Re: [PATCH v6 01/11] hvf: Add hypervisor entitlement to output binaries

From: Akihiko Odaki <akihiko.odaki@gmail.com>
To: Alexander Graf <agraf@csgraf.de>, qemu-devel@nongnu.org
Cc: Peter Maydell <peter.maydell@linaro.org>,
	Eduardo Habkost <ehabkost@redhat.com>,
	Richard Henderson <richard.henderson@linaro.org>,
	Cameron Esfahani <dirty@apple.com>,
	Roman Bolshakov <r.bolshakov@yadro.com>,
	qemu-arm@nongnu.org, Frank Yang <lfy@google.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Peter Collingbourne <pcc@google.com>
Subject: Re: [PATCH v6 01/11] hvf: Add hypervisor entitlement to output binaries
Date: Tue, 23 Feb 2021 20:56:24 +0900	[thread overview]
Message-ID: <a41a39e5-951f-c178-d50e-6041eec63cbe@gmail.com> (raw)
In-Reply-To: <20210120224444.71840-2-agraf@csgraf.de>

Hi,

I use your patches when running QEMU on M1 MacBook Air.

I noticed that the installation process corrupts the code signature 
because meson modifies the file to fix dynamic shared library install 
names. Also, stripping apparently does not work because the signed file 
is not considered as "executable" by meson. Here is some change I wrote 
for my own use, just for reference:
https://github.com/akihikodaki/qemu/commit/6a9b5d7e4ea03b1e757be1eedf256871bb6a5bdd

Also, the patch series do no longer apply to master. Here is my merge 
with conflict resolution (It is not a rebase and was done for my own 
purpose. Just for reference.):
https://github.com/akihikodaki/qemu/commit/b7885e4370a2fe426e80d32afe6eb5d01a71640d

Regards,
Akihiko Odaki

On 2021/01/21 7:44, Alexander Graf wrote:
> In macOS 11, QEMU only gets access to Hypervisor.framework if it has the
> respective entitlement. Add an entitlement template and automatically self
> sign and apply the entitlement in the build.
> 
> Signed-off-by: Alexander Graf <agraf@csgraf.de>
> Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
> Tested-by: Roman Bolshakov <r.bolshakov@yadro.com>
> 
> ---
> 
> v1 -> v2:
> 
>    - Make safe to ctrl-C
> 
> v3 -> v4:
> 
>    - Remove unused exe_full variable
>    - Reuse exe_name variable
> ---
>   accel/hvf/entitlements.plist |  8 ++++++++
>   meson.build                  | 29 +++++++++++++++++++++++++----
>   scripts/entitlement.sh       | 13 +++++++++++++
>   3 files changed, 46 insertions(+), 4 deletions(-)
>   create mode 100644 accel/hvf/entitlements.plist
>   create mode 100755 scripts/entitlement.sh
> 
> diff --git a/accel/hvf/entitlements.plist b/accel/hvf/entitlements.plist
> new file mode 100644
> index 0000000000..154f3308ef
> --- /dev/null
> +++ b/accel/hvf/entitlements.plist
> @@ -0,0 +1,8 @@
> +<?xml version="1.0" encoding="UTF-8"?>
> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
> +<plist version="1.0">
> +<dict>
> +    <key>com.apple.security.hypervisor</key>
> +    <true/>
> +</dict>
> +</plist>
> diff --git a/meson.build b/meson.build
> index 3d889857a0..c667d64498 100644
> --- a/meson.build
> +++ b/meson.build
> @@ -2146,9 +2146,14 @@ foreach target : target_dirs
>       }]
>     endif
>     foreach exe: execs
> -    emulators += {exe['name']:
> -         executable(exe['name'], exe['sources'],
> -               install: true,
> +    exe_name = exe['name']
> +    exe_sign = 'CONFIG_HVF' in config_target
> +    if exe_sign
> +      exe_name += '-unsigned'
> +    endif
> +
> +    emulator = executable(exe_name, exe['sources'],
> +               install: not exe_sign,
>                  c_args: c_args,
>                  dependencies: arch_deps + deps + exe['dependencies'],
>                  objects: lib.extract_all_objects(recursive: true),
> @@ -2156,7 +2161,23 @@ foreach target : target_dirs
>                  link_depends: [block_syms, qemu_syms] + exe.get('link_depends', []),
>                  link_args: link_args,
>                  gui_app: exe['gui'])
> -    }
> +
> +    if exe_sign
> +      emulators += {exe['name'] : custom_target(exe['name'],
> +                   install: true,
> +                   install_dir: get_option('bindir'),
> +                   depends: emulator,
> +                   output: exe['name'],
> +                   command: [
> +                     meson.current_source_dir() / 'scripts/entitlement.sh',
> +                     meson.current_build_dir() / exe_name,
> +                     meson.current_build_dir() / exe['name'],
> +                     meson.current_source_dir() / 'accel/hvf/entitlements.plist'
> +                   ])
> +      }
> +    else
> +      emulators += {exe['name']: emulator}
> +    endif
>   
>       if 'CONFIG_TRACE_SYSTEMTAP' in config_host
>         foreach stp: [
> diff --git a/scripts/entitlement.sh b/scripts/entitlement.sh
> new file mode 100755
> index 0000000000..c540fa6435
> --- /dev/null
> +++ b/scripts/entitlement.sh
> @@ -0,0 +1,13 @@
> +#!/bin/sh -e
> +#
> +# Helper script for the build process to apply entitlements
> +
> +SRC="$1"
> +DST="$2"
> +ENTITLEMENT="$3"
> +
> +trap 'rm "$DST.tmp"' exit
> +cp -af "$SRC" "$DST.tmp"
> +codesign --entitlements "$ENTITLEMENT" --force -s - "$DST.tmp"
> +mv "$DST.tmp" "$DST"
> +trap '' exit
> 