From patchwork Sun Aug 7 02:14:52 2022
X-Patchwork-Id: 16999
From: Laurent Pinchart
To: libcamera-devel@lists.libcamera.org
Date: Sun, 7 Aug 2022 05:14:52 +0300
Message-Id: <20220807021456.9578-2-laurent.pinchart@ideasonboard.com>
Subject: [libcamera-devel] [PATCH 1/5] Revert "libcamera: Make IPA module signing mandatory for the meantime"

Commit b382f67c833d ("libcamera: Make IPA module signing mandatory for the meantime") made openssl and gnutls dependencies mandatory to work around the lack of proper IPA module isolation support, which broke operation without module signatures. Now that this has been fixed, we can make the dependencies optional again.

This reverts commit b382f67c833de08717cfec19273b95f5819cab27.

Signed-off-by: Laurent Pinchart
---
 README.rst | 2 +-
 src/libcamera/meson.build | 2 +-
 src/meson.build | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.rst b/README.rst index 77374c6a72b1..ffecd5bc6552 100644 --- a/README.rst +++ b/README.rst 
@@ -60,7 +60,7 @@ Meson Build system: [required] for the libcamera core: [required] libyaml-dev python3-yaml python3-ply python3-jinja2 -for IPA module signing: [required] +for IPA module signing: [optional] libgnutls28-dev openssl for improved debugging: [optional] diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build index b57bee7ef6ca..ff0e31ebcb63 100644 --- a/src/libcamera/meson.build +++ b/src/libcamera/meson.build @@ -65,7 +65,7 @@ subdir('pipeline') subdir('proxy') libdl = cc.find_library('dl') -libgnutls = cc.find_library('gnutls', required : true) +libgnutls = cc.find_library('gnutls', required : false) libudev = dependency('libudev', required : false) libyaml = dependency('yaml-0.1', required : false) diff --git a/src/meson.build b/src/meson.build index 34663a6f134d..65276fc74606 100644 --- a/src/meson.build +++ b/src/meson.build 
@@ -14,7 +14,7 @@ summary({ }, section : 'Paths') # Module Signing -openssl = find_program('openssl', required : true) +openssl = find_program('openssl', required : false) if openssl.found() ipa_priv_key = custom_target('ipa-priv-key', output : ['ipa-priv-key.pem'], 

From patchwork Sun Aug 7 02:14:53 2022
X-Patchwork-Id: 17000
From: Laurent Pinchart
To: libcamera-devel@lists.libcamera.org
Date: Sun, 7 Aug 2022 05:14:53 +0300
Message-Id: <20220807021456.9578-3-laurent.pinchart@ideasonboard.com>
Subject: [libcamera-devel] [PATCH 2/5] libcamera: Make openssl and gnutls dependencies recommended

While gnutls and openssl are not strictly required, the overhead introduced by isolating all IPA modules when signatures are not available is better avoided. Document the dependencies as recommended, and warn at meson setup time if they are not found.

Signed-off-by: Laurent Pinchart
---
 README.rst | 5 ++++-
 src/libcamera/meson.build | 2 ++
 src/meson.build | 1 +
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/README.rst b/README.rst index ffecd5bc6552..3606057ff706 100644 --- a/README.rst +++ b/README.rst 
@@ -60,9 +60,12 @@ Meson Build system: [required] for the libcamera core: [required] libyaml-dev python3-yaml python3-ply python3-jinja2 -for IPA module signing: [optional] +for IPA module signing: [recommended] libgnutls28-dev openssl + Without IPA module signing, all IPA modules will be isolated in a + separate process. This adds an unnecessary extra overhead at runtime. + for improved debugging: [optional] libdw-dev libunwind-dev diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build index ff0e31ebcb63..8580feed3846 100644 --- a/src/libcamera/meson.build +++ b/src/libcamera/meson.build @@ -71,6 +71,8 @@ libyaml = dependency('yaml-0.1', required : false) if libgnutls.found() config_h.set('HAVE_GNUTLS', 1) +else + warning('gnutls not found, all IPA modules will be isolated') endif if liblttng.found() diff --git a/src/meson.build b/src/meson.build index 65276fc74606..f37c44ca9f60 100644 --- a/src/meson.build +++ b/src/meson.build 
@@ -22,6 +22,7 @@ if openssl.found() config_h.set('HAVE_IPA_PUBKEY', 1) ipa_sign_module = true else + warning('openssl not found, all IPA modules will be isolated') ipa_sign_module = false endif 

From patchwork Sun Aug 7 02:14:54 2022
X-Patchwork-Id: 17001
From: Laurent Pinchart
To: libcamera-devel@lists.libcamera.org
Date: Sun, 7 Aug 2022 05:14:54 +0300
Message-Id: <20220807021456.9578-4-laurent.pinchart@ideasonboard.com>
Subject: [libcamera-devel] [PATCH 3/5] libcamera: meson: Use dependency() to find gnutls

The gnutls library ships a pkgconfig .pc file. Use the standard dependency() method to locate it, instead of cc.find_library().

Signed-off-by: Laurent Pinchart
---
 src/libcamera/meson.build | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build index 8580feed3846..e144d4f9ae70 100644 --- a/src/libcamera/meson.build +++ b/src/libcamera/meson.build 
@@ -65,7 +65,7 @@ subdir('pipeline') subdir('proxy') libdl = cc.find_library('dl') -libgnutls = cc.find_library('gnutls', required : false) +libgnutls = dependency('gnutls', required : false) libudev = dependency('libudev', required : false) libyaml = dependency('yaml-0.1', required : false) 

From patchwork Sun Aug 7 02:14:55 2022
X-Patchwork-Id: 17002
From: Laurent Pinchart
To: libcamera-devel@lists.libcamera.org
Date: Sun, 7 Aug 2022 05:14:55 +0300
Message-Id: <20220807021456.9578-5-laurent.pinchart@ideasonboard.com>
Subject: [libcamera-devel] [PATCH 4/5] libcamera: pub_key: Gracefully handle failures to load public key

If the public key fails to load, the PubKey::isValid() function returns false. The only user of the PubKey class, the IPAManager class, doesn't check that condition, and still calls the PubKey::verify() function, which leads to a crash. Fix this by returning false from PubKey::verify() if the key isn't valid, and log a warning in the IPAManager constructor to report the issue.

Signed-off-by: Laurent Pinchart
---
 src/libcamera/ipa_manager.cpp | 3 +++
 src/libcamera/pub_key.cpp | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/src/libcamera/ipa_manager.cpp b/src/libcamera/ipa_manager.cpp index ec9660456960..2f96a2072fd6 100644 --- a/src/libcamera/ipa_manager.cpp +++ b/src/libcamera/ipa_manager.cpp @@ -109,6 +109,9 @@ IPAManager::IPAManager() LOG(IPAManager, Fatal) << "Multiple IPAManager objects are not allowed"; + if (!pubKey_.isValid()) + LOG(IPAManager, Warning) << "Public key not valid"; + unsigned int ipaCount = 0; /* User-specified paths take precedence. */ diff --git a/src/libcamera/pub_key.cpp b/src/libcamera/pub_key.cpp index 9bb08fda34af..b2045a103bc0 100644 --- a/src/libcamera/pub_key.cpp +++ b/src/libcamera/pub_key.cpp 
@@ -76,6 +76,9 @@ PubKey::~PubKey() bool PubKey::verify([[maybe_unused]] Span data, [[maybe_unused]] Span sig) const { + if (!valid_) + return false; + #if HAVE_GNUTLS const gnutls_datum_t gnuTlsData{ const_cast(data.data()), 

From patchwork Sun Aug 7 02:14:56 2022
X-Patchwork-Id: 17003
From: Laurent Pinchart
To: libcamera-devel@lists.libcamera.org
Date: Sun, 7 Aug 2022 05:14:56 +0300
Message-Id: <20220807021456.9578-6-laurent.pinchart@ideasonboard.com>
Subject: [libcamera-devel] [PATCH 5/5] libcamera: pub_key: Support openssl as an alternative to gnutls

Support verifying IPA signatures with openssl as an alternative to gnutls, to offer more flexibility in the selection of dependencies. Use gnutls by default, for no specific reason as both are equally well supported.

Signed-off-by: Laurent Pinchart
---
 README.rst | 2 +-
 include/libcamera/internal/pub_key.h | 8 +++++--
 src/libcamera/meson.build | 16 +++++++++----
 src/libcamera/pub_key.cpp | 35 ++++++++++++++++++++++++----
 4 files changed, 50 insertions(+), 11 deletions(-)

diff --git a/README.rst b/README.rst index 3606057ff706..e9dd4207ae55 100644 --- a/README.rst +++ b/README.rst 
@@ -61,7 +61,7 @@ for the libcamera core: [required] libyaml-dev python3-yaml python3-ply python3-jinja2 for IPA module signing: [recommended] - libgnutls28-dev openssl + Either libgnutls28-dev or libssl-dev, openssl Without IPA module signing, all IPA modules will be isolated in a separate process. This adds an unnecessary extra overhead at runtime. diff --git a/include/libcamera/internal/pub_key.h b/include/libcamera/internal/pub_key.h index a22ba037cff6..ea7d9af84515 100644 --- a/include/libcamera/internal/pub_key.h +++ b/include/libcamera/internal/pub_key.h @@ -11,7 +11,9 @@ #include -#if HAVE_GNUTLS +#if HAVE_CRYPTO +struct rsa_st; +#elif HAVE_GNUTLS struct gnutls_pubkey_st; #endif @@ -28,7 +30,9 @@ public: private: bool valid_; -#if HAVE_GNUTLS +#if HAVE_CRYPTO + struct rsa_st *pubkey_; +#elif HAVE_GNUTLS struct gnutls_pubkey_st *pubkey_; #endif }; diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build index e144d4f9ae70..ce1f0f2f3ef6 100644 --- a/src/libcamera/meson.build +++ b/src/libcamera/meson.build @@ -65,14 +65,22 @@ subdir('pipeline') subdir('proxy') libdl = cc.find_library('dl') -libgnutls = dependency('gnutls', required : false) libudev = dependency('libudev', required : false) libyaml = dependency('yaml-0.1', required : false) -if libgnutls.found() +# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first. +libcrypto = dependency('gnutls', required : false) +if libcrypto.found() config_h.set('HAVE_GNUTLS', 1) else - warning('gnutls not found, all IPA modules will be isolated') + libcrypto = dependency('libcrypto', required : false) + if libcrypto.found() + config_h.set('HAVE_CRYPTO', 1) + endif +endif + +if not libcrypto.found() + warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated') endif if liblttng.found() @@ -137,8 +145,8 @@ libcamera_deps = [ libatomic, libcamera_base, libcamera_base_private, + libcrypto, libdl, - libgnutls, liblttng, libudev, libyaml, 
diff --git a/src/libcamera/pub_key.cpp b/src/libcamera/pub_key.cpp index b2045a103bc0..723f311b91a2 100644 --- a/src/libcamera/pub_key.cpp +++ b/src/libcamera/pub_key.cpp @@ -7,7 +7,12 @@ #include "libcamera/internal/pub_key.h" -#if HAVE_GNUTLS +#if HAVE_CRYPTO +#include +#include +#include +#include +#elif HAVE_GNUTLS #include #endif @@ -33,7 +38,14 @@ namespace libcamera { PubKey::PubKey([[maybe_unused]] Span key) : valid_(false) { -#if HAVE_GNUTLS +#if HAVE_CRYPTO + const uint8_t *data = key.data(); + pubkey_ = d2i_RSA_PUBKEY(nullptr, &data, key.size()); + if (!pubkey_) + return; + + valid_ = true; +#elif HAVE_GNUTLS int ret = gnutls_pubkey_init(&pubkey_); if (ret < 0) return; @@ -52,7 +64,9 @@ PubKey::PubKey([[maybe_unused]] Span key) PubKey::~PubKey() { -#if HAVE_GNUTLS +#if HAVE_CRYPTO + RSA_free(pubkey_); +#elif HAVE_GNUTLS gnutls_pubkey_deinit(pubkey_); #endif } @@ -79,7 +93,20 @@ bool PubKey::verify([[maybe_unused]] Span data, if (!valid_) return false; -#if HAVE_GNUTLS +#if HAVE_CRYPTO + /* Calculate the SHA256 digest of the data. */ + SHA256_CTX ctx; + SHA256_Init(&ctx); + SHA256_Update(&ctx, data.data(), data.size()); + + uint8_t digest[SHA256_DIGEST_LENGTH]; + SHA256_Final(digest, &ctx); + + /* Decrypt the signature and verify it matches the digest. */ + int ret = RSA_verify(NID_sha256, digest, SHA256_DIGEST_LENGTH, + sig.data(), sig.size(), pubkey_); + return ret == 1; +#elif HAVE_GNUTLS const gnutls_datum_t gnuTlsData{ const_cast(data.data()), static_cast(data.size())
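
Review bot: in [PATCH 2/5], the src/meson.build hunk keeps ipa_sign_module = true and HAVE_IPA_PUBKEY set whenever the openssl program is found, independently of the gnutls check in src/libcamera/meson.build, so a build with openssl but without gnutls prints only 'gnutls not found, all IPA modules will be isolated' while the signing path stays enabled. Consider tying ipa_sign_module to both checks, or have each warning name its role (openssl signs at build time, gnutls verifies at run time) so a packager can tell which dependency to add.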
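
Review bot: in [PATCH 4/5], the warning added to IPAManager::IPAManager() ("Public key not valid") does not state the consequence. With the new early return in PubKey::verify(), every signature check fails once the key did not load, which is the right fail-closed behaviour but is invisible in the log. Suggest a message such as "Public key not valid, IPA module signatures cannot be verified", so the reason modules are treated as unsigned can be found from the log alone.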
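
Review bot: in the README.rst hunk of [PATCH 5/5], "Either libgnutls28-dev or libssl-dev, openssl" can be read as a choice between libgnutls28-dev alone and the pair libssl-dev plus openssl, although src/meson.build looks up the openssl program regardless of which library is used. Suggest wording such as "openssl, and either libgnutls28-dev or libssl-dev".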
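
Review bot: in the src/libcamera/meson.build hunk of [PATCH 5/5], the variable libcrypto is first assigned dependency('gnutls', required : false), so when gnutls is selected the entry named libcrypto in libcamera_deps is actually gnutls. A backend-neutral variable name would avoid the confusion. The preprocessor order (#if HAVE_CRYPTO, #elif HAVE_GNUTLS) is also the reverse of the meson preference; it is harmless while only one macro is ever set, but a short comment saying so would help the next reader.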
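
Review bot: the HAVE_CRYPTO branches in the src/libcamera/pub_key.cpp hunks of [PATCH 5/5] use d2i_RSA_PUBKEY(), RSA_free(), SHA256_Init()/SHA256_Update()/SHA256_Final() and RSA_verify(), all of which are deprecated as of OpenSSL 3.0 and produce deprecation warnings by default when built against it. Consider the EVP interface instead: d2i_PUBKEY() to load the key and EVP_DigestVerifyInit()/EVP_DigestVerify() with EVP_sha256() to check the signature, which also removes the separate digest step. Keep the strict ret == 1 comparison, since the EVP verify calls can return negative values on error.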