From patchwork Sun Jul 11 23:15:47 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
X-Patchwork-Id: 12900
Return-Path: <libcamera-devel-bounces@lists.libcamera.org>
X-Original-To: parsemail@patchwork.libcamera.org
Delivered-To: parsemail@patchwork.libcamera.org
Received: from lancelot.ideasonboard.com (lancelot.ideasonboard.com
	[92.243.16.209])
	by patchwork.libcamera.org (Postfix) with ESMTPS id C35E7C3226
	for <parsemail@patchwork.libcamera.org>;
	Sun, 11 Jul 2021 23:16:40 +0000 (UTC)
Received: from lancelot.ideasonboard.com (localhost [IPv6:::1])
	by lancelot.ideasonboard.com (Postfix) with ESMTP id A0CA468528;
	Mon, 12 Jul 2021 01:16:39 +0200 (CEST)
Authentication-Results: lancelot.ideasonboard.com;
	dkim=fail reason="signature verification failed" (1024-bit key;
	unprotected) header.d=ideasonboard.com header.i=@ideasonboard.com
	header.b="Slw09HFW"; dkim-atps=neutral
Received: from perceval.ideasonboard.com (perceval.ideasonboard.com
	[IPv6:2001:4b98:dc2:55:216:3eff:fef7:d647])
	by lancelot.ideasonboard.com (Postfix) with ESMTPS id 50E6268521
	for <libcamera-devel@lists.libcamera.org>;
	Mon, 12 Jul 2021 01:16:38 +0200 (CEST)
Received: from pendragon.lan (62-78-145-57.bb.dnainternet.fi [62.78.145.57])
	by perceval.ideasonboard.com (Postfix) with ESMTPSA id E649A255
	for <libcamera-devel@lists.libcamera.org>;
	Mon, 12 Jul 2021 01:16:37 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;
	s=mail; t=1626045398;
	bh=LztnX5GgerYCOmJNK7HP5SePQGeH+AQAyyjA8SX5j8U=;
	h=From:To:Subject:Date:In-Reply-To:References:From;
	b=Slw09HFWnB2zu83u+fPB6feiuRmXtJ778Q2PrvEPYGqoDGhBKfRmuEVup6UPnjBJ8
	f4tIIhpZ6kKQ0UNhU+KbgdxxKxMs95AY69OTbxnual0h5cnSRymKzL26VeM6EY1AWP
	MPor1jzyJnLa2g80GC02EFIfJyt5qoecO/Sd175M=
From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
To: libcamera-devel@lists.libcamera.org
Date: Mon, 12 Jul 2021 02:15:47 +0300
Message-Id: <20210711231547.19664-4-laurent.pinchart@ideasonboard.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210711231547.19664-1-laurent.pinchart@ideasonboard.com>
References: <20210711231547.19664-1-laurent.pinchart@ideasonboard.com>
MIME-Version: 1.0
Subject: [libcamera-devel] [PATCH 3/3] libcamera: ipa_manager: Allow forcing
	IPA module isolation
X-BeenThere: libcamera-devel@lists.libcamera.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <libcamera-devel.lists.libcamera.org>
List-Unsubscribe: <https://lists.libcamera.org/options/libcamera-devel>,
	<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>
List-Archive: <https://lists.libcamera.org/pipermail/libcamera-devel/>
List-Post: <mailto:libcamera-devel@lists.libcamera.org>
List-Help: <mailto:libcamera-devel-request@lists.libcamera.org?subject=help>
List-Subscribe: <https://lists.libcamera.org/listinfo/libcamera-devel>,
	<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>
Errors-To: libcamera-devel-bounces@lists.libcamera.org
Sender: "libcamera-devel" <libcamera-devel-bounces@lists.libcamera.org>

For test purpose it's useful to run open-source IPA modules in
isolation. This can already be done by deleting the corresponding
signature file, but that method can be inconvenient. Add a way to force
IPA module isolation through a new LIBCAMERA_IPA_FORCE_ISOLATION
environment variable.

Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
Reviewed-by: Paul Elder <paul.elder@ideasonboard.com>
---
 Documentation/environment_variables.rst | 5 +++++
 src/libcamera/ipa_manager.cpp           | 8 ++++++++
 2 files changed, 13 insertions(+)

diff --git a/Documentation/environment_variables.rst b/Documentation/environment_variables.rst
index d392fd26b87a..1e85befd538a 100644
--- a/Documentation/environment_variables.rst
+++ b/Documentation/environment_variables.rst
@@ -24,6 +24,11 @@ LIBCAMERA_IPA_CONFIG_PATH
 
    Example value: ``${HOME}/.libcamera/share/ipa:/opt/libcamera/vendor/share/ipa``
 
+LIBCAMERA_IPA_FORCE_ISOLATION
+   When set to a non-empty string, force process isolation of all IPA modules.
+
+   Example value: ``1``
+
 LIBCAMERA_IPA_MODULE_PATH
    Define custom search locations for IPA modules (`more <IPA module_>`__).
 
diff --git a/src/libcamera/ipa_manager.cpp b/src/libcamera/ipa_manager.cpp
index 9533c8fadea6..028b2ce21779 100644
--- a/src/libcamera/ipa_manager.cpp
+++ b/src/libcamera/ipa_manager.cpp
@@ -276,6 +276,14 @@ IPAModule *IPAManager::module(PipelineHandler *pipe, uint32_t minVersion,
 bool IPAManager::isSignatureValid([[maybe_unused]] IPAModule *ipa) const
 {
 #if HAVE_IPA_PUBKEY
+	char *force = utils::secure_getenv("LIBCAMERA_IPA_FORCE_ISOLATION");
+	if (force && force[0] != '\0') {
+		LOG(IPAManager, Debug)
+			<< "Isolation of IPA module " << ipa->path()
+			<< " forced through environment variable";
+		return false;
+	}
+
 	File file{ ipa->path() };
 	if (!file.open(File::ReadOnly))
 		return false;