[libcamera-devel,00/11] Sign IPA modules instead of checking their advertised license

Message ID 20200404015624.30440-1-laurent.pinchart@ideasonboard.com


Laurent Pinchart April 4, 2020, 1:56 a.m. UTC
Hello,

This patch series is an attempt to fix an issue in the IPA module
isolation policy that the license-based mechanism can't help with.

For security reasons, libcamera isolates IPA modules in a separate
process when they are shipped as unreviewable closed-source binaries. We
only want to allow loading the module in the libcamera process when its
sources can be reviewed.

This policy is enforced by checking the license reported by the module
against a list of open-source licenses. We are aware that vendors could
cheat and advertise an open-source license, but we noticed another issue
more recently: An IPA module could be covered by an open-source license
that doesn't require shipping sources, and be shipped as a closed-source
module only.

This really kills the idea of a license-based mechanism. This patch
series replaces that mechanism with a completely different approach,
based on cryptographic signatures. The libcamera build process generates
a public/private key pair, and the public key is embedded in libcamera.
The private key is used to sign the IPA modules that are part of
libcamera, and is then thrown away. At runtime, libcamera checks the
signature validity to decide whether to isolate the module or not.

The changes introduce a dependency on openssl at build time and on
gnutls at runtime. gnutls was chosen for the simplicity of its API
compared to openssl. Other backends could also be implemented, with
nettle, openssl and libgcrypt being candidates (in order of increasing
complexity).

We will likely need ways to override this mechanism for development
purposes, in both directions (forcing isolation of a signed module, and
allowing unsigned modules to be loaded without isolation). This can be
achieved through a combination of build time options and environment
variables, to give flexibility in policy decisions to system
integrators. We can start discussing such extensions, but I don't think
they need to block merging this series.

Laurent Pinchart (11):
  ipa: vimc: Remove isolated VIMC IPA module
  libcamera: Add IPA module signing infrastructure
  libcamera: Add File helper class
  test: Add File class tests
  libcamera: ipa_module: Simplify error handling in loadIPAModuleInfo()
  libcamera: ipa_module: Use Span class to tie data and size
  libcamera: ipa_module: Load IPA module signature
  libcamera: Add PubKey class
  libcamera: ipa_manager: Embed IPA module signing public key
  libcamera: ipa_manager: Verify IPA module signature
  libcamera: ipa: Remove IPAModuleInfo license field

 include/ipa/ipa_module_info.h       |   1 -
 src/ipa/gen-ipa-priv-key.sh         |   9 +
 src/ipa/ipa-sign.sh                 |  10 +
 src/ipa/meson.build                 |   2 +
 src/ipa/rkisp1/meson.build          |  25 +-
 src/ipa/rkisp1/rkisp1.cpp           |   1 -
 src/ipa/vimc/meson.build            |  30 +--
 src/ipa/vimc/vimc.cpp               |   1 -
 src/libcamera/file.cpp              | 338 ++++++++++++++++++++++++++++
 src/libcamera/gen-ipa-pub-key.py    |  46 ++++
 src/libcamera/include/file.h        |  69 ++++++
 src/libcamera/include/ipa_manager.h |   7 +
 src/libcamera/include/ipa_module.h  |   6 +-
 src/libcamera/include/meson.build   |   2 +
 src/libcamera/include/pub_key.h     |  36 +++
 src/libcamera/ipa_manager.cpp       |  22 +-
 src/libcamera/ipa_module.cpp        | 204 +++++++----------
 src/libcamera/ipa_pub_key.cpp.in    |  20 ++
 src/libcamera/meson.build           |  16 ++
 src/libcamera/pub_key.cpp           |  97 ++++++++
 src/meson.build                     |   5 +
 test/file.cpp                       | 285 +++++++++++++++++++++++
 test/ipa/ipa_module_test.cpp        |   1 -
 test/meson.build                    |   1 +
 24 files changed, 1083 insertions(+), 151 deletions(-)
 create mode 100755 src/ipa/gen-ipa-priv-key.sh
 create mode 100755 src/ipa/ipa-sign.sh
 create mode 100644 src/libcamera/file.cpp
 create mode 100755 src/libcamera/gen-ipa-pub-key.py
 create mode 100644 src/libcamera/include/file.h
 create mode 100644 src/libcamera/include/pub_key.h
 create mode 100644 src/libcamera/ipa_pub_key.cpp.in
 create mode 100644 src/libcamera/pub_key.cpp
 create mode 100644 test/file.cpp
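As an added example that is not part of this series, the three steps the cover letter describes (build-time key pair generation, signing the module with the private key before discarding it, and the runtime placement decision made from the embedded public key) expressed with the openssl CLI. File names, the RSA/SHA-256 choice and the "in-process"/"isolated" labels are assumptions; libcamera itself performs the runtime check with gnutls.

```shell
#!/bin/sh
# Added example, not libcamera's gen-ipa-priv-key.sh / ipa-sign.sh.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build time: generate the key pair and export only the public half,
# which is what gets embedded into libcamera.
gen_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1" 2>/dev/null
    openssl pkey -in "$1" -pubout -out "$2" 2>/dev/null
}

# Build time: detached signature over the module file, stored beside it.
# Usage: sign_module <priv-key.pem> <module>
sign_module() {
    openssl dgst -sha256 -sign "$1" -out "$2.sign" "$2"
}

# Runtime policy: a valid signature means the module is one we built and
# may load in-process; anything else is isolated in a separate process.
# Usage: placement_for <pub-key.pem> <module>
placement_for() {
    if openssl dgst -sha256 -verify "$1" -signature "$2.sign" "$2" \
           >/dev/null 2>&1; then
        echo in-process
    else
        echo isolated
    fi
}

PRIV="$WORK/ipa-priv-key.pem"
PUB="$WORK/ipa-pub-key.pem"
MODULE="$WORK/ipa_vimc.so"

printf 'constructed stand-in for an IPA module\n' > "$MODULE"
gen_keys "$PRIV" "$PUB"
sign_module "$PRIV" "$MODULE"
rm "$PRIV"                                   # private key is thrown away
RESULT_SIGNED=$(placement_for "$PUB" "$MODULE")

# A module altered after signing (or one that was never signed) no
# longer verifies against the embedded public key.
printf 'x' >> "$MODULE"
RESULT_TAMPERED=$(placement_for "$PUB" "$MODULE")
echo "signed: $RESULT_SIGNED, tampered: $RESULT_TAMPERED"
```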