[Buildroot] [RFC PATCH] package/libcamera: remove rpath and strip debug symbols before signing IPA libs

[Buildroot] [RFC PATCH] package/libcamera: remove rpath and strip debug symbols before signing IPA libs

[Quentin Schulz]

From: Quentin Schulz <quentin.schulz@theobroma-systems.com>

Open-Source IPA shlibs need to be signed in order to be runnable within
the same process, otherwise they are deemed Closed-Source and run in
another process and communicate over IPC.
Buildroot strips debug symbols and sanitizes RPATH in a post build
process. We need to do the same before signing the IPA shlibs otherwise
the signature won't match the shlib on the rootfs.

meson gets rid of rpath while installing so we don't need to do it
manually.
However the signing process is also part of the meson install target, so
we have a chicken and the egg problem. Let's install the libs in the
target directory (and do a useless signing) to get rid of rpath, then
strip debug symbols the same way Buildroot does in post build step, then
re-sign shlibs directly in TARGET_DIR with signing script from
libcamera.

Cc: Quentin Schulz <foss+buildroot@0leil.net>
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
---
 package/libcamera/libcamera.mk | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/package/libcamera/libcamera.mk b/package/libcamera/libcamera.mk
index 77381ab3ca..d1303a2ff5 100644
--- a/package/libcamera/libcamera.mk
+++ b/package/libcamera/libcamera.mk
@@ -104,4 +104,25 @@ LIBCAMERA_DEPENDENCIES += libexecinfo
 LIBCAMERA_LDFLAGS = $(TARGET_LDFLAGS) -lexecinfo
 endif
 
+# Open-Source IPA shlibs need to be signed in order to be runnable within the
+# same process, otherwise they are deemed Closed-Source and run in another
+# process and communicate over IPC.
+# Buildroot strips debug symbols and sanitizes RPATH in a post build process. We
+# need to do the same before signing the IPA shlibs otherwise the signature
+# won't match the shlib on the rootfs.
+#
+# meson gets rid of rpath while installing so we don't need to do it manually.
+# However the signing process is also part of the meson install target, so we
+# have a chicken and the egg problem. Let's install the libs in the target
+# directory (and do a useless signing) to get rid of rpath, then strip debug
+# symbols the same way Buildroot does in post build step, then re-sign shlibs
+# directly in TARGET_DIR with signing script from libcamera.
+define LIBCAMERA_INSTALL_TARGET_CMDS
+	$(TARGET_MAKE_ENV) $(LIBCAMERA_NINJA_ENV) DESTDIR=$(TARGET_DIR) \
+		$(NINJA) $(NINJA_OPTS) -C $(LIBCAMERA_SRCDIR)/build install
+	find $(TARGET_DIR) -type f -name "ipa_*.so" -print0 | xargs -0 $(STRIPCMD) 2>/dev/null || true
+	MESON_INSTALL_DESTDIR_PREFIX=$(TARGET_DIR)/usr/lib/libcamera/ $(@D)/src/ipa/ipa-sign-install.sh $(@D)/build/src/ipa-priv-key.pem $(addprefix ipa_,$(addsuffix .so,$(LIBCAMERA_PIPELINES-y)))
+	MESON_INSTALL_DESTDIR_PREFIX=$(TARGET_DIR)/usr/lib64/libcamera/ $(@D)/src/ipa/ipa-sign-install.sh $(@D)/build/src/ipa-priv-key.pem $(addprefix ipa_,$(addsuffix .so,$(LIBCAMERA_PIPELINES-y)))
+endef
+
 $(eval $(meson-package))
-- 
2.35.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [RFC PATCH] package/libcamera: remove rpath and strip debug symbols before signing IPA libs

[Arnout Vandecappelle]

