All of lore.kernel.org
 help / color / mirror / Atom feed
* [meta-multimedia][PATCH v2] libcamera: fix packaging and installation
@ 2020-07-31 14:39 Andrey Konovalov
  2020-08-01 13:01 ` [libcamera-devel] " Laurent Pinchart
  0 siblings, 1 reply; 3+ messages in thread
From: Andrey Konovalov @ 2020-07-31 14:39 UTC (permalink / raw)
  To: openembedded-devel
  Cc: madhavan.krishnan, raj.khem, peter.griffin, libcamera-devel,
	Andrey Konovalov

libcamera checks if RPATH or RUNPATH dynamic tag is present in
libcamera.so. If it does, it assumes that libcamera binaries are
run directly from the build directory without installing them, and
tries to use resorces like IPA modules from the build directory.
Mainline meson strips RPATH/RUNPATH out from libcamera.so file
at install time. But openembedded-core patches meson to disable
RPATH/RUNPATH removal. That's why  we need to remove this tag manually
in do_install_append().

IPA module is signed (with openssl dgst) after it is built. But
during packaging the OE build system 1) splits out debugging info,
and 2) strips the binaries. So the IPA module so file installed
isn't the one which the signature was calculated against. Then
the signature check fails, and libcamera tries to run the IPA
module isolated (in a sandbox), which doesn't work if the IPA
module wasn't designed to run isolated. The solution is to
recalculate the IPA modules signatures in ${PKGD} after do_package().

Signed-off-by: Andrey Konovalov <andrey.konovalov@linaro.org>
---
 Changes in v2:
  - Recalculate the IPA modules signatures after do_package()
    instead of disabling stripping and splitting libcamera package

 .../recipes-multimedia/libcamera/libcamera.bb     | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
index 00a5c480d..30c6600e5 100644
--- a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
+++ b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
@@ -18,13 +18,26 @@ PV = "202006+git${SRCPV}"
 
 S = "${WORKDIR}/git"
 
-DEPENDS = "python3-pyyaml-native udev gnutls boost"
+DEPENDS = "python3-pyyaml-native udev gnutls boost chrpath-native"
 DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'qt', 'qtbase qtbase-native', '', d)}"
 
 RDEPENDS_${PN} = "${@bb.utils.contains('DISTRO_FEATURES', 'wayland qt', 'qtwayland', '', d)}"
 
 inherit meson pkgconfig python3native
 
+do_install_append() {
+    chrpath -d ${D}${libdir}/libcamera.so
+}
+
+addtask do_recalculate_ipa_signatures_package after do_package before do_packagedata
+do_recalculate_ipa_signatures_package() {
+    for module in $(find "${PKGD}/usr/lib/libcamera" -name "*.so.sign"); do
+        if [ -f "${module%.sign}" ] ; then
+            "${S}/src/ipa/ipa-sign.sh" "${B}/src/ipa-priv-key.pem" "${module%.sign}" "${module}"
+        fi
+    done
+}
+
 FILES_${PN}-dev = "${includedir} ${libdir}/pkgconfig"
 FILES_${PN} += " ${libdir}/libcamera.so"
 
-- 
2.17.1


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [libcamera-devel] [meta-multimedia][PATCH v2] libcamera: fix packaging and installation
  2020-07-31 14:39 [meta-multimedia][PATCH v2] libcamera: fix packaging and installation Andrey Konovalov
@ 2020-08-01 13:01 ` Laurent Pinchart
  2020-08-02 19:04   ` Andrey Konovalov
  0 siblings, 1 reply; 3+ messages in thread
From: Laurent Pinchart @ 2020-08-01 13:01 UTC (permalink / raw)
  To: Andrey Konovalov
  Cc: openembedded-devel, libcamera-devel, raj.khem, madhavan.krishnan

Hi Andrey,

Thank you for the patch.

