On Wed, Dec 02, 2020 at 08:03:59PM +0100, Alexander Graf wrote: > In macOS 11, QEMU only gets access to Hypervisor.framework if it has the > respective entitlement. Add an entitlement template and automatically self > sign and apply the entitlement in the build. > > Signed-off-by: Alexander Graf <agraf@csgraf.de> > > --- > > v1 -> v2: > > - Make safe to ctrl-C > --- > accel/hvf/entitlements.plist | 8 ++++++++ > meson.build | 30 ++++++++++++++++++++++++++---- > scripts/entitlement.sh | 13 +++++++++++++ > 3 files changed, 47 insertions(+), 4 deletions(-) > create mode 100644 accel/hvf/entitlements.plist > create mode 100755 scripts/entitlement.sh > > diff --git a/accel/hvf/entitlements.plist b/accel/hvf/entitlements.plist > new file mode 100644 > index 0000000000..154f3308ef > --- /dev/null > +++ b/accel/hvf/entitlements.plist > @@ -0,0 +1,8 @@ > +<?xml version="1.0" encoding="UTF-8"?> > +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> > +<plist version="1.0"> > +<dict> > + <key>com.apple.security.hypervisor</key> > + <true/> > +</dict> > +</plist> > diff --git a/meson.build b/meson.build > index 5062407c70..2a7ff5560c 100644 > --- a/meson.build > +++ b/meson.build > @@ -1844,9 +1844,14 @@ foreach target : target_dirs > }] > endif > foreach exe: execs > - emulators += {exe['name']: > - executable(exe['name'], exe['sources'], > - install: true, > + exe_name = exe['name'] > + exe_sign = 'CONFIG_HVF' in config_target > + if exe_sign > + exe_name += '-unsigned' > + endif > + > + emulator = executable(exe_name, exe['sources'], > + install: not exe_sign, > c_args: c_args, > dependencies: arch_deps + deps + exe['dependencies'], > objects: lib.extract_all_objects(recursive: true), 
> @@ -1854,7 +1859,24 @@ foreach target : target_dirs > link_depends: [block_syms, qemu_syms] + exe.get('link_depends', []), > link_args: link_args, > gui_app: exe['gui']) > - } > + > + if exe_sign > + exe_full = meson.current_build_dir() / exe['name'] It's defined but not used. > + emulators += {exe['name'] : custom_target(exe['name'], > + install: true, > + install_dir: get_option('bindir'), > + depends: emulator, > + output: exe['name'], > + command: [ > + meson.current_source_dir() / 'scripts/entitlement.sh', > + meson.current_build_dir() / exe['name'] + '-unsigned', exe_name might be used instead of: exe['name'] + '-unsigned' Thanks, Roman > + meson.current_build_dir() / exe['name'], > + meson.current_source_dir() / 'accel/hvf/entitlements.plist' > + ]) > + } > + else > + emulators += {exe['name']: emulator} > + endif > > if 'CONFIG_TRACE_SYSTEMTAP' in config_host > foreach stp: [ > diff --git a/scripts/entitlement.sh b/scripts/entitlement.sh > new file mode 100755 > index 0000000000..c540fa6435 > --- /dev/null > +++ b/scripts/entitlement.sh > @@ -0,0 +1,13 @@ > +#!/bin/sh -e > +# > +# Helper script for the build process to apply entitlements > + > +SRC="$1" > +DST="$2" > +ENTITLEMENT="$3" > + > +trap 'rm "$DST.tmp"' exit > +cp -af "$SRC" "$DST.tmp" > +codesign --entitlements "$ENTITLEMENT" --force -s - "$DST.tmp" > +mv "$DST.tmp" "$DST" > +trap '' exit > -- > 2.24.3 (Apple Git-128) >
diff --git a/accel/hvf/entitlements.plist b/accel/hvf/entitlements.plist
new file mode 100644
index 0000000000..154f3308ef
--- /dev/null
+++ b/accel/hvf/entitlements.plist
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>com.apple.security.hypervisor</key>
+ <true/>
+</dict>
+</plist>
diff --git a/meson.build b/meson.build
index 5062407c70..2a7ff5560c 100644
--- a/meson.build
+++ b/meson.build
@@ -1844,9 +1844,14 @@ foreach target : target_dirs
 }]
 endif
 foreach exe: execs
- emulators += {exe['name']:
- executable(exe['name'], exe['sources'],
- install: true,
+ exe_name = exe['name']
+ exe_sign = 'CONFIG_HVF' in config_target
+ if exe_sign
+ exe_name += '-unsigned'
+ endif
+
+ emulator = executable(exe_name, exe['sources'],
+ install: not exe_sign,
 c_args: c_args,
 dependencies: arch_deps + deps + exe['dependencies'],
 objects: lib.extract_all_objects(recursive: true),
@@ -1854,7 +1859,24 @@ foreach target : target_dirs
 link_depends: [block_syms, qemu_syms] + exe.get('link_depends', []),
 link_args: link_args,
 gui_app: exe['gui'])
- }
+
+ if exe_sign
+ exe_full = meson.current_build_dir() / exe['name']
+ emulators += {exe['name'] : custom_target(exe['name'],
+ install: true,
+ install_dir: get_option('bindir'),
+ depends: emulator,
+ output: exe['name'],
+ command: [
+ meson.current_source_dir() / 'scripts/entitlement.sh',
+ meson.current_build_dir() / exe['name'] + '-unsigned',
+ meson.current_build_dir() / exe['name'],
+ meson.current_source_dir() / 'accel/hvf/entitlements.plist'
+ ])
+ }
+ else
+ emulators += {exe['name']: emulator}
+ endif
 
 if 'CONFIG_TRACE_SYSTEMTAP' in config_host
 foreach stp: [
diff --git a/scripts/entitlement.sh b/scripts/entitlement.sh
new file mode 100755
index 0000000000..c540fa6435
--- /dev/null
+++ b/scripts/entitlement.sh
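Review bot: The custom_target in the second meson.build hunk reconstructs the path of the unsigned binary by hand (`meson.current_build_dir() / exe['name'] + '-unsigned'`) and only links it to the executable target through `depends:`, so Meson knows about the dependency but not about the file the script actually reads. Passing the target as an input and letting Meson substitute the paths makes that explicit and drops the duplicated string: `input: emulator,` alongside `output: exe['name'],`, and in the command `'@INPUT@', '@OUTPUT@',` in place of the two `meson.current_build_dir() / ...` entries. The `install: not exe_sign` on the executable is the right guard, since it keeps the unentitled `-unsigned` binary out of bindir while the signed one is installed from the custom target; a one-line comment above `exe_sign = ...` saying so, e.g. `# HVF needs the hypervisor entitlement: build an unsigned binary, then sign a copy and install only that`, would spare the next reader working it out from the two hunks. The foreach body continues outside both hunks.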
@@ -0,0 +1,13 @@
+#!/bin/sh -e
+#
+# Helper script for the build process to apply entitlements
+
+SRC="$1"
+DST="$2"
+ENTITLEMENT="$3"
+
+trap 'rm "$DST.tmp"' exit
+cp -af "$SRC" "$DST.tmp"
+codesign --entitlements "$ENTITLEMENT" --force -s - "$DST.tmp"
+mv "$DST.tmp" "$DST"
+trap '' exit
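Review bot: The cleanup trap `trap 'rm "$DST.tmp"' exit` is installed before `cp` creates the temporary, so if `cp` itself fails the script exits through the trap and `rm` prints a second error for a file that never existed; `trap 'rm -f "$DST.tmp"' exit` keeps the cleanup quiet on that path. The `-e` on the shebang line only takes effect when the script is executed directly, which is how meson.build invokes it, but it is lost if someone runs `sh scripts/entitlement.sh`; a `set -e` as the first body line preserves fail-fast in both cases. `-s -` requests an ad-hoc signature, which as far as I know satisfies the entitlement check on the build machine but carries no developer identity, so the header comment should state that, e.g. `# Signs ad-hoc (-s -): enough for local use of Hypervisor.framework, not a distributable signature.`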
In macOS 11, QEMU only gets access to Hypervisor.framework if it has the respective entitlement. Add an entitlement template and automatically self sign and apply the entitlement in the build. Signed-off-by: Alexander Graf <agraf@csgraf.de> --- v1 -> v2: - Make safe to ctrl-C --- accel/hvf/entitlements.plist | 8 ++++++++ meson.build | 30 ++++++++++++++++++++++++++---- scripts/entitlement.sh | 13 +++++++++++++ 3 files changed, 47 insertions(+), 4 deletions(-) create mode 100644 accel/hvf/entitlements.plist create mode 100755 scripts/entitlement.sh