[meta-multimedia,v2] libcamera: fix packaging and installation

Submitted by Andrey Konovalov on July 31, 2020, 2:39 p.m. | Patch ID: 174955

Details

Message ID 20200731143919.25825-1-andrey.konovalov@linaro.org
State Superseded
Commit da2a1e43754d4f68b2dd248b28329cc1241ff5a3
Headers show

Commit Message

Andrey Konovalov July 31, 2020, 2:39 p.m.
libcamera checks if RPATH or RUNPATH dynamic tag is present in
libcamera.so. If it does, it assumes that libcamera binaries are
run directly from the build directory without installing them, and
tries to use resorces like IPA modules from the build directory.
Mainline meson strips RPATH/RUNPATH out from libcamera.so file
at install time. But openembedded-core patches meson to disable
RPATH/RUNPATH removal. That's why  we need to remove this tag manually
in do_install_append().

IPA module is signed (with openssl dgst) after it is built. But
during packaging the OE build system 1) splits out debugging info,
and 2) strips the binaries. So the IPA module so file installed
isn't the one which the signature was calculated against. Then
the signature check fails, and libcamera tries to run the IPA
module isolated (in a sandbox), which doesn't work if the IPA
module wasn't designed to run isolated. The solution is to
recalculate the IPA modules signatures in ${PKGD} after do_package().

Signed-off-by: Andrey Konovalov <andrey.konovalov@linaro.org>
---
 Changes in v2:
  - Recalculate the IPA modules signatures after do_package()
    instead of disabling stripping and splitting libcamera package

 .../recipes-multimedia/libcamera/libcamera.bb     | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

Patch hide | download patch | download mbox

diff --git a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
index 00a5c480d..30c6600e5 100644
--- a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
+++ b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
@@ -18,13 +18,26 @@  PV = "202006+git${SRCPV}"
 
 S = "${WORKDIR}/git"
 
-DEPENDS = "python3-pyyaml-native udev gnutls boost"
+DEPENDS = "python3-pyyaml-native udev gnutls boost chrpath-native"
 DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'qt', 'qtbase qtbase-native', '', d)}"
 
 RDEPENDS_${PN} = "${@bb.utils.contains('DISTRO_FEATURES', 'wayland qt', 'qtwayland', '', d)}"
 
 inherit meson pkgconfig python3native
 
+do_install_append() {
+    chrpath -d ${D}${libdir}/libcamera.so
+}
+
+addtask do_recalculate_ipa_signatures_package after do_package before do_packagedata
+do_recalculate_ipa_signatures_package() {
+    for module in $(find "${PKGD}/usr/lib/libcamera" -name "*.so.sign"); do
+        if [ -f "${module%.sign}" ] ; then
+            "${S}/src/ipa/ipa-sign.sh" "${B}/src/ipa-priv-key.pem" "${module%.sign}" "${module}"
+        fi
+    done
+}
+
 FILES_${PN}-dev = "${includedir} ${libdir}/pkgconfig"
 FILES_${PN} += " ${libdir}/libcamera.so"
 

Comments

Laurent Pinchart Aug. 1, 2020, 1:01 p.m.
Hi Andrey,

Thank you for the patch.

