From patchwork Mon Aug  8 23:08:33 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
X-Patchwork-Id: 17035
Return-Path: <libcamera-devel-bounces@lists.libcamera.org>
X-Original-To: parsemail@patchwork.libcamera.org
Delivered-To: parsemail@patchwork.libcamera.org
Received: from lancelot.ideasonboard.com (lancelot.ideasonboard.com
	[92.243.16.209])
	by patchwork.libcamera.org (Postfix) with ESMTPS id 2EFBDC3272
	for <parsemail@patchwork.libcamera.org>;
	Mon,  8 Aug 2022 23:08:52 +0000 (UTC)
Received: from lancelot.ideasonboard.com (localhost [IPv6:::1])
	by lancelot.ideasonboard.com (Postfix) with ESMTP id E631F63335;
	Tue,  9 Aug 2022 01:08:51 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=libcamera.org;
	s=mail; t=1660000131;
	bh=I0nOdXe8I8/IfijM5XsxJ3QWb+s+Q6YbCvLOOYcDfbo=;
	h=To:Date:In-Reply-To:References:Subject:List-Id:List-Unsubscribe:
	List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:
	From;
	b=fkEIKavjXbEAseXaVf18Xt0CA673IEx+70/ZiVnpVlGOPPCmHzgpWBd/H201p3lC2
	CFT78E0cajP+f6OUjTKG8iZKzhlfhgODslvoS3dIZikafnYFREdVSat5XhB57wNREm
	aHmWMAdgfJUsar4GFVmRKwzI9aKygsWdwMDqYEwfya0aLNMcyAmp8TiQZXyWQlqReD
	Ddm7P71GOdBqCS3szgIpFliPDuB8v+SpbZHrb7XleyqdKDJQjdUbXrNHHN1PGzr5hG
	kP/sP0Jeje0TPekkbD/A5t+v2g78mqY6gWG/OUeD2Z3WRnrnztu9xRRL2d7iD56lbJ
	cRwaj0PfqpV0A==
Received: from perceval.ideasonboard.com (perceval.ideasonboard.com
	[213.167.242.64])
	by lancelot.ideasonboard.com (Postfix) with ESMTPS id 53BAA63331
	for <libcamera-devel@lists.libcamera.org>;
	Tue,  9 Aug 2022 01:08:49 +0200 (CEST)
Authentication-Results: lancelot.ideasonboard.com; dkim=pass (1024-bit key;
	unprotected) header.d=ideasonboard.com
	header.i=@ideasonboard.com
	header.b="cPpXg7DY"; dkim-atps=neutral
Received: from pendragon.ideasonboard.com (62-78-145-57.bb.dnainternet.fi
	[62.78.145.57])
	by perceval.ideasonboard.com (Postfix) with ESMTPSA id D1884481;
	Tue,  9 Aug 2022 01:08:48 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;
	s=mail; t=1660000129;
	bh=I0nOdXe8I8/IfijM5XsxJ3QWb+s+Q6YbCvLOOYcDfbo=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=cPpXg7DYkwO+xL5Ubj52H8zp00Zs6OK+hczczAdzV4ugCu6w7tS2UX4DvtAy113pX
	XexVn5jdU0IJOX6MzorB/YaOumKtPJubr47j8F0RJz1Rq0JEsXPs3t9T8a9ivdZU4V
	Ht8NnaaPsLcKqQmjPGRI+YOtjPbpHRe6YpvlbPdw=
To: libcamera-devel@lists.libcamera.org
Date: Tue,  9 Aug 2022 02:08:33 +0300
Message-Id: <20220808230833.16275-5-laurent.pinchart@ideasonboard.com>
X-Mailer: git-send-email 2.35.1
In-Reply-To: <20220808230833.16275-1-laurent.pinchart@ideasonboard.com>
References: <20220808230833.16275-1-laurent.pinchart@ideasonboard.com>
MIME-Version: 1.0
Subject: [libcamera-devel] [PATCH v2 4/4] libcamera: Make IPA module signing
	recommended instead of mandatory
X-BeenThere: libcamera-devel@lists.libcamera.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <libcamera-devel.lists.libcamera.org>
List-Unsubscribe: <https://lists.libcamera.org/options/libcamera-devel>,
	<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>
List-Archive: <https://lists.libcamera.org/pipermail/libcamera-devel/>
List-Post: <mailto:libcamera-devel@lists.libcamera.org>
List-Help: <mailto:libcamera-devel-request@lists.libcamera.org?subject=help>
List-Subscribe: <https://lists.libcamera.org/listinfo/libcamera-devel>,
	<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>
X-Patchwork-Original-From: Laurent Pinchart via libcamera-devel
	<libcamera-devel@lists.libcamera.org>
From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reply-To: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Errors-To: libcamera-devel-bounces@lists.libcamera.org
Sender: "libcamera-devel" <libcamera-devel-bounces@lists.libcamera.org>

