[libcamera-devel,meta-multimedia,v3] libcamera: fix packaging and installation
diff mbox series

Message ID 20200802190719.9358-1-andrey.konovalov@linaro.org
State Superseded
Headers show
Series
  • [libcamera-devel,meta-multimedia,v3] libcamera: fix packaging and installation
Related show

Commit Message

Andrey Konovalov Aug. 2, 2020, 7:07 p.m. UTC 
libcamera checks if RPATH or RUNPATH dynamic tag is present in
libcamera.so. If it does, it assumes that libcamera binaries are
run directly from the build directory without installing them, and
tries to use resorces like IPA modules from the build directory.
Mainline meson strips RPATH/RUNPATH out from libcamera.so file
at install time. But openembedded-core patches meson to disable
RPATH/RUNPATH removal. That's why  we need to remove this tag manually
in do_install_append().

IPA module is signed (with openssl dgst) after it is built. But
during packaging the OE build system 1) splits out debugging info,
and 2) strips the binaries. So the IPA module so file installed
isn't the one which the signature was calculated against. Then
the signature check fails, and libcamera tries to run the IPA
module isolated (in a sandbox), which doesn't work if the IPA
module wasn't designed to run isolated. The solution is to
recalculate the IPA modules signatures in ${PKGD} after do_package().

Signed-off-by: Andrey Konovalov <andrey.konovalov@linaro.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
---
 Changes in v3:
  - As suggested by Laurent Pinchart, use ipa-sign-install.sh script
    to recalculate the signatures instead of ipa-sign.sh.

 Changes in v2:
  - Recalculate the IPA modules signatures after do_package()
    instead of disabling stripping and splitting libcamera package

 .../recipes-multimedia/libcamera/libcamera.bb | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

Comments

Khem Raj Aug. 3, 2020, 5:48 p.m. UTC | #1 
fails with https://errors.yoctoproject.org/Errors/Details/427980/

On Sun, Aug 2, 2020 at 12:07 PM Andrey Konovalov
<andrey.konovalov@linaro.org> wrote:
>
> libcamera checks if RPATH or RUNPATH dynamic tag is present in
> libcamera.so. If it does, it assumes that libcamera binaries are
> run directly from the build directory without installing them, and
> tries to use resorces like IPA modules from the build directory.
> Mainline meson strips RPATH/RUNPATH out from libcamera.so file
> at install time. But openembedded-core patches meson to disable
> RPATH/RUNPATH removal. That's why  we need to remove this tag manually
> in do_install_append().
>
> IPA module is signed (with openssl dgst) after it is built. But
> during packaging the OE build system 1) splits out debugging info,
> and 2) strips the binaries. So the IPA module so file installed
> isn't the one which the signature was calculated against. Then
> the signature check fails, and libcamera tries to run the IPA
> module isolated (in a sandbox), which doesn't work if the IPA
> module wasn't designed to run isolated. The solution is to
> recalculate the IPA modules signatures in ${PKGD} after do_package().
>
> Signed-off-by: Andrey Konovalov <andrey.konovalov@linaro.org>
> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> ---
>  Changes in v3:
>   - As suggested by Laurent Pinchart, use ipa-sign-install.sh script
>     to recalculate the signatures instead of ipa-sign.sh.
>
>  Changes in v2:
>   - Recalculate the IPA modules signatures after do_package()
>     instead of disabling stripping and splitting libcamera package
>
>  .../recipes-multimedia/libcamera/libcamera.bb | 19 ++++++++++++++++++-
>  1 file changed, 18 insertions(+), 1 deletion(-)
>
> diff --git a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
> index 00a5c480d..b34d673bd 100644
> --- a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
> +++ b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
> @@ -18,13 +18,30 @@ PV = "202006+git${SRCPV}"
>
>  S = "${WORKDIR}/git"
>
> -DEPENDS = "python3-pyyaml-native udev gnutls boost"
> +DEPENDS = "python3-pyyaml-native udev gnutls boost chrpath-native"
>  DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'qt', 'qtbase qtbase-native', '', d)}"
>
>  RDEPENDS_${PN} = "${@bb.utils.contains('DISTRO_FEATURES', 'wayland qt', 'qtwayland', '', d)}"
>
>  inherit meson pkgconfig python3native
>
> +do_install_append() {
> +    chrpath -d ${D}${libdir}/libcamera.so
> +}
> +
> +addtask do_recalculate_ipa_signatures_package after do_package before do_packagedata
> +do_recalculate_ipa_signatures_package() {
> +    local modules
> +    for module in $(find "${PKGD}/usr/lib/libcamera" -name "*.so.sign"); do
> +        module="${module%.sign}"
> +        if [ -f "${module}" ] ; then
> +            modules="${modules} ${module}"
> +        fi
> +    done
> +
> +    "${S}/src/ipa/ipa-sign-install.sh" "${B}/src/ipa-priv-key.pem" "${modules}"
> +}
> +
>  FILES_${PN}-dev = "${includedir} ${libdir}/pkgconfig"
>  FILES_${PN} += " ${libdir}/libcamera.so"
>
> --
> 2.17.1
>
Andrey Konovalov Aug. 13, 2020, 8:32 p.m. UTC | #2 
Hi Khem,

I wasn't able to reproduce this error on my system even with the same
machine/distro/target system combination as from the error report.

