From patchwork Fri Jan 29 10:59:43 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Maydell X-Patchwork-Id: 373303 Delivered-To: patch@linaro.org Received: by 2002:a02:a60d:0:0:0:0:0 with SMTP id c13csp2095902jam; Fri, 29 Jan 2021 03:12:09 -0800 (PST) X-Google-Smtp-Source: ABdhPJwneVcE62vg3pbF353IRtVOwG5QV2BSrS8dPyI2l3pJn5nJRMmzpqJiD3W3jV4rnMSkacB7 X-Received: by 2002:a25:3345:: with SMTP id z66mr5298124ybz.466.1611918729251; Fri, 29 Jan 2021 03:12:09 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1611918729; cv=none; d=google.com; s=arc-20160816; b=vBkNP6uZkdPJeqAjlNJ4+tOPjg1+G27N6OAHdd0R1QbF1enKIXbeb7mHs95OPs+SNB a1aw9Gszo4ve4eSZkQ7/lIH3N8tsKlZE+X0Uilg7FcAQ8W0tWD6Dx80LGwJe6ND7Rbj/ viMsM/0Q4gKyag50SDShRDMbWLzfFJMmJsLIpNnv97f5AXSma75dM07H5h5U0SWlqrDr NcrldS+1ZrbVXvkP31bisMAikkPGwwAtIzNgV4h3leblk/x3QCeBNsFDs9fUrvB5z9cj PabYh1xV09RqorysXyNp9xehBNIPOulg2+gIp9uqg5PML1jUlsZdqzeyomSUDcYmSeab MDIw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:to:from :dkim-signature; bh=5j5YtwYEiYqHm2x1vtSGXh1Wa3+6ylbZXN+3XxjeIHQ=; b=oPaT8AdtriQOqjSfn6zlKoJBsxQkdorJx/OCf0w0jDnfArhze2KP5c0XilZpfvm1CJ hLvfhOM/lcsPWlQnY3gcHI6c8Ys0E9Q/yv61jeEr7ZBZMmwkNEoItIPYOEQ437zA0RFa WIx4gAgTmvQoEfnulkO+RZ8qLSarOhCrFsGYEWjP4lCaq3yLs2hyMhbbD8hXFbtpNGWf 6ULXIWaA9rF441ZWGayHCLhK6UGlkXaLJuCZc+3VKQv9fuz8I7fM0zNLIEf5cxz1KBPv dEGngCKO+AFtJNrpq0s8swZL+MUovG4pIVJ581hgD4rlQjy1TwDR5keAOMjAFXwWjM3Y GK5A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=wMbftcIM; spf=pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom="qemu-devel-bounces+patch=linaro.org@nongnu.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from lists.gnu.org (lists.gnu.org. [209.51.188.17]) by mx.google.com with ESMTPS id f36si9475747ybi.328.2021.01.29.03.12.09 for (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Fri, 29 Jan 2021 03:12:09 -0800 (PST) Received-SPF: pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=wMbftcIM; spf=pass (google.com: domain of qemu-devel-bounces+patch=linaro.org@nongnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom="qemu-devel-bounces+patch=linaro.org@nongnu.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: from localhost ([::1]:44076 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1l5RhA-0004nb-MW for patch@linaro.org; Fri, 29 Jan 2021 06:12:08 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:59856) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1l5RWC-0004jD-HP for qemu-devel@nongnu.org; Fri, 29 Jan 2021 06:00:48 -0500 Received: from mail-wr1-x429.google.com ([2a00:1450:4864:20::429]:33001) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1l5RVx-00070E-Je for qemu-devel@nongnu.org; Fri, 29 Jan 2021 06:00:48 -0500 Received: by mail-wr1-x429.google.com with SMTP id 7so8418873wrz.0 for ; Fri, 29 Jan 2021 03:00:31 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=5j5YtwYEiYqHm2x1vtSGXh1Wa3+6ylbZXN+3XxjeIHQ=; b=wMbftcIMZfYx+MvX84r64dVIN0UIEpg1pDR9E1yjyLAXgc8RqofgfHU0yrcZWTOohr lHI4gDbSIf7QjseY0CYC6l8v5HBlocP+rURSwFTd9vmKuyEjoxpPqNrnuMSW64azaNdo 0QxG3HC0CHpNXgGY957C/2pUGCtw86nokRqMAzkxqAv+jNVzRP3/PJWOMKgIKQTVF16C Rj9EIbcrXEWcPGfQa9ZgCOBhPrybMG0VES3Ghbp+5p//6/WoGucPid521lCgfKDRG8rT BxOiaqe6xe3kIv9gOO6bvN0iLKbJbfjZtCgqr9eEPRNBAa4t+8MzwOZGe9JnUCc/q+hH nIJw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=5j5YtwYEiYqHm2x1vtSGXh1Wa3+6ylbZXN+3XxjeIHQ=; b=VTstXkSaCBp8jqe6CVTJ4kGF9HyOPSDQSR+9VtzA8gDaOgcWqi4Ugf0QTuxRh8FbUU +DfVFq2mUPHGUmkClQOlJLyX5MdcqSDjpw5ahG1mmyxmoc8HLVPTvYgJGC2rPeRZdl1Z wJpi/kwCouB7pHDDoxs/1ds6JFULD67wCibu1ZjJX9jebssjm3X1ps7DM8Q1oIxEXvMr VnsJAkiaPgj1EF6S9/GKcUxK+pk62YQzB0kXxmaLos+eXfgwgBRVkLglPi3G8qM9KAEp hjKzPvxfaI5nziECAfsaQ0DTRkOQqouDssUSkF4plZ8OxrIJZ5aPVkH9Y/GUz126HAXv