  Hi Quentin,

On 05/05/2022 14:01, Quentin Schulz wrote:
> From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
> 
> Open-Source IPA shlibs need to be signed in order to be runnable within
> the same process, otherwise they are deemed Closed-Source and run in
> another process and communicate over IPC.
> Buildroot strips debug symbols and sanitizes RPATH in a post build
> process. We need to do the same before signing the IPA shlibs otherwise
> the signature won't match the shlib on the rootfs.
> 
> meson gets rid of rpath while installing so we don't need to do it
> manually.
> However the signing process is also part of the meson install target, so
> we have a chicken and the egg problem. Let's install the libs in the
> target directory (and do a useless signing) to get rid of rpath, then
> strip debug symbols the same way Buildroot does in post build step, then
> re-sign shlibs directly in TARGET_DIR with signing script from
> libcamera.
> 
> Cc: Quentin Schulz <foss+buildroot@0leil.net>
> Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
> ---
>   package/libcamera/libcamera.mk | 21 +++++++++++++++++++++
>   1 file changed, 21 insertions(+)
> 
> diff --git a/package/libcamera/libcamera.mk b/package/libcamera/libcamera.mk
> index 77381ab3ca..d1303a2ff5 100644
> --- a/package/libcamera/libcamera.mk
> +++ b/package/libcamera/libcamera.mk
> @@ -104,4 +104,25 @@ LIBCAMERA_DEPENDENCIES += libexecinfo
>   LIBCAMERA_LDFLAGS = $(TARGET_LDFLAGS) -lexecinfo
>   endif
>   
> +# Open-Source IPA shlibs need to be signed in order to be runnable within the
> +# same process, otherwise they are deemed Closed-Source and run in another
> +# process and communicate over IPC.
> +# Buildroot strips debug symbols and sanitizes RPATH in a post build process. We
> +# need to do the same before signing the IPA shlibs otherwise the signature
> +# won't match the shlib on the rootfs.
> +#
> +# meson gets rid of rpath while installing so we don't need to do it manually.
> +# However the signing process is also part of the meson install target, so we
> +# have a chicken and the egg problem. Let's install the libs in the target
> +# directory (and do a useless signing) to get rid of rpath, then strip debug
> +# symbols the same way Buildroot does in post build step, then re-sign shlibs
> +# directly in TARGET_DIR with signing script from libcamera.
> +define LIBCAMERA_INSTALL_TARGET_CMDS
> +	$(TARGET_MAKE_ENV) $(LIBCAMERA_NINJA_ENV) DESTDIR=$(TARGET_DIR) \
> +		$(NINJA) $(NINJA_OPTS) -C $(LIBCAMERA_SRCDIR)/build install
> +	find $(TARGET_DIR) -type f -name "ipa_*.so" -print0 | xargs -0 $(STRIPCMD) 2>/dev/null || true

  You should add --no-run-if-empty to xargs, in case there is no library at all 
(unless you're very sure that doesn't happen). Also, why is the || true needed?

> +	MESON_INSTALL_DESTDIR_PREFIX=$(TARGET_DIR)/usr/lib/libcamera/ $(@D)/src/ipa/ipa-sign-install.sh $(@D)/build/src/ipa-priv-key.pem $(addprefix ipa_,$(addsuffix .so,$(LIBCAMERA_PIPELINES-y)))
> +	MESON_INSTALL_DESTDIR_PREFIX=$(TARGET_DIR)/usr/lib64/libcamera/ $(@D)/src/ipa/ipa-sign-install.sh $(@D)/build/src/ipa-priv-key.pem $(addprefix ipa_,$(addsuffix .so,$(LIBCAMERA_PIPELINES-y)))

  Instead of overriding INSTALL_TARGET_CMDS, you could also do the additional 
steps in POST_INSTALL_TARGET_HOOKS.

  However, I think it may be simpler to do the stripping in a POST_BUILD_HOOK. 
That way, you only need to do the strip; the signing is done in the install 
step, so if we make sure the .so is stripped by then, all should be well, right?

  Finally, there is one little caveat: if the libraries are installed in 
BR2_STRIP_EXCLUDE_DIRS (i.e. if BR2_STRIP_EXCLUDE_DIRS is set to /usr/lib), or 
if they match BR2_STRIP_EXCLUDE_FILES (e.g. if it is set to "ipa_*.so"), then 
the libs would be stripped while they shouldn't be. However, I don't think 
that's a big deal.

