From patchwork Sat Apr 4 01:56:13 2020
From: Laurent Pinchart
To: libcamera-devel@lists.libcamera.org
Date: Sat, 4 Apr 2020 04:56:13 +0300
Message-Id: <20200404015624.30440-1-laurent.pinchart@ideasonboard.com>
Subject: [libcamera-devel] [PATCH 00/11] Sign IPA modules instead of checking their advertised license

Hello,

This patch series is an attempt to fix an issue in the IPA module isolation policy that the license-based mechanism can't help with. For security reasons, libcamera isolates IPA modules in a separate process when they are shipped as unreviewable closed-source binaries.
We only want to allow loading the module in the libcamera process when its sources can be reviewed. This policy is enforced by checking the license reported by the module against a list of open-source licenses. We are aware that vendors could cheat and advertise an open-source license, but we noticed another issue more recently: an IPA module could be covered by an open-source license that doesn't require shipping sources, and be shipped as a closed-source module only. This really kills the idea of a license-based mechanism.

This patch series replaces that mechanism with a completely different approach, based on cryptographic signatures. The libcamera build process generates a public/private key pair, and the public key is embedded in libcamera. The private key is used to sign the IPA modules that are part of libcamera, and is then thrown away. At runtime, libcamera checks the signature validity to decide whether to isolate the module or not.

The changes introduce a dependency on openssl at build time and on gnutls at runtime. gnutls was chosen for the simplicity of its API compared to openssl. Other backends could also be implemented, with nettle, openssl and libgcrypt being candidates (in order of increasing complexity).

We will likely need ways to override this mechanism for development purposes, in both directions (forcing isolation of a signed module, and allowing unsigned modules to be loaded without isolation). This can be achieved through a combination of build time options and environment variables, to give flexibility in policy decisions to system integrators. We can start discussing such extensions, but I don't think they need to block merging this series.
Laurent Pinchart (11):
  ipa: vimc: Remove isolated VIMC IPA module
  libcamera: Add IPA module signing infrastructure
  libcamera: Add File helper class
  test: Add File class tests
  libcamera: ipa_module: Simplify error handling in loadIPAModuleInfo()
  libcamera: ipa_module: Use Span class to tie data and size
  libcamera: ipa_module: Load IPA module signature
  libcamera: Add PubKey class
  libcamera: ipa_manager: Embed IPA module signing public key
  libcamera: ipa_manager: Verify IPA module signature
  libcamera: ipa: Remove IPAModuleInfo license field

 include/ipa/ipa_module_info.h       |   1 -
 src/ipa/gen-ipa-priv-key.sh         |   9 +
 src/ipa/ipa-sign.sh                 |  10 +
 src/ipa/meson.build                 |   2 +
 src/ipa/rkisp1/meson.build          |  25 +-
 src/ipa/rkisp1/rkisp1.cpp           |   1 -
 src/ipa/vimc/meson.build            |  30 +--
 src/ipa/vimc/vimc.cpp               |   1 -
 src/libcamera/file.cpp              | 338 ++++++++++++++++++++++++++++
 src/libcamera/gen-ipa-pub-key.py    |  46 ++++
 src/libcamera/include/file.h        |  69 ++++++
 src/libcamera/include/ipa_manager.h |   7 +
 src/libcamera/include/ipa_module.h  |   6 +-
 src/libcamera/include/meson.build   |   2 +
 src/libcamera/include/pub_key.h     |  36 +++
 src/libcamera/ipa_manager.cpp       |  22 +-
 src/libcamera/ipa_module.cpp        | 204 +++++++----------
 src/libcamera/ipa_pub_key.cpp.in    |  20 ++
 src/libcamera/meson.build           |  16 ++
 src/libcamera/pub_key.cpp           |  97 ++++++++
 src/meson.build                     |   5 +
 test/file.cpp                       | 285 +++++++++++++++++++++++
 test/ipa/ipa_module_test.cpp        |   1 -
 test/meson.build                    |   1 +
 24 files changed, 1083 insertions(+), 151 deletions(-)
 create mode 100755 src/ipa/gen-ipa-priv-key.sh
 create mode 100755 src/ipa/ipa-sign.sh
 create mode 100644 src/libcamera/file.cpp
 create mode 100755 src/libcamera/gen-ipa-pub-key.py
 create mode 100644 src/libcamera/include/file.h
 create mode 100644 src/libcamera/include/pub_key.h
 create mode 100644 src/libcamera/ipa_pub_key.cpp.in
 create mode 100644 src/libcamera/pub_key.cpp
 create mode 100644 test/file.cpp
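The flow the cover letter describes, as an added shell example that is not libcamera's own gen-ipa-priv-key.sh or ipa-sign.sh: a key pair is generated at build time, the modules are signed with the private key, the private key is discarded, and at "runtime" only the public key is used to decide whether a module may be loaded in-process or must be isolated. The RSA/SHA-256 choice, the detached `.sign` file name and the `isolation_policy` helper are assumptions for this example; the sample modules are plain files standing in for `.so` binaries.

```shell
#!/bin/sh
# Added example, not libcamera code. Key algorithm, file names and helper
# names are assumptions; sample modules below are constructed stand-ins.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build time: generate a key pair, keep the public half for embedding.
gen_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/priv.pem" 2>/dev/null
    openssl pkey -in "$WORK/priv.pem" -pubout -out "$WORK/pub.pem" 2>/dev/null
}

# Build time: produce a detached signature next to the module.
sign_module() {
    openssl dgst -sha256 -sign "$WORK/priv.pem" -out "$1.sign" "$1"
}

# Runtime: check the module against the embedded public key only.
# Exit status 0 means the signature is valid; anything else means isolate.
verify_module() {
    [ -f "$1.sign" ] || return 1
    openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$1.sign" "$1" \
        >/dev/null 2>&1
}

# Prints the isolation decision for one module: "in-process" or "isolated".
isolation_policy() {
    if verify_module "$1"; then echo in-process; else echo isolated; fi
}

# Constructed sample modules.
printf 'vendor IPA module v1\n' > "$WORK/ipa_good.so"
printf 'unsigned IPA module\n' > "$WORK/ipa_unsigned.so"

gen_keys
sign_module "$WORK/ipa_good.so"
rm -f "$WORK/priv.pem"    # private key is thrown away after signing

# A signed module altered after signing must fail verification.
cp "$WORK/ipa_good.so" "$WORK/ipa_tampered.so"
cp "$WORK/ipa_good.so.sign" "$WORK/ipa_tampered.so.sign"
printf 'patched\n' >> "$WORK/ipa_tampered.so"

for m in ipa_good ipa_unsigned ipa_tampered; do
    echo "$m: $(isolation_policy "$WORK/$m.so")"
done
```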