[v4,4/4] meson: Add ipa-signature-algo option
diff mbox series

Message ID 20260701040721.145659-5-hpa@redhat.com
State New
Headers show
Series
  • Implement ML-DSA-65 for Post-Quantum Cryptographic compliance
Related show

Commit Message

Kate Hsuan July 1, 2026, 4:07 a.m. UTC
Add a combo type "ipa-signature-algo" meson option to select signature
algorithms, including rsa-sha256 and ml-dsa-65.
ras-sha256 is the default setting for now.

Signed-off-by: Kate Hsuan <hpa@redhat.com>
---
 meson_options.txt         |  8 ++++++++
 src/libcamera/meson.build | 11 +++++++++++
 src/meson.build           |  6 +++++-
 utils/check-algo.sh       | 35 +++++++++++++++++++++++++++++++++++
 utils/gen-ipa-priv-key.sh | 21 ++++++++++++++++++---
 5 files changed, 77 insertions(+), 4 deletions(-)
 create mode 100755 utils/check-algo.sh

Comments

Barnabás Pőcze July 1, 2026, 8:55 a.m. UTC | #1
2026. 07. 01. 6:07 keltezéssel, Kate Hsuan írta:
> Add a combo type "ipa-signature-algo" meson option to select signature
> algorithms, including rsa-sha256 and ml-dsa-65.
> ras-sha256 is the default setting for now.
> 
> Signed-off-by: Kate Hsuan <hpa@redhat.com>
> ---
>   meson_options.txt         |  8 ++++++++
>   src/libcamera/meson.build | 11 +++++++++++
>   src/meson.build           |  6 +++++-
>   utils/check-algo.sh       | 35 +++++++++++++++++++++++++++++++++++
>   utils/gen-ipa-priv-key.sh | 21 ++++++++++++++++++---
>   5 files changed, 77 insertions(+), 4 deletions(-)
>   create mode 100755 utils/check-algo.sh
> 
> diff --git a/meson_options.txt b/meson_options.txt
> index 20baacc4..18488e6b 100644
> --- a/meson_options.txt
> +++ b/meson_options.txt
> @@ -46,6 +46,14 @@ option('gstreamer',
>           value : 'auto',
>           description : 'Compile libcamera GStreamer plugin')
>   
> +option('ipa-signature-algo',
> +        type : 'combo',
> +        choices : [
> +            'rsa-sha256',
> +            'ml-dsa-65',
> +        ],
> +        description : 'Select a signature algorithm to sign IPA libraries.')
> +
>   option('ipas',
>           type : 'array',
>           choices : ['ipu3', 'mali-c55', 'rkisp1', 'rpi/pisp', 'rpi/vc4', 'simple',
> diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build
> index 575408b2..cabd1041 100644
> --- a/src/libcamera/meson.build
> +++ b/src/libcamera/meson.build
> @@ -89,14 +89,25 @@ libyaml = dependency('yaml-0.1', default_options : [
>   # Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first.
>   libcrypto = dependency('gnutls', required : false)
>   if libcrypto.found()
> +    r = run_command('../../utils/check-algo.sh', 'guntls', get_option('ipa-signature-algo'), check: false)
> +    if r.returncode() != 0
> +        error('Unsupported signature algorithm (', 'guntls,', get_option('ipa-signature-algo'), ')')
> +    endif
>       config_h.set('HAVE_GNUTLS', 1)
>   else
>       libcrypto = dependency('libcrypto', required : false)
>       if libcrypto.found()
> +            r = run_command('../../utils/check-algo.sh', 'openssl',  get_option('ipa-signature-algo'), check: false)
> +            if r.returncode() != 0
> +                error('Unsupported signature algorithm. (', 'libcrypto,', get_option('ipa-signature-algo'), ')')
> +            endif
>           config_h.set('HAVE_CRYPTO', 1)
>       endif
>   endif
>   
> +# comply with FIPS 204
> +config_h.set('IPA_MODULE_DIR_SIGNATURE_ALGO', '"' + get_option('ipa-signature-algo') + '"')
> +
>   if not libcrypto.found()
>       warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated')
>       summary({'IPA modules signed with': 'None (modules will run isolated)'},
> diff --git a/src/meson.build b/src/meson.build
> index 9b63c8e8..4111f591 100644
> --- a/src/meson.build
> +++ b/src/meson.build
> @@ -19,7 +19,11 @@ openssl = find_program('openssl', required : false)
>   if openssl.found()
>       ipa_priv_key = custom_target('ipa-priv-key',
>                                    output : ['ipa-priv-key.pem'],
> -                                 command : [gen_ipa_priv_key, '@OUTPUT@'])
> +                                 command : [
> +                                    gen_ipa_priv_key,
> +                                    get_option('ipa-signature-algo'),
> +                                    '@OUTPUT@'
> +                                 ])
>       config_h.set('HAVE_IPA_PUBKEY', 1)
>       ipa_sign_module = true
>   else
> diff --git a/utils/check-algo.sh b/utils/check-algo.sh
> new file mode 100755
> index 00000000..2ee6c7cb
> --- /dev/null
> +++ b/utils/check-algo.sh
> @@ -0,0 +1,35 @@
> +#!/bin/sh
> +# SPDX-License-Identifier: GPL-2.0-or-later
> +# Copyright (C) 2026, Red Hat Inc.
> +#
> +# Author: Kate Hsuan <hpa@redhat.com>
> +#
> +# Check if the given algorithm is supported by the library
> +
> +tool="$1"
> +algo="$2"
> +
> +if [ "$algo" = "rsa-sha256" ]; then
> +    algo="RSA-SHA256"
> +elif [ "$algo" = "ml-dsa-65" ]; then
> +    algo="ML-DSA-65"
> +else
> +    echo "Invalid algorithm: $algo"
> +    exit 1
> +fi
> +
> +if [ "$tool" = "guntls" ]; then
> +    gnutls-cli -l | grep "$algo" > /dev/null
> +    ret=$?
> +elif [ "$tool" = "openssl" ]; then
> +    openssl list -signature-algorithms |grep ${algo} > /dev/null

