/src/libcamera/meson.build > > > @@ -97,6 +97,12 @@ else > > > endif > > > endif > > > > > > +# comply with FIPS 204 > > > +signature_algo = get_option('ipa-signature-algo') > > > +if signature_algo == 'ml-dsa-65' > > > + config_h.set('WITH_PQC', 1) > > > +endif > > > + > > > if not libcrypto.found() > > > warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated') > > > summary({'IPA modules signed with': 'None (modules will run isolated)'}, 
> > > diff --git a/src/meson.build b/src/meson.build > > > index 9b63c8e8..7f8909b1 100644 > > > --- a/src/meson.build > > > +++ b/src/meson.build 
> > > @@ -15,11 +15,19 @@ summary({ > > > }, section : 'Paths') > > > > > > # Module Signing > > > +signature_algo = get_option('ipa-signature-algo') > > > openssl = find_program('openssl', required : false) > > > if openssl.found() > > > - ipa_priv_key = custom_target('ipa-priv-key', > > > - output : ['ipa-priv-key.pem'], > > > - command : [gen_ipa_priv_key, '@OUTPUT@']) > > > + if signature_algo == 'ml-dsa-65' > > > + ipa_priv_key = custom_target('ipa-priv-key', > > > + output : ['ipa-priv-key.pem'], > > > + command : [gen_ipa_priv_key, 'ML-DSA-65', '@OUTPUT@']) > > > + endif > > > + if signature_algo == 'rsa-sha256' > > > + ipa_priv_key = custom_target('ipa-priv-key', > > > + output : ['ipa-priv-key.pem'], > > > + command : [gen_ipa_priv_key, 'RSA', '@OUTPUT@']) > > > > Why not just pass `signature_algo`? There is already a conditional chain in the script. > > > > But to be honest, I feel like I would actually remove the script altogether and > > have something like this: > > > > SIGNATURE_DETAILS = { > > 'rsa-sha256': { 'algo': 'RSA', 'args': [ '-pkeyopt rsa_keygen_bits:2048', ], } > > ... > > } > > > > signature_details = SIGNATURE_DETAILS[signature_algo] > > > > ipa_priv_key = custom_target('ipa-priv-key', > > output : ['ipa-priv-key.pem'], > > command : [ openssl, 'genpkey', > > '-algorithm', signature_details.get('algo'), > > '-out', '@OUTPUT@', > > ] + signature_details.get('args', [])) > > > > This also fixes the (mostly theoretical) issue of using the wrong `openssl` when the > > `openssl` program is overridden in meson but not in $PATH. > > > > Any reason I'm missing why this extra script is useful? > > Not that I know of. > > On a related note, do we need a nice error message when ml-dsa-65 is > selected but not available, or is the error output by openssl good > enough ? I don't have an old version available here for testing. A check at build time that the openssl or gnutls version for the target provide ml-dsa-65 support would be good too. 
For gnutls we'll get a compilation error, but for openssl we'll have a runtime failure. > > > + endif > > > config_h.set('HAVE_IPA_PUBKEY', 1) > > > ipa_sign_module = true > > > else > > > diff --git a/utils/gen-ipa-priv-key.sh b/utils/gen-ipa-priv-key.sh > > > index 2ca7b883..8b86dfb3 100755 > > > --- a/utils/gen-ipa-priv-key.sh > > > +++ b/utils/gen-ipa-priv-key.sh > > > @@ -6,6 +6,18 @@ > > > # > > > # Generate an RSA private key to sign IPA modules > > > > > > -key="$1" > > > +algo="$1" > > > +key="$2" > > > > > > -openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048 > > > +# Two possible algorithms: RSA and ML-DSA-65 > > > +# openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048 > > > +# openssl genpkey -algorithm ML-DSA-65 -out "${key}" > > > + > > > +if [ "$algo" = "RSA" ]; then > > > + openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048 > > > +elif [ "$algo" = "ML-DSA-65" ]; then > > > + openssl genpkey -algorithm ML-DSA-65 -out "${key}" > > > +else > > > + echo "Invalid algorithm: $algo" > > > + exit 1 > > > +fi > > > \ No newline at end of file
Hi Barnabás and Laurent Thank you for reviewing this work. On Mon, Jun 15, 2026 at 11:10 PM Laurent Pinchart <laurent.pinchart@ideasonboard.com> wrote: > > Hi Kate, > > Thank you for the patch. > > On Tue, May 19, 2026 at 11:00:20AM +0800, Kate Hsuan wrote: > > Add a combo type "ipa-signature-algo" meson option to select signature > > algorithms, including rsa-sha256 and ml-dsa-65. > > ras-sha256 is the default setting for now. > > > > Signed-off-by: Kate Hsuan <hpa@redhat.com> > > --- > > meson_options.txt | 8 ++++++++ > > src/libcamera/meson.build | 6 ++++++ > > src/meson.build | 14 +++++++++++--- > > utils/gen-ipa-priv-key.sh | 16 ++++++++++++++-- > > 4 files changed, 39 insertions(+), 5 deletions(-) > > > > diff --git a/meson_options.txt b/meson_options.txt > > index 20baacc4..18488e6b 100644 > > --- a/meson_options.txt > > +++ b/meson_options.txt > > @@ -46,6 +46,14 @@ option('gstreamer', > > value : 'auto', > > description : 'Compile libcamera GStreamer plugin') > > > > +option('ipa-signature-algo', > > + type : 'combo', > > + choices : [ > > + 'rsa-sha256', > > + 'ml-dsa-65', > > + ], > > + description : 'Select a signature algorithm to sign IPA libraries.') > > + > > option('ipas', > > type : 'array', > > choices : ['ipu3', 'mali-c55', 'rkisp1', 'rpi/pisp', 'rpi/vc4', 'simple', > > diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build > > index 575408b2..55ba6c6d 100644 > > --- a/src/libcamera/meson.build > > +++ b/src/libcamera/meson.build 
> > @@ -97,6 +97,12 @@ else > > endif > > endif > > > > +# comply with FIPS 204 > > +signature_algo = get_option('ipa-signature-algo') > > +if signature_algo == 'ml-dsa-65' > > + config_h.set('WITH_PQC', 1) > > +endif > > I proposed renaming this HAVE_CRYPTO_ML_DSA_65 in patch 1/4. Thinking > about it some more, maybe IPA_MODULE_DIR_SIGNATURE_ALGO would be a > better option. I would then set it unconditionally, with a string value: OK, this is a better way if more algorithms are introduced into libcamera. > > config_h.set('IPA_MODULE_DIR_SIGNATURE_ALGO', '"' + get_option('ipa-signature-algo') + '"') > > The code in patch 1/4 could then be > > constexpr gnutls_sign_algorithm_t algo = > IPA_MODULE_DIR_SIGNATURE_ALGO == "ml-dsa-65" ? > GNUTLS_SIGN_MLDSA65 : GNUTLS_SIGN_RSA_SHA256; > > int ret = gnutls_pubkey_verify_data2(pubkey_, algo, 0, &gnuTlsData, > &gnuTlsSig); > > (with the necessary adjustments to get it to compile :-)). This would > remove conditional compilation. Sounds good. I'll check the code with "WITH_PQC" again. > > > + > > if not libcrypto.found() > > warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated') > > summary({'IPA modules signed with': 'None (modules will run isolated)'}, > > diff --git a/src/meson.build b/src/meson.build > > index 9b63c8e8..7f8909b1 100644 > > --- a/src/meson.build > > +++ b/src/meson.build 
> > @@ -15,11 +15,19 @@ summary({ > > }, section : 'Paths') > > > > # Module Signing > > +signature_algo = get_option('ipa-signature-algo') > > openssl = find_program('openssl', required : false) > > if openssl.found() > > - ipa_priv_key = custom_target('ipa-priv-key', > > - output : ['ipa-priv-key.pem'], > > - command : [gen_ipa_priv_key, '@OUTPUT@']) > > + if signature_algo == 'ml-dsa-65' > > + ipa_priv_key = custom_target('ipa-priv-key', > > + output : ['ipa-priv-key.pem'], > > + command : [gen_ipa_priv_key, 'ML-DSA-65', '@OUTPUT@']) > > + endif > > + if signature_algo == 'rsa-sha256' > > + ipa_priv_key = custom_target('ipa-priv-key', > > + output : ['ipa-priv-key.pem'], > > + command : [gen_ipa_priv_key, 'RSA', '@OUTPUT@']) > > Make this unconditional: Okay > > ipa_priv_key = custom_target('ipa-priv-key', > output : ['ipa-priv-key.pem'], > command : [ > gen_ipa_priv_key, > get_option('ipa-signature-algo'), > '@OUTPUT@' > ]) Ok > > and update gen-ipa-priv-key.sh accordingly. Sure. > > > + endif > > config_h.set('HAVE_IPA_PUBKEY', 1) > > ipa_sign_module = true > > else > > diff --git a/utils/gen-ipa-priv-key.sh b/utils/gen-ipa-priv-key.sh > > index 2ca7b883..8b86dfb3 100755 > > --- a/utils/gen-ipa-priv-key.sh > > +++ b/utils/gen-ipa-priv-key.sh 
> > @@ -6,6 +6,18 @@ > > # > > # Generate an RSA private key to sign IPA modules > > This comment needs to be updated. OK > > > > > -key="$1" > > +algo="$1" > > +key="$2" > > > > -openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048 > > +# Two possible algorithms: RSA and ML-DSA-65 > > +# openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048 > > +# openssl genpkey -algorithm ML-DSA-65 -out "${key}" > > + > > +if [ "$algo" = "RSA" ]; then > > + openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048 > > According to the openssl-genpkey manpage, 2048 is the default, so maybe > you could drop the option and simplify the code. Yes, the default value is 2048 if we don't specify a value. I'll drop it. > > > +elif [ "$algo" = "ML-DSA-65" ]; then > > + openssl genpkey -algorithm ML-DSA-65 -out "${key}" > > +else > > + echo "Invalid algorithm: $algo" > > + exit 1 > > +fi > > One issue I ran into when testing the series is that changing the value > of the ipa-signature-algo option doesn't regenerate the key. I found this too. I'll remove "${key}".old and rename "${key}" to "${key}".old before running the command. > > > \ No newline at end of file I'll drop the line. > > -- > Regards, > > Laurent Pinchart >
Hi Laurent, On Mon, Jun 15, 2026 at 11:44 PM Laurent Pinchart <laurent.pinchart@ideasonboard.com> wrote: > > On Mon, Jun 15, 2026 at 05:09:40PM +0200, Barnabás Pőcze wrote: > > 2026. 05. 19. 5:00 keltezéssel, Kate Hsuan írta: > > > Add a combo type "ipa-signature-algo" meson option to select signature > > > algorithms, including rsa-sha256 and ml-dsa-65. > > > ras-sha256 is the default setting for now. > > > > > > Signed-off-by: Kate Hsuan <hpa@redhat.com> > > > --- > > > meson_options.txt | 8 ++++++++ > > > src/libcamera/meson.build | 6 ++++++ > > > src/meson.build | 14 +++++++++++--- > > > utils/gen-ipa-priv-key.sh | 16 ++++++++++++++-- > > > 4 files changed, 39 insertions(+), 5 deletions(-) > > > > > > diff --git a/meson_options.txt b/meson_options.txt > > > index 20baacc4..18488e6b 100644 > > > --- a/meson_options.txt > > > +++ b/meson_options.txt > > > @@ -46,6 +46,14 @@ option('gstreamer', > > > value : 'auto', > > > description : 'Compile libcamera GStreamer plugin') > > > > > > +option('ipa-signature-algo', > > > + type : 'combo', > > > + choices : [ > > > + 'rsa-sha256', > > > + 'ml-dsa-65', > > > + ], > > > + description : 'Select a signature algorithm to sign IPA libraries.') > > > + > > > option('ipas', > > > type : 'array', > > > choices : ['ipu3', 'mali-c55', 'rkisp1', 'rpi/pisp', 'rpi/vc4', 'simple', > > > diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build > > > index 575408b2..55ba6c6d 100644 > > > --- a/src/libcamera/meson.build > > > +++ b/src/libcamera/meson.build > > > @@ -97,6 +97,12 @@ else > > > endif > > > endif > > > > > > +# comply with FIPS 204 > > > +signature_algo = get_option('ipa-signature-algo') > > > +if signature_algo == 'ml-dsa-65' > > > + config_h.set('WITH_PQC', 1) > > > +endif > > > + > > > if not libcrypto.found() > > > warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated') > > > summary({'IPA modules signed with': 'None (modules will run isolated)'}, 
> > > diff --git a/src/meson.build b/src/meson.build > > > index 9b63c8e8..7f8909b1 100644 > > > --- a/src/meson.build > > > +++ b/src/meson.build 
> > > @@ -15,11 +15,19 @@ summary({ > > > }, section : 'Paths') > > > > > > # Module Signing > > > +signature_algo = get_option('ipa-signature-algo') > > > openssl = find_program('openssl', required : false) > > > if openssl.found() > > > - ipa_priv_key = custom_target('ipa-priv-key', > > > - output : ['ipa-priv-key.pem'], > > > - command : [gen_ipa_priv_key, '@OUTPUT@']) > > > + if signature_algo == 'ml-dsa-65' > > > + ipa_priv_key = custom_target('ipa-priv-key', > > > + output : ['ipa-priv-key.pem'], > > > + command : [gen_ipa_priv_key, 'ML-DSA-65', '@OUTPUT@']) > > > + endif > > > + if signature_algo == 'rsa-sha256' > > > + ipa_priv_key = custom_target('ipa-priv-key', > > > + output : ['ipa-priv-key.pem'], > > > + command : [gen_ipa_priv_key, 'RSA', '@OUTPUT@']) > > > > Why not just pass `signature_algo`? There is already a conditional chain in the script. > > > > But to be honest, I feel like I would actually remove the script altogether and > > have something like this: > > > > SIGNATURE_DETAILS = { > > 'rsa-sha256': { 'algo': 'RSA', 'args': [ '-pkeyopt rsa_keygen_bits:2048', ], } > > ... > > } > > > > signature_details = SIGNATURE_DETAILS[signature_algo] > > > > ipa_priv_key = custom_target('ipa-priv-key', > > output : ['ipa-priv-key.pem'], > > command : [ openssl, 'genpkey', > > '-algorithm', signature_details.get('algo'), > > '-out', '@OUTPUT@', > > ] + signature_details.get('args', [])) > > > > This also fixes the (mostly theoretical) issue of using the wrong `openssl` when the > > `openssl` program is overridden in meson but not in $PATH. > > > > Any reason I'm missing why this extra script is useful? > > Not that I know of. > > On a related note, do we need a nice error message when ml-dsa-65 is > selected but not available, or is the error output by openssl good > enough ? I don't have an old version available here for testing. I may run the command "openssl list -signature-algorithms |grep signature_algo" to list and check the available algorithms. 
If the algorithm is not supported, drop an error message to the console. That makes the output of "meson setup" much friendlier. :) > > > > + endif > > > config_h.set('HAVE_IPA_PUBKEY', 1) > > > ipa_sign_module = true > > > else > > > diff --git a/utils/gen-ipa-priv-key.sh b/utils/gen-ipa-priv-key.sh > > > index 2ca7b883..8b86dfb3 100755 > > > --- a/utils/gen-ipa-priv-key.sh > > > +++ b/utils/gen-ipa-priv-key.sh > > > @@ -6,6 +6,18 @@ > > > # > > > # Generate an RSA private key to sign IPA modules > > > > > > -key="$1" > > > +algo="$1" > > > +key="$2" > > > > > > -openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048 > > > +# Two possible algorithms: RSA and ML-DSA-65 > > > +# openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048 > > > +# openssl genpkey -algorithm ML-DSA-65 -out "${key}" > > > + > > > +if [ "$algo" = "RSA" ]; then > > > + openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048 > > > +elif [ "$algo" = "ML-DSA-65" ]; then > > > + openssl genpkey -algorithm ML-DSA-65 -out "${key}" > > > +else > > > + echo "Invalid algorithm: $algo" > > > + exit 1 > > > +fi > > > \ No newline at end of file > > -- > Regards, > > Laurent Pinchart >
diff --git a/meson_options.txt b/meson_options.txt
index 20baacc4..18488e6b 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -46,6 +46,14 @@ option('gstreamer',
 value : 'auto',
 description : 'Compile libcamera GStreamer plugin')
 
+option('ipa-signature-algo',
+ type : 'combo',
+ choices : [
+ 'rsa-sha256',
+ 'ml-dsa-65',
+ ],
+ description : 'Select a signature algorithm to sign IPA libraries.')
+
 option('ipas',
 type : 'array',
 choices : ['ipu3', 'mali-c55', 'rkisp1', 'rpi/pisp', 'rpi/vc4', 'simple',
diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build
index 575408b2..55ba6c6d 100644
--- a/src/libcamera/meson.build
+++ b/src/libcamera/meson.build
@@ -97,6 +97,12 @@ else
 endif
 endif
 
+# comply with FIPS 204
+signature_algo = get_option('ipa-signature-algo')
+if signature_algo == 'ml-dsa-65'
+ config_h.set('WITH_PQC', 1)
+endif
+
 if not libcrypto.found()
 warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated')
 summary({'IPA modules signed with': 'None (modules will run isolated)'},
diff --git a/src/meson.build b/src/meson.build
index 9b63c8e8..7f8909b1 100644
--- a/src/meson.build
+++ b/src/meson.build
@@ -15,11 +15,19 @@ summary({
 }, section : 'Paths')
 
 # Module Signing
+signature_algo = get_option('ipa-signature-algo')
 openssl = find_program('openssl', required : false)
 if openssl.found()
- ipa_priv_key = custom_target('ipa-priv-key',
- output : ['ipa-priv-key.pem'],
- command : [gen_ipa_priv_key, '@OUTPUT@'])
+ if signature_algo == 'ml-dsa-65'
+ ipa_priv_key = custom_target('ipa-priv-key',
+ output : ['ipa-priv-key.pem'],
+ command : [gen_ipa_priv_key, 'ML-DSA-65', '@OUTPUT@'])
+ endif
+ if signature_algo == 'rsa-sha256'
+ ipa_priv_key = custom_target('ipa-priv-key',
+ output : ['ipa-priv-key.pem'],
+ command : [gen_ipa_priv_key, 'RSA', '@OUTPUT@'])
+ endif
 config_h.set('HAVE_IPA_PUBKEY', 1)
 ipa_sign_module = true
 else
diff --git a/utils/gen-ipa-priv-key.sh b/utils/gen-ipa-priv-key.sh
index 2ca7b883..8b86dfb3 100755
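Review bot: The new `ipa-signature-algo` combo declares no `value`, so the rsa-sha256 default the commit message promises exists only because it happens to be listed first in `choices`; reordering that list later would silently change which algorithm signs the IPA modules. Adding `value : 'rsa-sha256',` after `type : 'combo',` makes the default explicit, the same way the neighbouring `gstreamer` option spells out `value : 'auto',`. The description could also tell the builder what the choice implies, e.g. `description : 'Signature algorithm used to sign and verify IPA modules (the selected algorithm must be supported by the openssl/gnutls in use)'`.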
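Review bot: The `# comply with FIPS 204` comment above `signature_algo = get_option('ipa-signature-algo')` overstates what the block does: it only defines `WITH_PQC` when ml-dsa-65 is selected, and picking the FIPS 204 algorithm does not by itself make the build FIPS-compliant. A comment naming the mechanism reads better, e.g. `# ML-DSA-65 (FIPS 204) selected: enable the post-quantum signature verification path`. Note also that the define is emitted before the `if not libcrypto.found()` check that follows, so it is set even in builds with no crypto backend where signatures are never verified; whether that is harmless depends on how the consumer in patch 1/4 uses it, which is outside this hunk.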
--- a/utils/gen-ipa-priv-key.sh
+++ b/utils/gen-ipa-priv-key.sh
@@ -6,6 +6,18 @@
 #
 # Generate an RSA private key to sign IPA modules
 
-key="$1"
+algo="$1"
+key="$2"
 
-openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048
+# Two possible algorithms: RSA and ML-DSA-65
+# openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048
+# openssl genpkey -algorithm ML-DSA-65 -out "${key}"
+
+if [ "$algo" = "RSA" ]; then
+ openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048
+elif [ "$algo" = "ML-DSA-65" ]; then
+ openssl genpkey -algorithm ML-DSA-65 -out "${key}"
+else
+ echo "Invalid algorithm: $algo"
+ exit 1
+fi
\ No newline at end of file
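Review bot: The diagnostic in the new `else` branch is written to stdout, so when meson runs the generator it is mixed into ordinary build output instead of surfacing as an error; use `echo "Invalid algorithm: $algo" >&2`. The script also accepts a missing second argument silently: with one argument `key` is empty and openssl is left to fail on an empty `-out` path with its own less obvious message, so a guard such as `[ $# -eq 2 ] || { echo "usage: $0 <RSA|ML-DSA-65> <output>" >&2; exit 1; }` before the `if` chain would make the contract explicit. The two commented-out `openssl genpkey` lines under `# Two possible algorithms` duplicate the commands in the branches below them and will drift from the code; one sentence describing the accepted `algo` values is enough.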
Add a combo type "ipa-signature-algo" meson option to select signature algorithms, including rsa-sha256 and ml-dsa-65. rsa-sha256 is the default setting for now. Signed-off-by: Kate Hsuan <hpa@redhat.com> --- meson_options.txt | 8 ++++++++ src/libcamera/meson.build | 6 ++++++ src/meson.build | 14 +++++++++++--- utils/gen-ipa-priv-key.sh | 16 ++++++++++++++-- 4 files changed, 39 insertions(+), 5 deletions(-)