[libcamera-devel,v4,09/10] ipa: add a flag to disable isolation for Android

Message ID 20221027224135.348115-10-nicholas@rothemail.net
State Superseded
Series
  • [libcamera-devel,v4,01/10] ipa: workaround libcxx duration limitation

Commit Message

Nicolas Dufresne via libcamera-devel Oct. 27, 2022, 10:41 p.m. UTC
From: Nicholas Roth <nicholas@rothemail.net>

Currently, libcamera isolates any IPAs whose signatures cannot be
verified. Shared objects are created at build-time, and then signed. The
public signing key is embedded in a .cpp file, and libcamera verifies
IPA signatures at runtime. When libcamera cannot authenticate an IPA, it
runs it out-of-process.

This is problematic on three levels:
* IPA signing fundamentally does not work on Android for vendor modules
  like HALs (discussed below)
* Executables built to run out-of-process are not ABI-compatible with
  Android, making isolation infeasible [1]
* Linux phone hardware tends to be low-end because of the FOSS
  requirement, so the performance hit from out-of-process IPA isolation
  is significant

IPA signing fundamentally does not work for Android vendor modules:
After we "meson install" built .so files to a known location, Android
explicitly accesses them in PREBUILT_SHARED_LIBRARY or BUILD_PREBUILT
to transform the .so files by stripping symbols among other things [2].
By modifying prebuilt libraries after we have already signed them, the
build system renders our signatures useless on Android.

Android distribution maintainers can use this flag to disable signature
verification, which will allow them to use libcamera.

[1] https://github.com/waydroid/waydroid/issues/519
[2] https://cs.android.com/android/platform/superproject/+/master:build/make/core/cc_prebuilt_internal.mk?q=cc_prebuilt_internal

Signed-off-by: Nicholas Roth <nicholas@rothemail.net>
---
 meson.build                   |  4 ++++
 meson_options.txt             |  5 +++++
 src/libcamera/ipa_manager.cpp | 11 +++++++++++
 3 files changed, 20 insertions(+)

Patch

diff --git a/meson.build b/meson.build
index 56910698..883847ef 100644
--- a/meson.build
+++ b/meson.build
@@ -74,6 +74,10 @@  if cc.has_header_symbol('stdlib.h', 'secure_getenv', prefix : '#define _GNU_SOUR
     config_h.set('HAVE_SECURE_GETENV', 1)
 endif
 
+if get_option('allow_unsigned_ipas_in_process')
+    config_h.set('ALLOW_UNSIGNED_IPAS_IN_PROCESS', 1)
+endif
+
 common_arguments = [
     '-Wshadow',
     '-include', meson.current_build_dir() / 'config.h',
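Review bot: a build option that removes a security boundary should be loud at configure time, not only at runtime; consider emitting meson's built-in `warning()` inside the `if get_option('allow_unsigned_ipas_in_process')` block so the downgrade appears in the meson output and in distribution build logs. Also, the `#if ALLOW_UNSIGNED_IPAS_IN_PROCESS` tests in ipa_manager.cpp depend on the macro being absent (and thus evaluating to 0) when the option is off; that matches the HAVE_SECURE_GETENV pattern just above, but `config_h.set10(...)` would make the define always present and avoid -Wundef noise if that warning is ever enabled.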
diff --git a/meson_options.txt b/meson_options.txt
index f1d67808..77b21b9a 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -64,3 +64,8 @@  option('pycamera',
         type : 'feature',
         value : 'disabled',
         description : 'Enable libcamera Python bindings (experimental)')
+
+option('allow_unsigned_ipas_in_process',
+        type : 'boolean',
+        value : false,
+        description : 'Allow unsigned IPAs to run in libcamera\'s address space')
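Review bot: the description understates what the option does. Combined with the unconditional `return true` added to isSignatureValid(), it does not merely allow unsigned IPAs in-process: it disables signature verification for every IPA, signed or not, and bypasses the LIBCAMERA_IPA_FORCE_ISOLATION override. Suggest a description that says so and names the intended audience, e.g. 'Disable IPA signature verification and run all IPAs in-process (Android vendor builds only)'. A name such as 'disable_ipa_signature_verification' would also make the trade-off harder to enable by accident.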
diff --git a/src/libcamera/ipa_manager.cpp b/src/libcamera/ipa_manager.cpp
index 030ef43f..403cc42a 100644
--- a/src/libcamera/ipa_manager.cpp
+++ b/src/libcamera/ipa_manager.cpp
@@ -114,6 +114,14 @@  IPAManager::IPAManager()
 		LOG(IPAManager, Warning) << "Public key not valid";
 #endif
 
+#if ALLOW_UNSIGNED_IPAS_IN_PROCESS
+	LOG(IPAManager, Warning)
+		<< "All IPAs running in-process without signature verification."
+		<< " This is recommended only for tightly-managed installs"
+		<< " in contexts where both signature verification and out-of-process"
+		<< " execution are infeasible, such as Android HALs.";
+#endif
+
 	unsigned int ipaCount = 0;
 
 	/* User-specified paths take precedence. */
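Review bot: the warning should also tell the operator that LIBCAMERA_IPA_FORCE_ISOLATION has no effect in this build, since the early `return true` in isSignatureValid() precedes that environment check. Style-wise, the message could be a single sentence stating the fact ("IPA signature verification disabled at build time; all IPAs run in-process"); the rationale about Android HALs belongs in the option description and the commit message rather than in every process's log.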
@@ -281,6 +289,9 @@  IPAModule *IPAManager::module(PipelineHandler *pipe, uint32_t minVersion,
 
 bool IPAManager::isSignatureValid([[maybe_unused]] IPAModule *ipa) const
 {
+#if ALLOW_UNSIGNED_IPAS_IN_PROCESS
+	return true;
+#endif
 #if HAVE_IPA_PUBKEY
 	char *force = utils::secure_getenv("LIBCAMERA_IPA_FORCE_ISOLATION");
 	if (force && force[0] != '\0') {
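Review bot: the early `return true` sits above the LIBCAMERA_IPA_FORCE_ISOLATION check, so with the option enabled a user can no longer force out-of-process execution for debugging or as defence in depth, and everything after `#endif` becomes unreachable (clang's -Wunreachable-code will flag it). If the intent is only to skip the cryptographic check, move the `#if ALLOW_UNSIGNED_IPAS_IN_PROCESS` block below the `force` test, or restructure the function as `#if ... #else ... #endif` so the environment override is still honoured and there is a single, reachable exit path.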