  Regards,
  Arnout


> +endef
> +
>   $(eval $(meson-package))
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [RFC PATCH] package/libcamera: remove rpath and strip debug symbols before signing IPA libs

[Quentin Schulz]

Hi Arnout,

On 5/5/22 22:57, Arnout Vandecappelle wrote:
>   Hi Quentin,
> 
> On 05/05/2022 14:01, Quentin Schulz wrote:
>> From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
>>
>> Open-Source IPA shlibs need to be signed in order to be runnable within
>> the same process, otherwise they are deemed Closed-Source and run in
>> another process and communicate over IPC.
>> Buildroot strips debug symbols and sanitizes RPATH in a post build
>> process. We need to do the same before signing the IPA shlibs otherwise
>> the signature won't match the shlib on the rootfs.
>>
>> meson gets rid of rpath while installing so we don't need to do it
>> manually.
>> However the signing process is also part of the meson install target, so
>> we have a chicken and the egg problem. Let's install the libs in the
>> target directory (and do a useless signing) to get rid of rpath, then
>> strip debug symbols the same way Buildroot does in post build step, then
>> re-sign shlibs directly in TARGET_DIR with signing script from
>> libcamera.
>>
>> Cc: Quentin Schulz <foss+buildroot@0leil.net>
>> Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
>> ---
>>   package/libcamera/libcamera.mk | 21 +++++++++++++++++++++
>>   1 file changed, 21 insertions(+)
>>
>> diff --git a/package/libcamera/libcamera.mk 
>> b/package/libcamera/libcamera.mk
>> index 77381ab3ca..d1303a2ff5 100644
>> --- a/package/libcamera/libcamera.mk
>> +++ b/package/libcamera/libcamera.mk
>> @@ -104,4 +104,25 @@ LIBCAMERA_DEPENDENCIES += libexecinfo
>>   LIBCAMERA_LDFLAGS = $(TARGET_LDFLAGS) -lexecinfo
>>   endif
>> +# Open-Source IPA shlibs need to be signed in order to be runnable 
>> within the
>> +# same process, otherwise they are deemed Closed-Source and run in 
>> another
>> +# process and communicate over IPC.
>> +# Buildroot strips debug symbols and sanitizes RPATH in a post build 
>> process. We
>> +# need to do the same before signing the IPA shlibs otherwise the 
>> signature
>> +# won't match the shlib on the rootfs.
>> +#
>> +# meson gets rid of rpath while installing so we don't need to do it 
>> manually.
>> +# However the signing process is also part of the meson install 
>> target, so we
>> +# have a chicken and the egg problem. Let's install the libs in the 
>> target
>> +# directory (and do a useless signing) to get rid of rpath, then 
>> strip debug
>> +# symbols the same way Buildroot does in post build step, then 
>> re-sign shlibs
>> +# directly in TARGET_DIR with signing script from libcamera.
>> +define LIBCAMERA_INSTALL_TARGET_CMDS
>> +    $(TARGET_MAKE_ENV) $(LIBCAMERA_NINJA_ENV) DESTDIR=$(TARGET_DIR) \
>> +        $(NINJA) $(NINJA_OPTS) -C $(LIBCAMERA_SRCDIR)/build install
>> +    find $(TARGET_DIR) -type f -name "ipa_*.so" -print0 | xargs -0 
>> $(STRIPCMD) 2>/dev/null || true
> 
>   You should add --no-run-if-empty to xargs, in case there is no library 
> at all (unless you're very sure that doesn't happen). Also, why is the 
> || true needed?
> 

Shamelessly stolen from main Makefile :) 
https://git.busybox.net/buildroot/tree/Makefile#n758

But yes, no guarantee today that an IPA shlib will be installed by 
libcamera package, so I'll add this option to xargs command. Thanks for 
the heads up.

Will remove the redirect and the || true as they are not really useful 
in that package.

