Questions about QEMU exception

Questions about QEMU exception

[Li, Kevin]

[-- Attachment #1: Type: text/plain, Size: 557 bytes --]

Hi qemu community,

We are working on some open source project which uses qemu on mac, and we have some signing process to sign qemu-system-x86_64.
If qemu-system-x86_64 is not signed, we don’t see any problem, but after sign it, we got the following error:

qemu-system-x86_64 -M none -netdev help]: stdout=\"Accelerators supported in QEMU binary:\\ntcg\\nhax\\nhvf\\n\", stderr=\"qemu-system-x86_64: allocate 1073741824 bytes for jit buffer: Invalid argument

Does anyone has clue about what change may result in this failure?

Thanks,
Kevin

[-- Attachment #2: Type: text/html, Size: 2476 bytes --]

Re: Questions about QEMU exception

[Alex Bennée]

"Li, Kevin" <cnkevin@amazon.com> writes:

> Hi qemu community,
>
>  
>
> We are working on some open source project which uses qemu on mac, and we have some signing process to sign
> qemu-system-x86_64.
>
> If qemu-system-x86_64 is not signed, we don’t see any problem, but after sign it, we got the following error:
>
>  
>
> qemu-system-x86_64 -M none -netdev help]: stdout=\"Accelerators supported in QEMU binary:\\ntcg\\nhax\\nhvf\\n\",
> stderr=\"qemu-system-x86_64: allocate 1073741824 bytes for jit buffer: Invalid argument
>
>  
>
> Does anyone has clue about what change may result in this failure?

Not sure about the details but I suspect this is something to do with
the way we have to jump through hoops to allocate the code buffer on
MacOSX.

You could stick some printfs around:

  alloc_code_gen_buffer_splitwx_vmremap

and

  alloc_code_gen_buffer_anon

AIUI we have to allocate a non-executable but writable buffer for the
code and then remap an executable view of the same region to execute the
generated JIT code. Maybe being a signed binary adds more restrictions
on which OS apis can be called?

-- 
Alex Bennée

Re: Questions about QEMU exception

[Peter Maydell]

On Wed, 9 Nov 2022 at 01:53, Li, Kevin <cnkevin@amazon.com> wrote:
>
> Hi qemu community,
>
>
>
> We are working on some open source project which uses qemu on mac, and we have some signing process to sign qemu-system-x86_64.
>
> If qemu-system-x86_64 is not signed, we don’t see any problem, but after sign it, we got the following error:
>
>
>
> qemu-system-x86_64 -M none -netdev help]: stdout=\"Accelerators supported in QEMU binary:\\ntcg\\nhax\\nhvf\\n\", stderr=\"qemu-system-x86_64: allocate 1073741824 bytes for jit buffer: Invalid argument
>
>
>
> Does anyone has clue about what change may result in this failure?

You don't say which QEMU version you're using. Does it still happen
with the most recent release? Does it still happen if you build
from current head-of-git ?

PS: I think the QEMU build process should already be signing the executable,
so I'm not sure why you need to sign it again (see scripts/entitlement.sh).

thanks
-- PMM

Re: Questions about QEMU exception

[Li, Kevin]

Hi Peter,

We first install via homebrew and then extract the executables (qemu-img and qemu-system-xxx) out.
We recently did this, so it should be the latest version of qemu via homebrew, and our package is for MacOS, which needs sign and notarize.
If we extract in this way, and use it on other env without signing, it will show the unidentified developer, so we sign it along with other executables.
We uses these executables to pack a pkg installer, so first we sign all the executables including qemu, and then sign the pkg, and finally notarize the pkg.
I think the previous error I mentioned maybe caused by we didn't sign qemu with the entitlement, so I signed with the entitlement with following keys:
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.hypervisor</key>
<true/>
<key>com.apple.security.inherit</key>
<true/>
However, even I signed it, qemu still show unidentified developer pop up, which doesn't not happen to other executables.
Please let me know if you have any clue or suggestion with it. Thanks in advance.

Thanks,
Kevin


On 2022-11-09, 2:10 AM, "Peter Maydell" <peter.maydell@linaro.org> wrote:

    CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.



    On Wed, 9 Nov 2022 at 01:53, Li, Kevin <cnkevin@amazon.com> wrote:
    >
    > Hi qemu community,
    >
    >
    >
    > We are working on some open source project which uses qemu on mac, and we have some signing process to sign qemu-system-x86_64.
    >
    > If qemu-system-x86_64 is not signed, we don’t see any problem, but after sign it, we got the following error:
    >
    >
    >
    > qemu-system-x86_64 -M none -netdev help]: stdout=\"Accelerators supported in QEMU binary:\\ntcg\\nhax\\nhvf\\n\", stderr=\"qemu-system-x86_64: allocate 1073741824 bytes for jit buffer: Invalid argument
    >
    >
    >
    > Does anyone has clue about what change may result in this failure?

    You don't say which QEMU version you're using. Does it still happen
    with the most recent release? Does it still happen if you build
    from current head-of-git ?

    PS: I think the QEMU build process should already be signing the executable,
    so I'm not sure why you need to sign it again (see scripts/entitlement.sh).

    thanks
    -- PMM