On Fri, Jul 31, 2020 at 05:39:19PM +0300, Andrey Konovalov wrote:
> libcamera checks if RPATH or RUNPATH dynamic tag is present in
> libcamera.so. If it does, it assumes that libcamera binaries are
> run directly from the build directory without installing them, and
> tries to use resorces like IPA modules from the build directory.
> Mainline meson strips RPATH/RUNPATH out from libcamera.so file
> at install time. But openembedded-core patches meson to disable
> RPATH/RUNPATH removal. That's why  we need to remove this tag manually
> in do_install_append().
> 
> IPA module is signed (with openssl dgst) after it is built. But
> during packaging the OE build system 1) splits out debugging info,
> and 2) strips the binaries. So the IPA module so file installed
> isn't the one which the signature was calculated against. Then
> the signature check fails, and libcamera tries to run the IPA
> module isolated (in a sandbox), which doesn't work if the IPA
> module wasn't designed to run isolated. The solution is to
> recalculate the IPA modules signatures in ${PKGD} after do_package().
> 
> Signed-off-by: Andrey Konovalov <andrey.konovalov@linaro.org>
> ---
>  Changes in v2:
>   - Recalculate the IPA modules signatures after do_package()
>     instead of disabling stripping and splitting libcamera package
> 
>  .../recipes-multimedia/libcamera/libcamera.bb     | 15 ++++++++++++++-
>  1 file changed, 14 insertions(+), 1 deletion(-)
> 
> diff --git a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
> index 00a5c480d..30c6600e5 100644
> --- a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
> +++ b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
> @@ -18,13 +18,26 @@ PV = "202006+git${SRCPV}"
>  
>  S = "${WORKDIR}/git"
>  
> -DEPENDS = "python3-pyyaml-native udev gnutls boost"
> +DEPENDS = "python3-pyyaml-native udev gnutls boost chrpath-native"
>  DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'qt', 'qtbase qtbase-native', '', d)}"
>  
>  RDEPENDS_${PN} = "${@bb.utils.contains('DISTRO_FEATURES', 'wayland qt', 'qtwayland', '', d)}"
>  
>  inherit meson pkgconfig python3native
>  
> +do_install_append() {
> +    chrpath -d ${D}${libdir}/libcamera.so
> +}
> +
> +addtask do_recalculate_ipa_signatures_package after do_package before do_packagedata
> +do_recalculate_ipa_signatures_package() {
> +    for module in $(find "${PKGD}/usr/lib/libcamera" -name "*.so.sign"); do
> +        if [ -f "${module%.sign}" ] ; then
> +            "${S}/src/ipa/ipa-sign.sh" "${B}/src/ipa-priv-key.pem" "${module%.sign}" "${module}"
> +        fi
> +    done

Note that you could also use the src/ipa/ipa-sign-install.sh script,
which takes the key as the first argument followed by the list of .so
files to sign. Something along the lines of (not tested)

    local modules
    for module in $(find "${PKGD}/usr/lib/libcamera" -name "*.so.sign"); do
        module="${module%.sign}"
        if [ -f "${module}" ] ; then
	    modules="${modules} ${module}"
        fi
    done

    "${S}/src/ipa/ipa-sign-install.sh" "${B}/src/ipa-priv-key.pem" ${modules}

I think this will lower the risk of breakage in the future, as
ipa-sign.sh will have a higher chance of being refactored than
ipa-sign-install.sh

Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

> +}
> +
>  FILES_${PN}-dev = "${includedir} ${libdir}/pkgconfig"
>  FILES_${PN} += " ${libdir}/libcamera.so"
Andrey Konovalov Aug. 2, 2020, 7:04 p.m.
Hi Laurent,