Unfortunately the version in debian 11 does not support this option.
This will be dropped in August in any case, so probably not a big issue.

$ podman run --rm -it registry.freedesktop.org/camera/libcamera/debian/bullseye:2026-04-05.0
root@3302aa618c1e:/app# openssl list -help
Usage: list [options]
Valid options are:
  -help                   Display this summary
  -1                      List in one column
  -commands               List of standard commands
  -digest-commands        List of message digest commands
  -digest-algorithms      List of message digest algorithms
  -cipher-commands        List of cipher commands
  -cipher-algorithms      List of cipher algorithms
  -public-key-algorithms  List of public key algorithms
  -public-key-methods     List of public key methods
  -disabled               List of disabled features
  -missing-help           List missing detailed help strings
  -options val            List options for specified command

But the debian 12 also fails the check:

$ podman run --rm -it registry.freedesktop.org/camera/libcamera/debian/bookworm:2026-04-05.0
root@a3962e2aab7f:/app# openssl list -signature-algorithms
   { 1.2.840.113549.1.1.1, 2.5.8.1.1, RSA, rsaEncryption } @ default
   { 1.2.840.10040.4.1, 1.2.840.10040.4.3, 1.3.14.3.2.12, 1.3.14.3.2.13, 1.3.14.3.2.27, DSA, DSA-old, DSA-SHA, DSA-SHA1, DSA-SHA1-old, dsaEncryption, dsaEncryption-old, dsaWithSHA, dsaWithSHA1, dsaWithSHA1-old } @ default
   { 1.3.101.112, ED25519 } @ default
   { 1.3.101.113, ED448 } @ default
   { 1.2.156.10197.1.301, SM2 } @ default
   ECDSA @ default
   HMAC @ default
   SIPHASH @ default
   POLY1305 @ default
   CMAC @ default


> +    ret=$?
> +else
> +    echo "Invalid tool: $tool"
> +    exit 1
> +fi
> +
> +if [ $ret -ne 0 ]; then
> +    echo "Algorithm $algo is not supported by $tool"
> +    exit 1
> +fi
> diff --git a/utils/gen-ipa-priv-key.sh b/utils/gen-ipa-priv-key.sh
> index 2ca7b883..3fc44bcc 100755
> --- a/utils/gen-ipa-priv-key.sh
> +++ b/utils/gen-ipa-priv-key.sh
> @@ -4,8 +4,23 @@
>   #
>   # Author: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
>   #
> -# Generate an RSA private key to sign IPA modules
> +# Generate an private key for the given algorithm to sign IPA modules
>   
> -key="$1"
> +algo="$1"
> +key="$2"
>   
> -openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048
> +if [ -e "${key}" ]; then
> +    echo "File ${key} already exists. Removing it."
> +    rm "${key}"
> +fi
> +
> +# Two possible algorithms: RSA and ML-DSA-65
> +
> +if [ "$algo" = "rsa-sha256" ]; then
> +    openssl genpkey -algorithm RSA -out "${key}"
> +elif [ "$algo" = "ml-dsa-65" ]; then
> +    openssl genpkey -algorithm ML-DSA-65 -out "${key}"
> +else
> +    echo "Invalid algorithm: $algo"
> +    exit 1
> +fi

Patch
diff mbox series

diff --git a/meson_options.txt b/meson_options.txt
index 20baacc4..18488e6b 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -46,6 +46,14 @@  option('gstreamer',
         value : 'auto',
         description : 'Compile libcamera GStreamer plugin')
 
