From patchwork Thu Oct 27 22:41:34 2022
X-Patchwork-Submitter: Nicolas Dufresne via libcamera-devel
X-Patchwork-Id: 17710
X-Patchwork-Original-From: Nicholas Roth via libcamera-devel
From: Nicolas Dufresne via libcamera-devel
Reply-To: libcamera-devel@lists.libcamera.org
To: libcamera-devel@lists.libcamera.org
Cc: nicholas@rothemail.net
Date: Thu, 27 Oct 2022 17:41:34 -0500
Message-Id: <20221027224135.348115-10-nicholas@rothemail.net>
In-Reply-To: <20221027224135.348115-1-nicholas@rothemail.net>
References: <20221027224135.348115-1-nicholas@rothemail.net>
Subject: [libcamera-devel] [PATCH v4 09/10] ipa: add a flag to disable isolation for Android
X-Mailer: git-send-email 2.34.1
From: Nicholas Roth

Currently, libcamera isolates any IPAs whose signatures cannot be verified. Shared objects are created at build-time, and then signed. The public signing key is embedded in a .cpp file, and libcamera verifies IPA signatures at runtime. When libcamera cannot authenticate an IPA, it runs it out-of-process.

This is problematic on three levels:

* IPA signing fundamentally does not work on Android for vendor modules like HALs (discussed below)
* Executables built to run out-of-process are not ABI-compatible with Android, making isolation infeasible [1]
* Linux phone hardware tends to be low-end because of the FOSS requirement, so the performance hit from out-of-process IPA isolation is significant

IPA signing fundamentally does not work for Android vendor modules: After we "meson install" built .so files to a known location, Android explicitly accesses them in PREBUILT_SHARED_LIBRARY or BUILD_PREBUILT to transform the .so files by stripping symbols among other things [2]. By modifying prebuilt libraries after we have already signed them, the build system renders our signatures useless on Android.

Android distribution maintainers can use this flag to disable signature verification, which will allow them to use libcamera.

[1] https://github.com/waydroid/waydroid/issues/519
[2] https://cs.android.com/android/platform/superproject/+/master:build/make/core/cc_prebuilt_internal.mk?q=cc_prebuilt_internal

Signed-off-by: Nicholas Roth
---
 meson.build                   |  4 ++++
 meson_options.txt             |  5 +++++
 src/libcamera/ipa_manager.cpp | 11 +++++++++++
 3 files changed, 20 insertions(+)

diff --git a/meson.build b/meson.build
index 56910698..883847ef 100644
--- a/meson.build
+++ b/meson.build
@@ -74,6 +74,10 @@ if cc.has_header_symbol('stdlib.h', 'secure_getenv', prefix : '#define _GNU_SOUR config_h.set('HAVE_SECURE_GETENV', 1) endif +if get_option('allow_unsigned_ipas_in_process') + config_h.set('ALLOW_UNSIGNED_IPAS_IN_PROCESS', 1) +endif + common_arguments = [ '-Wshadow', '-include', meson.current_build_dir() / 'config.h', diff --git a/meson_options.txt b/meson_options.txt index f1d67808..77b21b9a 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -64,3 +64,8 @@ option('pycamera', type : 'feature', value : 'disabled', description : 'Enable libcamera Python bindings (experimental)') + +option('allow_unsigned_ipas_in_process', + type : 'boolean', + value : false, + description : 'Allow unsigned IPAs to run in libcamera\'s address space') diff --git a/src/libcamera/ipa_manager.cpp b/src/libcamera/ipa_manager.cpp index 030ef43f..403cc42a 100644 --- a/src/libcamera/ipa_manager.cpp +++ b/src/libcamera/ipa_manager.cpp @@ -114,6 +114,14 @@ IPAManager::IPAManager() LOG(IPAManager, Warning) << "Public key not valid"; #endif +#if ALLOW_UNSIGNED_IPAS_IN_PROCESS + LOG(IPAManager, Warning) + << "All IPAs running in-process without signature verification." + << " This is recommended only for tightly-managed installs" + << " in contexts where both signature verification and out-of-process" + << " execution are infeasible, such as Android HALs."; +#endif + unsigned int ipaCount = 0; /* User-specified paths take precedence. */ @@ -281,6 +289,9 @@ IPAModule *IPAManager::module(PipelineHandler *pipe, uint32_t minVersion, bool IPAManager::isSignatureValid([[maybe_unused]] IPAModule *ipa) const { +#if ALLOW_UNSIGNED_IPAS_IN_PROCESS + return true; +#endif #if HAVE_IPA_PUBKEY char *force = utils::secure_getenv("LIBCAMERA_IPA_FORCE_ISOLATION"); if (force && force[0] != '\0') {
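Review bot: in the meson.build hunk, `config_h.set('ALLOW_UNSIGNED_IPAS_IN_PROCESS', 1)` runs only when the option is enabled, so a default build relies on the preprocessor treating the undefined macro as 0 in `#if ALLOW_UNSIGNED_IPAS_IN_PROCESS`; that mirrors the existing `HAVE_SECURE_GETENV` pattern and is consistent, but because this option removes a security boundary, consider also calling Meson's `warning()` inside the new `if` block so the configure log records that IPA signature verification was built out, rather than relying only on the runtime log line.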
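Review bot: the description in the meson_options.txt hunk, 'Allow unsigned IPAs to run in libcamera\'s address space', understates what the ipa_manager.cpp hunk does: `isSignatureValid()` returns true unconditionally, so verification is skipped for every IPA, signed or not, not merely for unsigned ones. Suggest a description that states the actual effect, e.g. 'Disable IPA signature verification and run all IPAs in-process (for Android HAL builds where isolation is not possible)', so a packager reading `meson configure` output sees the security implication.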
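Review bot: the warning added in `IPAManager::IPAManager()` should name the build option responsible, e.g. "... verification disabled at build time (allow_unsigned_ipas_in_process)", so someone reading a device log can trace the message to a deliberate build configuration; as written the text only describes the effect. "This is recommended only for tightly-managed installs ..." also reads as advice rather than a statement of the build's state; a short factual line is more useful in a log.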
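Review bot: in the `isSignatureValid()` hunk the early `return true;` is placed before the `LIBCAMERA_IPA_FORCE_ISOLATION` check, so in builds with this option the environment variable can no longer force isolation (the commit message does not mention losing that escape hatch), and every statement after the `#endif` becomes unreachable code, which some compilers flag. Either move the `#if ALLOW_UNSIGNED_IPAS_IN_PROCESS` block after the force-isolation check, or wrap the existing body in `#else ... #endif` so the dead path is compiled out rather than left behind the unconditional return.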