On 01.08.2020 16:01, Laurent Pinchart wrote:
> Hi Andrey,
> 
> Thank you for the patch.
> 
> On Fri, Jul 31, 2020 at 05:39:19PM +0300, Andrey Konovalov wrote:
>> libcamera checks if RPATH or RUNPATH dynamic tag is present in
>> libcamera.so. If it does, it assumes that libcamera binaries are
>> run directly from the build directory without installing them, and
>> tries to use resorces like IPA modules from the build directory.
>> Mainline meson strips RPATH/RUNPATH out from libcamera.so file
>> at install time. But openembedded-core patches meson to disable
>> RPATH/RUNPATH removal. That's why  we need to remove this tag manually
>> in do_install_append().
>>
>> IPA module is signed (with openssl dgst) after it is built. But
>> during packaging the OE build system 1) splits out debugging info,
>> and 2) strips the binaries. So the IPA module so file installed
>> isn't the one which the signature was calculated against. Then
>> the signature check fails, and libcamera tries to run the IPA
>> module isolated (in a sandbox), which doesn't work if the IPA
>> module wasn't designed to run isolated. The solution is to
>> recalculate the IPA modules signatures in ${PKGD} after do_package().
>>
>> Signed-off-by: Andrey Konovalov <andrey.konovalov@linaro.org>
>> ---
>>   Changes in v2:
>>    - Recalculate the IPA modules signatures after do_package()
>>      instead of disabling stripping and splitting libcamera package
>>
>>   .../recipes-multimedia/libcamera/libcamera.bb     | 15 ++++++++++++++-
>>   1 file changed, 14 insertions(+), 1 deletion(-)
>>
>> diff --git a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
>> index 00a5c480d..30c6600e5 100644
>> --- a/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
>> +++ b/meta-multimedia/recipes-multimedia/libcamera/libcamera.bb
>> @@ -18,13 +18,26 @@ PV = "202006+git${SRCPV}"
>>   
>>   S = "${WORKDIR}/git"
>>   
>> -DEPENDS = "python3-pyyaml-native udev gnutls boost"
>> +DEPENDS = "python3-pyyaml-native udev gnutls boost chrpath-native"
>>   DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'qt', 'qtbase qtbase-native', '', d)}"
>>   
>>   RDEPENDS_${PN} = "${@bb.utils.contains('DISTRO_FEATURES', 'wayland qt', 'qtwayland', '', d)}"
>>   
>>   inherit meson pkgconfig python3native
>>   
>> +do_install_append() {
>> +    chrpath -d ${D}${libdir}/libcamera.so
>> +}
>> +
>> +addtask do_recalculate_ipa_signatures_package after do_package before do_packagedata
>> +do_recalculate_ipa_signatures_package() {
>> +    for module in $(find "${PKGD}/usr/lib/libcamera" -name "*.so.sign"); do
>> +        if [ -f "${module%.sign}" ] ; then
>> +            "${S}/src/ipa/ipa-sign.sh" "${B}/src/ipa-priv-key.pem" "${module%.sign}" "${module}"
>> +        fi
>> +    done
> 
> Note that you could also use the src/ipa/ipa-sign-install.sh script,
> which takes the key as the first argument followed by the list of .so
> files to sign. Something along the lines of (not tested)
> 
>      local modules
>      for module in $(find "${PKGD}/usr/lib/libcamera" -name "*.so.sign"); do
>          module="${module%.sign}"
>          if [ -f "${module}" ] ; then
> 	    modules="${modules} ${module}"
>          fi
>      done
> 
>      "${S}/src/ipa/ipa-sign-install.sh" "${B}/src/ipa-priv-key.pem" ${modules}
> 
> I think this will lower the risk of breakage in the future, as
> ipa-sign.sh will have a higher chance of being refactored than
> ipa-sign-install.sh

OK, makes sense. Thanks for the suggestion!

When creating v2 I've got the impression of ipa-sign-install.sh relying
on running in meson environment - when run as part of 'meson install'
it prefixes each module with ${MESON_INSTALL_DESTDIR_PREFIX}/.
But ipa-sign-install.sh also works OK when used in do_recalculate_ipa_signatures_package() -
"${MESON_INSTALL_DESTDIR_PREFIX}" resolves to "", and the ${modules}
use full path names.

> Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

Thanks,
Andrey

>> +}
>> +
>>   FILES_${PN}-dev = "${includedir} ${libdir}/pkgconfig"
>>   FILES_${PN} += " ${libdir}/libcamera.so"
>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#86107): https://lists.openembedded.org/g/openembedded-devel/message/86107
Mute This Topic: https://lists.openembedded.org/mt/75926500/3617530
Group Owner: openembedded-devel+owner@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub  [oe-patchwork@oe-patch.openembedded.org]
-=-=-=-=-=-=-=-=-=-=-=-
Andrey Konovalov Aug. 3, 2020, 5:07 a.m.
This is a system generated Comment: Patch 174955 was automatically marked as superseded by patch 174994.