- Timestamp:
- Nov 21, 2022 3:30:47 PM (23 months ago)
- File:
-
- 1 edited
-
trunk/Config.kmk (modified) (10 diffs)
trunk/Config.kmk
r97372 r97631 1145 1145 # Continue to support Vista w/o any service pack, at least for now. 1146 1146 VBOX_WITH_VISTA_NO_SP = 1 1147 # Enable image verification on darwin @bugref{9232}. 1148 VBOX_WITH_DARWIN_R0_DARWIN_IMAGE_VERIFICATION = 1 1147 ifdef VBOX_WITH_VBOXDRV 1148 # Enable image verification on darwin @bugref{9232}. 1149 VBOX_WITH_DARWIN_R0_DARWIN_IMAGE_VERIFICATION = 1 1150 endif 1149 1151 ## @} 1150 1152 … … 1667 1669 VBOX_USE_KSUBMIT := 1668 1670 endif 1671 endif 1672 1673 # 1674 # Requested permissions to the host OS (only the entitlements 1675 # crap on darwin for now). 1676 # 1677 ifeq ($(KBUILD_TARGET),darwin) 1678 # 1679 # The first two entitlements are required to get everything working 1680 # on Catalina which we want to keep supported for now. 1681 # 1682 VBOX_DARWIN_ENTITLEMENTS_LIST := \ 1683 com.apple.security.cs.allow-unsigned-executable-memory \ 1684 com.apple.security.cs.disable-executable-page-protection \ 1685 com.apple.security.device.audio-input \ 1686 com.apple.security.device.camera \ 1687 com.apple.security.device.usb 1688 1689 # 1690 # The hypervisor entitlement is required in adhoc signing mode 1691 # to get access to the Hypervisor framework. For release signing 1692 # the entitlement is included in our developer certificate. 1693 # 1694 # The device-access and networking entitlemnents are reserved for 1695 # only specific vendors and are only available in release mode signing 1696 # (binaries signed with these entitlements in adhoc mode will just crash 1697 # with a code signing error). 1698 # 1699 ifeq ($(VBOX_SIGNING_MODE),adhoc) 1700 VBOX_DARWIN_ENTITLEMENTS_LIST += \ 1701 com.apple.security.hypervisor 1702 else 1703 VBOX_DARWIN_ENTITLEMENTS_LIST += \ 1704 com.apple.vm.device-access \ 1705 com.apple.vm.networking 1706 endif 1707 1708 # Where the dynamic generated entitlements can be found. 
1709 VBOX_DARWIN_ENTITLEMENTS_FILE := $(PATH_OUT)/Entitlements.plist 1669 1710 endif 1670 1711 … … 3969 4010 # people, like the ones the build servers create. As much as possible is 3970 4011 # signed and timestamped. 4012 # - The 'adhoc' mode is specific to building on macOS and is similar to 'test' 4013 # mode but doesn't require any certificates but a host set up for development work. 4014 # Binaries are signed in adhoc mode and include required entitlements as appropriate 4015 # (something we would only do in the 'packing' target). This seem to be the only working 4016 # way with newer versions of macOS (tested with Ventura) with 'test' not working anymore. 3971 4017 # 3972 4018 ifdef VBOX_SIGNING_MODE 3973 4019 VBOX_SIGNING_MODE := $(strip $(VBOX_SIGNING_MODE)) 3974 ifn1of ($(VBOX_SIGNING_MODE), test release) 3975 $(error VBOX_SIGNING_MODE must be either 'test' or 'release'. The value '$(VBOX_SIGNING_MODE)' is not recognized.) 4020 ifn1of ($(VBOX_SIGNING_MODE), test release adhoc) 4021 $(error VBOX_SIGNING_MODE must be either 'test', 'release' or 'adhoc'. The value '$(VBOX_SIGNING_MODE)' is not recognized.) 4022 endif 4023 if "$(VBOX_SIGNING_MODE)" == "adhoc" && "$(KBUILD_TARGET)" != "darwin" 4024 $(error 'adhoc' signing mode is only available on macOS) 3976 4025 endif 3977 4026 VBOX_RETRY ?= $(ASH) $(KBUILD_DEVTOOLS)/bin/retry.sh … … 4296 4345 4297 4346 else ifeq ($(KBUILD_HOST),darwin) 4347 4348 ## Sign a VM process binary with the given entitlements 4349 # @param 1 The file to sign. 4350 # @param 2 Identifier, optional. 4351 ifeq ($(VBOX_SIGNING_MODE),adhoc) 4352 if $(intersects darwin all 1,$(VBOX_WITH_CORP_CODE_SIGNING)) 4353 ## @todo cannot handle $(2), the identifier. 
4354 VBOX_SIGN_IMAGE_FN = $(call MSG_TOOL,SIGNTOOL,,$(1),$(2))$(NLTAB) \ 4355 $(call VBOX_CCS_SIGN_CMD,binary,$(1),,$(subst --entitlements=,-entitlement_file_path ,$(3)) \ 4356 $(if $(VBOX_WITH_MACOS_HARDENED_RUNTIME),-hardened_runtime)) 4357 else 4358 VBOX_SIGN_IMAGE_FN = $(call MSG_TOOL,SIGNTOOL,,$(1),$(2))$(NLTAB)$(VBOX_CODESIGN) \ 4359 --verbose=9 \ 4360 --force \ 4361 $(if-expr $(KBUILD_HOST_VERSION_MAJOR) <= 14,--digest-algorithm sha256,) \ 4362 $(if $(VBOX_WITH_MACOS_HARDENED_RUNTIME),$(if-expr $(KBUILD_HOST_VERSION_MAJOR) <= 16,--options 0x10000,--options runtime)) \ 4363 --file-list - \ 4364 $(if-expr defined(VBOX_TSA_URL),--timestamp="$(VBOX_TSA_URL)") \ 4365 $(VBOX_CERTIFICATE_SUBJECT_NAME_ARGS) \ 4366 --entitlements="$(VBOX_DARWIN_ENTITLEMENTS_FILE)" \ 4367 "$(1)" \ 4368 $(if $(2),--identifier "$(2)",) 4369 endif 4370 else 4371 VBOX_SIGN_IMAGE_FN = 4372 endif 4373 4298 4374 # 4299 4375 # Darwin code signing. … … 4309 4385 VBOX_CERTIFICATE_SUBJECT_NAME_ARGS ?= --sign "$(VBOX_CERTIFICATE_SUBJECT_NAME)" 4310 4386 VBOX_TSA_URL ?= none 4387 else ifeq ($(VBOX_SIGNING_MODE), adhoc) 4388 ifdef VBOX_CERTIFICATE_SUBJECT_NAME 4389 $(error VBOX_CERTIFICATE_SUBJECT_NAME must not be set in 'adhoc' signing mode) 4390 endif 4391 VBOX_CERTIFICATE_SUBJECT_NAME = - 4392 VBOX_CERTIFICATE_SUBJECT_NAME_ARGS ?= --sign "$(VBOX_CERTIFICATE_SUBJECT_NAME)" 4393 VBOX_TSA_URL ?= none 4394 VBOX_SIGN_IMAGE_CMDS ?= $(if $(eq $(tool_do),LINK_LIBRARY),,$(call VBOX_SIGN_IMAGE_FN,$(out),,2)) 4311 4395 else 4312 4396 VBOX_CERTIFICATE_SUBJECT_NAME ?= Developer ID Application: Oracle America, Inc. 
… … 6190 6274 TEMPLATE_VBOXR3EXE_LDFLAGS.darwin = $(VBOX_DARWIN_DEF_SDK_LDFLAGS) -Wl,-headerpad_max_install_names 6191 6275 TEMPLATE_VBOXR3EXE_LDFLAGS.darwin.x86 = -read_only_relocs suppress 6276 TEMPLATE_VBOXR3EXE_POST_CMDS.darwin = $(VBOX_SIGN_IMAGE_CMDS) 6192 6277 ifdef VBOX_WITH_DTRACE_R3 6193 6278 TEMPLATE_VBOXR3EXE_CXXFLAGS := $(filter-out -pedantic,$(TEMPLATE_VBOXR3EXE_CXXFLAGS)) -fdollars-in-identifiers # annoying gcc option precedence. … … 7332 7417 TEMPLATE_VBOXMAINEXE_LDFLAGS += $(VBOX_DARWIN_DEF_SDK_LDFLAGS) -framework Carbon -Wl,-headerpad_max_install_names 7333 7418 TEMPLATE_VBOXMAINEXE_LIBS = $(LIB_RUNTIME) 7419 TEMPLATE_VBOXMAINEXE_POST_CMDS.darwin = $(VBOX_SIGN_IMAGE_CMDS) 7334 7420 else ifeq ($(KBUILD_TARGET),haiku) 7335 7421 TEMPLATE_VBOXMAINEXE_TOOL = GXX3 … … 7998 8084 TEMPLATE_VBOXQTGUIEXE_LIBS += 7999 8085 TEMPLATE_VBOXQTGUIEXE_LIBPATH += 8086 TEMPLATE_VBOXQTGUIEXE_POST_CMDS.darwin = $(VBOX_SIGN_IMAGE_CMDS) 8000 8087 else 8001 8088 TEMPLATE_VBOXQTGUIEXE_INCS += \ … … 9111 9198 9112 9199 9200 ifeq ($(KBUILD_TARGET),darwin) 9201 $(VBOX_DARWIN_ENTITLEMENTS_FILE): 9202 $(call MSG_GENERATE,,$@) 9203 $(QUIET)$(MKDIR) -p $(@D) 9204 $(QUIET)$(RM) -f $@ $@.tmp 9205 $(QUIET)$(APPEND) $@.tmp '<?xml version="1.0" encoding="UTF-8"?>' 9206 $(QUIET)$(APPEND) $@.tmp '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' 9207 $(QUIET)$(APPEND) $@.tmp '<plist version="1.0">' 9208 $(QUIET)$(APPEND) $@.tmp '<dict>' 9209 $(QUIET)$(APPEND) -n $@.tmp $(foreach entitlement,$(VBOX_DARWIN_ENTITLEMENTS_LIST), ' <key>$(entitlement)</key><true/>') 9210 $(QUIET)$(APPEND) $@.tmp '</dict>' 9211 $(QUIET)$(APPEND) $@.tmp '</plist>' 9212 $(QUIET)$(MV) -f $@.tmp $@ 9213 endif 9214 9113 9215 ifndef VBOX_NOINC_MISC 9114 9216 # Force building of the version header file as the first thing anywhere in … … 9116 9218 ## @todo there gotta be a better way of doing this. 
9117 9219 Makefile.kmk: | $(VBOX_VERSION_HEADER) $(VBOX_VERSION_MK) $(VBOX_PRODUCT_HEADER) $(VBOX_PACKAGE_HEADER) 9220 ifeq ($(KBUILD_TARGET),darwin) 9221 Makefile.kmk: | $(VBOX_DARWIN_ENTITLEMENTS_FILE) 9222 endif 9118 9223 endif 9119 9224
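Review bot: The `$(VBOX_DARWIN_ENTITLEMENTS_FILE)` rule near the end of this section has no prerequisites, yet the plist it writes depends on `VBOX_SIGNING_MODE`, so unless the output directory is cleaned, a tree that switches between adhoc and release mode keeps the plist generated for the previous mode. By the comment on the entitlement list, the release-only `com.apple.vm.*` entries then make adhoc-signed binaries fail with a code-signing error. The file should be regenerated when the list changes, for example by making it depend on the makefiles that define `VBOX_DARWIN_ENTITLEMENTS_LIST`, or by always writing `$@.tmp` and replacing `$@` only when the content differs. Separately, `TEMPLATE_VBOXR3EXE`, `TEMPLATE_VBOXMAINEXE` and `TEMPLATE_VBOXQTGUIEXE` all sign through `VBOX_SIGN_IMAGE_CMDS` with this one plist, so each of them receives `allow-unsigned-executable-memory`, `disable-executable-page-protection`, camera, audio-input and USB; a per-template list would confine the hardened-runtime relaxations to the binaries that actually need them. In the `VBOX_WITH_CORP_CODE_SIGNING` branch `$(3)` is expected to carry `--entitlements=...`, but the only visible caller passes `2`, so the entitlements file appears not to reach that signer, and the `@param` comments on `VBOX_SIGN_IMAGE_FN` should document parameter 3.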

