Re: [PATCH v3 01/10] hvf: Add hypervisor entitlement to output binaries

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: Roman Bolshakov <r.bolshakov@yadro.com>
To: Alexander Graf <agraf@csgraf.de>
Cc: Peter Maydell <peter.maydell@linaro.org>,
	Eduardo Habkost <ehabkost@redhat.com>,
	Richard Henderson <richard.henderson@linaro.org>,
	qemu-devel@nongnu.org, Cameron Esfahani <dirty@apple.com>,
	qemu-arm@nongnu.org, Frank Yang <lfy@google.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Peter Collingbourne <pcc@google.com>
Subject: Re: [PATCH v3 01/10] hvf: Add hypervisor entitlement to output binaries
Date: Thu, 3 Dec 2020 02:32:00 +0300	[thread overview]
Message-ID: <20201202233200.GA34964@SPB-NB-133.local> (raw)
In-Reply-To: <20201202190408.2041-2-agraf@csgraf.de>

On Wed, Dec 02, 2020 at 08:03:59PM +0100, Alexander Graf wrote:
> In macOS 11, QEMU only gets access to Hypervisor.framework if it has the
> respective entitlement. Add an entitlement template and automatically self
> sign and apply the entitlement in the build.
> 
> Signed-off-by: Alexander Graf <agraf@csgraf.de>
> 
> ---
> 
> v1 -> v2:
> 
>   - Make safe to ctrl-C
> ---
>  accel/hvf/entitlements.plist |  8 ++++++++
>  meson.build                  | 30 ++++++++++++++++++++++++++----
>  scripts/entitlement.sh       | 13 +++++++++++++
>  3 files changed, 47 insertions(+), 4 deletions(-)
>  create mode 100644 accel/hvf/entitlements.plist
>  create mode 100755 scripts/entitlement.sh
> 
> diff --git a/accel/hvf/entitlements.plist b/accel/hvf/entitlements.plist
> new file mode 100644
> index 0000000000..154f3308ef
> --- /dev/null
> +++ b/accel/hvf/entitlements.plist
> @@ -0,0 +1,8 @@
> +<?xml version="1.0" encoding="UTF-8"?>
> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
> +<plist version="1.0">
> +<dict>
> +    <key>com.apple.security.hypervisor</key>
> +    <true/>
> +</dict>
> +</plist>
> diff --git a/meson.build b/meson.build
> index 5062407c70..2a7ff5560c 100644
> --- a/meson.build
> +++ b/meson.build
> @@ -1844,9 +1844,14 @@ foreach target : target_dirs
>      }]
>    endif
>    foreach exe: execs
> -    emulators += {exe['name']:
> -         executable(exe['name'], exe['sources'],
> -               install: true,
> +    exe_name = exe['name']
> +    exe_sign = 'CONFIG_HVF' in config_target
> +    if exe_sign
> +      exe_name += '-unsigned'
> +    endif
> +
> +    emulator = executable(exe_name, exe['sources'],
> +               install: not exe_sign,
>                 c_args: c_args,
>                 dependencies: arch_deps + deps + exe['dependencies'],
>                 objects: lib.extract_all_objects(recursive: true),
> @@ -1854,7 +1859,24 @@ foreach target : target_dirs
>                 link_depends: [block_syms, qemu_syms] + exe.get('link_depends', []),
>                 link_args: link_args,
>                 gui_app: exe['gui'])
> -    }
> +
> +    if exe_sign
> +      exe_full = meson.current_build_dir() / exe['name']

It's defined but not used.

