[libcamera-devel] ipa: Only sign IPA modules that are being installed

Message ID 20200512162822.21324-1-laurent.pinchart@ideasonboard.com
State Accepted
Commit 924778eb073c47a0defc7319e98029c712129ede
Headers show
Series
  • [libcamera-devel] ipa: Only sign IPA modules that are being installed
Related show

Commit Message

Laurent Pinchart May 12, 2020, 4:28 p.m. UTC
The ipa-sign-install.sh script, run when installing libcamera, signs all
IPA modules present in the module directory. This would result in
third-party modules being signed if any are present in the directory.
Fix it by explicitly passing the list of IPA modules to the
ipa-sign-install.sh script.

Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
---
 src/ipa/ipa-sign-install.sh | 12 ++++++++----
 src/ipa/meson.build         |  6 ++++--
 2 files changed, 12 insertions(+), 6 deletions(-)

Comments

Tomasz Figa May 13, 2020, 5:58 p.m. UTC | #1
On Tue, May 12, 2020 at 6:28 PM Laurent Pinchart
<laurent.pinchart@ideasonboard.com> wrote:
>
> The ipa-sign-install.sh script, run when installing libcamera, signs all
> IPA modules present in the module directory. This would result in
> third-party modules being signed if any are present in the directory.
> Fix it by explicitly passing the list of IPA modules to the
> ipa-sign-install.sh script.
>
> Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> ---
>  src/ipa/ipa-sign-install.sh | 12 ++++++++----
>  src/ipa/meson.build         |  6 ++++--
>  2 files changed, 12 insertions(+), 6 deletions(-)
>

Thanks a lot for the fix.

Within the Chromium OS SDK, with --board=soraka:
Tested-by: Tomasz Figa <tfiga@chromium.org>

Reviewed-by: Tomasz Figa <tfiga@chromium.org>

Best regards,
Tomasz

> diff --git a/src/ipa/ipa-sign-install.sh b/src/ipa/ipa-sign-install.sh
> index 5317a8a2042b..bcedb8b5cdd1 100755
> --- a/src/ipa/ipa-sign-install.sh
> +++ b/src/ipa/ipa-sign-install.sh
> @@ -6,13 +6,17 @@
>  #
>  # ipa-sign-install.sh - Regenerate IPA module signatures when installing
>
> -libdir=$1
> -key=$2
> +key=$1
> +shift
> +modules=$*
>
>  ipa_sign=$(dirname "$0")/ipa-sign.sh
>
>  echo "Regenerating IPA modules signatures"
>
> -for module in "${MESON_INSTALL_DESTDIR_PREFIX}/${libdir}"/*.so ; do
> -       "${ipa_sign}" "${key}" "${module}" "${module}.sign"
> +for module in ${modules} ; do
> +       module="${MESON_INSTALL_DESTDIR_PREFIX}/${module}"
> +       if [ -f "${module}" ] ; then
> +               "${ipa_sign}" "${key}" "${module}" "${module}.sign"
> +       fi
>  done
> diff --git a/src/ipa/meson.build b/src/ipa/meson.build
> index b103479c1cd0..fd4b2c30438d 100644
> --- a/src/ipa/meson.build
> +++ b/src/ipa/meson.build
> @@ -19,10 +19,12 @@ subdir('libipa')
>  ipa_sign = files('ipa-sign.sh')
>
>  ipas = ['raspberrypi', 'rkisp1', 'vimc']
> +ipa_names = []
>
>  foreach pipeline : get_option('pipelines')
>      if ipas.contains(pipeline)
>          subdir(pipeline)
> +        ipa_names += join_paths(ipa_install_dir, ipa_name + '.so')
>      endif
>  endforeach
>
> @@ -31,6 +33,6 @@ if ipa_sign_module
>      # .sign files, as meson strips the DT_RPATH and DT_RUNPATH from binaries at
>      # install time, which invalidates the signatures.
>      meson.add_install_script('ipa-sign-install.sh',
> -                             ipa_install_dir,
> -                             ipa_priv_key.full_path())
> +                             ipa_priv_key.full_path(),
> +                             ipa_names)
>  endif
> --
> Regards,
>
> Laurent Pinchart
>

Patch

diff --git a/src/ipa/ipa-sign-install.sh b/src/ipa/ipa-sign-install.sh
index 5317a8a2042b..bcedb8b5cdd1 100755
--- a/src/ipa/ipa-sign-install.sh
+++ b/src/ipa/ipa-sign-install.sh
@@ -6,13 +6,17 @@ 
 #
 # ipa-sign-install.sh - Regenerate IPA module signatures when installing
 
-libdir=$1
-key=$2
+key=$1
+shift
+modules=$*
 
 ipa_sign=$(dirname "$0")/ipa-sign.sh
 
 echo "Regenerating IPA modules signatures"
 
-for module in "${MESON_INSTALL_DESTDIR_PREFIX}/${libdir}"/*.so ; do
-	"${ipa_sign}" "${key}" "${module}" "${module}.sign"
+for module in ${modules} ; do
+	module="${MESON_INSTALL_DESTDIR_PREFIX}/${module}"
+	if [ -f "${module}" ] ; then
+		"${ipa_sign}" "${key}" "${module}" "${module}.sign"
+	fi
 done
diff --git a/src/ipa/meson.build b/src/ipa/meson.build
index b103479c1cd0..fd4b2c30438d 100644
--- a/src/ipa/meson.build
+++ b/src/ipa/meson.build
@@ -19,10 +19,12 @@  subdir('libipa')
 ipa_sign = files('ipa-sign.sh')
 
 ipas = ['raspberrypi', 'rkisp1', 'vimc']
+ipa_names = []
 
 foreach pipeline : get_option('pipelines')
     if ipas.contains(pipeline)
         subdir(pipeline)
+        ipa_names += join_paths(ipa_install_dir, ipa_name + '.so')
     endif
 endforeach
 
@@ -31,6 +33,6 @@  if ipa_sign_module
     # .sign files, as meson strips the DT_RPATH and DT_RUNPATH from binaries at
     # install time, which invalidates the signatures.
     meson.add_install_script('ipa-sign-install.sh',
-                             ipa_install_dir,
-                             ipa_priv_key.full_path())
+                             ipa_priv_key.full_path(),
+                             ipa_names)
 endif