summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNicholas Roth <nicholas@rothemail.net>2022-10-30 18:04:58 -0500
committerJacopo Mondi <jacopo@jmondi.org>2022-12-01 11:32:13 +0100
commit69050ca70469c40b90fad8bc2b3182ebe1ea4f5a (patch)
tree5cfc6f7a9aed031e6eb8e7c3e2d448718c66356c
parentac58d82c55806dea35275344f0fd12a4cf2c8904 (diff)
ipa: add a flag to disable isolation for Android
Currently, libcamera isolates any IPAs whose signatures cannot be verified. Shared objects are created at build-time, and then signed. The public signing key is embedded in a .cpp file, and libcamera verifies IPA signatures at runtime. When libcamera cannot authenticate an IPA, it runs it out-of-process. This is problematic on three levels: * IPA signing fundamentally does not work on Android for vendor modules like HALs (discussed below) * Executables built to run out-of-process are not ABI-compatible with Android, making isolation infeasible [1] * Linux phone hardware tends to be low-end because of the FOSS requirement, so the performance hit from out-of-process IPA isolation is significant IPA signing fundamentally does not work for Android vendor modules: After we "meson install" built .so files to a known location, Android explicitly access them in PREBUILT_SHARED_LIBRARY or BUILD_PREBUILIT to transform the .so files by stripping symbols among other things [2]. By modifying prebuilt libraries after we have already signed them, the build system renders our signatures useless on Android. Android distribution maintainers can use this flag to disable signature verification, which will allow them to use libcamera. [1] https://github.com/waydroid/waydroid/issues/519 [2] https://cs.android.com/android/platform/superproject/+/master:build/make/core/cc_prebuilt_internal.mk?q=cc_prebuilt_internal Signed-off-by: Nicholas Roth <nicholas@rothemail.net>
-rw-r--r--meson.build4
-rw-r--r--meson_options.txt5
-rw-r--r--src/libcamera/ipa_manager.cpp11
3 files changed, 20 insertions, 0 deletions
diff --git a/meson.build b/meson.build
index e4c0be16..2529444d 100644
--- a/meson.build
+++ b/meson.build
@@ -76,6 +76,10 @@ if cc.has_header_symbol('stdlib.h', 'secure_getenv', prefix : '#define _GNU_SOUR
config_h.set('HAVE_SECURE_GETENV', 1)
endif
+if get_option('allow_unsigned_ipas_in_process')
+ config_h.set('ALLOW_UNSIGNED_IPAS_IN_PROCESS', 1)
+endif
+
common_arguments = [
'-Wshadow',
'-include', meson.current_build_dir() / 'config.h',
diff --git a/meson_options.txt b/meson_options.txt
index 1ba6778c..3f9fe245 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -64,3 +64,8 @@ option('pycamera',
type : 'feature',
value : 'disabled',
description : 'Enable libcamera Python bindings (experimental)')
+
+option('allow_unsigned_ipas_in_process',
+ type : 'boolean',
+ value : false,
+ description : 'Allow unsigned IPAs to run in libcamera\'s address space')
diff --git a/src/libcamera/ipa_manager.cpp b/src/libcamera/ipa_manager.cpp
index 030ef43f..403cc42a 100644
--- a/src/libcamera/ipa_manager.cpp
+++ b/src/libcamera/ipa_manager.cpp
@@ -114,6 +114,14 @@ IPAManager::IPAManager()
LOG(IPAManager, Warning) << "Public key not valid";
#endif
+#if ALLOW_UNSIGNED_IPAS_IN_PROCESS
+ LOG(IPAManager, Warning)
+ << "All IPAs running in-process without signature verification."
+ << " This is recommended only for tightly-managed installs"
+ << " in contexts where both signature verification and out-of-process"
+ << " execution are infeasible, such as Android HALs.";
+#endif
+
unsigned int ipaCount = 0;
/* User-specified paths take precedence. */
@@ -281,6 +289,9 @@ IPAModule *IPAManager::module(PipelineHandler *pipe, uint32_t minVersion,
bool IPAManager::isSignatureValid([[maybe_unused]] IPAModule *ipa) const
{
+#if ALLOW_UNSIGNED_IPAS_IN_PROCESS
+ return true;
+#endif
#if HAVE_IPA_PUBKEY
char *force = utils::secure_getenv("LIBCAMERA_IPA_FORCE_ISOLATION");
if (force && force[0] != '\0') {