
Changeset 97631 in vbox for trunk


Timestamp:
Nov 21, 2022 3:30:47 PM (23 months ago)
Author:
vboxsync
Message:

Config.kmk: Introduce support for adhoc signing mode on the darwin (aka macOS) target. adhoc signing mode allows running locally built binaries on the same machine without requiring a proper developer certificate, while still carrying the required entitlements (e.g. access to the Hypervisor framework), bugref:10327

File:
1 edited

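--- a/trunk/Config.kmk
+++ b/trunk/Config.kmk
@@ -1145,6 +1145,8 @@
 # Continue to support Vista w/o any service pack, at least for now.
 VBOX_WITH_VISTA_NO_SP = 1
-# Enable image verification on darwin @bugref{9232}.
-VBOX_WITH_DARWIN_R0_DARWIN_IMAGE_VERIFICATION = 1
+ifdef VBOX_WITH_VBOXDRV
+ # Enable image verification on darwin @bugref{9232}.
+ VBOX_WITH_DARWIN_R0_DARWIN_IMAGE_VERIFICATION = 1
+endif
 ## @}
 
@@ -1667,4 +1669,43 @@
   VBOX_USE_KSUBMIT :=
  endif
+endif
+
+#
+# Requested permissions to the host OS (only the entitlements
+# crap on darwin for now).
+#
+ifeq ($(KBUILD_TARGET),darwin)
+ #
+ # The first two entitlements are required to get everything working
+ # on Catalina which we want to keep supported for now.
+ #
+ VBOX_DARWIN_ENTITLEMENTS_LIST := \
+        com.apple.security.cs.allow-unsigned-executable-memory \
+        com.apple.security.cs.disable-executable-page-protection \
+        com.apple.security.device.audio-input \
+        com.apple.security.device.camera \
+        com.apple.security.device.usb
+
+ #
+ # The hypervisor entitlement is required in adhoc signing mode
+ # to get access to the Hypervisor framework. For release signing
+ # the entitlement is included in our developer certificate.
+ #
+ # The device-access and networking entitlemnents are reserved for
+ # only specific vendors and are only available in release mode signing
+ # (binaries signed with these entitlements in adhoc mode will just crash
+ # with a code signing error).
+ #
+ ifeq ($(VBOX_SIGNING_MODE),adhoc)
+  VBOX_DARWIN_ENTITLEMENTS_LIST += \
+        com.apple.security.hypervisor
+ else
+  VBOX_DARWIN_ENTITLEMENTS_LIST += \
+        com.apple.vm.device-access \
+        com.apple.vm.networking
+ endif
+
+ # Where the dynamic generated entitlements can be found.
+ VBOX_DARWIN_ENTITLEMENTS_FILE := $(PATH_OUT)/Entitlements.plist
 endif
 
@@ -3969,9 +4010,17 @@
 #    people, like the ones the build servers create.  As much as possible is
 #    signed and timestamped.
+#  - The 'adhoc' mode is specific to building on macOS and is similar to 'test'
+#    mode but doesn't require any certificates but a host set up for development work.
+#    Binaries are signed in adhoc mode and include required entitlements as appropriate
+#    (something we would only do in the 'packing' target). This seem to be the only working
+#    way with newer versions of macOS (tested with Ventura) with 'test' not working anymore.
 #
 ifdef VBOX_SIGNING_MODE
  VBOX_SIGNING_MODE := $(strip $(VBOX_SIGNING_MODE))
- ifn1of ($(VBOX_SIGNING_MODE), test release)
-  $(error VBOX_SIGNING_MODE must be either 'test' or 'release'. The value '$(VBOX_SIGNING_MODE)' is not recognized.)
+ ifn1of ($(VBOX_SIGNING_MODE), test release adhoc)
+  $(error VBOX_SIGNING_MODE must be either 'test', 'release' or 'adhoc'. The value '$(VBOX_SIGNING_MODE)' is not recognized.)
+ endif
+ if "$(VBOX_SIGNING_MODE)" == "adhoc" && "$(KBUILD_TARGET)" != "darwin"
+  $(error 'adhoc' signing mode is only available on macOS)
  endif
  VBOX_RETRY    ?= $(ASH) $(KBUILD_DEVTOOLS)/bin/retry.sh
@@ -4296,4 +4345,31 @@
 
  else ifeq ($(KBUILD_HOST),darwin)
+
+  ## Sign a VM process binary with the given entitlements
+  # @param 1  The file to sign.
+  # @param 2  Identifier, optional.
+  ifeq ($(VBOX_SIGNING_MODE),adhoc)
+  if $(intersects darwin all 1,$(VBOX_WITH_CORP_CODE_SIGNING))
+   ## @todo cannot handle $(2), the identifier.
+   VBOX_SIGN_IMAGE_FN = $(call MSG_TOOL,SIGNTOOL,,$(1),$(2))$(NLTAB) \
+        $(call VBOX_CCS_SIGN_CMD,binary,$(1),,$(subst --entitlements=,-entitlement_file_path ,$(3)) \
+                $(if $(VBOX_WITH_MACOS_HARDENED_RUNTIME),-hardened_runtime))
+  else
+   VBOX_SIGN_IMAGE_FN = $(call MSG_TOOL,SIGNTOOL,,$(1),$(2))$(NLTAB)$(VBOX_CODESIGN) \
+        --verbose=9 \
+        --force \
+        $(if-expr $(KBUILD_HOST_VERSION_MAJOR) <= 14,--digest-algorithm sha256,) \
+        $(if $(VBOX_WITH_MACOS_HARDENED_RUNTIME),$(if-expr $(KBUILD_HOST_VERSION_MAJOR) <= 16,--options 0x10000,--options runtime)) \
+        --file-list - \
+        $(if-expr defined(VBOX_TSA_URL),--timestamp="$(VBOX_TSA_URL)") \
+        $(VBOX_CERTIFICATE_SUBJECT_NAME_ARGS) \
+        --entitlements="$(VBOX_DARWIN_ENTITLEMENTS_FILE)" \
+        "$(1)" \
+        $(if $(2),--identifier "$(2)",)
+  endif
+  else
+    VBOX_SIGN_IMAGE_FN =
+  endif
+
   #
   # Darwin code signing.
@@ -4309,4 +4385,12 @@
    VBOX_CERTIFICATE_SUBJECT_NAME_ARGS ?= --sign "$(VBOX_CERTIFICATE_SUBJECT_NAME)"
    VBOX_TSA_URL ?= none
+  else ifeq ($(VBOX_SIGNING_MODE), adhoc)
+   ifdef VBOX_CERTIFICATE_SUBJECT_NAME
+    $(error VBOX_CERTIFICATE_SUBJECT_NAME must not be set in 'adhoc' signing mode)
+   endif
+   VBOX_CERTIFICATE_SUBJECT_NAME = -
+   VBOX_CERTIFICATE_SUBJECT_NAME_ARGS ?= --sign "$(VBOX_CERTIFICATE_SUBJECT_NAME)"
+   VBOX_TSA_URL ?= none
+   VBOX_SIGN_IMAGE_CMDS           ?= $(if $(eq $(tool_do),LINK_LIBRARY),,$(call VBOX_SIGN_IMAGE_FN,$(out),,2))
   else
    VBOX_CERTIFICATE_SUBJECT_NAME ?= Developer ID Application: Oracle America, Inc.
@@ -6190,4 +6274,5 @@
 TEMPLATE_VBOXR3EXE_LDFLAGS.darwin      = $(VBOX_DARWIN_DEF_SDK_LDFLAGS) -Wl,-headerpad_max_install_names
 TEMPLATE_VBOXR3EXE_LDFLAGS.darwin.x86  = -read_only_relocs suppress
+TEMPLATE_VBOXR3EXE_POST_CMDS.darwin    = $(VBOX_SIGN_IMAGE_CMDS)
   ifdef VBOX_WITH_DTRACE_R3
    TEMPLATE_VBOXR3EXE_CXXFLAGS := $(filter-out -pedantic,$(TEMPLATE_VBOXR3EXE_CXXFLAGS)) -fdollars-in-identifiers # annoying gcc option precedence.
@@ -7332,4 +7417,5 @@
 TEMPLATE_VBOXMAINEXE_LDFLAGS            += $(VBOX_DARWIN_DEF_SDK_LDFLAGS) -framework Carbon -Wl,-headerpad_max_install_names
 TEMPLATE_VBOXMAINEXE_LIBS                = $(LIB_RUNTIME)
+TEMPLATE_VBOXMAINEXE_POST_CMDS.darwin    = $(VBOX_SIGN_IMAGE_CMDS)
  else ifeq ($(KBUILD_TARGET),haiku)
 TEMPLATE_VBOXMAINEXE_TOOL                = GXX3
@@ -7998,4 +8084,5 @@
    TEMPLATE_VBOXQTGUIEXE_LIBS +=
    TEMPLATE_VBOXQTGUIEXE_LIBPATH +=
+   TEMPLATE_VBOXQTGUIEXE_POST_CMDS.darwin    = $(VBOX_SIGN_IMAGE_CMDS)
   else
    TEMPLATE_VBOXQTGUIEXE_INCS += \
@@ -9111,4 +9198,19 @@
 
 
+ifeq ($(KBUILD_TARGET),darwin)
+$(VBOX_DARWIN_ENTITLEMENTS_FILE):
+        $(call MSG_GENERATE,,$@)
+        $(QUIET)$(MKDIR) -p $(@D)
+        $(QUIET)$(RM) -f $@ $@.tmp
+        $(QUIET)$(APPEND) $@.tmp '<?xml version="1.0" encoding="UTF-8"?>'
+        $(QUIET)$(APPEND) $@.tmp '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'
+        $(QUIET)$(APPEND) $@.tmp '<plist version="1.0">'
+        $(QUIET)$(APPEND) $@.tmp '<dict>'
+        $(QUIET)$(APPEND) -n $@.tmp $(foreach entitlement,$(VBOX_DARWIN_ENTITLEMENTS_LIST), '   <key>$(entitlement)</key><true/>')
+        $(QUIET)$(APPEND) $@.tmp '</dict>'
+        $(QUIET)$(APPEND) $@.tmp '</plist>'
+        $(QUIET)$(MV) -f $@.tmp $@
+endif
+
 ifndef VBOX_NOINC_MISC
 # Force building of the version header file as the first thing anywhere in
@@ -9116,4 +9218,7 @@
 ## @todo there gotta be a better way of doing this.
 Makefile.kmk: | $(VBOX_VERSION_HEADER) $(VBOX_VERSION_MK) $(VBOX_PRODUCT_HEADER) $(VBOX_PACKAGE_HEADER)
+ ifeq ($(KBUILD_TARGET),darwin)
+Makefile.kmk: | $(VBOX_DARWIN_ENTITLEMENTS_FILE)
+ endif
 endif
 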
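Review bot: The `$(VBOX_DARWIN_ENTITLEMENTS_FILE)` rule has no prerequisites, so once Entitlements.plist exists in PATH_OUT it is never regenerated, even though the list it serialises depends on VBOX_SIGNING_MODE (com.apple.security.hypervisor in adhoc, com.apple.vm.device-access/com.apple.vm.networking otherwise) and on edits to the list in Config.kmk. Switching modes in the same output directory therefore signs every VM process binary with the previous mode's entitlements; by the change's own comment, adhoc binaries carrying the vendor-restricted entitlements crash with a code-signing error, and the reverse leaves a release build without them. The cheapest fix is to key the file to the mode, `VBOX_DARWIN_ENTITLEMENTS_FILE := $(PATH_OUT)/Entitlements-$(VBOX_SIGNING_MODE).plist`, or to always run the recipe and only `$(MV)` over `$@` when `$@.tmp` differs. Separately, the corp-signing branch of VBOX_SIGN_IMAGE_FN reads `$(3)` although the header documents only two parameters and the sole caller passes the literal `2` in that position, so the `$(subst --entitlements=,…,$(3))` never yields an entitlements path; either document a third parameter and pass `--entitlements=$(VBOX_DARWIN_ENTITLEMENTS_FILE)` from the caller, or use `$(VBOX_DARWIN_ENTITLEMENTS_FILE)` directly as the other branch does.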