From patchwork Mon Apr 13 13:30:46 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
X-Patchwork-Id: 3443
Return-Path: <laurent.pinchart@ideasonboard.com>
Received: from perceval.ideasonboard.com (perceval.ideasonboard.com
	[IPv6:2001:4b98:dc2:55:216:3eff:fef7:d647])
	by lancelot.ideasonboard.com (Postfix) with ESMTPS id 2F32762E1E
	for <libcamera-devel@lists.libcamera.org>;
	Mon, 13 Apr 2020 15:31:08 +0200 (CEST)
Authentication-Results: lancelot.ideasonboard.com; dkim=pass (1024-bit key;
	unprotected) header.d=ideasonboard.com
	header.i=@ideasonboard.com
	header.b="OAE1BORj"; dkim-atps=neutral
Received: from pendragon.bb.dnainternet.fi (81-175-216-236.bb.dnainternet.fi
	[81.175.216.236])
	by perceval.ideasonboard.com (Postfix) with ESMTPSA id C26441288
	for <libcamera-devel@lists.libcamera.org>;
	Mon, 13 Apr 2020 15:31:07 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ideasonboard.com;
	s=mail; t=1586784667;
	bh=c31/qGx1F09SD/xDe8w1XQf/8OBZG7pM4ZZeEYPC448=;
	h=From:To:Subject:Date:In-Reply-To:References:From;
	b=OAE1BORjL6wq18D3pdGacRx541YEJvbb+muBGiQLcDi3rPz5B8DtwJ+G3KwjjQF4f
	InmF3KjkDa0NQ8cA0DxkSaTDqsoGqr2LGxWNTXUGaEZFgno0iovZW7upREkd3JxQYp
	UsCT7QUbAObD9aMfAvJUSw6YFarvoZA75+VwnmpA=
From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
To: libcamera-devel@lists.libcamera.org
Date: Mon, 13 Apr 2020 16:30:46 +0300
Message-Id: <20200413133047.11913-11-laurent.pinchart@ideasonboard.com>
X-Mailer: git-send-email 2.24.1
In-Reply-To: <20200413133047.11913-1-laurent.pinchart@ideasonboard.com>
References: <20200413133047.11913-1-laurent.pinchart@ideasonboard.com>
MIME-Version: 1.0
Subject: [libcamera-devel] [PATCH v2 10/11] libcamera: ipa_manager: Verify
	IPA module signature
X-BeenThere: libcamera-devel@lists.libcamera.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <libcamera-devel.lists.libcamera.org>
List-Unsubscribe: <https://lists.libcamera.org/options/libcamera-devel>,
	<mailto:libcamera-devel-request@lists.libcamera.org?subject=unsubscribe>
List-Archive: <https://lists.libcamera.org/pipermail/libcamera-devel/>
List-Post: <mailto:libcamera-devel@lists.libcamera.org>
List-Help: <mailto:libcamera-devel-request@lists.libcamera.org?subject=help>
List-Subscribe: <https://lists.libcamera.org/listinfo/libcamera-devel>,
	<mailto:libcamera-devel-request@lists.libcamera.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Apr 2020 13:31:10 -0000

Decide whether to isolate the IPA module using the module signature
instead of its license.

Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Niklas Söderlund <niklas.soderlund@ragnatech.se>
---
 src/libcamera/include/ipa_manager.h |  2 ++
 src/libcamera/include/ipa_module.h  |  2 --
 src/libcamera/ipa_manager.cpp       | 22 +++++++++++++++++++++-
 src/libcamera/ipa_module.cpp        | 25 -------------------------
 4 files changed, 23 insertions(+), 28 deletions(-)

diff --git a/src/libcamera/include/ipa_manager.h b/src/libcamera/include/ipa_manager.h
index 26edf087461e..0b5fd2ac1f12 100644
--- a/src/libcamera/include/ipa_manager.h
+++ b/src/libcamera/include/ipa_manager.h
@@ -38,6 +38,8 @@ private:
 		      std::vector<std::string> &files);
 	unsigned int addDir(const char *libDir, unsigned int maxDepth = 0);
 