On Fri, Jul 31, 2020 at 05:39:19PM +0300, Andrey Konovalov wrote:
> libcamera checks if RPATH or RUNPATH dynamic tag is present in
> libcamera.so. If it does, it assumes that libcamera binaries are
> run directly from the build directory without installing them, and
> tries to use resorces like IPA modules from the build directory.
> Mainline meson strips RPATH/RUNPATH out from libcamera.so file
> at install time. But openembedded-core patches meson to disable
> RPATH/RUNPATH removal. That's why  we need to remove this tag manually
> in do_install_append().
> 
> IPA module is signed (with openssl dgst) after it is built. But
> during packaging the OE build system 1) splits out debugging info,
> and 2) strips the binaries. So the IPA module so file installed
> isn't the one which the signature was calculated against. Then
> the signature check fails, and libcamera tries to run the IPA
> module isolated (in a sandbox), which doesn't work if the IPA
> module wasn't designed to run isolated. The solution is to
> recalculate the IPA modules signatures in ${PKGD} after do_package().
> 
> Signed-off-by: Andrey Konovalov <andrey.konovalov@linaro.org>
> ---
>  Changes in v2:
>   - Recalculate the IPA modules signatures after do_package()
>     instead of disabling stripping and splitting libcamera package
> 
>  .../recipes-multimedia/libcamera/libcamera.bb     | 15 ++++++++++++++-
>  1 file changed, 14 insertions(+), 1 deletion(-)
> 
> diff --git a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
> index 00a5c480d..30c6600e5 100644
> --- a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
> +++ b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
> @@ -18,13 +18,26 @@ PV = "202006+git${SRCPV}"
>  
>  S = "${WORKDIR}/git"
>  
> -DEPENDS = "python3-pyyaml-native udev gnutls boost"
> +DEPENDS = "python3-pyyaml-native udev gnutls boost chrpath-native"
>  DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'qt', 'qtbase qtbase-native', '', d)}"
>  
>  RDEPENDS_${PN} = "${@bb.utils.contains('DISTRO_FEATURES', 'wayland qt', 'qtwayland', '', d)}"
>  
>  inherit meson pkgconfig python3native
>  
> +do_install_append() {
> +    chrpath -d ${D}${libdir}/libcamera.so
> +}
> +
> +addtask do_recalculate_ipa_signatures_package after do_package before do_packagedata
> +do_recalculate_ipa_signatures_package() {
> +    for module in $(find "${PKGD}/usr/lib/libcamera" -name "*.so.sign"); do
> +        if [ -f "${module%.sign}" ] ; then
> +            "${S}/src/ipa/ipa-sign.sh" "${B}/src/ipa-priv-key.pem" "${module%.sign}" "${module}"
> +        fi
> +    done

Note that you could also use the src/ipa/ipa-sign-install.sh script,
which takes the key as the first argument followed by the list of .so
files to sign. Something along the lines of (not tested)

    local modules
    for module in $(find "${PKGD}/usr/lib/libcamera" -name "*.so.sign"); do
        module="${module%.sign}"
        if [ -f "${module}" ] ; then
	    modules="${modules} ${module}"
        fi
    done

    "${S}/src/ipa/ipa-sign-install.sh" "${B}/src/ipa-priv-key.pem" ${modules}

I think this will lower the risk of breakage in the future, as
ipa-sign.sh will have a higher chance of being refactored than
ipa-sign-install.sh

Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

> +}
> +
>  FILES_${PN}-dev = "${includedir} ${libdir}/pkgconfig"
>  FILES_${PN} += " ${libdir}/libcamera.so"

-- 
Regards,

Laurent Pinchart

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [libcamera-devel] [meta-multimedia][PATCH v2] libcamera: fix packaging and installation
  2020-08-01 13:01 ` [libcamera-devel] " Laurent Pinchart
@ 2020-08-02 19:04   ` Andrey Konovalov
  0 siblings, 0 replies; 3+ messages in thread
From: Andrey Konovalov @ 2020-08-02 19:04 UTC (permalink / raw)
  To: Laurent Pinchart
  Cc: openembedded-devel, libcamera-devel, raj.khem, madhavan.krishnan

