libcamera: Regenerate IPA module signatures at install time

When the IPA modules are installed, meson strips the DT_RPATH and DT_RUNPATH from the binaries. This invalidates the signatures. Disable installation of the .sign files and add an installation script to regenerate them directly in the target directory. The .sign files still need to be created at build time to support running IPA modules from the build tree. Two alternative approaches have been considered: - meson could be taught a new target argument to preserve binary compatibility by skipping any operation that modifies files. This has been proposed in the #mesonbuild IRC channel. While this could be interesting in the longer term, we need to fix the issue now. - The module signatures could be computed on selected sections only. While skipping the .dynamic section when signing may not cause security issues, it would make signature generation and verification more complex, and wasn't deemed worth it. Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
2020-04-29 04:23:46 +03:00 · 2020-04-29 04:23:46 +03:00 · 7206035ee6
commit 7206035ee6
parent 668cefa7e6
4 changed files with 29 additions and 4 deletions
--- a/src/ipa/ipa-sign-install.sh
+++ b/src/ipa/ipa-sign-install.sh
@ -0,0 +1,18 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (C) 2020, Google Inc.
+#
+# Author: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+#
+# ipa-sign-install.sh - Regenerate IPA module signatures when installing
+
+libdir=$1
+key=$2
+
+ipa_sign=$(dirname "$0")/ipa-sign.sh
+
+echo "Regenerating IPA modules signatures"
+
+for module in "${MESON_INSTALL_DESTDIR_PREFIX}/${libdir}"/*.so ; do
+	"${ipa_sign}" "${key}" "${module}" "${module}.sign"
+done
--- a/src/ipa/meson.build
+++ b/src/ipa/meson.build
@ -25,3 +25,12 @@ foreach pipeline : get_option('pipelines')
        subdir(pipeline)
    endif
 endforeach
+
+if ipa_sign_module
+    # Regenerate the signatures for all IPA modules. We can't simply install the
+    # .sign files, as meson strips the DT_RPATH and DT_RUNPATH from binaries at
+    # install time, which invalidates the signatures.
+    meson.add_install_script('ipa-sign-install.sh',
+                             ipa_install_dir,
+                             ipa_priv_key.full_path())
+endif
--- a/src/ipa/rkisp1/meson.build
+++ b/src/ipa/rkisp1/meson.build
@ -14,6 +14,5 @@ if ipa_sign_module
                  input : mod,
                  output : ipa_name + '.so.sign',
                  command : [ ipa_sign, ipa_priv_key, '@INPUT@', '@OUTPUT@' ],
-                  install : true,
-                  install_dir : ipa_install_dir)
+                  install : false)
 endif
--- a/src/ipa/vimc/meson.build
+++ b/src/ipa/vimc/meson.build
@ -14,8 +14,7 @@ if ipa_sign_module
                  input : mod,
                  output : ipa_name + '.so.sign',
                  command : [ ipa_sign, ipa_priv_key, '@INPUT@', '@OUTPUT@' ],
-                  install : true,
-                  install_dir : ipa_install_dir)
+                  install : false)
 endif

 subdir('data')