On Thu, Nov 26, 2020 at 10:50:10PM +0100, Alexander Graf wrote:
In macOS 11, QEMU only gets access to Hypervisor.framework if it has the
respective entitlement. Add an entitlement template and automatically self
sign and apply the entitlement in the build.
Signed-off-by: Alexander Graf <agraf@csgraf.de>
---
accel/hvf/entitlements.plist | 8 ++++++++
meson.build | 30 ++++++++++++++++++++++++++----
scripts/entitlement.sh | 11 +++++++++++
3 files changed, 45 insertions(+), 4 deletions(-)
create mode 100644 accel/hvf/entitlements.plist
create mode 100755 scripts/entitlement.sh
Hi,
I think the patch should go ahead of other changes (with Paolo's fix for
^C) and land into 5.2 because entitlements are needed for x86_64 hvf too
since Big Sur Beta 3. Ad-hoc signing is very convenient for development.
Also, it might be good to have a configure/meson option to disable signing
altogether. Primarily for homebrew:
https://discourse.brew.sh/t/code-signing-installed-executables/2131/10
There's no established process for how to deal with it, e.g. GDB in homebrew
has a caveats section for now:
==> Caveats
gdb requires special privileges to access Mach ports.
You will need to codesign the binary. For instructions, see:
https://sourceware.org/gdb/wiki/BuildingOnDarwin
The discussion on discourse mentions some plans to do signing in
homebrew CI (with real Developer ID) but none of them are implemented
now.
For now it'd be helpful to provide a way to disable signing and install
the entitlements (if one wants to sign after installation). A similar
issue was raised to fish-shell a while ago:
https://github.com/fish-shell/fish-shell/issues/6952
https://github.com/fish-shell/fish-shell/issues/7467
diff --git a/accel/hvf/entitlements.plist b/accel/hvf/entitlements.plist
new file mode 100644
index 0000000000..154f3308ef
--- /dev/null
+++ b/accel/hvf/entitlements.plist
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>com.apple.security.hypervisor</key>
+ <true/>
+</dict>
+</plist>
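Review bot: the entitlement set is minimal, only `com.apple.security.hypervisor` is granted, which is the right least-privilege shape, but the plist is only consumed at build time here; consider also installing `accel/hvf/entitlements.plist` next to the binaries so that a packager who skips the ad-hoc step (the Homebrew case raised above) can sign after installation without reconstructing the file. The DOCTYPE wraps onto a second line in the quoted mail, which XML permits, so nothing needs changing there.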
diff --git a/meson.build b/meson.build
index 5062407c70..2a7ff5560c 100644
--- a/meson.build
+++ b/meson.build
@@ -1844,9 +1844,14 @@ foreach target : target_dirs
}]
endif
foreach exe: execs
- emulators += {exe['name']:
- executable(exe['name'], exe['sources'],
- install: true,
+ exe_name = exe['name']
+ exe_sign = 'CONFIG_HVF' in config_target
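Review bot: `exe_sign = 'CONFIG_HVF' in config_target` makes signing unconditional for every HVF-enabled target with no user-facing way to turn it off, which is exactly the gap the reply above describes for packaging that signs after installation; suggest additionally gating it on a build option, along the lines of `exe_sign = get_option('sign') and 'CONFIG_HVF' in config_target` (option name hypothetical, to be declared in meson_options.txt). Since the only trigger is the HVF key, a TCG-only build would never be signed, so if other entitlements turn out to be needed the gate should be written so more conditions can be added. The remainder of the hunk, where `exe_sign` is consumed, is not quoted in this message and cannot be checked here.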
I don't have Apple Silicon HW but it may require a different kind of
entitlement for CONFIG_TCG:
https://developer.apple.com/documentation/apple_silicon/porting_just-in-time_compilers_to_apple_silicon
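For the sign-after-installation scenario discussed above, here is an added Python example (not code from the QEMU patch or the QEMU project): it parses an entitlements plist of the kind the patch adds, checks that it grants the Hypervisor.framework entitlement and nothing beyond it, and builds the ad-hoc `codesign` commands that apply the entitlement and display the result. The sample plist is constructed inline to mirror the one in the patch; the binary path is a placeholder, and `codesign` is only invoked when it is actually present, since it exists only on macOS.

```python
"""Inspect an HVF entitlements plist and prepare post-install ad-hoc signing.

Added example for this thread; not code from the QEMU patch.  The sample plist
is constructed inline to mirror accel/hvf/entitlements.plist and the binary
path is a placeholder.  codesign exists only on macOS, so commands are built
as argv lists and executed only when the tool is actually present.
"""
import plistlib
import shutil
import subprocess
import tempfile
from typing import Dict, List, Set

# Entitlement that macOS 11 requires for access to Hypervisor.framework.
HVF_ENTITLEMENT = "com.apple.security.hypervisor"

# Constructed sample mirroring the plist added by the patch.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.hypervisor</key>
  <true/>
</dict>
</plist>
"""


def entitlements_from_plist(data: bytes) -> Dict[str, object]:
    """Parse an entitlements plist; plistlib rejects malformed XML itself."""
    parsed = plistlib.loads(data)
    if not isinstance(parsed, dict):
        raise ValueError("entitlements plist must have a top-level <dict>")
    return parsed


def grants_hypervisor(ents: Dict[str, object]) -> bool:
    """True only if the HVF key is present and is literally <true/>."""
    return ents.get(HVF_ENTITLEMENT) is True


def unexpected_entitlements(ents: Dict[str, object],
                            allowed: Set[str] = frozenset({HVF_ENTITLEMENT})
                            ) -> Set[str]:
    """Keys beyond the expected set: a QEMU binary should need only HVF."""
    return set(ents) - set(allowed)


def adhoc_sign_argv(binary: str, plist_path: str) -> List[str]:
    """codesign command: ad-hoc identity '-', entitlements from plist_path.
    --force replaces whatever signature the linker already attached."""
    return ["codesign", "--force", "--sign", "-",
            "--entitlements", plist_path, binary]


def show_entitlements_argv(binary: str) -> List[str]:
    """codesign command that prints the entitlements embedded in a binary."""
    return ["codesign", "--display", "--entitlements", ":-", binary]


def sign_after_install(binary: str, plist_path: str,
                       dry_run: bool = False) -> List[str]:
    """Validate the plist, then sign unless dry_run or codesign is absent.

    Returns the signing argv (used or merely prepared) so callers can log it."""
    with open(plist_path, "rb") as fh:
        ents = entitlements_from_plist(fh.read())
    if not grants_hypervisor(ents):
        raise ValueError(f"{plist_path} does not grant {HVF_ENTITLEMENT}")
    extra = unexpected_entitlements(ents)
    if extra:
        raise ValueError(f"{plist_path} grants more than expected: "
                         f"{sorted(extra)}")
    argv = adhoc_sign_argv(binary, plist_path)
    if not dry_run and shutil.which("codesign"):   # macOS only
        subprocess.run(argv, check=True)
        subprocess.run(show_entitlements_argv(binary), check=True)
    return argv


if __name__ == "__main__":
    # Dry run against the constructed sample; the binary path is a placeholder.
    with tempfile.NamedTemporaryFile(suffix=".plist", delete=False) as tmp:
        tmp.write(SAMPLE_PLIST)
    print(" ".join(sign_after_install("/path/to/qemu-system-x86_64",
                                      tmp.name, dry_run=True)))
```

The `unexpected_entitlements` check is the part worth keeping in a packaging script: an entitlements file that quietly grows extra keys widens what the signed binary may do, so failing the signing step on anything other than the expected hypervisor key keeps the installed QEMU at the privilege the patch intends.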