bug-guix
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#72828: libcamera module signatures


From: Andrew Tropin
Subject: bug#72828: libcamera module signatures
Date: Mon, 02 Sep 2024 10:45:52 +0400

On 2024-08-31 21:36, Ludovic Courtès wrote:

> Hi Andrew,
>
> Andrew Tropin <andrew@trop.in> skribis:
>
>> For the last a few days I was updating and fixing libcamera package.
>>
>> The last problem I faced with it is invalid signatures:
>>
>> [0:44:16.200646504] [17247] DEBUG IPAManager ipa_manager.cpp:316 IPA module 
>> /gnu/store/pfh7adzzy8akkqsjj4wlnmvmbzmrfbvk-libcamera-0.3.1/lib/libcamera/ipa_soft_simple.so
>>  signature is not valid
>
> I was curious about those signatures so I browsed ‘ipa_module.cpp’ and
> ‘ipa_manager.cpp’.  I wondered: what is that supposed to protect against
> in the first place?  Bogus LD_LIBRARY_PATH that leads users to load
> third-party code instead of the intended module?
>
> Apparently those loadable modules can be isolated in separate processes
> when they lack a valid signature, or when LIBCAMERA_IPA_FORCE_ISOLATION
> is set.  ‘ipa_manager.cpp’ sheds some light on the rationale for so much
> sophistication:
>
>  * Module isolation is based on the module licence. Open-source modules are
>  * loaded without isolation, while closed-source module are forcefully 
> isolated.
>  * The isolation mechanism ensures that no code from a closed-source module is
>  * ever run in the libcamera process.
>
> This probably makes sense in the context that the copyright owner,
> Google, envisioned: presumably Android programs loading random
> proprietary modules coming from the app store.  But I wonder what the
> point is in the context of a free GNU/Linux distro.
>
> In Meson there’s an ‘ipa_sign_module’ boolean variable and
> ‘src/meson.build’ says this:
>
> --8<---------------cut here---------------start------------->8---
> if openssl.found()
>     ipa_priv_key = custom_target('ipa-priv-key',
>                                  output : ['ipa-priv-key.pem'],
>                                  command : [gen_ipa_priv_key, '@OUTPUT@'])
>     config_h.set('HAVE_IPA_PUBKEY', 1)
>     ipa_sign_module = true
> else
>     warning('openssl not found, all IPA modules will be isolated')
>     ipa_sign_module = false
> endif
> --8<---------------cut here---------------end--------------->8---
>
> Perhaps we should try removing ‘openssl’ from the inputs and thus have
> all the modules isolated?
>
> Ludo’.

It seems by default libcamera fallbacks to loading the module with
invalid signature in a separate process, however in my case it
segfaulted and killed pipewire in addition to that.  Not sure that all
the modules can be properly loaded in isolation, will clarify it with
libcamera devs.

Anyway, I think the current most reasonable solution is to remove
signing step at all, because the signaturs will be invalidated by
grafting anyway and make it work somehow (either by loading in
isolation if it's possible or by loading unsigned libraries without
signature check directly).

WDYT?

-- 
Best regards,
Andrew Tropin

Attachment: signature.asc
Description: PGP signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]