authorLaurent Pinchart <laurent.pinchart@ideasonboard.com>2020-04-29 04:23:46 +0300
committerLaurent Pinchart <laurent.pinchart@ideasonboard.com>2020-04-29 15:17:42 +0300
commit7206035ee609d213156fd78cc78b14f9ce3f12dd (patch)
tree38826676a2705b0464cb8507c1b632c0f2034ceb
parent668cefa7e601f345ac34d90cd6c0bf908ab4f825 (diff)
libcamera: Regenerate IPA module signatures at install time
When the IPA modules are installed, meson strips the DT_RPATH and DT_RUNPATH from the binaries. This invalidates the signatures. Disable installation of the .sign files and add an installation script to regenerate them directly in the target directory. The .sign files still need to be created at build time to support running IPA modules from the build tree. Two alternative approaches have been considered: - meson could be taught a new target argument to preserve binary compatibility by skipping any operation that modifies files. This has been proposed in the #mesonbuild IRC channel. While this could be interesting in the longer term, we need to fix the issue now. - The module signatures could be computed on selected sections only. While skipping the .dynamic section when signing may not cause security issues, it would make signature generation and verification more complex, and wasn't deemed worth it. Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
-rwxr-xr-xsrc/ipa/ipa-sign-install.sh18
-rw-r--r--src/ipa/meson.build9
-rw-r--r--src/ipa/rkisp1/meson.build3
-rw-r--r--src/ipa/vimc/meson.build3
4 files changed, 29 insertions, 4 deletions
diff --git a/src/ipa/ipa-sign-install.sh b/src/ipa/ipa-sign-install.sh
new file mode 100755
index 00000000..5317a8a2
--- /dev/null
+++ b/src/ipa/ipa-sign-install.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (C) 2020, Google Inc.
+#
+# Author: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+#
+# ipa-sign-install.sh - Regenerate IPA module signatures when installing
+
+libdir=$1
+key=$2
+
+ipa_sign=$(dirname "$0")/ipa-sign.sh
+
+echo "Regenerating IPA modules signatures"
+
+for module in "${MESON_INSTALL_DESTDIR_PREFIX}/${libdir}"/*.so ; do
+ "${ipa_sign}" "${key}" "${module}" "${module}.sign"
+done
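Review bot: A failure of `ipa-sign.sh` inside the loop is ignored, because the script has no `set -e` and its exit status is that of the last iteration only; an install can then complete with a module whose `.sign` file is missing or stale. Adding `set -e` right after the header comment would stop at the first signature that fails. When no module matches, sh leaves the pattern unexpanded and the signer is called on a literal `*.so` path, so a guard such as `[ -e "${module}" ] || continue` as the first line of the loop body is worth adding.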
diff --git a/src/ipa/meson.build b/src/ipa/meson.build
index 145bf810..56e65eaa 100644
--- a/src/ipa/meson.build
+++ b/src/ipa/meson.build
@@ -25,3 +25,12 @@ foreach pipeline : get_option('pipelines')
subdir(pipeline)
endif
endforeach
+
+if ipa_sign_module
+ # Regenerate the signatures for all IPA modules. We can't simply install the
+ # .sign files, as meson strips the DT_RPATH and DT_RUNPATH from binaries at
+ # install time, which invalidates the signatures.
+ meson.add_install_script('ipa-sign-install.sh',
+ ipa_install_dir,
+ ipa_priv_key.full_path())
+endif
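Review bot: Only the directory is handed to the script here, and its loop signs every `*.so` it finds under `ipa_install_dir` in the destination prefix, so a module that was already in that directory and did not come from this build would also receive a signature made with `ipa_priv_key`. If a valid signature decides how a module is treated at load time (not visible in this diff), that extends trust to files the build never produced. Passing the names of the modules built for the enabled pipelines as further arguments, and having the script sign only those, would keep the signed set equal to the installed set. The comment could also say that the private key must still be present in the build tree when the install step runs.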
diff --git a/src/ipa/rkisp1/meson.build b/src/ipa/rkisp1/meson.build
index 247d0429..6c6aa82f 100644
--- a/src/ipa/rkisp1/meson.build
+++ b/src/ipa/rkisp1/meson.build
@@ -14,6 +14,5 @@ if ipa_sign_module
input : mod,
output : ipa_name + '.so.sign',
command : [ ipa_sign, ipa_priv_key, '@INPUT@', '@OUTPUT@' ],
- install : true,
- install_dir : ipa_install_dir)
+ install : false)
endif
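Review bot: With `install : false` and no `build_by_default` among the visible arguments, this custom target may drop out of the default build, since meson derives that default from `install` when `build_by_default` is not given. The commit message says the `.sign` files are still needed at build time to run IPA modules from the build tree. Unless it is already set on a line above the hunk (the `custom_target(` call starts outside it), add `build_by_default : true` next to `install : false`. The same applies to the identical change in src/ipa/vimc/meson.build.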
diff --git a/src/ipa/vimc/meson.build b/src/ipa/vimc/meson.build
index f8650ee8..253847e1 100644
--- a/src/ipa/vimc/meson.build
+++ b/src/ipa/vimc/meson.build
@@ -14,8 +14,7 @@ if ipa_sign_module
input : mod,
output : ipa_name + '.so.sign',
command : [ ipa_sign, ipa_priv_key, '@INPUT@', '@OUTPUT@' ],
- install : true,
- install_dir : ipa_install_dir)
+ install : false)
endif
subdir('data')