To: Andrew Tropin
Cc: Jacopo Mondi, 72828@debbugs.gnu.org, Ludovic Courtès
Date: Thu, 5 Sep 2024 08:56:54 +0200
From: Jacopo Mondi
Subject: Re: bug#72828: Grafting breaks libcamera signatures

Hi Andrew, Ludovic,

On Wed, Sep 04, 2024 at 09:42:17PM GMT, Andrew Tropin wrote:
> On 2024-09-04 18:42, Ludovic Courtès wrote:
>
> > Hi Jacopo,
> >
> > Jacopo Mondi skribis:
> >
> >> Not exactly. In libcamera, apart from creating a library to ease all
> >> the camera stack plumbing, we're creating an ecosystem of open-source
> >> 3A algorithms (what we call the IPA modules).
> >>
> >> Camera vendors and ODMs which invested in products with specific
> >> camera features, consider 3A algorithms and their tuning their secret
> >> sauce and are usually not willing to consider releasing them as open
> >> source with, fortunately, notable exceptions such as RaspberryPi
> >>
> >> Please note that all the platforms libcamera supports have an
> >> open-source 3A algorithm module available part of the main code base,
> >> and we consider open source 3A modules our 'first class citizens' and
> >> we're willing to develop and maintain them in libcamera mainline
> >> branch as free software, but at this point we have to provide a way for
> >> third-parties to load binary modules if they want to.
> >>
> >> The alternative is to have them continue developing camera stacks
> >> fully behind closed doors as it has been done so far.
> >
> > OK, I see, thanks for explaining the context.
> >
> >> As said, modules not built against the libcamera sources will not be
> >> signed, as they are distributed by other means by a vendor in binary
> >> form. To establish if a module has been built with the libcamera
> >> sources or not, we sign it during the build with a volatile key and
> >> validate the signature at run-time, when the IPA module is loaded.
> >>
> >> IPA modules for which the signature is not valid (either because they
> >> are distributed as binaries or, as in this case, because the build
> >> system strips symbols before installing the objects) are loaded in an
> >> isolated process and instead of being operated with direct function
> >> calls, we have implemented an IPC mechanism to communicate with them.
> >> This path is way less tested by our regular users and in our daily
> >> work on libcamera. Vendors that are running their binaries as isolated
> >> might have fixed issues here and there but maybe they have not
> >> reported the issue and the associated fix upstream (we have no control
> >> over this).
> >>
> >> For this reason I don't suggest running modules as isolated, even more
> >> if you have no reasons to do so. If all it takes is re-signing IPA modules
> >> after stripping them as Andrew did I would really consider doing that.
> >
> > Yeah, got it.  The other option, with the understanding that IPA modules
> > are all going to be free software here, would be to dismiss both the
> > authentication and the isolation mechanism, possibly with a custom
> > patch.  It seems like the change wouldn’t be too intrusive and it would
> > solve the problem for “grafts” as well (grafts modify files in a
> > non-functional way).
>
> On 2024-09-02 10:45, Andrew Tropin via Bug reports for GNU Guix wrote:
> > Anyway, I think the current most reasonable solution is to remove
> > signing step at all, because the signatures will be invalidated by
> > grafting anyway and make it work somehow (either by loading in
> > isolation if it's possible or by loading unsigned libraries without
> > signature check directly).
>
> Everything indicates that we need to disable module authentication.
>
> Jacopo, I think I'll patch IPAManager::isSignatureValid to always return
> true.
>
> https://git.libcamera.org/libcamera/libcamera.git/tree/src/libcamera/ipa_manager.cpp#n285
>
> Like that:
>
>
> Everyone is ok with it?

At this point it is a distro decision, either if you prefer to carry
an out-of-tree patch in your tree or tweak the build system. Be aware
that, sooner or later, the signature mechanism will be reworked and
your custom patch might not apply anymore.

Up to you :)

>
> --
> Best regards,
> Andrew Tropin
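
The failure mode discussed in this thread, as an added shell example that is not part of the original e-mail and is not libcamera's or Guix's own code: a file is signed with a throwaway key at build time, then altered by a simulated strip and a simulated graft, and each stage is checked against the detached signature. The file contents, file names, the `openssl` invocations and the `in-process`/`isolated` labels are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added illustration: constructed file contents, hypothetical names throughout.
set -eu

# Sign MODULE with PRIVKEY, writing a detached signature to MODULE.sign.
sign_module() { openssl dgst -sha256 -sign "$2" -out "$1.sign" "$1"; }

# Report how a loader that trusts only validly signed modules would treat MODULE.
load_mode() {
    if openssl dgst -sha256 -verify "$2" -signature "$1.sign" "$1" >/dev/null 2>&1
    then echo in-process
    else echo isolated
    fi
}

demo() {
    d=$(mktemp -d); m="$d/ipa_demo.so"
    # Volatile key pair: exists only for the duration of the "build".
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/priv.pem" 2>/dev/null
    openssl pkey -in "$d/priv.pem" -pubout -out "$d/pub.pem"

    # Constructed stand-in for a module: a store reference plus debug data.
    old=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; new=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
    printf 'code RUNPATH=/gnu/store/%s-dep-1.0/lib\ndebug-symbols\n' "$old" > "$m"
    sign_module "$m" "$d/priv.pem"
    built=$(load_mode "$m" "$d/pub.pem")

    # Install phase strips the object (simulated by dropping the last line).
    sed '$d' "$m" > "$m.tmp" && mv "$m.tmp" "$m"
    stripped=$(load_mode "$m" "$d/pub.pem")

    # Re-signing is possible only while the private key still exists.
    sign_module "$m" "$d/priv.pem"
    resigned=$(load_mode "$m" "$d/pub.pem")
    rm "$d/priv.pem"

    # A graft rewrites the store reference in place, same length, later on.
    sed "s/$old/$new/" "$m" > "$m.tmp" && mv "$m.tmp" "$m"
    grafted=$(load_mode "$m" "$d/pub.pem")

    rm -rf "$d"
    echo "$built $stripped $resigned $grafted"
}

demo
```

The last stage is the one re-signing cannot repair: by the time the graft changes the bytes, the private key no longer exists, so the signature stays invalid.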