diff options
author | Laurent Pinchart <laurent.pinchart@ideasonboard.com> | 2020-04-29 04:23:46 +0300 |
---|---|---|
committer | Laurent Pinchart <laurent.pinchart@ideasonboard.com> | 2020-04-29 15:17:42 +0300 |
commit | 7206035ee609d213156fd78cc78b14f9ce3f12dd (patch) | |
tree | 38826676a2705b0464cb8507c1b632c0f2034ceb | |
parent | 668cefa7e601f345ac34d90cd6c0bf908ab4f825 (diff) |
libcamera: Regenerate IPA module signatures at install time
When the IPA modules are installed, meson strips the DT_RPATH and
DT_RUNPATH from the binaries. This invalidates the signatures. Disable
installation of the .sign files and add an installation script to
regenerate them directly in the target directory. The .sign files still
need to be created at build time to support running IPA modules from the
build tree.
Two alternative approaches have been considered:
- meson could be taught a new target argument to preserve binary
compatibility by skipping any operation that modifies files. This has
been proposed in the #mesonbuild IRC channel. While this could be
interesting in the longer term, we need to fix the issue now.
- The module signatures could be computed on selected sections only.
While skipping the .dynamic section when signing may not cause
security issues, it would make signature generation and verification
more complex, and wasn't deemed worth it.
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
-rwxr-xr-x | src/ipa/ipa-sign-install.sh | 18 | ||||
-rw-r--r-- | src/ipa/meson.build | 9 | ||||
-rw-r--r-- | src/ipa/rkisp1/meson.build | 3 | ||||
-rw-r--r-- | src/ipa/vimc/meson.build | 3 |
4 files changed, 29 insertions, 4 deletions
diff --git a/src/ipa/ipa-sign-install.sh b/src/ipa/ipa-sign-install.sh new file mode 100755 index 00000000..5317a8a2 --- /dev/null +++ b/src/ipa/ipa-sign-install.sh @@ -0,0 +1,18 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0-or-later +# Copyright (C) 2020, Google Inc. +# +# Author: Laurent Pinchart <laurent.pinchart@ideasonboard.com> +# +# ipa-sign-install.sh - Regenerate IPA module signatures when installing + +libdir=$1 +key=$2 + +ipa_sign=$(dirname "$0")/ipa-sign.sh + +echo "Regenerating IPA modules signatures" + +for module in "${MESON_INSTALL_DESTDIR_PREFIX}/${libdir}"/*.so ; do + "${ipa_sign}" "${key}" "${module}" "${module}.sign" +done diff --git a/src/ipa/meson.build b/src/ipa/meson.build index 145bf810..56e65eaa 100644 --- a/src/ipa/meson.build +++ b/src/ipa/meson.build @@ -25,3 +25,12 @@ foreach pipeline : get_option('pipelines') subdir(pipeline) endif endforeach + +if ipa_sign_module + # Regenerate the signatures for all IPA modules. We can't simply install the + # .sign files, as meson strips the DT_RPATH and DT_RUNPATH from binaries at + # install time, which invalidates the signatures. + meson.add_install_script('ipa-sign-install.sh', + ipa_install_dir, + ipa_priv_key.full_path()) +endif diff --git a/src/ipa/rkisp1/meson.build b/src/ipa/rkisp1/meson.build index 247d0429..6c6aa82f 100644 --- a/src/ipa/rkisp1/meson.build +++ b/src/ipa/rkisp1/meson.build @@ -14,6 +14,5 @@ if ipa_sign_module input : mod, output : ipa_name + '.so.sign', command : [ ipa_sign, ipa_priv_key, '@INPUT@', '@OUTPUT@' ], - install : true, - install_dir : ipa_install_dir) + install : false) endif diff --git a/src/ipa/vimc/meson.build b/src/ipa/vimc/meson.build index f8650ee8..253847e1 100644 --- a/src/ipa/vimc/meson.build +++ b/src/ipa/vimc/meson.build @@ -14,8 +14,7 @@ if ipa_sign_module input : mod, output : ipa_name + '.so.sign', command : [ ipa_sign, ipa_priv_key, '@INPUT@', '@OUTPUT@' ], - install : true, - install_dir : ipa_install_dir) + install : false) endif subdir('data') |