>> +    MESON_INSTALL_DESTDIR_PREFIX=$(TARGET_DIR)/usr/lib/libcamera/ 
>> $(@D)/src/ipa/ipa-sign-install.sh $(@D)/build/src/ipa-priv-key.pem 
>> $(addprefix ipa_,$(addsuffix .so,$(LIBCAMERA_PIPELINES-y)))
>> +    MESON_INSTALL_DESTDIR_PREFIX=$(TARGET_DIR)/usr/lib64/libcamera/ 
>> $(@D)/src/ipa/ipa-sign-install.sh $(@D)/build/src/ipa-priv-key.pem 
>> $(addprefix ipa_,$(addsuffix .so,$(LIBCAMERA_PIPELINES-y)))
> 
>   Instead of overriding INSTALL_TARGET_CMDS, you could also do the 
> additional steps in POST_INSTALL_TARGET_HOOKS.
> 

Was not aware of those hooks, neat :)

>   However, I think it may be simpler to do the stripping in a 
> POST_BUILD_HOOK. That way, you only need to do the strip; the signing is 
> done in the install step, so if we make sure the .so is stripped by 
> then, all should be well, right?
> 

If having the staging shlibs stripped is fine, then this shouldn't be an 
issue indeed.

>   Finally, there is one little caveat: if the libraries are installed in 
> BR2_STRIP_EXCLUDE_DIRS (i.e. if BR2_STRIP_EXCLUDE_DIRS is set to 
> /usr/lib), or if they match BR2_STRIP_EXCLUDE_FILES (e.g. if it is set 
> to "ipa_*.so"), then the libs would be stripped while they shouldn't be. 
> However, I don't think that's a big deal.
> 

Does not hurt to use the same logic as in STRIP_FIND_CMD in main 
Makefile, so will do.

Will send a v2 soon, thanks!

Quentin
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [RFC PATCH] package/libcamera: remove rpath and strip debug symbols before signing IPA libs

[Kieran Bingham]

Quoting Quentin Schulz (2022-05-06 09:56:36)
> Hi Arnout,
> 
> On 5/5/22 22:57, Arnout Vandecappelle wrote:
> >   Hi Quentin,
> > 
> > On 05/05/2022 14:01, Quentin Schulz wrote:
> >> From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
> >>
> >> Open-Source IPA shlibs need to be signed in order to be runnable within
> >> the same process, otherwise they are deemed Closed-Source and run in
> >> another process and communicate over IPC.
> >> Buildroot strips debug symbols and sanitizes RPATH in a post build
> >> process. We need to do the same before signing the IPA shlibs otherwise
> >> the signature won't match the shlib on the rootfs.
> >>
> >> meson gets rid of rpath while installing so we don't need to do it
> >> manually.
> >> However the signing process is also part of the meson install target, so
> >> we have a chicken and the egg problem. Let's install the libs in the
> >> target directory (and do a useless signing) to get rid of rpath, then
> >> strip debug symbols the same way Buildroot does in post build step, then
> >> re-sign shlibs directly in TARGET_DIR with signing script from
> >> libcamera.
> >>
> >> Cc: Quentin Schulz <foss+buildroot@0leil.net>
> >> Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
> >> ---
> >>   package/libcamera/libcamera.mk | 21 +++++++++++++++++++++
> >>   1 file changed, 21 insertions(+)
> >>
> >> diff --git a/package/libcamera/libcamera.mk 
> >> b/package/libcamera/libcamera.mk
> >> index 77381ab3ca..d1303a2ff5 100644
> >> --- a/package/libcamera/libcamera.mk
> >> +++ b/package/libcamera/libcamera.mk
> >> @@ -104,4 +104,25 @@ LIBCAMERA_DEPENDENCIES += libexecinfo
> >>   LIBCAMERA_LDFLAGS = $(TARGET_LDFLAGS) -lexecinfo
> >>   endif
> >> +# Open-Source IPA shlibs need to be signed in order to be runnable 
> >> within the
> >> +# same process, otherwise they are deemed Closed-Source and run in 
> >> another
> >> +# process and communicate over IPC.
> >> +# Buildroot strips debug symbols and sanitizes RPATH in a post build 
> >> process. We
> >> +# need to do the same before signing the IPA shlibs otherwise the 
> >> signature
> >> +# won't match the shlib on the rootfs.
> >> +#
> >> +# meson gets rid of rpath while installing so we don't need to do it 
> >> manually.
> >> +# However the signing process is also part of the meson install 
> >> target, so we
> >> +# have a chicken and the egg problem. Let's install the libs in the 
> >> target
> >> +# directory (and do a useless signing) to get rid of rpath, then 
> >> strip debug
> >> +# symbols the same way Buildroot does in post build step, then 
> >> re-sign shlibs
> >> +# directly in TARGET_DIR with signing script from libcamera.
> >> +define LIBCAMERA_INSTALL_TARGET_CMDS
> >> +    $(TARGET_MAKE_ENV) $(LIBCAMERA_NINJA_ENV) DESTDIR=$(TARGET_DIR) \
> >> +        $(NINJA) $(NINJA_OPTS) -C $(LIBCAMERA_SRCDIR)/build install
> >> +    find $(TARGET_DIR) -type f -name "ipa_*.so" -print0 | xargs -0 
> >> $(STRIPCMD) 2>/dev/null || true
> > 
> >   You should add --no-run-if-empty to xargs, in case there is no library 
> > at all (unless you're very sure that doesn't happen). Also, why is the 
> > || true needed?
> > 
> 
> Shamelessly stolen from main Makefile :) 
> https://git.busybox.net/buildroot/tree/Makefile#n758
> 
> But yes, no guarantee today that an IPA shlib will be installed by 
> libcamera package, so I'll add this option to xargs command. Thanks for 
> the heads up.
> 
> Will remove the redirect and the || true as they are not really useful 
> in that package.
> 
> >> +    MESON_INSTALL_DESTDIR_PREFIX=$(TARGET_DIR)/usr/lib/libcamera/ 
> >> $(@D)/src/ipa/ipa-sign-install.sh $(@D)/build/src/ipa-priv-key.pem 
> >> $(addprefix ipa_,$(addsuffix .so,$(LIBCAMERA_PIPELINES-y)))
> >> +    MESON_INSTALL_DESTDIR_PREFIX=$(TARGET_DIR)/usr/lib64/libcamera/ 
> >> $(@D)/src/ipa/ipa-sign-install.sh $(@D)/build/src/ipa-priv-key.pem 
> >> $(addprefix ipa_,$(addsuffix .so,$(LIBCAMERA_PIPELINES-y)))
> > 
> >   Instead of overriding INSTALL_TARGET_CMDS, you could also do the 
> > additional steps in POST_INSTALL_TARGET_HOOKS.
> > 
> 
> Was not aware of those hooks, neat :)

