From patchwork Thu Oct 27 05:55:14 2022
X-Patchwork-Submitter: Nicolas Dufresne via libcamera-devel
X-Patchwork-Id: 17700
X-Patchwork-Original-From: Nicholas Roth via libcamera-devel
From: Nicolas Dufresne via libcamera-devel
Reply-To: libcamera-devel@lists.libcamera.org
Cc: nicholas@rothemail.net
To: libcamera-devel@lists.libcamera.org
Date: Thu, 27 Oct 2022 00:55:14 -0500
Message-Id: <20221027055515.321791-10-nicholas@rothemail.net>
In-Reply-To: <20221027055515.321791-1-nicholas@rothemail.net>
References: <20221027055515.321791-1-nicholas@rothemail.net>
Subject: [libcamera-devel] [PATCH 09/10] ipa: add a flag to disable isolation for Android
X-Mailer: git-send-email 2.34.1
From: Nicholas Roth

Currently, libcamera isolates any IPAs whose signatures cannot be verified. Shared objects are created at build-time, and then signed. The public signing key is embedded in a .cpp file, and libcamera verifies IPA signatures at runtime. When libcamera cannot authenticate an IPA, it runs it out-of-process.

This is problematic on three levels:

* IPA signing fundamentally does not work on Android for vendor modules like HALs (discussed below)
* Executables built to run out-of-process are not ABI-compatible with Android, making isolation infeasible [1]
* Linux phone hardware tends to be low-end because of the FOSS requirement, so the performance hit from out-of-process IPA isolation is significant

IPA signing fundamentally does not work for Android vendor modules: after we "meson install" built .so files to a known location, Android explicitly accesses them in PREBUILT_SHARED_LIBRARY or BUILD_PREBUILT to transform the .so files by stripping symbols, among other things [2]. By modifying prebuilt libraries after we have already signed them, the build system renders our signatures useless on Android.

Android distribution maintainers can use this flag to disable signature verification, which will allow them to use libcamera.

[1] https://github.com/waydroid/waydroid/issues/519
[2] https://cs.android.com/android/platform/superproject/+/master:build/make/core/cc_prebuilt_internal.mk?q=cc_prebuilt_internal

Signed-off-by: Nicholas Roth
---
 meson.build                   |  4 ++++
 meson_options.txt             |  5 +++++
 src/libcamera/ipa_manager.cpp | 11 +++++++++++
 3 files changed, 20 insertions(+)

diff --git a/meson.build b/meson.build
index 56910698..883847ef 100644
--- a/meson.build
+++ b/meson.build
@@ -74,6 +74,10 @@ if cc.has_header_symbol('stdlib.h', 'secure_getenv', prefix : '#define _GNU_SOUR config_h.set('HAVE_SECURE_GETENV', 1) endif +if get_option('allow_unsigned_ipas_in_process') + config_h.set('ALLOW_UNSIGNED_IPAS_IN_PROCESS', 1) +endif + common_arguments = [ '-Wshadow', '-include', meson.current_build_dir() / 'config.h', diff --git a/meson_options.txt b/meson_options.txt index f1d67808..77b21b9a 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -64,3 +64,8 @@ option('pycamera', type : 'feature', value : 'disabled', description : 'Enable libcamera Python bindings (experimental)') + +option('allow_unsigned_ipas_in_process', + type : 'boolean', + value : false, + description : 'Allow unsigned IPAs to run in libcamera\'s address space') diff --git a/src/libcamera/ipa_manager.cpp b/src/libcamera/ipa_manager.cpp index 030ef43f..403cc42a 100644 --- a/src/libcamera/ipa_manager.cpp +++ b/src/libcamera/ipa_manager.cpp @@ -114,6 +114,14 @@ IPAManager::IPAManager() LOG(IPAManager, Warning) << "Public key not valid"; #endif +#if ALLOW_UNSIGNED_IPAS_IN_PROCESS + LOG(IPAManager, Warning) + << "All IPAs running in-process without signature verification." + << " This is recommended only for tightly-managed installs" + << " in contexts where both signature verification and out-of-process" + << " execution are infeasible, such as Android HALs."; +#endif + unsigned int ipaCount = 0; /* User-specified paths take precedence. */ @@ -281,6 +289,9 @@ IPAModule *IPAManager::module(PipelineHandler *pipe, uint32_t minVersion, bool IPAManager::isSignatureValid([[maybe_unused]] IPAModule *ipa) const { +#if ALLOW_UNSIGNED_IPAS_IN_PROCESS + return true; +#endif #if HAVE_IPA_PUBKEY char *force = utils::secure_getenv("LIBCAMERA_IPA_FORCE_ISOLATION"); if (force && force[0] != '\0') {
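Review bot: in the meson_options.txt hunk, the description "Allow unsigned IPAs to run in libcamera's address space" does not say that the option disables signature verification altogether, which is what the ipa_manager.cpp change does, so someone reading `meson configure` output will not see the security downgrade. Suggest wording it as something like "Disable IPA signature verification and run all IPAs in-process (insecure; intended for Android HAL builds where neither signing nor isolation works)".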
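Review bot: in the `isSignatureValid` hunk, the early `return true;` under `#if ALLOW_UNSIGNED_IPAS_IN_PROCESS` is placed before the `LIBCAMERA_IPA_FORCE_ISOLATION` lookup (`char *force = utils::secure_getenv("LIBCAMERA_IPA_FORCE_ISOLATION");`), so on such a build the runtime override is silently ignored and everything after the return in the `HAVE_IPA_PUBKEY` block becomes unreachable. Suggest evaluating the force-isolation variable first and only then returning true for the Android case, or wrapping the remainder of the body in `#else` ... `#endif` so the function has no dead code and the warning logged in the constructor can also mention that the environment override is unavailable.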
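The chain the commit message describes, as an added worked example that is not libcamera code and not from the patch author: sign the module bytes at build time, let an Android-style prebuilt step alter the installed file, then apply the runtime trust decision. The signature scheme (RSA PKCS#1 v1.5 over SHA-256), the made-up byte string standing in for the .so, and `androidPrebuiltTransform` as a stand-in for the symbol-stripping step are all assumptions of this example; `chooseMode` models the in-process/isolated decision with the force-isolation environment variable consulted before the build-time bypass, which is a different ordering from the early return in the patch.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// symtabMarker separates the constructed module's "code" from its "symbol
// table". Both halves are made-up bytes; nothing here parses real ELF.
const symtabMarker = "\n.symtab:"

// buildIPA returns a constructed stand-in for a freshly built IPA .so.
func buildIPA() []byte {
	return []byte("\x7fELF ipa_example.so <code>" + symtabMarker + " ipa_init ipa_process")
}

// signIPA models the build-time step: SHA-256 over the whole module, signed with
// the private build key. PKCS#1 v1.5 is an assumption for this example only.
func signIPA(key *rsa.PrivateKey, module []byte) ([]byte, error) {
	digest := sha256.Sum256(module)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// isSignatureValid models the runtime check against the public key embedded in
// libcamera: true only if the bytes on disk are exactly the bytes that were signed.
func isSignatureValid(pub *rsa.PublicKey, module, sig []byte) bool {
	digest := sha256.Sum256(module)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// androidPrebuiltTransform stands in for what the Android build does to a
// prebuilt library after "meson install" has placed the signed file: here it
// strips the symbol table. Any post-signing byte change has the same effect.
func androidPrebuiltTransform(module []byte) []byte {
	if i := bytes.Index(module, []byte(symtabMarker)); i >= 0 {
		return append([]byte{}, module[:i]...)
	}
	return append([]byte{}, module...)
}

// Mode is where an IPA ends up running.
type Mode int

const (
	InProcess Mode = iota
	Isolated
)

// chooseMode is the trust decision the patch touches. forceIsolation models
// LIBCAMERA_IPA_FORCE_ISOLATION and is consulted before the build-time bypass,
// so an operator of an Android build can still push every IPA out of process.
func chooseMode(signatureOK, allowUnsignedInProcess, forceIsolation bool) Mode {
	if forceIsolation {
		return Isolated
	}
	if signatureOK || allowUnsignedInProcess {
		return InProcess
	}
	return Isolated
}

// Scenario records the verdicts for the module as installed and after the transform.
type Scenario struct {
	InstalledValid, TransformedValid bool
	InstalledMode, TransformedMode   Mode
}

// run executes build -> sign -> install -> Android transform -> runtime check.
func run(allowUnsignedInProcess, forceIsolation bool) (Scenario, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Scenario{}, err
	}
	module := buildIPA()
	sig, err := signIPA(key, module)
	if err != nil {
		return Scenario{}, err
	}
	var s Scenario
	s.InstalledValid = isSignatureValid(&key.PublicKey, module, sig)
	s.InstalledMode = chooseMode(s.InstalledValid, allowUnsignedInProcess, forceIsolation)
	stripped := androidPrebuiltTransform(module)
	s.TransformedValid = isSignatureValid(&key.PublicKey, stripped, sig)
	s.TransformedMode = chooseMode(s.TransformedValid, allowUnsignedInProcess, forceIsolation)
	return s, nil
}

func main() {
	for _, c := range []struct{ allow, force bool }{{false, false}, {true, false}, {true, true}} {
		s, err := run(c.allow, c.force)
		if err != nil {
			panic(err)
		}
		fmt.Printf("allow_unsigned=%v force_isolation=%v: installed valid=%v mode=%v; after transform valid=%v mode=%v\n",
			c.allow, c.force, s.InstalledValid, s.InstalledMode, s.TransformedValid, s.TransformedMode)
	}
}
```

The middle run is the Android case the commit message argues for: the stripped module still fails verification, and only the build flag lets it load in-process. The last run shows why the ordering in `chooseMode` matters: with the flag set, the force-isolation override still wins, which the patch's early return would not allow.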