Commit b382f67c833d ("libcamera: Make IPA module signing mandatory for
the meantime") made openssl and gnutls dependencies mandatory to work
around the lack of proper IPA module isolation support, which broke
operation without module signatures. This has now been fixed, so IPA
module isolation isn't strictly required anymore.

There are few use cases for disabling module signing completely, given
that the openssl or gnutls dependencies are available on the vast
majority of systems and the overheard introduced by isolating all IPA
modules when signatures are not available is better avoided.
Nonetheless, libcamera should operate properly with forced IPA module
isolation, so we can support those use cases.

Adopt a middle-ground approach to avoid unintentional isolation by
documenting the dependencies as recommended, and warn at meson setup
time if they are not found.

Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Eric Curtin <ecurtin@redhat.com>
Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
---
 README.rst                |  5 ++++-
 src/libcamera/meson.build | 10 ++++++++--
 src/meson.build           |  3 ++-
 3 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/README.rst b/README.rst
index 3bf4685b0e15..e9dd4207ae55 100644
--- a/README.rst
+++ b/README.rst
@@ -60,9 +60,12 @@ Meson Build system: [required]
 for the libcamera core: [required]
         libyaml-dev python3-yaml python3-ply python3-jinja2
 
-for IPA module signing: [required]
+for IPA module signing: [recommended]
         Either libgnutls28-dev or libssl-dev, openssl
 
+        Without IPA module signing, all IPA modules will be isolated in a
+        separate process. This adds an unnecessary extra overhead at runtime.
+
 for improved debugging: [optional]
         libdw-dev libunwind-dev
 
diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build
index 401fc498cfbc..0efa8fd5df7f 100644
--- a/src/libcamera/meson.build
+++ b/src/libcamera/meson.build
@@ -73,8 +73,14 @@ libcrypto = dependency('gnutls2', required : false)
 if libcrypto.found()
     config_h.set('HAVE_GNUTLS', 1)
 else
-    libcrypto = dependency('libcrypto', required : true)
-    config_h.set('HAVE_CRYPTO', 1)
+    libcrypto = dependency('libcrypto', required : false)
+    if libcrypto.found()
+        config_h.set('HAVE_CRYPTO', 1)
+    endif
+endif
+
+if not libcrypto.found()
+    warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated')
 endif
 
 if liblttng.found()
diff --git a/src/meson.build b/src/meson.build
index 34663a6f134d..f37c44ca9f60 100644
--- a/src/meson.build
+++ b/src/meson.build
@@ -14,7 +14,7 @@ summary({
          }, section : 'Paths')
 
 # Module Signing
-openssl = find_program('openssl', required : true)
+openssl = find_program('openssl', required : false)
 if openssl.found()
     ipa_priv_key = custom_target('ipa-priv-key',
                                  output : ['ipa-priv-key.pem'],
@@ -22,6 +22,7 @@ if openssl.found()
     config_h.set('HAVE_IPA_PUBKEY', 1)
     ipa_sign_module = true
 else
+    warning('openssl not found, all IPA modules will be isolated')
     ipa_sign_module = false
 endif