GNU bug report logs - #72828
Grafting breaks libcamera signatures

Package: guix;

Reported by: Andrew Tropin <andrew <at> trop.in>

Date: Tue, 27 Aug 2024 10:48:02 UTC

Severity: normal

Done: Andrew Tropin <andrew <at> trop.in>

Bug is archived. No further changes may be made.


From: Ludovic Courtès <ludo <at> gnu.org>
To: Andrew Tropin <andrew <at> trop.in>
Cc: 72828 <at> debbugs.gnu.org
Subject: bug#72828: libcamera module signatures
Date: Sat, 31 Aug 2024 21:36:49 +0200

Hi Andrew,

Andrew Tropin <andrew <at> trop.in> skribis:

> For the last few days I was updating and fixing libcamera package.
>
> The last problem I faced with it is invalid signatures:
>
> [0:44:16.200646504] [17247] DEBUG IPAManager ipa_manager.cpp:316 IPA module /gnu/store/pfh7adzzy8akkqsjj4wlnmvmbzmrfbvk-libcamera-0.3.1/lib/libcamera/ipa_soft_simple.so signature is not valid

I was curious about those signatures so I browsed ‘ipa_module.cpp’ and
‘ipa_manager.cpp’.  I wondered: what is that supposed to protect against
in the first place?  Bogus LD_LIBRARY_PATH that leads users to load
third-party code instead of the intended module?

Apparently those loadable modules can be isolated in separate processes
when they lack a valid signature, or when LIBCAMERA_IPA_FORCE_ISOLATION
is set.  ‘ipa_manager.cpp’ sheds some light on the rationale for so much
sophistication:

 * Module isolation is based on the module licence. Open-source modules are
 * loaded without isolation, while closed-source module are forcefully isolated.
 * The isolation mechanism ensures that no code from a closed-source module is
 * ever run in the libcamera process.

This probably makes sense in the context that the copyright owner,
Google, envisioned: presumably Android programs loading random
proprietary modules coming from the app store.  But I wonder what the
point is in the context of a free GNU/Linux distro.

In Meson there’s an ‘ipa_sign_module’ boolean variable and
‘src/meson.build’ says this:

--8<---------------cut here---------------start------------->8---
if openssl.found()
    ipa_priv_key = custom_target('ipa-priv-key',
                                 output : ['ipa-priv-key.pem'],
                                 command : [gen_ipa_priv_key, '@OUTPUT@'])
    config_h.set('HAVE_IPA_PUBKEY', 1)
    ipa_sign_module = true
else
    warning('openssl not found, all IPA modules will be isolated')
    ipa_sign_module = false
endif
--8<---------------cut here---------------end--------------->8---

Perhaps we should try removing ‘openssl’ from the inputs and thus have
all the modules isolated?

Ludo’.
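
Why a graft ends up invalidating a build-time module signature, as an added example that is not part of the original message nor libcamera's or Guix's own code: grafting rewrites store paths inside built files with same-length replacements, so the signed bytes change. The sketch assumes a detached RSA/SHA-256 signature over the module file made with `openssl dgst`; the store paths, file names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: paths, file names and the signing command are assumptions.

# Sign file $2 with private key $1, writing a detached signature to $3.
sign_module() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Succeed only if signature $3 over file $2 verifies against public key $1.
verify_module() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Mimic a graft: replace store path $2 by the same-length path $3 in file $1.
graft() {
    [ "${#2}" -eq "${#3}" ] || return 2
    sed "s|$2|$3|g" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print how a loader applying the policy quoted above would treat the module.
load_policy() {
    if verify_module "$1" "$2" "$3"; then echo in-process; else echo isolated; fi
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed store paths: made-up hashes of equal length.
    old=/gnu/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-libdemo-1.0
    new=/gnu/store/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb-libdemo-1.0
    # Throwaway key pair standing in for the build-time ipa-priv-key.pem.
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
    openssl rsa -in "$dir/key.pem" -pubout -out "$dir/pub.pem" 2>/dev/null
    # Stand-in for a module that embeds a dependency's store path.
    printf 'module-stand-in RUNPATH=%s/lib\n' "$old" > "$dir/ipa_demo.so"
    sign_module "$dir/key.pem" "$dir/ipa_demo.so" "$dir/ipa_demo.so.sign"
    before=$(load_policy "$dir/pub.pem" "$dir/ipa_demo.so" "$dir/ipa_demo.so.sign")
    graft "$dir/ipa_demo.so" "$old" "$new"
    after=$(load_policy "$dir/pub.pem" "$dir/ipa_demo.so" "$dir/ipa_demo.so.sign")
    rm -rf "$dir"
    echo "$before $after"
}

demo
```

The signature verifies on the file as built and fails once the embedded path is rewritten, which is the point at which a loader following the quoted policy would fall back to isolation.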




This bug report was last modified 319 days ago.