+	bool isSignatureValid(IPAModule *ipa) const;
+
 	static const uint8_t publicKeyData_[];
 	static const PubKey pubKey_;
 };
diff --git a/src/libcamera/include/ipa_module.h b/src/libcamera/include/ipa_module.h
index ec3671857a61..a9a3511701d4 100644
--- a/src/libcamera/include/ipa_module.h
+++ b/src/libcamera/include/ipa_module.h
@@ -37,8 +37,6 @@ public:
 	bool match(PipelineHandler *pipe,
 		   uint32_t minVersion, uint32_t maxVersion) const;
 
-	bool isOpenSource() const;
-
 private:
 	struct IPAModuleInfo info_;
 	std::vector<uint8_t> signature_;
diff --git a/src/libcamera/ipa_manager.cpp b/src/libcamera/ipa_manager.cpp
index bcaae3564ea1..2b0112885274 100644
--- a/src/libcamera/ipa_manager.cpp
+++ b/src/libcamera/ipa_manager.cpp
@@ -12,6 +12,7 @@
 #include <string.h>
 #include <sys/types.h>
 
+#include "file.h"
 #include "ipa_context_wrapper.h"
 #include "ipa_module.h"
 #include "ipa_proxy.h"
@@ -271,7 +272,7 @@ std::unique_ptr<IPAInterface> IPAManager::createIPA(PipelineHandler *pipe,
 	if (!m)
 		return nullptr;
 
-	if (!m->isOpenSource()) {
+	if (!isSignatureValid(m)) {
 		IPAProxyFactory *pf = nullptr;
 		std::vector<IPAProxyFactory *> &factories = IPAProxyFactory::factories();
 
@@ -307,4 +308,23 @@ std::unique_ptr<IPAInterface> IPAManager::createIPA(PipelineHandler *pipe,
 	return std::make_unique<IPAContextWrapper>(ctx);
 }
 
+bool IPAManager::isSignatureValid(IPAModule *ipa) const
+{
+	File file{ ipa->path() };
+	if (!file.open(File::ReadOnly))
+		return false;
+
+	Span<uint8_t> data = file.map();
+	if (data.empty())
+		return false;
+
+	bool valid = pubKey_.verify(data, ipa->signature());
+
+	LOG(IPAManager, Debug)
+		<< "IPA module " << ipa->path() << " signature is "
+		<< (valid ? "valid" : "not valid");
+
+	return valid;
+}
+
 } /* namespace libcamera */
diff --git a/src/libcamera/ipa_module.cpp b/src/libcamera/ipa_module.cpp
index 51b238a698f2..96b44f13192c 100644
--- a/src/libcamera/ipa_module.cpp
+++ b/src/libcamera/ipa_module.cpp
@@ -472,29 +472,4 @@ bool IPAModule::match(PipelineHandler *pipe,
 	       !strcmp(info_.pipelineName, pipe->name());
 }
 
-/**
- * \brief Verify if the IPA module is open source
- *
- * \sa IPAModuleInfo::license
- */
-bool IPAModule::isOpenSource() const
-{
-	static const char *osLicenses[] = {
-		"GPL-2.0-only",
-		"GPL-2.0-or-later",
-		"GPL-3.0-only",
-		"GPL-3.0-or-later",
-		"LGPL-2.1-only",
-		"LGPL-2.1-or-later",
-		"LGPL-3.0-only",
-		"LGPL-3.0-or-later",
-	};
-
-	for (unsigned int i = 0; i < ARRAY_SIZE(osLicenses); i++)
-		if (!strcmp(osLicenses[i], info_.license))
-			return true;
-
-	return false;
-}
-
 } /* namespace libcamera */