Message ID | 20200731143919.25825-1-andrey.konovalov@linaro.org |
---|---|
State | Superseded |
Headers | show |
Series |
|
Related | show |
Hi Andrey, Thank you for the patch. On Fri, Jul 31, 2020 at 05:39:19PM +0300, Andrey Konovalov wrote: > libcamera checks if RPATH or RUNPATH dynamic tag is present in > libcamera.so. If it does, it assumes that libcamera binaries are > run directly from the build directory without installing them, and > tries to use resorces like IPA modules from the build directory. > Mainline meson strips RPATH/RUNPATH out from libcamera.so file > at install time. But openembedded-core patches meson to disable > RPATH/RUNPATH removal. That's why we need to remove this tag manually > in do_install_append(). > > IPA module is signed (with openssl dgst) after it is built. But > during packaging the OE build system 1) splits out debugging info, > and 2) strips the binaries. So the IPA module so file installed > isn't the one which the signature was calculated against. Then > the signature check fails, and libcamera tries to run the IPA > module isolated (in a sandbox), which doesn't work if the IPA > module wasn't designed to run isolated. The solution is to > recalculate the IPA modules signatures in ${PKGD} after do_package(). > > Signed-off-by: Andrey Konovalov <andrey.konovalov@linaro.org> > --- > Changes in v2: > - Recalculate the IPA modules signatures after do_package() > instead of disabling stripping and splitting libcamera package > > .../recipes-multimedia/libcamera/libcamera.bb | 15 ++++++++++++++- > 1 file changed, 14 insertions(+), 1 deletion(-) > > diff --git a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb > index 00a5c480d..30c6600e5 100644 > --- a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb > +++ b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb > @@ -18,13 +18,26 @@ PV = "202006+git${SRCPV}" > > S = "${WORKDIR}/git" > > -DEPENDS = "python3-pyyaml-native udev gnutls boost" > +DEPENDS = "python3-pyyaml-native udev gnutls boost chrpath-native" > DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'qt', 'qtbase qtbase-native', '', d)}" > > RDEPENDS_${PN} = "${@bb.utils.contains('DISTRO_FEATURES', 'wayland qt', 'qtwayland', '', d)}" > > inherit meson pkgconfig python3native > > +do_install_append() { > + chrpath -d ${D}${libdir}/libcamera.so > +} > + > +addtask do_recalculate_ipa_signatures_package after do_package before do_packagedata > +do_recalculate_ipa_signatures_package() { > + for module in $(find "${PKGD}/usr/lib/libcamera" -name "*.so.sign"); do > + if [ -f "${module%.sign}" ] ; then > + "${S}/src/ipa/ipa-sign.sh" "${B}/src/ipa-priv-key.pem" "${module%.sign}" "${module}" > + fi > + done Note that you could also use the src/ipa/ipa-sign-install.sh script, which takes the key as the first argument followed by the list of .so files to sign. Something along the lines of (not tested) local modules for module in $(find "${PKGD}/usr/lib/libcamera" -name "*.so.sign"); do module="${module%.sign}" if [ -f "${module}" ] ; then modules="${modules} ${module}" fi done "${S}/src/ipa/ipa-sign-install.sh" "${B}/src/ipa-priv-key.pem" ${modules} I think this will lower the risk of breakage in the future, as ipa-sign.sh will have a higher chance of being refactored than ipa-sign-install.sh Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> > +} > + > FILES_${PN}-dev = "${includedir} ${libdir}/pkgconfig" > FILES_${PN} += " ${libdir}/libcamera.so"
Hi Laurent, On 01.08.2020 16:01, Laurent Pinchart wrote: > Hi Andrey, > > Thank you for the patch. > > On Fri, Jul 31, 2020 at 05:39:19PM +0300, Andrey Konovalov wrote: >> libcamera checks if RPATH or RUNPATH dynamic tag is present in >> libcamera.so. If it does, it assumes that libcamera binaries are >> run directly from the build directory without installing them, and >> tries to use resorces like IPA modules from the build directory. >> Mainline meson strips RPATH/RUNPATH out from libcamera.so file >> at install time. But openembedded-core patches meson to disable >> RPATH/RUNPATH removal. That's why we need to remove this tag manually >> in do_install_append(). >> >> IPA module is signed (with openssl dgst) after it is built. But >> during packaging the OE build system 1) splits out debugging info, >> and 2) strips the binaries. So the IPA module so file installed >> isn't the one which the signature was calculated against. Then >> the signature check fails, and libcamera tries to run the IPA >> module isolated (in a sandbox), which doesn't work if the IPA >> module wasn't designed to run isolated. The solution is to >> recalculate the IPA modules signatures in ${PKGD} after do_package(). >> >> Signed-off-by: Andrey Konovalov <andrey.konovalov@linaro.org> >> --- >> Changes in v2: >> - Recalculate the IPA modules signatures after do_package() >> instead of disabling stripping and splitting libcamera package >> >> .../recipes-multimedia/libcamera/libcamera.bb | 15 ++++++++++++++- >> 1 file changed, 14 insertions(+), 1 deletion(-) >> >> diff --git a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb >> index 00a5c480d..30c6600e5 100644 >> --- a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb >> +++ b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb >> @@ -18,13 +18,26 @@ PV = "202006+git${SRCPV}" >> >> S = "${WORKDIR}/git" >> >> -DEPENDS = "python3-pyyaml-native udev gnutls boost" >> +DEPENDS = "python3-pyyaml-native udev gnutls boost chrpath-native" >> DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'qt', 'qtbase qtbase-native', '', d)}" >> >> RDEPENDS_${PN} = "${@bb.utils.contains('DISTRO_FEATURES', 'wayland qt', 'qtwayland', '', d)}" >> >> inherit meson pkgconfig python3native >> >> +do_install_append() { >> + chrpath -d ${D}${libdir}/libcamera.so >> +} >> + >> +addtask do_recalculate_ipa_signatures_package after do_package before do_packagedata >> +do_recalculate_ipa_signatures_package() { >> + for module in $(find "${PKGD}/usr/lib/libcamera" -name "*.so.sign"); do >> + if [ -f "${module%.sign}" ] ; then >> + "${S}/src/ipa/ipa-sign.sh" "${B}/src/ipa-priv-key.pem" "${module%.sign}" "${module}" >> + fi >> + done > > Note that you could also use the src/ipa/ipa-sign-install.sh script, > which takes the key as the first argument followed by the list of .so > files to sign. Something along the lines of (not tested) > > local modules > for module in $(find "${PKGD}/usr/lib/libcamera" -name "*.so.sign"); do > module="${module%.sign}" > if [ -f "${module}" ] ; then > modules="${modules} ${module}" > fi > done > > "${S}/src/ipa/ipa-sign-install.sh" "${B}/src/ipa-priv-key.pem" ${modules} > > I think this will lower the risk of breakage in the future, as > ipa-sign.sh will have a higher chance of being refactored than > ipa-sign-install.sh OK, makes sense. Thanks for the suggestion! When creating v2 I've got the impression of ipa-sign-install.sh relying on running in meson environment - when run as part of 'meson install' it prefixes each module with ${MESON_INSTALL_DESTDIR_PREFIX}/. But ipa-sign-install.sh also works OK when used in do_recalculate_ipa_signatures_package() - "${MESON_INSTALL_DESTDIR_PREFIX}" resolves to "", and the ${modules} use full path names. > Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Thanks, Andrey >> +} >> + >> FILES_${PN}-dev = "${includedir} ${libdir}/pkgconfig" >> FILES_${PN} += " ${libdir}/libcamera.so" >
diff --git a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb index 00a5c480d..30c6600e5 100644 --- a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb +++ b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb @@ -18,13 +18,26 @@ PV = "202006+git${SRCPV}" S = "${WORKDIR}/git" -DEPENDS = "python3-pyyaml-native udev gnutls boost" +DEPENDS = "python3-pyyaml-native udev gnutls boost chrpath-native" DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'qt', 'qtbase qtbase-native', '', d)}" RDEPENDS_${PN} = "${@bb.utils.contains('DISTRO_FEATURES', 'wayland qt', 'qtwayland', '', d)}" inherit meson pkgconfig python3native +do_install_append() { + chrpath -d ${D}${libdir}/libcamera.so +} + +addtask do_recalculate_ipa_signatures_package after do_package before do_packagedata +do_recalculate_ipa_signatures_package() { + for module in $(find "${PKGD}/usr/lib/libcamera" -name "*.so.sign"); do + if [ -f "${module%.sign}" ] ; then + "${S}/src/ipa/ipa-sign.sh" "${B}/src/ipa-priv-key.pem" "${module%.sign}" "${module}" + fi + done +} + FILES_${PN}-dev = "${includedir} ${libdir}/pkgconfig" FILES_${PN} += " ${libdir}/libcamera.so"
libcamera checks if RPATH or RUNPATH dynamic tag is present in libcamera.so. If it does, it assumes that libcamera binaries are run directly from the build directory without installing them, and tries to use resorces like IPA modules from the build directory. Mainline meson strips RPATH/RUNPATH out from libcamera.so file at install time. But openembedded-core patches meson to disable RPATH/RUNPATH removal. That's why we need to remove this tag manually in do_install_append(). IPA module is signed (with openssl dgst) after it is built. But during packaging the OE build system 1) splits out debugging info, and 2) strips the binaries. So the IPA module so file installed isn't the one which the signature was calculated against. Then the signature check fails, and libcamera tries to run the IPA module isolated (in a sandbox), which doesn't work if the IPA module wasn't designed to run isolated. The solution is to recalculate the IPA modules signatures in ${PKGD} after do_package(). Signed-off-by: Andrey Konovalov <andrey.konovalov@linaro.org> --- Changes in v2: - Recalculate the IPA modules signatures after do_package() instead of disabling stripping and splitting libcamera package .../recipes-multimedia/libcamera/libcamera.bb | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-)