On 27.11.20 20:44, Roman Bolshakov wrote:
On Thu, Nov 26, 2020 at 10:50:10PM +0100, Alexander Graf wrote:
In macOS 11, QEMU only gets access to Hypervisor.framework if it has the
respective entitlement. Add an entitlement template and automatically self
sign and apply the entitlement in the build.
Signed-off-by: Alexander Graf <ag...@csgraf.de>
---
accel/hvf/entitlements.plist | 8 ++++++++
meson.build | 30 ++++++++++++++++++++++++++----
scripts/entitlement.sh | 11 +++++++++++
3 files changed, 45 insertions(+), 4 deletions(-)
create mode 100644 accel/hvf/entitlements.plist
create mode 100755 scripts/entitlement.sh
Hi,
I think the patch should go ahead of other changes (with Paolo's fix for
^C) and land into 5.2 because entitlements are needed for x86_64 hvf too
since Big Sur Beta 3. Ad-hoc signing is very convenient for development.
Also, It might be good to have configure/meson option to disable signing
at all. Primarily for homebrew:
https://discourse.brew.sh/t/code-signing-installed-executables/2131/10
There's no established process how to deal with it, e.g. GDB in homebrew
has caveats section for now:
==> Caveats
gdb requires special privileges to access Mach ports.
You will need to codesign the binary. For instructions, see:
https://sourceware.org/gdb/wiki/BuildingOnDarwin
The discussion on discourse mentions some plans to do signing in
homebrew CI (with real Developer ID) but none of them are implemented
now.
For now it'd be helpful to provide a way to disable signing and install
the entitlements (if one wants to sign after installation). Similar
issue was raised to fish-shell a while ago:
https://github.com/fish-shell/fish-shell/issues/6952
https://github.com/fish-shell/fish-shell/issues/7467
All binaries are signed in Big Sur by the linker as far as I understand,
so I don't quite see the point in not signing :). If the build system
doesn't have access to codesign, it sounds to me like one should fix the
build system instead? Worst case by injecting a fake codesign binary
that just calls /bin/true.
diff --git a/accel/hvf/entitlements.plist b/accel/hvf/entitlements.plist
new file mode 100644
index 0000000000..154f3308ef
--- /dev/null
+++ b/accel/hvf/entitlements.plist
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd";>
+<plist version="1.0">
+<dict>
+ <key>com.apple.security.hypervisor</key>
+ <true/>
+</dict>
+</plist>
diff --git a/meson.build b/meson.build
index 5062407c70..2a7ff5560c 100644
--- a/meson.build
+++ b/meson.build
@@ -1844,9 +1844,14 @@ foreach target : target_dirs
}]
endif
foreach exe: execs
- emulators += {exe['name']:
- executable(exe['name'], exe['sources'],
- install: true,
+ exe_name = exe['name']
+ exe_sign = 'CONFIG_HVF' in config_target
I don't have Apple Silicon HW but it may require different kind of
entitlements for CONFIG_TCG:
https://developer.apple.com/documentation/apple_silicon/porting_just-in-time_compilers_to_apple_silicon
You only need the JIT entitlement for the App Store. Locally signed
applications work just fine without. I don't know about binaries you
download from the internet that were signed with a developer key though.
Keep in mind that for this to work you also need the MAP_JIT and RWX
toggle changes from another patch set on the ML.
Alex
