@@ -46,6 +46,14 @@ option('gstreamer',
value : 'auto',
description : 'Compile libcamera GStreamer plugin')
+option('ipa-signature-algo',
+ type : 'combo',
+ choices : [
+ 'rsa-sha256',
+ 'ml-dsa-65',
+ ],
+ description : 'Select a signature algorithm to sign IPA libraries.')
+
option('ipas',
type : 'array',
choices : ['ipu3', 'mali-c55', 'rkisp1', 'rpi/pisp', 'rpi/vc4', 'simple',
@@ -89,14 +89,26 @@ libyaml = dependency('yaml-0.1', default_options : [
# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first.
libcrypto = dependency('gnutls', required : false)
if libcrypto.found()
+ crypto_library = 'gnutls'
config_h.set('HAVE_GNUTLS', 1)
else
libcrypto = dependency('libcrypto', required : false)
if libcrypto.found()
+ crypto_library = 'openssl'
config_h.set('HAVE_CRYPTO', 1)
endif
endif
+# Verify that the library supports the selected algorithm (RSA-SHA256 or ML-DSA-65).
+if libcrypto.found()
+ ipa_signature_algo = get_option('ipa-signature-algo')
+ r = run_command(check_algo, crypto_library, ipa_signature_algo, check : false)
+ if r.returncode() != 0
+ error('Unsupported signature @0@ algorithm in @1@'
+ .format(ipa_signature_algo, crypto_library))
+ endif
+endif
+
if not libcrypto.found()
warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated')
summary({'IPA modules signed with': 'None (modules will run isolated)'},
@@ -19,7 +19,11 @@ openssl = find_program('openssl', required : false)
if openssl.found()
ipa_priv_key = custom_target('ipa-priv-key',
output : ['ipa-priv-key.pem'],
- command : [gen_ipa_priv_key, '@OUTPUT@'])
+ command : [
+ gen_ipa_priv_key,
+ get_option('ipa-signature-algo'),
+ '@OUTPUT@'
+ ])
config_h.set('HAVE_IPA_PUBKEY', 1)
ipa_sign_module = true
else
new file mode 100755
@@ -0,0 +1,37 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (C) 2026, Red Hat Inc.
+#
+# Author: Kate Hsuan <hpa@redhat.com>
+#
+# Check if the given algorithm is supported by the library
+
+tool="$1"
+algo="$2"
+
+algo=$(echo $algo | tr '[:lower:]' '[:upper:]')
+
+if [ "$tool" = "gnutls" ]; then
+ gnutls-cli -l | grep "$algo" > /dev/null
+ ret=$?
+elif [ "$tool" = "openssl" ]; then
+ if [ "$algo" = "ML-DSA-65" ]; then
+ openssl list -signature-algorithms |grep ${algo} > /dev/null
+ ret=$?
+ else
+ openssl list -signature-algorithms |grep "RSA" > /dev/null
+ ret=$?
+ if [ $ret -eq 0 ]; then
+ openssl list -digest-algorithms |grep "SHA256" > /dev/null
+ ret=$?
+ fi
+ fi
+else
+ echo "Invalid tool: $tool"
+ exit 1
+fi
+
+if [ $ret -ne 0 ]; then
+ echo "Algorithm $algo is not supported by $tool"
+ exit 1
+fi
@@ -4,8 +4,18 @@
#
# Author: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
#
-# Generate an RSA private key to sign IPA modules
+# Generate a private key for the given algorithm to sign IPA modules
-key="$1"
+algo="$1"
+key="$2"
-openssl genpkey -algorithm RSA -out "${key}" -pkeyopt rsa_keygen_bits:2048
+# Two possible algorithms: RSA and ML-DSA-65
+
+if [ "$algo" = "rsa-sha256" ]; then
+ openssl genpkey -algorithm RSA -out "${key}"
+elif [ "$algo" = "ml-dsa-65" ]; then
+ openssl genpkey -algorithm ML-DSA-65 -out "${key}"
+else
+ echo "Invalid algorithm: $algo"
+ exit 1
+fi
@@ -5,6 +5,9 @@ subdir('ipu3')
gen_shader_headers = files('gen-shader-headers.sh')
+## Check signature algorithm
+check_algo = files('check-algo.sh')
+
## Module signing
gen_ipa_priv_key = files('gen-ipa-priv-key.sh')
Add a combo type "ipa-signature-algo" meson option to select signature algorithms, including rsa-sha256 and ml-dsa-65. ras-sha256 is the default setting for now. Signed-off-by: Kate Hsuan <hpa@redhat.com> --- meson_options.txt | 8 ++++++++ src/libcamera/meson.build | 12 ++++++++++++ src/meson.build | 6 +++++- utils/check-algo.sh | 37 +++++++++++++++++++++++++++++++++++++ utils/gen-ipa-priv-key.sh | 16 +++++++++++++--- utils/meson.build | 3 +++ 6 files changed, 78 insertions(+), 4 deletions(-) create mode 100755 utils/check-algo.sh