This is an archive of the discontinued LLVM Phabricator instance.

Differential D55012

[CMake] Streamline code signing for debugserver #2
AbandonedPublic

Authored by sgraenitz on Nov 28 2018, 10:36 AM.

Details

Reviewers
None
Summary

The first patch had to be reverted as I missed a few details. This review continues from https://reviews.llvm.org/D54476 and I will add the required fixes.

Change log:

  • Use llvm_codesign to sign debugserver with entitlements.
  • Set global LLVM_CODESIGNING_IDENTITY from LLDB_CODESIGN_IDENTITY (if given).
  • Pass through ENTITLEMENTS from add_lldb_executable to add_llvm_executable.
  • Handle reconfigurations correctly.

We have a lot of cases, make them explicit:

(1) build and sign debugserver, if all conditions apply:

  • LLDB_NO_DEBUGSERVER=OFF (default)
  • On Darwin: LLDB_USE_SYSTEM_DEBUGSERVER=OFF (default)
  • On Darwin: LLVM_CODESIGNING_IDENTITY == lldb_codesign

(2) use system debugserver, if on Darwin and any of:

  • LLDB_USE_SYSTEM_DEBUGSERVER=ON and found on system (explicit case)
  • LLVM_CODESIGNING_IDENTITY != lldb_codesign and found on system (fallback case)

(3) debugserver will not be available, in case of:

  • LLDB_NO_DEBUGSERVER=ON
  • On Darwin: LLVM_CODESIGNING_IDENTITY != lldb_codesign and not found on system

(4) error state, in case of:

  • LLDB_USE_SYSTEM_DEBUGSERVER=ON and not found on system
  • LLDB_USE_SYSTEM_DEBUGSERVER=ON and LLDB_NO_DEBUGSERVER=ON

Diff Detail

Event Timeline

sgraenitz created this revision.Nov 28 2018, 10:36 AM
Herald added subscribers: llvm-commits, mgorny. · View Herald TranscriptNov 28 2018, 10:36 AM
Harbormaster completed remote builds in B25448: Diff 175724.Nov 28 2018, 10:37 AM
sgraenitz updated this revision to Diff 175725.Nov 28 2018, 10:44 AM

Fix target directory for debugserver: it must not be LLVM_TOOLS_BINARY_DIR but LLVM_RUNTIME_OUTPUT_INTDIR. It's a difference in standalone builds of LLDB. LLVM_TOOLS_BINARY_DIR was wrong here as it points to the binary directory in the detached LLVM build tree. It should make no difference for in-tree builds.

Harbormaster completed remote builds in B25449: Diff 175725.Nov 28 2018, 10:44 AM
sgraenitz updated this revision to Diff 175729.Nov 28 2018, 11:14 AM

The default identity for code signing must be lldb_codesign. Also remove the comment to deprecate LLDB_CODESIGN_IDENTITY in favor of LLVM_CODESIGNING_IDENTITY.

Harbormaster completed remote builds in B25450: Diff 175729.Nov 28 2018, 11:14 AM
sgraenitz updated this revision to Diff 175730.Nov 28 2018, 11:19 AM

Move code sign settings to LLDBConfig.cmake + polishing

Harbormaster completed remote builds in B25451: Diff 175730.Nov 28 2018, 11:21 AM
sgraenitz abandoned this revision.Nov 28 2018, 11:27 AM

Revision Contents

PathSize
8 lines
cmake/
modules/
8 lines
tools/
debugserver/
2 lines
source/
2 lines

Diff 175730

CMakeLists.txt

cmake_minimum_required(VERSION 3.4.3) cmake_minimum_required(VERSION 3.4.3)
# Add path for custom modules # Add path for custom modules
set(CMAKE_MODULE_PATH set(CMAKE_MODULE_PATH
${CMAKE_MODULE_PATH} ${CMAKE_MODULE_PATH}
"${CMAKE_CURRENT_SOURCE_DIR}/cmake" "${CMAKE_CURRENT_SOURCE_DIR}/cmake"
"${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules" "${CMAKE_CURRENT_SOURCE_DIR}/cmake/modules"
) )
include(LLDBStandalone) include(LLDBStandalone)
include(LLDBConfig) include(LLDBConfig)
include(AddLLDB) include(AddLLDB)
option(LLDB_USE_ENTITLEMENTS "When codesigning, use entitlements if available" ON)
set(LLDB_CODESIGN_IDENTITY lldb_codesign CACHE STRING
"Identity for code signing debugserver (Darwin only)")
if(LLDB_CODESIGN_IDENTITY)
set(LLVM_CODESIGNING_IDENTITY ${LLDB_CODESIGN_IDENTITY} CACHE STRING "" FORCE)
endif()
# Define the LLDB_CONFIGURATION_xxx matching the build type # Define the LLDB_CONFIGURATION_xxx matching the build type
if( uppercase_CMAKE_BUILD_TYPE STREQUAL "DEBUG" ) if( uppercase_CMAKE_BUILD_TYPE STREQUAL "DEBUG" )
add_definitions( -DLLDB_CONFIGURATION_DEBUG ) add_definitions( -DLLDB_CONFIGURATION_DEBUG )
else() else()
add_definitions( -DLLDB_CONFIGURATION_RELEASE ) add_definitions( -DLLDB_CONFIGURATION_RELEASE )
endif() endif()
if (CMAKE_SYSTEM_NAME MATCHES "Windows|Android") if (CMAKE_SYSTEM_NAME MATCHES "Windows|Android")
▲ Show 20 LinesShow All 201 LinesShow Last 20 Lines