Are these hooks called after any modifcations to the files by buildroot,
or before?

If it's after then resigning at that point would be reasonable I think.

> 
> >   However, I think it may be simpler to do the stripping in a 
> > POST_BUILD_HOOK. That way, you only need to do the strip; the signing is 
> > done in the install step, so if we make sure the .so is stripped by 
> > then, all should be well, right?
> > 
> 
> If having the staging shlibs stripped is fine, then this shouldn't be an 
> issue indeed.

This sounds fine to me too though.


> 
> >   Finally, there is one little caveat: if the libraries are installed in 
> > BR2_STRIP_EXCLUDE_DIRS (i.e. if BR2_STRIP_EXCLUDE_DIRS is set to 
> > /usr/lib), or if they match BR2_STRIP_EXCLUDE_FILES (e.g. if it is set 
> > to "ipa_*.so"), then the libs would be stripped while they shouldn't be. 
> > However, I don't think that's a big deal.
> > 
> 
> Does not hurt to use the same logic as in STRIP_FIND_CMD in main 
> Makefile, so will do.
> 
> Will send a v2 soon, thanks!
> 
> Quentin
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [RFC PATCH] package/libcamera: remove rpath and strip debug symbols before signing IPA libs

[Quentin Schulz]

Hi Kieran,

On 5/6/22 11:04, Kieran Bingham wrote:
> Quoting Quentin Schulz (2022-05-06 09:56:36)
>> Hi Arnout,
>>
>> On 5/5/22 22:57, Arnout Vandecappelle wrote:
>>>    Hi Quentin,
>>>
>>> On 05/05/2022 14:01, Quentin Schulz wrote:
>>>> From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
>>>>
>>>> Open-Source IPA shlibs need to be signed in order to be runnable within
>>>> the same process, otherwise they are deemed Closed-Source and run in
>>>> another process and communicate over IPC.
>>>> Buildroot strips debug symbols and sanitizes RPATH in a post build
>>>> process. We need to do the same before signing the IPA shlibs otherwise
>>>> the signature won't match the shlib on the rootfs.
>>>>
>>>> meson gets rid of rpath while installing so we don't need to do it
>>>> manually.
>>>> However the signing process is also part of the meson install target, so
>>>> we have a chicken and the egg problem. Let's install the libs in the
>>>> target directory (and do a useless signing) to get rid of rpath, then
>>>> strip debug symbols the same way Buildroot does in post build step, then
>>>> re-sign shlibs directly in TARGET_DIR with signing script from
>>>> libcamera.
>>>>
>>>> Cc: Quentin Schulz <foss+buildroot@0leil.net>
>>>> Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
>>>> ---
>>>>    package/libcamera/libcamera.mk | 21 +++++++++++++++++++++
>>>>    1 file changed, 21 insertions(+)
>>>>
>>>> diff --git a/package/libcamera/libcamera.mk
>>>> b/package/libcamera/libcamera.mk
>>>> index 77381ab3ca..d1303a2ff5 100644
>>>> --- a/package/libcamera/libcamera.mk
>>>> +++ b/package/libcamera/libcamera.mk
>>>> @@ -104,4 +104,25 @@ LIBCAMERA_DEPENDENCIES += libexecinfo
