From patchwork Mon Aug 8 23:08:30 2022
X-Patchwork-Submitter: Laurent Pinchart
X-Patchwork-Id: 17032
From: Laurent Pinchart
To: libcamera-devel@lists.libcamera.org
Date: Tue, 9 Aug 2022 02:08:30 +0300
Message-Id: <20220808230833.16275-2-laurent.pinchart@ideasonboard.com>
In-Reply-To: <20220808230833.16275-1-laurent.pinchart@ideasonboard.com>
Subject: [libcamera-devel] [PATCH v2 1/4] libcamera: meson: Use dependency() to find gnutls

The gnutls library ships a pkgconfig .pc file. Use the standard dependency() method to locate it, instead of cc.find_library().

Signed-off-by: Laurent Pinchart
Reviewed-by: Eric Curtin
Reviewed-by: Kieran Bingham
---
 src/libcamera/meson.build | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build index b57bee7ef6ca..7cc06de4aedc 100644 --- a/src/libcamera/meson.build +++ b/src/libcamera/meson.build
@@ -65,7 +65,7 @@ subdir('pipeline') subdir('proxy') libdl = cc.find_library('dl') -libgnutls = cc.find_library('gnutls', required : true) +libgnutls = dependency('gnutls', required : true) libudev = dependency('libudev', required : false) libyaml = dependency('yaml-0.1', required : false)

From patchwork Mon Aug 8 23:08:31 2022
X-Patchwork-Submitter: Laurent Pinchart
X-Patchwork-Id: 17033
From: Laurent Pinchart
To: libcamera-devel@lists.libcamera.org
Date: Tue, 9 Aug 2022 02:08:31 +0300
Message-Id: <20220808230833.16275-3-laurent.pinchart@ideasonboard.com>
In-Reply-To: <20220808230833.16275-1-laurent.pinchart@ideasonboard.com>
Subject: [libcamera-devel] [PATCH v2 2/4] libcamera: pub_key: Gracefully handle failures to load public key

If the public key fails to load, PubKey::isValid() function returns false. The only user of the PubKey class, the IPAManager class, doesn't check that condition, and still calls the PubKey::verify() function, which leads to a crash. Fix this by returning false from PubKey::verify() if the key isn't valid, and log a warning in the IPAManager constructor to report the issue.

Signed-off-by: Laurent Pinchart
Reviewed-by: Eric Curtin
Reviewed-by: Kieran Bingham
---
 src/libcamera/ipa_manager.cpp | 3 +++
 src/libcamera/pub_key.cpp | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/src/libcamera/ipa_manager.cpp b/src/libcamera/ipa_manager.cpp index ec9660456960..2f96a2072fd6 100644 --- a/src/libcamera/ipa_manager.cpp +++ b/src/libcamera/ipa_manager.cpp @@ -109,6 +109,9 @@ IPAManager::IPAManager() LOG(IPAManager, Fatal) << "Multiple IPAManager objects are not allowed"; + if (!pubKey_.isValid()) + LOG(IPAManager, Warning) << "Public key not valid"; + unsigned int ipaCount = 0; /* User-specified paths take precedence. */ diff --git a/src/libcamera/pub_key.cpp b/src/libcamera/pub_key.cpp index 9bb08fda34af..b2045a103bc0 100644 --- a/src/libcamera/pub_key.cpp +++ b/src/libcamera/pub_key.cpp 
@@ -76,6 +76,9 @@ PubKey::~PubKey() bool PubKey::verify([[maybe_unused]] Span data, [[maybe_unused]] Span sig) const { + if (!valid_) + return false; + #if HAVE_GNUTLS const gnutls_datum_t gnuTlsData{ const_cast(data.data()),

From patchwork Mon Aug 8 23:08:32 2022
X-Patchwork-Submitter: Laurent Pinchart
X-Patchwork-Id: 17034
From: Laurent Pinchart
To: libcamera-devel@lists.libcamera.org
Date: Tue, 9 Aug 2022 02:08:32 +0300
Message-Id: <20220808230833.16275-4-laurent.pinchart@ideasonboard.com>
In-Reply-To: <20220808230833.16275-1-laurent.pinchart@ideasonboard.com>
Subject: [libcamera-devel] [PATCH v2 3/4] libcamera: pub_key: Support openssl as an alternative to gnutls

Support verifying IPA signatures with openssl as an alternative to gnutls, to offer more flexibility in the selection of dependencies. Use gnutls by default, for no specific reason as both are equally well supported.

Signed-off-by: Laurent Pinchart
Reviewed-by: Eric Curtin
Reviewed-by: Kieran Bingham
---
Changes since v1:
- Don't use functions deprecated in OpenSSL 3.0
---
 README.rst | 2 +-
 include/libcamera/internal/pub_key.h | 8 +++--
 src/libcamera/meson.build | 10 ++++--
 src/libcamera/pub_key.cpp | 47 +++++++++++++++++++++++++---
 4 files changed, 57 insertions(+), 10 deletions(-)

diff --git a/README.rst b/README.rst index 77374c6a72b1..3bf4685b0e15 100644 --- a/README.rst
+++ b/README.rst @@ -61,7 +61,7 @@ for the libcamera core: [required] libyaml-dev python3-yaml python3-ply python3-jinja2 for IPA module signing: [required] - libgnutls28-dev openssl + Either libgnutls28-dev or libssl-dev, openssl for improved debugging: [optional] libdw-dev libunwind-dev diff --git a/include/libcamera/internal/pub_key.h b/include/libcamera/internal/pub_key.h index a22ba037cff6..8653a912b2d5 100644 --- a/include/libcamera/internal/pub_key.h +++ b/include/libcamera/internal/pub_key.h @@ -11,7 +11,9 @@ #include -#if HAVE_GNUTLS +#if HAVE_CRYPTO +struct evp_pkey_st; +#elif HAVE_GNUTLS struct gnutls_pubkey_st; #endif @@ -28,7 +30,9 @@ public: private: bool valid_; -#if HAVE_GNUTLS +#if HAVE_CRYPTO + struct evp_pkey_st *pubkey_; +#elif HAVE_GNUTLS struct gnutls_pubkey_st *pubkey_; #endif }; diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build index 7cc06de4aedc..401fc498cfbc 100644 --- a/src/libcamera/meson.build +++ b/src/libcamera/meson.build @@ -65,12 +65,16 @@ subdir('pipeline') subdir('proxy') libdl = cc.find_library('dl') -libgnutls = dependency('gnutls', required : true) libudev = dependency('libudev', required : false) libyaml = dependency('yaml-0.1', required : false) -if libgnutls.found() +# Use one of gnutls or libcrypto (provided by OpenSSL), trying gnutls first. +libcrypto = dependency('gnutls2', required : false) +if libcrypto.found() config_h.set('HAVE_GNUTLS', 1) +else + libcrypto = dependency('libcrypto', required : true) + config_h.set('HAVE_CRYPTO', 1) endif if liblttng.found() @@ -135,8 +139,8 @@ libcamera_deps = [ libatomic, libcamera_base, libcamera_base_private, + libcrypto, libdl, - libgnutls, liblttng, libudev, libyaml, diff --git a/src/libcamera/pub_key.cpp b/src/libcamera/pub_key.cpp index b2045a103bc0..64dfa23497c2 100644 --- a/src/libcamera/pub_key.cpp +++ b/src/libcamera/pub_key.cpp 
@@ -7,7 +7,12 @@ #include "libcamera/internal/pub_key.h" -#if HAVE_GNUTLS +#if HAVE_CRYPTO +#include +#include +#include +#include +#elif HAVE_GNUTLS #include #endif @@ -33,7 +38,14 @@ namespace libcamera { PubKey::PubKey([[maybe_unused]] Span key) : valid_(false) { -#if HAVE_GNUTLS +#if HAVE_CRYPTO + const uint8_t *data = key.data(); + pubkey_ = d2i_PUBKEY(nullptr, &data, key.size()); + if (!pubkey_) + return; + + valid_ = true; +#elif HAVE_GNUTLS int ret = gnutls_pubkey_init(&pubkey_); if (ret < 0) return; @@ -52,7 +64,9 @@ PubKey::PubKey([[maybe_unused]] Span key) PubKey::~PubKey() { -#if HAVE_GNUTLS +#if HAVE_CRYPTO + EVP_PKEY_free(pubkey_); +#elif HAVE_GNUTLS gnutls_pubkey_deinit(pubkey_); #endif } 
@@ -79,7 +93,32 @@ bool PubKey::verify([[maybe_unused]] Span data, if (!valid_) return false; -#if HAVE_GNUTLS +#if HAVE_CRYPTO + /* + * Create and initialize a public key algorithm context for signature + * verification. + */ + EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(pubkey_, nullptr); + if (!ctx) + return false; + + if (EVP_PKEY_verify_init(ctx) <= 0 || + EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0 || + EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0) { + EVP_PKEY_CTX_free(ctx); + return false; + } + + /* Calculate the SHA256 digest of the data. */ + uint8_t digest[SHA256_DIGEST_LENGTH]; + SHA256(data.data(), data.size(), digest); + + /* Decrypt the signature and verify it matches the digest. */ + int ret = EVP_PKEY_verify(ctx, sig.data(), sig.size(), digest, + SHA256_DIGEST_LENGTH); + EVP_PKEY_CTX_free(ctx); + return ret == 1; +#elif HAVE_GNUTLS const gnutls_datum_t gnuTlsData{ const_cast(data.data()), static_cast(data.size())

From patchwork Mon Aug 8 23:08:33 2022
X-Patchwork-Submitter: Laurent Pinchart
X-Patchwork-Id: 17035
From: Laurent Pinchart
To: libcamera-devel@lists.libcamera.org
Date: Tue, 9 Aug 2022 02:08:33 +0300
Message-Id: <20220808230833.16275-5-laurent.pinchart@ideasonboard.com>
In-Reply-To: <20220808230833.16275-1-laurent.pinchart@ideasonboard.com>
Subject: [libcamera-devel] [PATCH v2 4/4] libcamera: Make IPA module signing recommended instead of mandatory

Commit b382f67c833d ("libcamera: Make IPA module signing mandatory for the meantime") made openssl and gnutls dependencies mandatory to work around the lack of proper IPA module isolation support, which broke operation without module signatures. This has now been fixed, so IPA module isolation isn't strictly required anymore.

There are few use cases for disabling module signing completely, given that the openssl or gnutls dependencies are available on the vast majority of systems and the overhead introduced by isolating all IPA modules when signatures are not available is better avoided. Nonetheless, libcamera should operate properly with forced IPA module isolation, so we can support those use cases.

Adopt a middle-ground approach to avoid unintentional isolation by documenting the dependencies as recommended, and warn at meson setup time if they are not found.

Signed-off-by: Laurent Pinchart
Reviewed-by: Eric Curtin
Reviewed-by: Kieran Bingham
---
 README.rst | 5 ++++-
 src/libcamera/meson.build | 10 ++++++++--
 src/meson.build | 3 ++-
 3 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/README.rst b/README.rst index 3bf4685b0e15..e9dd4207ae55 100644 --- a/README.rst +++ b/README.rst @@ -60,9 +60,12 @@ Meson Build system: [required] for the libcamera core: [required] libyaml-dev python3-yaml python3-ply python3-jinja2 -for IPA module signing: [required] +for IPA module signing: [recommended] Either libgnutls28-dev or libssl-dev, openssl + Without IPA module signing, all IPA modules will be isolated in a + separate process. This adds an unnecessary extra overhead at runtime. + for improved debugging: [optional] libdw-dev libunwind-dev diff --git a/src/libcamera/meson.build b/src/libcamera/meson.build index 401fc498cfbc..0efa8fd5df7f 100644 --- a/src/libcamera/meson.build +++ b/src/libcamera/meson.build
@@ -73,8 +73,14 @@ libcrypto = dependency('gnutls2', required : false) if libcrypto.found() config_h.set('HAVE_GNUTLS', 1) else - libcrypto = dependency('libcrypto', required : true) - config_h.set('HAVE_CRYPTO', 1) + libcrypto = dependency('libcrypto', required : false) + if libcrypto.found() + config_h.set('HAVE_CRYPTO', 1) + endif +endif + +if not libcrypto.found() + warning('Neither gnutls nor libcrypto found, all IPA modules will be isolated') endif if liblttng.found() diff --git a/src/meson.build b/src/meson.build index 34663a6f134d..f37c44ca9f60 100644 --- a/src/meson.build +++ b/src/meson.build @@ -14,7 +14,7 @@ summary({ }, section : 'Paths') # Module Signing -openssl = find_program('openssl', required : true) +openssl = find_program('openssl', required : false) if openssl.found() ipa_priv_key = custom_target('ipa-priv-key', output : ['ipa-priv-key.pem'], @@ -22,6 +22,7 @@ if openssl.found() config_h.set('HAVE_IPA_PUBKEY', 1) ipa_sign_module = true else + warning('openssl not found, all IPA modules will be isolated') ipa_sign_module = false endif
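
Review bot: in [PATCH v2 2/4], src/libcamera/ipa_manager.cpp, the added warning "Public key not valid" in the IPAManager constructor does not tell the reader what happens next. With the companion change in PubKey::verify(), an invalid key means every signature check now returns false, so the message should state that consequence in the same terms as the meson warnings in patch 4/4 ("all IPA modules will be isolated"). That makes a broken or missing key visible in the logs as a change in how modules are trusted, not only as a key-loading error.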
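
Review bot: in [PATCH v2 3/4], src/libcamera/meson.build, the new lookup reads dependency('gnutls2', required : false), whereas the line it removes and patch 1/4 both use the name 'gnutls'. With a different name the lookup no longer matches what patch 1/4 located, so the build would fall through to libcrypto and HAVE_GNUTLS would never be set, which contradicts the commit message's "Use gnutls by default". Please use 'gnutls' here. Separately, storing the gnutls dependency in a variable called libcrypto is confusing when reading libcamera_deps; a backend-neutral name would be clearer.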
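
Review bot: in [PATCH v2 3/4], src/libcamera/pub_key.cpp, the HAVE_CRYPTO branch of the constructor sets valid_ = true for any key that d2i_PUBKEY() can parse, but verify() then calls EVP_PKEY_CTX_set_rsa_padding(), which only applies to RSA keys. A key of another type would report isValid() as true and then fail every verification without any diagnostic, and the warning added in patch 2/4 would never fire. Consider checking the key type in the constructor and leaving valid_ false (after freeing the key) when it is not RSA.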
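
Review bot: in [PATCH v2 3/4], src/libcamera/pub_key.cpp verify(), every failure path of the HAVE_CRYPTO branch returns false silently, so a context setup error (EVP_PKEY_CTX_new(), EVP_PKEY_verify_init(), the padding or digest setters) and a negative return from EVP_PKEY_verify() look the same to the caller as a genuine signature mismatch. Failing closed with "return ret == 1" is the right behaviour; logging the setup and error paths would let someone debugging unexpected module isolation tell a broken crypto configuration from a module that really is unsigned or tampered with.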
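
Review bot: in [PATCH v2 4/4], src/libcamera/meson.build, when neither library is found the only trace is a warning() at setup time, and neither HAVE_GNUTLS nor HAVE_CRYPTO is defined. That silently switches the build from signature-checked modules to isolating every module, and a single warning line is easy to miss in configure output or CI logs. Consider also reporting the selected signature backend (gnutls, libcrypto or none) through summary(), as src/meson.build already does for paths. The context line of this hunk still carries dependency('gnutls2', ...) from patch 3/4, which needs the same fix here.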
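
Review bot: in [PATCH v2 4/4], src/meson.build, ipa_sign_module and HAVE_IPA_PUBKEY depend only on the openssl program being found, while the ability to verify signatures depends on the library lookup in src/libcamera/meson.build. With the openssl tool present but neither gnutls nor libcrypto available, modules are still signed at build time although nothing can verify them at runtime. Either tie the two conditions together or document that combination, so that the two warnings added in this patch cover every configuration in which modules end up isolated.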