[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/8] hvf: Add hypervisor entitlement to output binaries

From: Alexander Graf
Subject: Re: [PATCH 1/8] hvf: Add hypervisor entitlement to output binaries
Date: Fri, 27 Nov 2020 22:51:16 +0100
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:84.0) Gecko/20100101 Thunderbird/84.0

On 27.11.20 20:44, Roman Bolshakov wrote:
On Thu, Nov 26, 2020 at 10:50:10PM +0100, Alexander Graf wrote:
In macOS 11, QEMU only gets access to Hypervisor.framework if it has the
respective entitlement. Add an entitlement template and automatically self
sign and apply the entitlement in the build.

Signed-off-by: Alexander Graf <agraf@csgraf.de>
  accel/hvf/entitlements.plist |  8 ++++++++
  meson.build                  | 30 ++++++++++++++++++++++++++----
  scripts/entitlement.sh       | 11 +++++++++++
  3 files changed, 45 insertions(+), 4 deletions(-)
  create mode 100644 accel/hvf/entitlements.plist
  create mode 100755 scripts/entitlement.sh

I think the patch should go ahead of other changes (with Paolo's fix for
^C) and land into 5.2 because entitlements are needed for x86_64 hvf too
since Big Sur Beta 3. Ad-hoc signing is very convenient for development.

Also, It might be good to have configure/meson option to disable signing
at all. Primarily for homebrew:


There's no established process how to deal with it, e.g. GDB in homebrew
has caveats section for now:

   ==> Caveats
   gdb requires special privileges to access Mach ports.
   You will need to codesign the binary. For instructions, see:


The discussion on discourse mentions some plans to do signing in
homebrew CI (with real Developer ID) but none of them are implemented

For now it'd be helpful to provide a way to disable signing and install
the entitlements (if one wants to sign after installation). Similar
issue was raised to fish-shell a while ago:


All binaries are signed in Big Sur by the linker as far as I understand, so I don't quite see the point in not signing :). If the build system doesn't have access to codesign, it sounds to me like one should fix the build system instead? Worst case by injecting a fake codesign binary that just calls /bin/true.

diff --git a/accel/hvf/entitlements.plist b/accel/hvf/entitlements.plist
new file mode 100644
index 0000000000..154f3308ef
--- /dev/null
+++ b/accel/hvf/entitlements.plist
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" 
+<plist version="1.0">
+    <key>com.apple.security.hypervisor</key>
+    <true/>
diff --git a/meson.build b/meson.build
index 5062407c70..2a7ff5560c 100644
--- a/meson.build
+++ b/meson.build
@@ -1844,9 +1844,14 @@ foreach target : target_dirs
    foreach exe: execs
-    emulators += {exe['name']:
-         executable(exe['name'], exe['sources'],
-               install: true,
+    exe_name = exe['name']
+    exe_sign = 'CONFIG_HVF' in config_target
I don't have Apple Silicon HW but it may require different kind of
entitlements for CONFIG_TCG:


You only need the JIT entitlement for the App Store. Locally signed applications work just fine without. I don't know about binaries you download from the internet that were signed with a developer key though.

Keep in mind that for this to work you also need the MAP_JIT and RWX toggle changes from another patch set on the ML.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]