hvf: Add hypervisor entitlement to output binaries

In macOS 11, QEMU only gets access to Hypervisor.framework if it has the
respective entitlement. Add an entitlement template and automatically self
sign and apply the entitlement in the build.

Signed-off-by: Alexander Graf <agraf@csgraf.de>
Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
Tested-by: Roman Bolshakov <r.bolshakov@yadro.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
This commit is contained in:
Alexander Graf 2021-01-20 23:44:34 +01:00 committed by Peter Maydell
parent 32063086a7
commit 8a74ce618b
3 changed files with 46 additions and 4 deletions

View File

@ -0,0 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.hypervisor</key>
<true/>
</dict>
</plist>

View File

@ -2167,9 +2167,14 @@ foreach target : target_dirs
}] }]
endif endif
foreach exe: execs foreach exe: execs
emulators += {exe['name']: exe_name = exe['name']
executable(exe['name'], exe['sources'], exe_sign = 'CONFIG_HVF' in config_target
install: true, if exe_sign
exe_name += '-unsigned'
endif
emulator = executable(exe_name, exe['sources'],
install: not exe_sign,
c_args: c_args, c_args: c_args,
dependencies: arch_deps + deps + exe['dependencies'], dependencies: arch_deps + deps + exe['dependencies'],
objects: lib.extract_all_objects(recursive: true), objects: lib.extract_all_objects(recursive: true),
@ -2177,7 +2182,23 @@ foreach target : target_dirs
link_depends: [block_syms, qemu_syms] + exe.get('link_depends', []), link_depends: [block_syms, qemu_syms] + exe.get('link_depends', []),
link_args: link_args, link_args: link_args,
gui_app: exe['gui']) gui_app: exe['gui'])
}
if exe_sign
emulators += {exe['name'] : custom_target(exe['name'],
install: true,
install_dir: get_option('bindir'),
depends: emulator,
output: exe['name'],
command: [
meson.current_source_dir() / 'scripts/entitlement.sh',
meson.current_build_dir() / exe_name,
meson.current_build_dir() / exe['name'],
meson.current_source_dir() / 'accel/hvf/entitlements.plist'
])
}
else
emulators += {exe['name']: emulator}
endif
if 'CONFIG_TRACE_SYSTEMTAP' in config_host if 'CONFIG_TRACE_SYSTEMTAP' in config_host
foreach stp: [ foreach stp: [

13
scripts/entitlement.sh Executable file
View File

@ -0,0 +1,13 @@
#!/bin/sh -e
#
# Helper script for the build process to apply entitlements
SRC="$1"
DST="$2"
ENTITLEMENT="$3"
trap 'rm "$DST.tmp"' exit
cp -af "$SRC" "$DST.tmp"
codesign --entitlements "$ENTITLEMENT" --force -s - "$DST.tmp"
mv "$DST.tmp" "$DST"
trap '' exit