Hi Andrew,
Andrew Tropin <[email protected]> skribis:
> For the last a few days I was updating and fixing libcamera package.
>
> The last problem I faced with it is invalid signatures:
>
> [0:44:16.200646504] [17247] DEBUG IPAManager ipa_manager.cpp:316 IPA module
> /gnu/store/pfh7adzzy8akkqsjj4wlnmvmbzmrfbvk-libcamera-0.3.1/lib/libcamera/ipa_soft_simple.so
> signature is not valid
I was curious about those signatures so I browsed ‘ipa_module.cpp’ and
‘ipa_manager.cpp’. I wondered: what is that supposed to protect against
in the first place? Bogus LD_LIBRARY_PATH that leads users to load
third-party code instead of the intended module?
Apparently those loadable modules can be isolated in separate processes
when they lack a valid signature, or when LIBCAMERA_IPA_FORCE_ISOLATION
is set. ‘ipa_manager.cpp’ sheds some light on the rationale for so much
sophistication:
* Module isolation is based on the module licence. Open-source modules are
* loaded without isolation, while closed-source module are forcefully isolated.
* The isolation mechanism ensures that no code from a closed-source module is
* ever run in the libcamera process.
This probably makes sense in the context that the copyright owner,
Google, envisioned: presumably Android programs loading random
proprietary modules coming from the app store. But I wonder what the
point is in the context of a free GNU/Linux distro.
In Meson there’s an ‘ipa_sign_module’ boolean variable and
‘src/meson.build’ says this:
--8<---------------cut here---------------start------------->8---
if openssl.found()
ipa_priv_key = custom_target('ipa-priv-key',
output : ['ipa-priv-key.pem'],
command : [gen_ipa_priv_key, '@OUTPUT@'])
config_h.set('HAVE_IPA_PUBKEY', 1)
ipa_sign_module = true
else
warning('openssl not found, all IPA modules will be isolated')
ipa_sign_module = false
endif
--8<---------------cut here---------------end--------------->8---
Perhaps we should try removing ‘openssl’ from the inputs and thus have
all the modules isolated?
Ludo’.