>>>>    LIBCAMERA_LDFLAGS = $(TARGET_LDFLAGS) -lexecinfo
>>>>    endif
>>>> +# Open-Source IPA shlibs need to be signed in order to be runnable
>>>> within the
>>>> +# same process, otherwise they are deemed Closed-Source and run in
>>>> another
>>>> +# process and communicate over IPC.
>>>> +# Buildroot strips debug symbols and sanitizes RPATH in a post build
>>>> process. We
>>>> +# need to do the same before signing the IPA shlibs otherwise the
>>>> signature
>>>> +# won't match the shlib on the rootfs.
>>>> +#
>>>> +# meson gets rid of rpath while installing so we don't need to do it
>>>> manually.
>>>> +# However the signing process is also part of the meson install
>>>> target, so we
>>>> +# have a chicken and the egg problem. Let's install the libs in the
>>>> target
>>>> +# directory (and do a useless signing) to get rid of rpath, then
>>>> strip debug
>>>> +# symbols the same way Buildroot does in post build step, then
>>>> re-sign shlibs
>>>> +# directly in TARGET_DIR with signing script from libcamera.
>>>> +define LIBCAMERA_INSTALL_TARGET_CMDS
>>>> +    $(TARGET_MAKE_ENV) $(LIBCAMERA_NINJA_ENV) DESTDIR=$(TARGET_DIR) \
>>>> +        $(NINJA) $(NINJA_OPTS) -C $(LIBCAMERA_SRCDIR)/build install
>>>> +    find $(TARGET_DIR) -type f -name "ipa_*.so" -print0 | xargs -0
>>>> $(STRIPCMD) 2>/dev/null || true
>>>
>>>    You should add --no-run-if-empty to xargs, in case there is no library
>>> at all (unless you're very sure that doesn't happen). Also, why is the
>>> || true needed?
>>>
>>
>> Shamelessly stolen from main Makefile :)
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__git.busybox.net_buildroot_tree_Makefile-23n758&d=DwIFaQ&c=_sEr5x9kUWhuk4_nFwjJtA&r=LYjLexDn7rXIzVmkNPvw5ymA1XTSqHGq8yBP6m6qZZ4njZguQhZhkI_-172IIy1t&m=v7wKLvb2dSEca5qoEy27u1GlltwWpk-os-gDEP8xPgINiPx_Wi0sl33H9p0IWbhB&s=1cdGHSGxMYhIJBf276S9PZjGtNuSRmIceB_oL1bI4FY&e=
>>
>> But yes, no guarantee today that an IPA shlib will be installed by
>> libcamera package, so I'll add this option to xargs command. Thanks for
>> the heads up.
>>
>> Will remove the redirect and the || true as they are not really useful
>> in that package.
>>
>>>> +    MESON_INSTALL_DESTDIR_PREFIX=$(TARGET_DIR)/usr/lib/libcamera/
>>>> $(@D)/src/ipa/ipa-sign-install.sh $(@D)/build/src/ipa-priv-key.pem
>>>> $(addprefix ipa_,$(addsuffix .so,$(LIBCAMERA_PIPELINES-y)))
>>>> +    MESON_INSTALL_DESTDIR_PREFIX=$(TARGET_DIR)/usr/lib64/libcamera/
>>>> $(@D)/src/ipa/ipa-sign-install.sh $(@D)/build/src/ipa-priv-key.pem
>>>> $(addprefix ipa_,$(addsuffix .so,$(LIBCAMERA_PIPELINES-y)))
>>>
>>>    Instead of overriding INSTALL_TARGET_CMDS, you could also do the
>>> additional steps in POST_INSTALL_TARGET_HOOKS.
>>>
>>
>> Was not aware of those hooks, neat :)
> 
> Are these hooks called after any modifcations to the files by buildroot,
> or before?
>  > If it's after then resigning at that point would be reasonable I think.
> 

