From patchwork Fri Oct 28 03:17:25 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Nicolas Dufresne via libcamera-devel
X-Patchwork-Id: 17721
To: libcamera-devel@lists.libcamera.org
Date: Thu, 27 Oct 2022 22:17:25 -0500
Message-Id: <20221028031726.4849-10-nicholas@rothemail.net>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20221028031726.4849-1-nicholas@rothemail.net>
References: <20221027224135.348115-1-nicholas@rothemail.net> <20221028031726.4849-1-nicholas@rothemail.net>
Subject: [libcamera-devel] [PATCH v5 09/10] ipa: add a flag to disable isolation for Android
X-Patchwork-Original-From: Nicholas Roth via libcamera-devel
From: Nicolas Dufresne via libcamera-devel
Reply-To: libcamera-devel@lists.libcamera.org
Cc: nicholas@rothemail.net

From: Nicholas Roth

Currently, libcamera isolates any IPAs whose signatures cannot be verified. Shared objects are created at build-time, and then signed. The public signing key is embedded in a .cpp file, and libcamera verifies IPA signatures at runtime. When libcamera cannot authenticate an IPA, it runs it out-of-process.

This is problematic on three levels:
* IPA signing fundamentally does not work on Android for vendor modules like HALs (discussed below)
* Executables built to run out-of-process are not ABI-compatible with Android, making isolation infeasible [1]
* Linux phone hardware tends to be low-end because of the FOSS requirement, so the performance hit from out-of-process IPA isolation is significant

IPA signing fundamentally does not work for Android vendor modules: After we "meson install" built .so files to a known location, Android explicitly accesses them in PREBUILT_SHARED_LIBRARY or BUILD_PREBUILT to transform the .so files by stripping symbols among other things [2]. By modifying prebuilt libraries after we have already signed them, the build system renders our signatures useless on Android.

Android distribution maintainers can use this flag to disable signature verification, which will allow them to use libcamera.

[1] https://github.com/waydroid/waydroid/issues/519
[2] https://cs.android.com/android/platform/superproject/+/master:build/make/core/cc_prebuilt_internal.mk?q=cc_prebuilt_internal

Signed-off-by: Nicholas Roth
--- meson.build | 4 ++++ meson_options.txt | 5 +++++ src/libcamera/ipa_manager.cpp | 11 +++++++++++ 3 files changed, 20 insertions(+) diff --git a/meson.build b/meson.build index 56910698..883847ef 100644 --- a/meson.build +++ b/meson.build 
@@ -74,6 +74,10 @@ if cc.has_header_symbol('stdlib.h', 'secure_getenv', prefix : '#define _GNU_SOUR config_h.set('HAVE_SECURE_GETENV', 1) endif +if get_option('allow_unsigned_ipas_in_process') + config_h.set('ALLOW_UNSIGNED_IPAS_IN_PROCESS', 1) +endif + common_arguments = [ '-Wshadow', '-include', meson.current_build_dir() / 'config.h', diff --git a/meson_options.txt b/meson_options.txt index f1d67808..77b21b9a 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -64,3 +64,8 @@ option('pycamera', type : 'feature', value : 'disabled', description : 'Enable libcamera Python bindings (experimental)') + +option('allow_unsigned_ipas_in_process', + type : 'boolean', + value : false, + description : 'Allow unsigned IPAs to run in libcamera\'s address space') diff --git a/src/libcamera/ipa_manager.cpp b/src/libcamera/ipa_manager.cpp index 030ef43f..403cc42a 100644 --- a/src/libcamera/ipa_manager.cpp +++ b/src/libcamera/ipa_manager.cpp @@ -114,6 +114,14 @@ IPAManager::IPAManager() LOG(IPAManager, Warning) << "Public key not valid"; #endif +#if ALLOW_UNSIGNED_IPAS_IN_PROCESS + LOG(IPAManager, Warning) + << "All IPAs running in-process without signature verification." + << " This is recommended only for tightly-managed installs" + << " in contexts where both signature verification and out-of-process" + << " execution are infeasible, such as Android HALs."; +#endif + unsigned int ipaCount = 0; /* User-specified paths take precedence. */ @@ -281,6 +289,9 @@ IPAModule *IPAManager::module(PipelineHandler *pipe, uint32_t minVersion, bool IPAManager::isSignatureValid([[maybe_unused]] IPAModule *ipa) const { +#if ALLOW_UNSIGNED_IPAS_IN_PROCESS + return true; +#endif #if HAVE_IPA_PUBKEY char *force = utils::secure_getenv("LIBCAMERA_IPA_FORCE_ISOLATION"); if (force && force[0] != '\0') {
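
Review bot: in the meson.build hunk, the new block sets ALLOW_UNSIGNED_IPAS_IN_PROCESS with no configure-time message, so a build that has signature verification turned off looks the same in the build log as a default one. Suggest adding a meson warning() inside the "if get_option('allow_unsigned_ipas_in_process')" block so the weakened setting is visible when the package is configured, not only in the runtime log.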
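
Review bot: in the meson_options.txt hunk, the description "Allow unsigned IPAs to run in libcamera's address space" understates what the option does. With the isSignatureValid() change in this same patch, the function returns true before any check, so every IPA is loaded in-process, including one that carries a signature which does not verify. Suggest a description that says IPA signature verification is disabled and all IPAs run in-process, so a packager reading the option list sees the real effect.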
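
Review bot: in the IPAManager::IPAManager() hunk, the new warning is placed after the HAVE_IPA_PUBKEY block, so on a build with both macros set the "Public key not valid" warning above it can still be logged even though the key is never consulted. Suggest either skipping the public key check when ALLOW_UNSIGNED_IPAS_IN_PROCESS is set, or stating in the new message that the public key is ignored, so the two warnings do not read as contradictory.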
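
Review bot: in the IPAManager::isSignatureValid() hunk, the unconditional "return true;" sits ahead of the LIBCAMERA_IPA_FORCE_ISOLATION check, so on a build with this option that check is never reached and the HAVE_IPA_PUBKEY code below it is dead. If forcing isolation should remain possible on such builds, move the early return below the force check; otherwise chain the blocks as #if / #elif HAVE_IPA_PUBKEY / #else so only one path is compiled, and document that the environment variable is ignored. A short comment that the function reports "valid" here without verifying anything would also help the next reader.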