[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#72828: libcamera module signatures
From: |
Andrew Tropin |
Subject: |
bug#72828: libcamera module signatures |
Date: |
Mon, 02 Sep 2024 10:45:52 +0400 |
On 2024-08-31 21:36, Ludovic Courtès wrote:
> Hi Andrew,
>
> Andrew Tropin <andrew@trop.in> skribis:
>
>> For the last a few days I was updating and fixing libcamera package.
>>
>> The last problem I faced with it is invalid signatures:
>>
>> [0:44:16.200646504] [17247] DEBUG IPAManager ipa_manager.cpp:316 IPA module
>> /gnu/store/pfh7adzzy8akkqsjj4wlnmvmbzmrfbvk-libcamera-0.3.1/lib/libcamera/ipa_soft_simple.so
>> signature is not valid
>
> I was curious about those signatures so I browsed ‘ipa_module.cpp’ and
> ‘ipa_manager.cpp’. I wondered: what is that supposed to protect against
> in the first place? Bogus LD_LIBRARY_PATH that leads users to load
> third-party code instead of the intended module?
>
> Apparently those loadable modules can be isolated in separate processes
> when they lack a valid signature, or when LIBCAMERA_IPA_FORCE_ISOLATION
> is set. ‘ipa_manager.cpp’ sheds some light on the rationale for so much
> sophistication:
>
> * Module isolation is based on the module licence. Open-source modules are
> * loaded without isolation, while closed-source module are forcefully
> isolated.
> * The isolation mechanism ensures that no code from a closed-source module is
> * ever run in the libcamera process.
>
> This probably makes sense in the context that the copyright owner,
> Google, envisioned: presumably Android programs loading random
> proprietary modules coming from the app store. But I wonder what the
> point is in the context of a free GNU/Linux distro.
>
> In Meson there’s an ‘ipa_sign_module’ boolean variable and
> ‘src/meson.build’ says this:
>
> --8<---------------cut here---------------start------------->8---
> if openssl.found()
> ipa_priv_key = custom_target('ipa-priv-key',
> output : ['ipa-priv-key.pem'],
> command : [gen_ipa_priv_key, '@OUTPUT@'])
> config_h.set('HAVE_IPA_PUBKEY', 1)
> ipa_sign_module = true
> else
> warning('openssl not found, all IPA modules will be isolated')
> ipa_sign_module = false
> endif
> --8<---------------cut here---------------end--------------->8---
>
> Perhaps we should try removing ‘openssl’ from the inputs and thus have
> all the modules isolated?
>
> Ludo’.
It seems by default libcamera fallbacks to loading the module with
invalid signature in a separate process, however in my case it
segfaulted and killed pipewire in addition to that. Not sure that all
the modules can be properly loaded in isolation, will clarify it with
libcamera devs.
Anyway, I think the current most reasonable solution is to remove
signing step at all, because the signaturs will be invalidated by
grafting anyway and make it work somehow (either by loading in
isolation if it's possible or by loading unsigned libraries without
signature check directly).
WDYT?
--
Best regards,
Andrew Tropin
signature.asc
Description: PGP signature
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- bug#72828: libcamera module signatures,
Andrew Tropin <=