P/Mg== X-Gm-Message-State: AOAM533j059QWMXq7+DrO5ImMXLzA+hjsJ0muOVuBzKcm6hRjyJK9MTs e/vw/IpNfWibzeM6eUxu1aRVweCMPvcyZA== X-Received: by 2002:adf:f749:: with SMTP id z9mr3750893wrp.327.1611918030333; Fri, 29 Jan 2021 03:00:30 -0800 (PST) Received: from orth.archaic.org.uk (orth.archaic.org.uk. [81.2.115.148]) by smtp.gmail.com with ESMTPSA id w20sm9268761wmm.12.2021.01.29.03.00.29 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 29 Jan 2021 03:00:29 -0800 (PST) From: Peter Maydell To: qemu-devel@nongnu.org Subject: [PULL 17/46] hvf: Add hypervisor entitlement to output binaries Date: Fri, 29 Jan 2021 10:59:43 +0000 Message-Id: <20210129110012.8660-18-peter.maydell@linaro.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20210129110012.8660-1-peter.maydell@linaro.org> References: <20210129110012.8660-1-peter.maydell@linaro.org> MIME-Version: 1.0 Received-SPF: pass client-ip=2a00:1450:4864:20::429; envelope-from=peter.maydell@linaro.org; helo=mail-wr1-x429.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org Sender: "Qemu-devel" From: Alexander Graf In macOS 11, QEMU only gets access to Hypervisor.framework if it has the respective entitlement. Add an entitlement template and automatically self sign and apply the entitlement in the build. Signed-off-by: Alexander Graf Reviewed-by: Roman Bolshakov Tested-by: Roman Bolshakov Signed-off-by: Peter Maydell --- meson.build | 29 +++++++++++++++++++++++++---- accel/hvf/entitlements.plist | 8 ++++++++ scripts/entitlement.sh | 13 +++++++++++++ 3 files changed, 46 insertions(+), 4 deletions(-) create mode 100644 accel/hvf/entitlements.plist create mode 100755 scripts/entitlement.sh -- 2.20.1 diff --git a/meson.build b/meson.build index 9ecb09dfe21..f00b7754fd4 100644 --- a/meson.build +++ b/meson.build @@ -2167,9 +2167,14 @@ foreach target : target_dirs }] endif foreach exe: execs - emulators += {exe['name']: - executable(exe['name'], exe['sources'], - install: true, + exe_name = exe['name'] + exe_sign = 'CONFIG_HVF' in config_target + if exe_sign + exe_name += '-unsigned' + endif + + emulator = executable(exe_name, exe['sources'], + install: not exe_sign, c_args: c_args, dependencies: arch_deps + deps + exe['dependencies'], objects: lib.extract_all_objects(recursive: true), @@ -2177,7 +2182,23 @@ foreach target : target_dirs link_depends: [block_syms, qemu_syms] + exe.get('link_depends', []), link_args: link_args, gui_app: exe['gui']) - } + + if exe_sign + emulators += {exe['name'] : custom_target(exe['name'], + install: true, + install_dir: get_option('bindir'), + depends: emulator, + output: exe['name'], + command: [ + meson.current_source_dir() / 'scripts/entitlement.sh', + meson.current_build_dir() / exe_name, + meson.current_build_dir() / exe['name'], + meson.current_source_dir() / 'accel/hvf/entitlements.plist' + ]) + } + else + emulators += {exe['name']: emulator} + endif if 'CONFIG_TRACE_SYSTEMTAP' in config_host foreach stp: [ diff --git a/accel/hvf/entitlements.plist b/accel/hvf/entitlements.plist new file mode 100644 index 00000000000..154f3308ef2 --- /dev/null +++ b/accel/hvf/entitlements.plist @@ -0,0 +1,8 @@ + + + + + com.apple.security.hypervisor + + + diff --git a/scripts/entitlement.sh b/scripts/entitlement.sh new file mode 100755 index 00000000000..c540fa6435f --- /dev/null +++ b/scripts/entitlement.sh @@ -0,0 +1,13 @@ +#!/bin/sh -e +# +# Helper script for the build process to apply entitlements + +SRC="$1" +DST="$2" +ENTITLEMENT="$3" + +trap 'rm "$DST.tmp"' exit +cp -af "$SRC" "$DST.tmp" +codesign --entitlements "$ENTITLEMENT" --force -s - "$DST.tmp" +mv "$DST.tmp" "$DST" +trap '' exit