Anyway, it looks like the error is due to bitbake failing to expand
some variables under quotation marks, so I am posting v4 which tries
to address that. (Both v3 and v4 patches work OK at my desk.)

Thanks,
Andrey

On 03.08.2020 20:48, Khem Raj wrote:
> fails with https://errors.yoctoproject.org/Errors/Details/427980/
> 
> On Sun, Aug 2, 2020 at 12:07 PM Andrey Konovalov
> <andrey.konovalov@linaro.org> wrote:
>>
>> libcamera checks if RPATH or RUNPATH dynamic tag is present in
>> libcamera.so. If it does, it assumes that libcamera binaries are
>> run directly from the build directory without installing them, and
>> tries to use resorces like IPA modules from the build directory.
>> Mainline meson strips RPATH/RUNPATH out from libcamera.so file
>> at install time. But openembedded-core patches meson to disable
>> RPATH/RUNPATH removal. That's why  we need to remove this tag manually
>> in do_install_append().
>>
>> IPA module is signed (with openssl dgst) after it is built. But
>> during packaging the OE build system 1) splits out debugging info,
>> and 2) strips the binaries. So the IPA module so file installed
>> isn't the one which the signature was calculated against. Then
>> the signature check fails, and libcamera tries to run the IPA
>> module isolated (in a sandbox), which doesn't work if the IPA
>> module wasn't designed to run isolated. The solution is to
>> recalculate the IPA modules signatures in ${PKGD} after do_package().
>>
>> Signed-off-by: Andrey Konovalov <andrey.konovalov@linaro.org>
>> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
>> ---
>>   Changes in v3:
>>    - As suggested by Laurent Pinchart, use ipa-sign-install.sh script
>>      to recalculate the signatures instead of ipa-sign.sh.
>>
>>   Changes in v2:
>>    - Recalculate the IPA modules signatures after do_package()
>>      instead of disabling stripping and splitting libcamera package
>>
>>   .../recipes-multimedia/libcamera/libcamera.bb | 19 ++++++++++++++++++-
>>   1 file changed, 18 insertions(+), 1 deletion(-)
>>
>> diff --git a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
>> index 00a5c480d..b34d673bd 100644
>> --- a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
>> +++ b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
>> @@ -18,13 +18,30 @@ PV = "202006+git${SRCPV}"
>>
>>   S = "${WORKDIR}/git"
>>
>> -DEPENDS = "python3-pyyaml-native udev gnutls boost"
>> +DEPENDS = "python3-pyyaml-native udev gnutls boost chrpath-native"
>>   DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'qt', 'qtbase qtbase-native', '', d)}"
>>
>>   RDEPENDS_${PN} = "${@bb.utils.contains('DISTRO_FEATURES', 'wayland qt', 'qtwayland', '', d)}"
>>
>>   inherit meson pkgconfig python3native
>>
>> +do_install_append() {
>> +    chrpath -d ${D}${libdir}/libcamera.so
>> +}
>> +
>> +addtask do_recalculate_ipa_signatures_package after do_package before do_packagedata
>> +do_recalculate_ipa_signatures_package() {
>> +    local modules
>> +    for module in $(find "${PKGD}/usr/lib/libcamera" -name "*.so.sign"); do
>> +        module="${module%.sign}"
>> +        if [ -f "${module}" ] ; then
>> +            modules="${modules} ${module}"
>> +        fi
>> +    done
>> +
>> +    "${S}/src/ipa/ipa-sign-install.sh" "${B}/src/ipa-priv-key.pem" "${modules}"
>> +}
>> +
>>   FILES_${PN}-dev = "${includedir} ${libdir}/pkgconfig"
>>   FILES_${PN} += " ${libdir}/libcamera.so"
>>
>> --
>> 2.17.1
>>

Patch
diff mbox series 

diff --git a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
index 00a5c480d..b34d673bd 100644
--- a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
+++ b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
@@ -18,13 +18,30 @@  PV = "202006+git${SRCPV}"
 
 S = "${WORKDIR}/git"
 
-DEPENDS = "python3-pyyaml-native udev gnutls boost"
+DEPENDS = "python3-pyyaml-native udev gnutls boost chrpath-native"
 DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'qt', 'qtbase qtbase-native', '', d)}"
 
 RDEPENDS_${PN} = "${@bb.utils.contains('DISTRO_FEATURES', 'wayland qt', 'qtwayland', '', d)}"
 
 inherit meson pkgconfig python3native
 
+do_install_append() {
+    chrpath -d ${D}${libdir}/libcamera.so
+}
+
+addtask do_recalculate_ipa_signatures_package after do_package before do_packagedata
+do_recalculate_ipa_signatures_package() {
+    local modules
+    for module in $(find "${PKGD}/usr/lib/libcamera" -name "*.so.sign"); do
+        module="${module%.sign}"
+        if [ -f "${module}" ] ; then
+            modules="${modules} ${module}"
+        fi
+    done
+
+    "${S}/src/ipa/ipa-sign-install.sh" "${B}/src/ipa-priv-key.pem" "${modules}"
+}
+
 FILES_${PN}-dev = "${includedir} ${libdir}/pkgconfig"
 FILES_${PN} += " ${libdir}/libcamera.so"