On 2024-08-31 21:36, Ludovic Courtès wrote: > Hi Andrew, > > Andrew Tropin skribis: > >> For the last a few days I was updating and fixing libcamera package. >> >> The last problem I faced with it is invalid signatures: >> >> [0:44:16.200646504] [17247] DEBUG IPAManager ipa_manager.cpp:316 IPA module /gnu/store/pfh7adzzy8akkqsjj4wlnmvmbzmrfbvk-libcamera-0.3.1/lib/libcamera/ipa_soft_simple.so signature is not valid > > I was curious about those signatures so I browsed ‘ipa_module.cpp’ and > ‘ipa_manager.cpp’. I wondered: what is that supposed to protect against > in the first place? Bogus LD_LIBRARY_PATH that leads users to load > third-party code instead of the intended module? > > Apparently those loadable modules can be isolated in separate processes > when they lack a valid signature, or when LIBCAMERA_IPA_FORCE_ISOLATION > is set. ‘ipa_manager.cpp’ sheds some light on the rationale for so much > sophistication: > > * Module isolation is based on the module licence. Open-source modules are > * loaded without isolation, while closed-source module are forcefully isolated. > * The isolation mechanism ensures that no code from a closed-source module is > * ever run in the libcamera process. > > This probably makes sense in the context that the copyright owner, > Google, envisioned: presumably Android programs loading random > proprietary modules coming from the app store. But I wonder what the > point is in the context of a free GNU/Linux distro. > > In Meson there’s an ‘ipa_sign_module’ boolean variable and > ‘src/meson.build’ says this: > > --8<---------------cut here---------------start------------->8--- > if openssl.found() > ipa_priv_key = custom_target('ipa-priv-key', > output : ['ipa-priv-key.pem'], > command : [gen_ipa_priv_key, '@OUTPUT@']) > config_h.set('HAVE_IPA_PUBKEY', 1) > ipa_sign_module = true > else > warning('openssl not found, all IPA modules will be isolated') > ipa_sign_module = false > endif > --8<---------------cut here---------------end--------------->8--- > > Perhaps we should try removing ‘openssl’ from the inputs and thus have > all the modules isolated? > > Ludo’. It seems by default libcamera fallbacks to loading the module with invalid signature in a separate process, however in my case it segfaulted and killed pipewire in addition to that. Not sure that all the modules can be properly loaded in isolation, will clarify it with libcamera devs. Anyway, I think the current most reasonable solution is to remove signing step at all, because the signaturs will be invalidated by grafting anyway and make it work somehow (either by loading in isolation if it's possible or by loading unsigned libraries without signature check directly). WDYT? -- Best regards, Andrew Tropin