> +      emulators += {exe['name'] : custom_target(exe['name'],
> +                   install: true,
> +                   install_dir: get_option('bindir'),
> +                   depends: emulator,
> +                   output: exe['name'],
> +                   command: [
> +                     meson.current_source_dir() / 'scripts/entitlement.sh',
> +                     meson.current_build_dir() / exe['name'] + '-unsigned',

exe_name might be used instead of:
exe['name'] + '-unsigned'

Thanks,
Roman

> +                     meson.current_build_dir() / exe['name'],
> +                     meson.current_source_dir() / 'accel/hvf/entitlements.plist'
> +                   ])
> +      }
> +    else
> +      emulators += {exe['name']: emulator}
> +    endif
>  
>      if 'CONFIG_TRACE_SYSTEMTAP' in config_host
>        foreach stp: [
> diff --git a/scripts/entitlement.sh b/scripts/entitlement.sh
> new file mode 100755
> index 0000000000..c540fa6435
> --- /dev/null
> +++ b/scripts/entitlement.sh
> @@ -0,0 +1,13 @@
> +#!/bin/sh -e
> +#
> +# Helper script for the build process to apply entitlements
> +
> +SRC="$1"
> +DST="$2"
> +ENTITLEMENT="$3"
> +
> +trap 'rm "$DST.tmp"' exit
> +cp -af "$SRC" "$DST.tmp"
> +codesign --entitlements "$ENTITLEMENT" --force -s - "$DST.tmp"
> +mv "$DST.tmp" "$DST"
> +trap '' exit
> -- 
> 2.24.3 (Apple Git-128)
>

next prev parent reply	other threads:[~2020-12-02 23:33 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-12-02 19:03 [PATCH v3 00/10] hvf: Implement Apple Silicon Support Alexander Graf
2020-12-02 19:03 ` [PATCH v3 01/10] hvf: Add hypervisor entitlement to output binaries Alexander Graf
2020-12-02 23:32   ` Roman Bolshakov [this message]
2020-12-02 19:04 ` [PATCH v3 02/10] hvf: Move common code out Alexander Graf
2020-12-03  0:20   ` Roman Bolshakov
2020-12-02 19:04 ` [PATCH v3 03/10] hvf: Introduce hvf vcpu struct Alexander Graf
2020-12-03  0:41   ` Roman Bolshakov
2020-12-02 19:04 ` [PATCH v3 04/10] arm: Set PSCI to 0.2 for HVF Alexander Graf
2020-12-03  1:03   ` Roman Bolshakov
2020-12-02 19:04 ` [PATCH v3 05/10] hvf: arm: Mark CPU as dirty on reset Alexander Graf
2020-12-03  1:52   ` Roman Bolshakov
2020-12-03 10:55     ` Alexander Graf
2020-12-03 13:02       ` Roman Bolshakov
2020-12-03 14:13         ` Alexander Graf
2020-12-02 19:04 ` [PATCH v3 06/10] hvf: Add Apple Silicon support Alexander Graf
2020-12-03  5:21   ` Roman Bolshakov
2020-12-03 14:26     ` Alexander Graf
2020-12-02 19:04 ` [PATCH v3 07/10] arm: Add Hypervisor.framework build target Alexander Graf
2020-12-03  5:25   ` Roman Bolshakov
2020-12-02 19:04 ` [PATCH v3 08/10] arm/hvf: Add a WFI handler Alexander Graf
2020-12-03 10:39   ` Roman Bolshakov
2020-12-03 18:18     ` Peter Collingbourne
2020-12-04 18:15       ` Roman Bolshakov
2020-12-02 19:04 ` [PATCH v3 09/10] hvf: arm: Add support for GICv3 Alexander Graf
2020-12-02 19:04 ` [PATCH v3 10/10] hvf: arm: Implement -cpu host Alexander Graf
2020-12-02 19:27 ` [PATCH v3 00/10] hvf: Implement Apple Silicon Support no-reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20201202233200.GA34964@SPB-NB-133.local \
    --to=r.bolshakov@yadro.com \
    --cc=agraf@csgraf.de \
    --cc=dirty@apple.com \
    --cc=ehabkost@redhat.com \
    --cc=lfy@google.com \
    --cc=pbonzini@redhat.com \
    --cc=pcc@google.com \
    --cc=peter.maydell@linaro.org \
    --cc=qemu-arm@nongnu.org \
    --cc=qemu-devel@nongnu.org \
    --cc=richard.henderson@linaro.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).