Hi Laurent,

On 01.08.2020 16:01, Laurent Pinchart wrote:
> Hi Andrey,
> 
> Thank you for the patch.
> 
> On Fri, Jul 31, 2020 at 05:39:19PM +0300, Andrey Konovalov wrote:
>> libcamera checks if RPATH or RUNPATH dynamic tag is present in
>> libcamera.so. If it does, it assumes that libcamera binaries are
>> run directly from the build directory without installing them, and
>> tries to use resorces like IPA modules from the build directory.
>> Mainline meson strips RPATH/RUNPATH out from libcamera.so file
>> at install time. But openembedded-core patches meson to disable
>> RPATH/RUNPATH removal. That's why  we need to remove this tag manually
>> in do_install_append().
>>
>> IPA module is signed (with openssl dgst) after it is built. But
>> during packaging the OE build system 1) splits out debugging info,
>> and 2) strips the binaries. So the IPA module so file installed
>> isn't the one which the signature was calculated against. Then
>> the signature check fails, and libcamera tries to run the IPA
>> module isolated (in a sandbox), which doesn't work if the IPA
>> module wasn't designed to run isolated. The solution is to
>> recalculate the IPA modules signatures in ${PKGD} after do_package().
>>
>> Signed-off-by: Andrey Konovalov <andrey.konovalov@linaro.org>
>> ---
>>   Changes in v2:
>>    - Recalculate the IPA modules signatures after do_package()
>>      instead of disabling stripping and splitting libcamera package
>>
>>   .../recipes-multimedia/libcamera/libcamera.bb     | 15 ++++++++++++++-
>>   1 file changed, 14 insertions(+), 1 deletion(-)
>>
>> diff --git a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
>> index 00a5c480d..30c6600e5 100644
>> --- a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
>> +++ b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
>> @@ -18,13 +18,26 @@ PV = "202006+git${SRCPV}"
>>   
>>   S = "${WORKDIR}/git"
>>   
>> -DEPENDS = "python3-pyyaml-native udev gnutls boost"
>> +DEPENDS = "python3-pyyaml-native udev gnutls boost chrpath-native"
>>   DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'qt', 'qtbase qtbase-native', '', d)}"
>>   
>>   RDEPENDS_${PN} = "${@bb.utils.contains('DISTRO_FEATURES', 'wayland qt', 'qtwayland', '', d)}"
>>   
>>   inherit meson pkgconfig python3native
>>   
>> +do_install_append() {
>> +    chrpath -d ${D}${libdir}/libcamera.so
>> +}
>> +
>> +addtask do_recalculate_ipa_signatures_package after do_package before do_packagedata
>> +do_recalculate_ipa_signatures_package() {
>> +    for module in $(find "${PKGD}/usr/lib/libcamera" -name "*.so.sign"); do
>> +        if [ -f "${module%.sign}" ] ; then
>> +            "${S}/src/ipa/ipa-sign.sh" "${B}/src/ipa-priv-key.pem" "${module%.sign}" "${module}"
>> +        fi
>> +    done
> 
> Note that you could also use the src/ipa/ipa-sign-install.sh script,
> which takes the key as the first argument followed by the list of .so
> files to sign. Something along the lines of (not tested)
> 
>      local modules
>      for module in $(find "${PKGD}/usr/lib/libcamera" -name "*.so.sign"); do
>          module="${module%.sign}"
>          if [ -f "${module}" ] ; then
> 	    modules="${modules} ${module}"
>          fi
>      done
> 
>      "${S}/src/ipa/ipa-sign-install.sh" "${B}/src/ipa-priv-key.pem" ${modules}
> 
> I think this will lower the risk of breakage in the future, as
> ipa-sign.sh will have a higher chance of being refactored than
> ipa-sign-install.sh

OK, makes sense. Thanks for the suggestion!

When creating v2 I've got the impression of ipa-sign-install.sh relying
on running in meson environment - when run as part of 'meson install'
it prefixes each module with ${MESON_INSTALL_DESTDIR_PREFIX}/.
But ipa-sign-install.sh also works OK when used in do_recalculate_ipa_signatures_package() -
"${MESON_INSTALL_DESTDIR_PREFIX}" resolves to "", and the ${modules}
use full path names.

> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

Thanks,
Andrey

>> +}
>> +
>>   FILES_${PN}-dev = "${includedir} ${libdir}/pkgconfig"
>>   FILES_${PN} += " ${libdir}/libcamera.so"
> 

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2020-08-02 19:04 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-31 14:39 [meta-multimedia][PATCH v2] libcamera: fix packaging and installation Andrey Konovalov
2020-08-01 13:01 ` [libcamera-devel] " Laurent Pinchart
2020-08-02 19:04   ` Andrey Konovalov

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.