| Message ID | 20210120224444.71840-2-agraf@csgraf.de (mailing list archive) |
|---|---|
| State | New, archived |
| Series | hvf: Implement Apple Silicon Support |
Hi,

I use your patches when running QEMU on M1 MacBook Air. I noticed that the installation process corrupts the code signature because meson modifies the file to fix dynamic shared library install names. Also, stripping apparently does not work because the signed file is not considered "executable" by meson. Here is some change I wrote for my own use, just for reference:
https://github.com/akihikodaki/qemu/commit/6a9b5d7e4ea03b1e757be1eedf256871bb6a5bdd

Also, the patch series no longer applies to master. Here is my merge with conflict resolution (it is not a rebase and was done for my own purpose, just for reference):
https://github.com/akihikodaki/qemu/commit/b7885e4370a2fe426e80d32afe6eb5d01a71640d

Regards,
Akihiko Odaki

On 2021/01/21 7:44, Alexander Graf wrote:
> In macOS 11, QEMU only gets access to Hypervisor.framework if it has the
> respective entitlement. Add an entitlement template and automatically self
> sign and apply the entitlement in the build.
>
> Signed-off-by: Alexander Graf <agraf@csgraf.de>
> Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
> Tested-by: Roman Bolshakov <r.bolshakov@yadro.com>
>
> ---
>
> v1 -> v2:
>
> - Make safe to ctrl-C
>
> v3 -> v4:
>
> - Remove unused exe_full variable
> - Reuse exe_name variable
> ---
> accel/hvf/entitlements.plist | 8 ++++++++
> meson.build | 29 +++++++++++++++++++++++++----
> scripts/entitlement.sh | 13 +++++++++++++
> 3 files changed, 46 insertions(+), 4 deletions(-)
> create mode 100644 accel/hvf/entitlements.plist
> create mode 100755 scripts/entitlement.sh
>
> diff --git a/accel/hvf/entitlements.plist b/accel/hvf/entitlements.plist > new file mode 100644 > index 0000000000..154f3308ef > --- /dev/null > +++ b/accel/hvf/entitlements.plist
> @@ -0,0 +1,8 @@ > +<?xml version="1.0" encoding="UTF-8"?> > +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> > +<plist version="1.0"> > +<dict> > + <key>com.apple.security.hypervisor</key> > + <true/> > +</dict> > +</plist> > diff --git a/meson.build b/meson.build > index 3d889857a0..c667d64498 100644 > --- a/meson.build > +++ b/meson.build > @@ -2146,9 +2146,14 @@ foreach target : target_dirs > }] > endif > foreach exe: execs > - emulators += {exe['name']: > - executable(exe['name'], exe['sources'], > - install: true, > + exe_name = exe['name'] > + exe_sign = 'CONFIG_HVF' in config_target > + if exe_sign > + exe_name += '-unsigned' > + endif > + > + emulator = executable(exe_name, exe['sources'], > + install: not exe_sign, > c_args: c_args, > dependencies: arch_deps + deps + exe['dependencies'], > objects: lib.extract_all_objects(recursive: true), > @@ -2156,7 +2161,23 @@ foreach target : target_dirs > link_depends: [block_syms, qemu_syms] + exe.get('link_depends', []), > link_args: link_args, > gui_app: exe['gui']) > - } > + > + if exe_sign > + emulators += {exe['name'] : custom_target(exe['name'], > + install: true, > + install_dir: get_option('bindir'), > + depends: emulator, > + output: exe['name'], > + command: [ > + meson.current_source_dir() / 'scripts/entitlement.sh', > + meson.current_build_dir() / exe_name, > + meson.current_build_dir() / exe['name'], > + meson.current_source_dir() / 'accel/hvf/entitlements.plist' > + ]) > + } > + else > + emulators += {exe['name']: emulator} > + endif > > if 'CONFIG_TRACE_SYSTEMTAP' in config_host > foreach stp: [ > diff --git a/scripts/entitlement.sh b/scripts/entitlement.sh > new file mode 100755 > index 0000000000..c540fa6435 > --- /dev/null > +++ b/scripts/entitlement.sh 
> @@ -0,0 +1,13 @@ > +#!/bin/sh -e > +# > +# Helper script for the build process to apply entitlements > + > +SRC="$1" > +DST="$2" > +ENTITLEMENT="$3" > + > +trap 'rm "$DST.tmp"' exit > +cp -af "$SRC" "$DST.tmp" > +codesign --entitlements "$ENTITLEMENT" --force -s - "$DST.tmp" > +mv "$DST.tmp" "$DST" > +trap '' exit >
On 23/02/21 12:56, Akihiko Odaki wrote:
> I noticed that the installation process corrupts the code signature
> because meson modifies the file to fix dynamic shared library install
> names. Also, stripping apparently does not work because the signed file
> is not considered as "executable" by meson. Here is some change I wrote
> for my own use, just for reference:
> https://github.com/akihikodaki/qemu/commit/6a9b5d7e4ea03b1e757be1eedf256871bb6a5bdd

That seems like a feasible way to do it. We could also have a single script with --build and --install as the first argument.

Since entitlement support is already part of the upstream tree, would you like to submit the patch and Cc me so that I can include it?

Thanks,

Paolo
diff --git a/accel/hvf/entitlements.plist b/accel/hvf/entitlements.plist new file mode 100644 index 0000000000..154f3308ef --- /dev/null +++ b/accel/hvf/entitlements.plist @@ -0,0 +1,8 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<plist version="1.0"> +<dict> + <key>com.apple.security.hypervisor</key> + <true/> +</dict> +</plist> diff --git a/meson.build b/meson.build index 3d889857a0..c667d64498 100644 --- a/meson.build +++ b/meson.build @@ -2146,9 +2146,14 @@ foreach target : target_dirs }] endif foreach exe: execs - emulators += {exe['name']: - executable(exe['name'], exe['sources'], - install: true, + exe_name = exe['name'] + exe_sign = 'CONFIG_HVF' in config_target + if exe_sign + exe_name += '-unsigned' + endif + + emulator = executable(exe_name, exe['sources'], + install: not exe_sign, c_args: c_args, dependencies: arch_deps + deps + exe['dependencies'], objects: lib.extract_all_objects(recursive: true), @@ -2156,7 +2161,23 @@ foreach target : target_dirs link_depends: [block_syms, qemu_syms] + exe.get('link_depends', []), link_args: link_args, gui_app: exe['gui']) - } + + if exe_sign + emulators += {exe['name'] : custom_target(exe['name'], + install: true, + install_dir: get_option('bindir'), + depends: emulator, + output: exe['name'], + command: [ + meson.current_source_dir() / 'scripts/entitlement.sh', + meson.current_build_dir() / exe_name, + meson.current_build_dir() / exe['name'], + meson.current_source_dir() / 'accel/hvf/entitlements.plist' + ]) + } + else + emulators += {exe['name']: emulator} + endif if 'CONFIG_TRACE_SYSTEMTAP' in config_host foreach stp: [ diff --git a/scripts/entitlement.sh b/scripts/entitlement.sh new file mode 100755 index 0000000000..c540fa6435 --- /dev/null +++ b/scripts/entitlement.sh 
@@ -0,0 +1,13 @@ +#!/bin/sh -e +# +# Helper script for the build process to apply entitlements + +SRC="$1" +DST="$2" +ENTITLEMENT="$3" + +trap 'rm "$DST.tmp"' exit +cp -af "$SRC" "$DST.tmp" +codesign --entitlements "$ENTITLEMENT" --force -s - "$DST.tmp" +mv "$DST.tmp" "$DST" +trap '' exit
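Review bot: the new accel/hvf/entitlements.plist requests only com.apple.security.hypervisor, which is the minimal entitlement for the stated purpose, but nothing in the file says why it exists or that scripts/entitlement.sh consumes it at build time; a short XML comment above the dict (or a sentence in docs/ pointing at the script) would keep the next person from adding unrelated keys to a file that is applied to every installed emulator binary.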
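Review bot: in the first meson.build hunk (@@ -2146), `exe_sign = 'CONFIG_HVF' in config_target` together with `exe_name += '-unsigned'` and `install: not exe_sign` means the build tree now contains e.g. a `-unsigned` binary next to the signed one, and a developer who runs the suffixed file from the build directory will hit exactly the Hypervisor.framework access failure the commit message describes; the commit message or docs/ should say that only the unsuffixed output of the custom_target carries the entitlement and is the one to run.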
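Review bot: in the second meson.build hunk (@@ -2156), the custom_target hands `meson.current_build_dir() / exe_name` to the script as a hand-built path string and relies on `depends: emulator` only for ordering; passing the executable as `input: emulator` and using `@INPUT@` / `@OUTPUT@` in `command:` lets meson track the actual file. More importantly, the signed output is installed with `install: true`, and as Akihiko Odaki reports above, meson's install step then rewrites the dynamic shared library install names in the binary, which invalidates the signature applied here; the codesign step needs to run after that rewrite (an install-time mode, along the lines of the `--install` argument Paolo suggests), not only at build time.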
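Review bot: in scripts/entitlement.sh, `trap 'rm "$DST.tmp"' exit` is armed before `cp -af` has created the file, so if the copy fails the exit trap runs `rm` on a missing path and prints a second error on top of the real one; `rm -f "$DST.tmp"` avoids that. The script also accepts any argument count silently, so a guard such as `[ $# -eq 3 ] || { echo "usage: $0 SRC DST ENTITLEMENT" >&2; exit 1; }` before the assignments would catch a mis-wired meson command line before `codesign --force -s -` is invoked with an empty path. The comment header could also state that `-s -` produces an ad-hoc signature, so the entitlement is applied without any developer identity to verify.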