From: Laurent Pinchart
To: libcamera-devel@lists.libcamera.org
Date: Tue, 9 Aug 2022 02:08:29 +0300
Message-Id: <20220808230833.16275-1-laurent.pinchart@ideasonboard.com>
Subject: [libcamera-devel] [PATCH v2 0/4] libcamera: Support openssl as an alternative to gnutls
X-Patchwork-Submitter: Laurent Pinchart
X-Patchwork-Id: 17031

Hello,

This small patch series adds support for openssl as an alternative to
gnutls to verify the signature of IPA modules.

Compared to v1, I have reorganized the series to move the most
controversial part - making the dependency on crypto libraries optional -
on top, in patch 4/4 (previously 1/5 and 2/5, squashed together) to allow
discussions to continue without blocking the other patches. Patch 4/4,
which adds libcrypto support, has been modified to not use APIs that are
deprecated in OpenSSL 3.0, to support Fedora 36.

The dependency on crypto libraries was optional, before we realized that
missing IPA protocol serialization made it effectively required in
practice. Serialization is now there, so module signature support can be
made optional again. This could possibly cause issues for some users who
may not notice the missing dependency and wonder why IPA modules run
isolated (although that should be a fully supported configuration). To
address this, I've documented module signing as recommended in README.md
(patch 4/4), and emit a warning at meson setup time when the dependencies
are not found. We however all know how often both documentation and
warnings are overlooked. If anyone thinks this is a bad idea, I can drop
(or modify) patch 4/4.

For the rest of the series, please see individual patches.

Eric, would you be able to test this on Fedora 36 to check if it fixes
the compilation issues you've reported?

Laurent Pinchart (4):
  libcamera: meson: Use dependency() to find gnutls
  libcamera: pub_key: Gracefully handle failures to load public key
  libcamera: pub_key: Support openssl as an alternative to gnutls
  libcamera: Make IPA module signing recommended instead of mandatory

 README.rst                           |  7 ++--
 include/libcamera/internal/pub_key.h |  8 +++--
 src/libcamera/ipa_manager.cpp        |  3 ++
 src/libcamera/meson.build            | 16 +++++++--
 src/libcamera/pub_key.cpp            | 50 +++++++++++++++++++++++++---
 src/meson.build                      |  3 +-
 6 files changed, 75 insertions(+), 12 deletions(-)

base-commit: fe8941d7d61bd22ed66e5b5615e931c68fdf9bfa

Tested-by: Eric Curtin