From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Quentin Schulz <foss+buildroot@0leil.net>
Cc: Quentin Schulz <quentin.schulz@theobroma-systems.com>,
Kieran Bingham <kieran.bingham@ideasonboard.com>,
buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH v2] package/libcamera: strip symbols before signing IPA libs
Date: Mon, 4 Jul 2022 22:04:26 +0200
Message-ID: <20220704200426.GJ2521@scaer>
In-Reply-To: <20220506104658.3174243-1-foss+buildroot@0leil.net>

Quentin, All,

Kieran, some questions for you toward the end... ;-)

On 2022-05-06 12:46 +0200, Quentin Schulz spake thusly:
> From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
>
> Open-Source IPA shlibs need to be signed in order to be runnable within
> the same process, otherwise they are deemed Closed-Source and run in
> another process and communicate over IPC.
>
> The shlib installed on the target should be the same as the one signed
> by libcamera during package creation otherwise the signature won't match
> the shlib.
>
> Buildroot sanitizes RPATH in a post build process. meson gets rid of
> rpath while installing so we don't need to do it manually.
>
> Buildroot may strip symbols, so we need to do the same before signing.
> Since meson install target is also signing the IPA shlibs, let's strip
> them before this happens.
>
> Cc: Quentin Schulz <foss+buildroot@0leil.net>
> Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>

Applied to master, thanks.

However, this is a bit fragile, since libcamera may ultimately decide to
do the signing during the build phase (the install step is supposed to
be just about copying files around in theory).

So maybe:

 1. Buildroot needs to learn about FOO_STRIP_EXCLUDE_FILES/DIRS
 2. libcamera needs an option -Dstip-ipa=true/false
 3. libcamera.mk needs to set LIBCAMERA_STRIP_EXCLUDE_FILES/DIRS

Kieran, what do you think?

Regards,
Yann E. MORIN.

> ---
>
> v2:
> - use LIBCAMERA_POST_BUILD_HOOKS instead of replacing
> LIBCAMERA_INSTALL_TARGET_CMDS,
> - add handling of BR2_STRIP_EXCLUDE_FILES to not strip files which
> shouldn't,
> - added --no-run-if-empty to xargs, in case no IPA is selected,
> - removed stderr redirect and pipe to true to not hide useful
> information or fail the build if strip does not work,
>
> package/libcamera/libcamera.mk | 20 ++++++++++++++++++++
> 1 file changed, 20 insertions(+)
>
> diff --git a/package/libcamera/libcamera.mk b/package/libcamera/libcamera.mk
> index 77381ab3ca..41d6a5abef 100644
> --- a/package/libcamera/libcamera.mk
> +++ b/package/libcamera/libcamera.mk
> @@ -104,4 +104,24 @@ LIBCAMERA_DEPENDENCIES += libexecinfo
> LIBCAMERA_LDFLAGS = $(TARGET_LDFLAGS) -lexecinfo
> endif
>
> +# Open-Source IPA shlibs need to be signed in order to be runnable within the
> +# same process, otherwise they are deemed Closed-Source and run in another
> +# process and communicate over IPC.
> +# Buildroot sanitizes RPATH in a post build process. meson gets rid of rpath
> +# while installing so we don't need to do it manually here.
> +# Buildroot may strip symbols, so we need to do the same before signing
> +# otherwise the signature won't match the shlib on the rootfs. Since meson
> +# install target is signing the shlibs, we need to strip them before.
> +LIBCAMERA_STRIP_FIND_CMD = \
> + find $(@D)/build/src/ipa \
> + $(if $(call qstrip,$(BR2_STRIP_EXCLUDE_FILES)), \
> + -not \( $(call findfileclauses,$(call qstrip,$(BR2_STRIP_EXCLUDE_FILES))) \) ) \
> + -type f -name 'ipa_*.so' -print0
> +
> +define LIBCAMERA_BUILD_STRIP_IPA_SO
> + $(LIBCAMERA_STRIP_FIND_CMD) | xargs --no-run-if-empty -0 $(STRIPCMD)
> +endef
> +
> +LIBCAMERA_POST_BUILD_HOOKS += LIBCAMERA_BUILD_STRIP_IPA_SO
> +
> $(eval $(meson-package))
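
Review bot: LIBCAMERA_BUILD_STRIP_IPA_SO strips under $(@D)/build/src/ipa at post-build, and nothing later checks that the ipa_*.so landing on the rootfs still matches what the meson install target signed. The comment implies two assumptions: that signing happens in the install target, and that Buildroot's later strip pass leaves an already stripped file unchanged. If either stops holding, the module is silently treated as Closed-Source and run in another process. Consider a check after installation that verifies each installed ipa_*.so against its signature and fails the build on mismatch. LIBCAMERA_STRIP_FIND_CMD also consults only BR2_STRIP_EXCLUDE_FILES, so a module excluded by directory rather than by file name would still be stripped here.
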
> --
> 2.35.1
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
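
The ordering problem the commit message describes, as an added example that is not part of the thread and is not Buildroot or libcamera code: any byte change after signing invalidates a detached signature, so the strip has to come first. It assumes RSA/SHA-256 detached signatures stored as `<module>.sign` and the `openssl` CLI; `fake_strip`, the file names and the file contents are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not Buildroot or libcamera code). Assumptions: RSA/SHA-256
# detached signatures stored as <module>.sign and a PEM public key; all file
# names and contents below are constructed.

# verify_ipa_dir PUBKEY DIR: report each ipa_*.so in DIR and return the number
# of modules whose signature is missing or no longer matches the file.
verify_ipa_dir() {
    pubkey=$1; dir=$2; bad=0
    for so in "$dir"/ipa_*.so; do
        [ -f "$so" ] || continue   # glob did not match: no IPA to check
        if [ -f "$so.sign" ] && openssl dgst -sha256 -verify "$pubkey" \
                -signature "$so.sign" "$so" >/dev/null 2>&1; then
            echo "OK       ${so##*/}"
        else
            echo "MISMATCH ${so##*/}"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# sign_module KEY FILE: write a detached signature to FILE.sign.
sign_module() { openssl dgst -sha256 -sign "$1" -out "$2.sign" "$2"; }

# fake_strip FILE: stand-in for strip that drops the last 16 bytes, so the
# demo needs no ELF file or cross toolchain.
fake_strip() {
    size=$(wc -c < "$1")
    head -c "$((size - 16))" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# demo: sign two identical constructed modules in the two possible orders and
# return how many fail verification.
demo() {
    work=$(mktemp -d) || return 99
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/key.pem" 2>/dev/null
    openssl pkey -in "$work/key.pem" -pubout -out "$work/pub.pem"
    printf 'code-section-bytes..SYMTAB-16-BYTES!' > "$work/ipa_signed_first.so"
    cp "$work/ipa_signed_first.so" "$work/ipa_stripped_first.so"
    sign_module "$work/key.pem" "$work/ipa_signed_first.so"   # sign, then strip
    fake_strip "$work/ipa_signed_first.so"
    fake_strip "$work/ipa_stripped_first.so"                  # strip, then sign
    sign_module "$work/key.pem" "$work/ipa_stripped_first.so"
    verify_ipa_dir "$work/pub.pem" "$work"; rc=$?
    rm -rf "$work"
    return "$rc"
}
demo || echo "modules failing verification: $?"
```

Pointed at a real public key and the installed IPA directory, `verify_ipa_dir` gives a non-zero status that a build step can use to fail on any mismatch.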