cmake/modules/LLDBConfig.cmake

Show First 20 LinesShow All 44 Lines▼ Show 20 Lines
if ((NOT MSVC) OR MSVC12) if ((NOT MSVC) OR MSVC12)
add_definitions( -DHAVE_ROUND ) add_definitions( -DHAVE_ROUND )
endif() endif()
if (LLDB_DISABLE_CURSES) if (LLDB_DISABLE_CURSES)
add_definitions( -DLLDB_DISABLE_CURSES ) add_definitions( -DLLDB_DISABLE_CURSES )
endif() endif()
option(LLDB_USE_ENTITLEMENTS "When code signing, use entitlements if available" ON)
set(LLDB_CODESIGN_IDENTITY lldb_codesign CACHE STRING
"Identity for code signing debugserver (Darwin only)")
if(LLDB_CODESIGN_IDENTITY)
set(LLVM_CODESIGNING_IDENTITY ${LLDB_CODESIGN_IDENTITY} CACHE STRING "" FORCE)
endif()
# On Windows, we can't use the normal FindPythonLibs module that comes with CMake, # On Windows, we can't use the normal FindPythonLibs module that comes with CMake,
# for a number of reasons. # for a number of reasons.
# 1) Prior to MSVC 2015, it is only possible to embed Python if python itself was # 1) Prior to MSVC 2015, it is only possible to embed Python if python itself was
# compiled with an identical version (and build configuration) of MSVC as LLDB. # compiled with an identical version (and build configuration) of MSVC as LLDB.
# The standard algorithm does not take into account the differences between # The standard algorithm does not take into account the differences between
# a binary release distribution of python and a custom built distribution. # a binary release distribution of python and a custom built distribution.
# 2) From MSVC 2015 and onwards, it is only possible to use Python 3.5 or later. # 2) From MSVC 2015 and onwards, it is only possible to use Python 3.5 or later.
# 3) FindPythonLibs queries the registry to locate Python, and when looking for a # 3) FindPythonLibs queries the registry to locate Python, and when looking for a
▲ Show 20 LinesShow All 372 LinesShow Last 20 Lines

tools/debugserver/CMakeLists.txt

Show All 9 Lines set(CMAKE_MODULE_PATH
) )
include(LLDBStandalone) include(LLDBStandalone)
include(AddLLDB) include(AddLLDB)
set(LLDB_SOURCE_DIR "${CMAKE_SOURCE_DIR}/../../") set(LLDB_SOURCE_DIR "${CMAKE_SOURCE_DIR}/../../")
include_directories(${LLDB_SOURCE_DIR}/include) include_directories(${LLDB_SOURCE_DIR}/include)
option(LLDB_USE_ENTITLEMENTS "When codesigning, use entitlements if available" ON) option(LLDB_USE_ENTITLEMENTS "When code signing, use entitlements if available" ON)
set(LLDB_CODESIGN_IDENTITY lldb_codesign CACHE STRING set(LLDB_CODESIGN_IDENTITY lldb_codesign CACHE STRING
"Identity for code signing debugserver (Darwin only)") "Identity for code signing debugserver (Darwin only)")
if(LLDB_CODESIGN_IDENTITY) if(LLDB_CODESIGN_IDENTITY)
set(LLVM_CODESIGNING_IDENTITY ${LLDB_CODESIGN_IDENTITY} CACHE STRING "" FORCE) set(LLVM_CODESIGNING_IDENTITY ${LLDB_CODESIGN_IDENTITY} CACHE STRING "" FORCE)
endif() endif()
endif() endif()
add_subdirectory(source) add_subdirectory(source)

tools/debugserver/source/CMakeLists.txt

Show First 20 LinesShow All 136 Lines▼ Show 20 Lines else()
set(LLDB_USE_SYSTEM_DEBUGSERVER OFF CACHE BOOL "" FORCE) set(LLDB_USE_SYSTEM_DEBUGSERVER OFF CACHE BOOL "" FORCE)
endif() endif()
elseif(NOT LLDB_NO_DEBUGSERVER) elseif(NOT LLDB_NO_DEBUGSERVER)
# Default case: on Darwin we need the right code signing ID. # Default case: on Darwin we need the right code signing ID.
# See lldb/docs/code-signing.txt for details. # See lldb/docs/code-signing.txt for details.
if(CMAKE_HOST_APPLE AND NOT LLVM_CODESIGNING_IDENTITY STREQUAL "lldb_codesign") if(CMAKE_HOST_APPLE AND NOT LLVM_CODESIGNING_IDENTITY STREQUAL "lldb_codesign")
set(msg "Cannot code sign debugserver with identity '${LLVM_CODESIGNING_IDENTITY}'.") set(msg "Cannot code sign debugserver with identity '${LLVM_CODESIGNING_IDENTITY}'.")
if(system_debugserver) if(system_debugserver)
message(WARNING "${msg} Will fall back to system's debugserver.") message(WARNING "${msg} Will fall back to copy system's debugserver.")
set(use_system_debugserver ON) set(use_system_debugserver ON)
else() else()
message(WARNING "${msg} debugserver will not be available.") message(WARNING "${msg} debugserver will not be available.")
endif() endif()
else() else()
set(build_and_sign_debugserver ON) set(build_and_sign_debugserver ON)
endif() endif()
endif() endif()
▲ Show 20 LinesShow All 139 LinesShow Last 20 Lines