Re: [libcamera-devel] [meta-multimedia][PATCH] libcamera: fix packaging and installation

["Laurent Pinchart" <laurent.pinchart@ideasonboard.com>]

Hi Andrey,

On Mon, Jul 27, 2020 at 06:36:28PM +0300, Andrey Konovalov wrote:
> On 27.07.2020 18:28, Khem Raj wrote:
> > On Mon, Jul 27, 2020 at 2:21 AM Andrey Konovalov wrote:
> >>
> >> libcamera checks if RPATH or RUNPATH dynamic tag is present in
> >> libcamera.so. If it does, it assumes that libcamera binaries are
> >> run directly from the build directory without installing them, and
> >> tries to use resorces like IPA modules from the build directory.
> >> Mainline meson strips RPATH/RUNPATH out at install time (for
> >> meson versions up to 0.54; the things are somewhat changed in 0.55).
> >> But openembedded-core patches meson to disable RPATH/RUNPATH removal.
> >> That's why we need to remove this tag manually in do_install_append().
> >>
> >> IPA module is signed (with openssl dgst) after it is built. But
> >> during packaging the OE build system 1) splits out debugging info,
> >> and 2) strips the binaries. So the IPA module *.so file installed
> >> isn't the one which the signature was calculated against. Then
> >> the signature check fails, and libcamera tries to run the IPA
> >> module isolated (in a sandbox), which doesn't work if the IPA
> >> module wasn't designed to run isolated. The easiest way to fix that
> >> is to disable splitting out debug information and stripping the binaries
> >> during packaging with INHIBIT_PACKAGE_DEBUG_SPLIT and
> >> INHIBIT_PACKAGE_STRIP.
> >>
> >> Signed-off-by: Andrey Konovalov <andrey.konovalov@linaro.org>
> >> ---
> >>   .../recipes-multimedia/libcamera/libcamera.bb            | 9 ++++++++-
> >>   1 file changed, 8 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
> >> index 00a5c480d..573366f08 100644
> >> --- a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
> >> +++ b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
> >> @@ -18,13 +18,20 @@ PV = "202006+git${SRCPV}"
> >>
> >>   S = "${WORKDIR}/git"
> >>
> >> -DEPENDS = "python3-pyyaml-native udev gnutls boost"
> >> +DEPENDS = "python3-pyyaml-native udev gnutls boost chrpath-native"
> >>   DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'qt', 'qtbase qtbase-native', '', d)}"
> >>
> >>   RDEPENDS_${PN} = "${@bb.utils.contains('DISTRO_FEATURES', 'wayland qt', 'qtwayland', '', d)}"
> >>
> >>   inherit meson pkgconfig python3native
> >>
> >> +do_install_append() {
> >> +        chrpath -d ${D}${libdir}/libcamera.so
> >> +}
> >> +
> >>   FILES_${PN}-dev = "${includedir} ${libdir}/pkgconfig"
> >>   FILES_${PN} += " ${libdir}/libcamera.so"
> >>
> >> +INHIBIT_PACKAGE_DEBUG_SPLIT = "1"
> >> +INHIBIT_PACKAGE_STRIP = "1"
> > 
> > I think this is sub-optimal, it means we can not have stripped
> > binaries and it will increase the size unnecessarily
> 
> Indeed.
> 
> But the alternative is to recalculate the signature on the stripped binary in do_install_append(),
> and the drawback of this is moving part of the module signature implementation into the recipe.
> 
> Or the libcamera implementation is to be changed to handle stripped binaries.

We could calculate the signature on selected sections only, but that
would make the implementation much more complex. Could the
src/ipa/ipa-sign-install.sh resign script could be used by the recipe ?
We can also improve the script to facilitate its usage.

> >> +

-- 
Regards,

Laurent Pinchart