+option('ipa-signature-algo',
+        type : 'combo',
+        choices : [
+            'rsa-sha256',
+            'ml-dsa-65',
+        ],
+        description : 'Select a signature algorithm to sign IPA libraries.')
+
 option('ipas',
         type : 'array',
         choices : ['ipu3', 'mali-c55', 'rkisp1', 'rpi/pisp', 'rpi/vc4', 'simple',
diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build
index 575408b2..cabd1041 100644
--- a/src/libcamera/meson.build
+++ b/src/libcamera/meson.build
@@ -89,14 +89,25 @@  libyaml = dependency('yaml-0.1', default_options : [
 # Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first.
 libcrypto = dependency('gnutls', required : false)
 if libcrypto.found()
+    r = run_command('../../utils/check-algo.sh', 'guntls', get_option('ipa-signature-algo'), check: false)
+    if r.returncode() != 0
+        error('Unsupported signature algorithm (', 'guntls,', get_option('ipa-signature-algo'), ')')
+    endif
     config_h.set('HAVE_GNUTLS', 1)
 else
     libcrypto = dependency('libcrypto', required : false)
     if libcrypto.found()
+            r = run_command('../../utils/check-algo.sh', 'openssl',  get_option('ipa-signature-algo'), check: false)
+            if r.returncode() != 0
+                error('Unsupported signature algorithm. (', 'libcrypto,', get_option('ipa-signature-algo'), ')')
+            endif
         config_h.set('HAVE_CRYPTO', 1)
     endif
 endif
 
+# comply with FIPS 204
+config_h.set('IPA_MODULE_DIR_SIGNATURE_ALGO', '"' + get_option('ipa-signature-algo') + '"')
+
 if not libcrypto.found()
     warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated')
     summary({'IPA modules signed with': 'None (modules will run isolated)'},
diff --git a/src/meson.build b/src/meson.build
index 9b63c8e8..4111f591 100644
--- a/src/meson.build
+++ b/src/meson.build
@@ -19,7 +19,11 @@  openssl = find_program('openssl', required : false)
 if openssl.found()
     ipa_priv_key = custom_target('ipa-priv-key',
                                  output : ['ipa-priv-key.pem'],
-                                 command : [gen_ipa_priv_key, '@OUTPUT@'])
+                                 command : [
+                                    gen_ipa_priv_key,
+                                    get_option('ipa-signature-algo'),
+                                    '@OUTPUT@'
+                                 ])
     config_h.set('HAVE_IPA_PUBKEY', 1)
     ipa_sign_module = true
 else
diff --git a/utils/check-algo.sh b/utils/check-algo.sh
new file mode 100755
index 00000000..2ee6c7cb
--- /dev/null
+++ b/utils/check-algo.sh
@@ -0,0 +1,35 @@ 
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (C) 2026, Red Hat Inc.
+#
+# Author: Kate Hsuan <hpa@redhat.com>
+#
+# Check if the given algorithm is supported by the library
+
+tool="$1"
+algo="$2"
+
+if [ "$algo" = "rsa-sha256" ]; then
+    algo="RSA-SHA256"
+elif [ "$algo" = "ml-dsa-65" ]; then
+    algo="ML-DSA-65"
+else
+    echo "Invalid algorithm: $algo"
+    exit 1
+fi
+
+if [ "$tool" = "guntls" ]; then
+    gnutls-cli -l | grep "$algo" > /dev/null
+    ret=$?
+elif [ "$tool" = "openssl" ]; then
+    openssl list -signature-algorithms |grep ${algo} > /dev/null
+    ret=$?
+else
+    echo "Invalid tool: $tool"
+    exit 1
+fi
+
+if [ $ret -ne 0 ]; then
+    echo "Algorithm $algo is not supported by $tool"
+    exit 1
+fi
diff --git a/utils/gen-ipa-priv-key.sh b/utils/gen-ipa-priv-key.sh
index 2ca7b883..3fc44bcc 100755
--- a/utils/gen-ipa-priv-key.sh
+++ b/utils/gen-ipa-priv-key.sh
@@ -4,8 +4,23 @@ 
 #
 # Author: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
 #
-# Generate an RSA private key to sign IPA modules
+# Generate an private key for the given algorithm to sign IPA modules
 
-key="$1"
+algo="$1"
+key="$2"
 
-openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048
+if [ -e "${key}" ]; then
+    echo "File ${key} already exists. Removing it."
+    rm "${key}"
+fi
+
+# Two possible algorithms: RSA and ML-DSA-65
+
+if [ "$algo" = "rsa-sha256" ]; then
+    openssl genpkey -algorithm RSA -out "${key}"
+elif [ "$algo" = "ml-dsa-65" ]; then
+    openssl genpkey -algorithm ML-DSA-65 -out "${key}"
+else
+    echo "Invalid algorithm: $algo"
+    exit 1
+fi