From patchwork Sun Oct 30 23:04:58 2022
X-Patchwork-Submitter: Nicholas Roth
X-Patchwork-Id: 17732
To: libcamera-devel@lists.libcamera.org
Date: Sun, 30 Oct 2022 18:04:58 -0500
Message-Id: <20221030230500.74842-4-nicholas@rothemail.net>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20221030230500.74842-1-nicholas@rothemail.net>
References: <20221030230500.74842-1-nicholas@rothemail.net>
Subject: [libcamera-devel] [PATCH v6 3/5] ipa: add a flag to disable isolation for Android
From: Nicholas Roth
Cc: Nicholas Roth

Currently, libcamera isolates any IPAs whose signatures cannot be verified. Shared objects are created at build-time, and then signed. The public signing key is embedded in a .cpp file, and libcamera verifies IPA signatures at runtime. When libcamera cannot authenticate an IPA, it runs it out-of-process.

This is problematic on three levels:

* IPA signing fundamentally does not work on Android for vendor modules like HALs (discussed below)
* Executables built to run out-of-process are not ABI-compatible with Android, making isolation infeasible [1]
* Linux phone hardware tends to be low-end because of the FOSS requirement, so the performance hit from out-of-process IPA isolation is significant

IPA signing fundamentally does not work for Android vendor modules: After we "meson install" built .so files to a known location, Android explicitly accesses them in PREBUILT_SHARED_LIBRARY or BUILD_PREBUILT to transform the .so files by stripping symbols among other things [2]. By modifying prebuilt libraries after we have already signed them, the build system renders our signatures useless on Android.

Android distribution maintainers can use this flag to disable signature verification, which will allow them to use libcamera.

[1] https://github.com/waydroid/waydroid/issues/519
[2] https://cs.android.com/android/platform/superproject/+/master:build/make/core/cc_prebuilt_internal.mk?q=cc_prebuilt_internal

Signed-off-by: Nicholas Roth
---
 meson.build                   |  4 ++++
 meson_options.txt             |  5 +++++
 src/libcamera/ipa_manager.cpp | 11 +++++++++++
 3 files changed, 20 insertions(+)

diff --git a/meson.build b/meson.build index f218b8c2..917d0ae4 100644 --- a/meson.build +++ b/meson.build
@@ -76,6 +76,10 @@ if cc.has_header_symbol('stdlib.h', 'secure_getenv', prefix : '#define _GNU_SOUR config_h.set('HAVE_SECURE_GETENV', 1) endif +if get_option('allow_unsigned_ipas_in_process') + config_h.set('ALLOW_UNSIGNED_IPAS_IN_PROCESS', 1) +endif + common_arguments = [ '-Wshadow', '-include', meson.current_build_dir() / 'config.h', diff --git a/meson_options.txt b/meson_options.txt index f1d67808..77b21b9a 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -64,3 +64,8 @@ option('pycamera', type : 'feature', value : 'disabled', description : 'Enable libcamera Python bindings (experimental)') + +option('allow_unsigned_ipas_in_process', + type : 'boolean', + value : false, + description : 'Allow unsigned IPAs to run in libcamera\'s address space') diff --git a/src/libcamera/ipa_manager.cpp b/src/libcamera/ipa_manager.cpp index 030ef43f..403cc42a 100644 --- a/src/libcamera/ipa_manager.cpp +++ b/src/libcamera/ipa_manager.cpp @@ -114,6 +114,14 @@ IPAManager::IPAManager() LOG(IPAManager, Warning) << "Public key not valid"; #endif +#if ALLOW_UNSIGNED_IPAS_IN_PROCESS + LOG(IPAManager, Warning) + << "All IPAs running in-process without signature verification." + << " This is recommended only for tightly-managed installs" + << " in contexts where both signature verification and out-of-process" + << " execution are infeasible, such as Android HALs."; +#endif + unsigned int ipaCount = 0; /* User-specified paths take precedence. */ @@ -281,6 +289,9 @@ IPAModule *IPAManager::module(PipelineHandler *pipe, uint32_t minVersion, bool IPAManager::isSignatureValid([[maybe_unused]] IPAModule *ipa) const { +#if ALLOW_UNSIGNED_IPAS_IN_PROCESS + return true; +#endif #if HAVE_IPA_PUBKEY char *force = utils::secure_getenv("LIBCAMERA_IPA_FORCE_ISOLATION"); if (force && force[0] != '\0') {
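Review bot: the meson.build hunk defines ALLOW_UNSIGNED_IPAS_IN_PROCESS only when the option is enabled, so the `#if ALLOW_UNSIGNED_IPAS_IN_PROCESS` tests in ipa_manager.cpp rely on an undefined macro evaluating to 0 when it is off; that mirrors how HAVE_IPA_PUBKEY is handled, but adding `config_h.set('ALLOW_UNSIGNED_IPAS_IN_PROCESS', 0)` in an `else` branch (or using `#ifdef` at the use sites) keeps a -Wundef build clean. Because this option removes a security control, it is also worth printing it in the configure-time summary so a packager cannot enable it unnoticed.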
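Review bot: the meson_options.txt description understates the effect of the option: with it enabled, isSignatureValid() returns true unconditionally, so the flag does not merely "allow" unsigned IPAs in-process, it disables signature verification for every IPA. A description along the lines of 'Disable IPA signature verification and run all IPAs in-process (insecure; intended for Android where isolation is infeasible)' tells the packager what they are opting into. The `value : false` default is the right choice.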
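Review bot: the warning added to the IPAManager constructor is emitted once per process, even when no IPA is ever loaded, and does not identify which modules were accepted without verification; consider logging the module path at the point where an unsigned IPA is accepted as well, so an operator reading the log can tell which code ran unverified in libcamera's address space. Placing the block between the HAVE_IPA_PUBKEY `#endif` and `unsigned int ipaCount = 0;` matches the surrounding style.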
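Review bot: in the isSignatureValid() hunk the unconditional `return true;` is placed before the `LIBCAMERA_IPA_FORCE_ISOLATION` check, so with the option enabled that environment variable is silently ignored and forced isolation can no longer be requested, even for debugging. If that is intended, the commit message and the option description should say so; otherwise move the `#if ALLOW_UNSIGNED_IPAS_IN_PROCESS` block below the `force` check. The early return also leaves the remainder of the function compiled but unreachable; wrapping the existing body in `#else ... #endif` makes the two modes visibly exclusive and avoids unreachable-code warnings.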
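The failure mode the commit message describes (a signature made at build time that no longer matches the installed file after the build system rewrites it), as an added shell example that is not part of this patch or of libcamera's own signing script: it signs a constructed stand-in for an IPA .so with a detached openssl signature, verifies it, rewrites the file as a post-install step would, and checks again. It assumes openssl is on PATH; the key pair and file contents are throwaway values constructed here.

```shell
#!/bin/sh
# Added example, not libcamera code: show that post-processing an already
# signed shared object invalidates its detached signature.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/ipa-priv.pem"   # constructed throwaway key, not a real signing key
PUB="$WORK/ipa-pub.pem"
IPA="$WORK/ipa_fake.so"    # stand-in for a built IPA shared object
SIG="$IPA.sign"

# Throwaway RSA key pair for the demonstration only.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$KEY" >/dev/null 2>&1
openssl pkey -in "$KEY" -pubout -out "$PUB" 2>/dev/null

# Constructed bytes standing in for the .so as produced by "meson install".
printf 'ELF-like payload with .symtab and debug sections\n' > "$IPA"

# sign_ipa: detached SHA-256 signature over the current file bytes.
sign_ipa() { openssl dgst -sha256 -sign "$KEY" -out "$SIG" "$IPA"; }

# verify_ipa: exit 0 only if the signature matches the file as it is now.
verify_ipa() {
	openssl dgst -sha256 -verify "$PUB" -signature "$SIG" "$IPA" >/dev/null 2>&1
}

# signature_state: "valid" or "invalid", for logging and for the checks below.
signature_state() { if verify_ipa; then echo valid; else echo invalid; fi; }

# post_process_ipa: stands in for Android's prebuilt handling (symbol stripping
# and similar rewrites); any change to the bytes is enough, so we append a line.
post_process_ipa() { printf 'rewritten by the prebuilt step\n' >> "$IPA"; }

sign_ipa
echo "fresh build:          signature $(signature_state)"
post_process_ipa
echo "after post-processing: signature $(signature_state)"
```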