AFAIK, before.

Buildroot runs all requested tasks/steps for each package, then remove 
rpath and strips symbols in target/ directory.

POST_INSTALL_TARGET_HOOKS is run right after the install task/step for 
the package is run (basically after ninja install is executed).

POST_BUILD_HOOK is happening right after the build task/step (after 
ninja is executed) of the package is run.

We anyway need to strip the shlibs manually in the package makefile 
because nothing does it and I don't think there's a way to hook 
something from a package makefile to happen after Buildroot "main" post 
build script is run (not the one in package makefiles, the one run right 
before creating the rootfs).

>>
>>>    However, I think it may be simpler to do the stripping in a
>>> POST_BUILD_HOOK. That way, you only need to do the strip; the signing is
>>> done in the install step, so if we make sure the .so is stripped by
>>> then, all should be well, right?
>>>
>>
>> If having the staging shlibs stripped is fine, then this shouldn't be an
>> issue indeed.
> 
> This sounds fine to me too though.
> 
> 
>>
>>>    Finally, there is one little caveat: if the libraries are installed in
>>> BR2_STRIP_EXCLUDE_DIRS (i.e. if BR2_STRIP_EXCLUDE_DIRS is set to
>>> /usr/lib), or if they match BR2_STRIP_EXCLUDE_FILES (e.g. if it is set
>>> to "ipa_*.so"), then the libs would be stripped while they shouldn't be.
>>> However, I don't think that's a big deal.
>>>
>>
>> Does not hurt to use the same logic as in STRIP_FIND_CMD in main
>> Makefile, so will do.
>>

Can't use the logic for BR2_STRIP_EXCLUDE_DIRS because the dir in the 
build directory of libcamera is different from the one installed on the 
rootfs (i.e. build/src/ipa/*/ipa_*.so while on the target it'd be 
/usr/lib{64,}/libcamera/ipa_*.so).

For BR2_STRIP_EXCLUDE_FILES, if just a filename should be given, the 
find command will not care about intermediary directories so we're fine.

Meanwhile, I realised that STRIPCMD in package makefiles might not be 
the same as the one in the main Makefile. Namely, it's /bin/true if 
BR2_STRIP_strip is unset. So I'll need to use a hardcoded version 
instead of STRIPCMD variable unfortunately :/ Testing this to make sure 
I didn't misread the code.

Cheers,
Quentin
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [RFC PATCH] package/libcamera: remove rpath and strip debug symbols before signing IPA libs

[Arnout Vandecappelle]

On 06/05/2022 11:24, Quentin Schulz wrote:
> Hi Kieran,
> 
> On 5/6/22 11:04, Kieran Bingham wrote:
>> Quoting Quentin Schulz (2022-05-06 09:56:36)
>>> Hi Arnout,
>>>
>>> On 5/5/22 22:57, Arnout Vandecappelle wrote:
>>>>    Hi Quentin,
>>>>
>>>> On 05/05/2022 14:01, Quentin Schulz wrote:
>>>>> From: Quentin Schulz <quentin.schulz@theobroma-systems.com>

