On Wed, Dec 02, 2020 at 08:03:59PM +0100, Alexander Graf wrote:
> In macOS 11, QEMU only gets access to Hypervisor.framework if it has the
> respective entitlement. Add an entitlement template and automatically self
> sign and apply the entitlement in the build.
>
> Signed-off-by: Alexander Graf <ag...@csgraf.de>
>
> ---
>
> v1 -> v2:
>
> - Make safe to ctrl-C
> ---
> accel/hvf/entitlements.plist | 8 ++++++++
> meson.build | 30 ++++++++++++++++++++++++++----
> scripts/entitlement.sh | 13 +++++++++++++
> 3 files changed, 47 insertions(+), 4 deletions(-)
> create mode 100644 accel/hvf/entitlements.plist
> create mode 100755 scripts/entitlement.sh
>
> diff --git a/accel/hvf/entitlements.plist b/accel/hvf/entitlements.plist
> new file mode 100644
> index 0000000000..154f3308ef
> --- /dev/null
> +++ b/accel/hvf/entitlements.plist
> @@ -0,0 +1,8 @@
> +<?xml version="1.0" encoding="UTF-8"?>
> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
> "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
> +<plist version="1.0">
> +<dict>
> + <key>com.apple.security.hypervisor</key>
> + <true/>
> +</dict>
> +</plist>
> diff --git a/meson.build b/meson.build
> index 5062407c70..2a7ff5560c 100644
> --- a/meson.build
> +++ b/meson.build
> @@ -1844,9 +1844,14 @@ foreach target : target_dirs
> }]
> endif
> foreach exe: execs
> - emulators += {exe['name']:
> - executable(exe['name'], exe['sources'],
> - install: true,
> + exe_name = exe['name']
> + exe_sign = 'CONFIG_HVF' in config_target
> + if exe_sign
> + exe_name += '-unsigned'
> + endif
> +
> + emulator = executable(exe_name, exe['sources'],
> + install: not exe_sign,
> c_args: c_args,
> dependencies: arch_deps + deps + exe['dependencies'],
> objects: lib.extract_all_objects(recursive: true),
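Review bot: The new accel/hvf/entitlements.plist has no comment saying what its single key is for or that the list should stay minimal. Since the meson.build hunks apply this file to every emulator built with CONFIG_HVF, any key added later is granted to all of those binaries. I would add, after the DOCTYPE line, `<!-- Only what HVF needs (Hypervisor.framework access on macOS 11); keep this list minimal. -->`.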
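Review bot: Nothing at `exe_sign = 'CONFIG_HVF' in config_target` in the first meson.build hunk explains why HVF targets are built under a `-unsigned` name and excluded from install. A reader has to find the commit message to learn that the entitlement is applied in a later step. A comment above the assignment would do, for example `# HVF needs the com.apple.security.hypervisor entitlement on macOS 11: build NAME-unsigned here, sign it below`. The executable() call opened in this hunk continues past its last line.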
> @@ -1854,7 +1859,24 @@ foreach target : target_dirs
> link_depends: [block_syms, qemu_syms] +
> exe.get('link_depends', []),
> link_args: link_args,
> gui_app: exe['gui'])
> - }
> +
> + if exe_sign
> + exe_full = meson.current_build_dir() / exe['name']
It's defined but not used.
> + emulators += {exe['name'] : custom_target(exe['name'],
> + install: true,
> + install_dir: get_option('bindir'),
> + depends: emulator,
> + output: exe['name'],
> + command: [
> + meson.current_source_dir() / 'scripts/entitlement.sh',
> + meson.current_build_dir() / exe['name'] + '-unsigned',
exe_name might be used instead of: exe['name'] + '-unsigned' Thanks, Roman
> + meson.current_build_dir() / exe['name'],
> + meson.current_source_dir() /
> 'accel/hvf/entitlements.plist'
> + ])
> + }
> + else
> + emulators += {exe['name']: emulator}
> + endif
>
> if 'CONFIG_TRACE_SYSTEMTAP' in config_host
> foreach stp: [
> diff --git a/scripts/entitlement.sh b/scripts/entitlement.sh
> new file mode 100755
> index 0000000000..c540fa6435
> --- /dev/null
> +++ b/scripts/entitlement.sh
> @@ -0,0 +1,13 @@
> +#!/bin/sh -e
> +#
> +# Helper script for the build process to apply entitlements
> +
> +SRC="$1"
> +DST="$2"
> +ENTITLEMENT="$3"
> +
> +trap 'rm "$DST.tmp"' exit
> +cp -af "$SRC" "$DST.tmp"
> +codesign --entitlements "$ENTITLEMENT" --force -s - "$DST.tmp"
> +mv "$DST.tmp" "$DST"
> +trap '' exit
> --
> 2.24.3 (Apple Git-128)
>
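Review bot: The custom_target in the second meson.build hunk passes scripts/entitlement.sh and accel/hvf/entitlements.plist only as path strings inside `command:`, and `depends:` lists just the emulator. As far as these lines show, an edit to the plist or the script therefore does not re-run the signing step, and the build tree keeps a binary signed with the old entitlement set. Adding `depend_files: files('scripts/entitlement.sh', 'accel/hvf/entitlements.plist'),` to the custom_target would make the signed output track both. Separately, the signed file is what gets installed, so if the install step strips or otherwise rewrites the binary the signature would no longer match; that is worth checking with a stripped install. The enclosing foreach loop starts and ends outside the hunk.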
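Review bot: The cleanup line `trap 'rm "$DST.tmp"' exit` in scripts/entitlement.sh uses plain `rm` and a lower-case condition name. If `cp` fails before the temporary file exists, the trap adds a second error on top of the real one, and POSIX only guarantees the spelling `EXIT`; `trap 'rm -f "$DST.tmp"' EXIT` covers both. Whether an EXIT trap also runs when the shell is interrupted by a signal depends on the sh implementation, so the ctrl-C case from the changelog should be confirmed on the shell that /bin/sh resolves to on the build host. The script also never checks that it received three arguments; `[ $# -eq 3 ] || exit 1` before the assignments would stop an empty `$DST` from being used.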