[snip]
>>>>> +    MESON_INSTALL_DESTDIR_PREFIX=$(TARGET_DIR)/usr/lib/libcamera/
>>>>> $(@D)/src/ipa/ipa-sign-install.sh $(@D)/build/src/ipa-priv-key.pem
>>>>> $(addprefix ipa_,$(addsuffix .so,$(LIBCAMERA_PIPELINES-y)))
>>>>> +    MESON_INSTALL_DESTDIR_PREFIX=$(TARGET_DIR)/usr/lib64/libcamera/
>>>>> $(@D)/src/ipa/ipa-sign-install.sh $(@D)/build/src/ipa-priv-key.pem
>>>>> $(addprefix ipa_,$(addsuffix .so,$(LIBCAMERA_PIPELINES-y)))
>>>>
>>>>    Instead of overriding INSTALL_TARGET_CMDS, you could also do the
>>>> additional steps in POST_INSTALL_TARGET_HOOKS.
>>>>
>>>
>>> Was not aware of those hooks, neat :)
>>
>> Are these hooks called after any modifcations to the files by buildroot,
>> or before?
>>  > If it's after then resigning at that point would be reasonable I think.
>>
> 
> AFAIK, before.
> 
> Buildroot runs all requested tasks/steps for each package, then remove rpath and 
> strips symbols in target/ directory.
> 
> POST_INSTALL_TARGET_HOOKS is run right after the install task/step for the 
> package is run (basically after ninja install is executed).
> 
> POST_BUILD_HOOK is happening right after the build task/step (after ninja is 
> executed) of the package is run.
> 
> We anyway need to strip the shlibs manually in the package makefile because 
> nothing does it and I don't think there's a way to hook something from a package 
> makefile to happen after Buildroot "main" post build script is run (not the one 
> in package makefiles, the one run right before creating the rootfs).

  Actually, there is, I didn't think of that! $(PKG)_ROOTFS_PRE_CMD_HOOKS gets 
executed right before the rootfs is created. Note that this is during the rootfs 
creation step and is done in a temporary directory (TARGET_DIR is overridden 
with the name of that temporary directory, so you can still use TARGET_DIR).

  It's actually meant for stuff that needs to be run under fakeroot, but it can 
be used for this as well.

  With that approach, we still have the unstripped libraries in STAGING_DIR 
(which is useful for debugging), and we don't need to re-create the strip 
commands. The disadvantages are:
- contents of target are not usable as is (signature will be wrong);
- we still need to "manually" call ipa-sign-install.sh.

  So all in all, I'm not sure that that option is better than your v2.

  (There is also $(PKG)_TARGET_FINALIZE_HOOKS, but those get called before 
stripping, so not useful here.)


  Regards,
  Arnout


> 
>>>
>>>>    However, I think it may be simpler to do the stripping in a
>>>> POST_BUILD_HOOK. That way, you only need to do the strip; the signing is
>>>> done in the install step, so if we make sure the .so is stripped by
>>>> then, all should be well, right?
>>>>
>>>
>>> If having the staging shlibs stripped is fine, then this shouldn't be an
>>> issue indeed.
>>
>> This sounds fine to me too though.
>>
>>
>>>
>>>>    Finally, there is one little caveat: if the libraries are installed in
>>>> BR2_STRIP_EXCLUDE_DIRS (i.e. if BR2_STRIP_EXCLUDE_DIRS is set to
>>>> /usr/lib), or if they match BR2_STRIP_EXCLUDE_FILES (e.g. if it is set
>>>> to "ipa_*.so"), then the libs would be stripped while they shouldn't be.
>>>> However, I don't think that's a big deal.
>>>>
>>>
>>> Does not hurt to use the same logic as in STRIP_FIND_CMD in main
>>> Makefile, so will do.
>>>
> 
> Can't use the logic for BR2_STRIP_EXCLUDE_DIRS because the dir in the build 
> directory of libcamera is different from the one installed on the rootfs (i.e. 
> build/src/ipa/*/ipa_*.so while on the target it'd be 
> /usr/lib{64,}/libcamera/ipa_*.so).
> 
> For BR2_STRIP_EXCLUDE_FILES, if just a filename should be given, the find 
> command will not care about intermediary directories so we're fine.
> 
> Meanwhile, I realised that STRIPCMD in package makefiles might not be the same 
> as the one in the main Makefile. Namely, it's /bin/true if BR2_STRIP_strip is 
> unset. So I'll need to use a hardcoded version instead of STRIPCMD variable 
> unfortunately :/ Testing this to make sure I didn't misread the code.
> 
> Cheers,
> Quentin
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot