hm is this that much more convenient than invoking codesign after LLD finishes running in whatever build we're testing?

I think codesign -s also doesn't set the magic "codesigned by linker" bit that makes strip etc work better (and if doesn't work in cross builds from non-mac hosts). I kind of agree that putting this in as is isn't super useful.

(Don't know if you've seen it, but golang has a from scratch impl of this for 1.16 -- and there's ld64 too of course.)

In D96164#2546549, @int3 wrote:

hm is this that much more convenient than invoking codesign after LLD finishes running in whatever build we're testing?

ld64 signs automatically. Config & build systems of all kinds assume that linked programs are runnable. On arm64 macOS, if lld doesn't sign, then programs don't run without explicit codesign -s - ..., and every config & build system needs to be taught that. No thank you.

In D96164#2546586, @thakis wrote:

I think codesign -s also doesn't set the magic "codesigned by linker" bit that makes strip etc work better (and if doesn't work in cross builds from non-mac hosts). I kind of agree that putting this in as is isn't super useful.

FYI, it is super useful for testing self-hosted native arm64 macOS builds of LLVM and other packages (e.g., GNU coreutils). If you don't want it committed to LLVM, that's fine with me. I have been using it productively as a local change and others who want to work on native arm64 macOS can place it at the base of their local diff stacks too.

(Don't know if you've seen it, but golang has a from scratch impl of this for 1.16 -- and there's ld64 too of course.)

I briefly looked at ld64-530 (the most recent Apple code drop), and could not find any code that generates LC_CODE_SIGNATURE. I will look harder this weekend.

https://go-review.googlesource.com/c/scratch/+/271866/5/cherry/codesign.go

https://go-review.googlesource.com/c/go/+/272256/

In order to perform ad-hoc codesign, I will need to compute sha256 of the program's pages. I see no other part of LLVM that uses a sha256 library. What library should I use?

Some cmake magic to look for OpenSSL? If you can't find it, give a warning and disable code-signing?

"strip and install_name_tool are aware that what they do will invalidate a code signature, so if they’re operating on a linker-signed Mach-O file, they’ll generate a new linker-signed signature."
https://github.com/golang/go/issues/42684#issuecomment-731594886

The code-signing functionality has to end up being in LLVM eventually for llvm-install-name-tool?

In D96164#2547158, @gkm wrote:

In order to perform ad-hoc codesign, I will need to compute sha256 of the program's pages. I see no other part of LLVM that uses a sha256 library. What library should I use?

LLVM tries to not depend on external libraries if possible. Given that sha256 isn't that much code (https://golang.org/src/crypto/sha256/), just adding a fresh implementation of it (to lld/MachO for now) is probably the way to go.

In D96164#2547390, @thakis wrote:

In D96164#2547158, @gkm wrote:

In order to perform ad-hoc codesign, I will need to compute sha256 of the program's pages. I see no other part of LLVM that uses a sha256 library. What library should I use?

LLVM tries to not depend on external libraries if possible. Given that sha256 isn't that much code (https://golang.org/src/crypto/sha256/), just adding a fresh implementation of it (to lld/MachO for now) is probably the way to go.

Agreed. There's some prior art here too ... LLVM has a SHA1 implementation in llvm/include/llvm/Support/SHA1.h and llvm/lib/Support/SHA1.cpp. That was adapted from an existing public-domain implementation, and we could do the same here (find a SHA256 implementation with a license that allows it to copied into LLVM).

df>>! In D96164#2547480, @smeenai wrote:

In D96164#2547390, @thakis wrote:

LLVM tries to not depend on external libraries if possible. Given that sha256 isn't that much code (https://golang.org/src/crypto/sha256/), just adding a fresh implementation of it (to lld/MachO for now) is probably the way to go.

Agreed. There's some prior art here too ... LLVM has a SHA1 implementation in llvm/include/llvm/Support/SHA1.h and llvm/lib/Support/SHA1.cpp. That was adapted from an existing public-domain implementation, and we could do the same here (find a SHA256 implementation with a license that allows it to copied into LLVM).

Openssl has a C implementation of sha256 with Apache 2.0 license. Unless someone knows of a better candidate, I'll go with that.

Perhaps this might help: SHA256 impl for LLVM. This is based on botan's sha256 implementation and mimics the current SHA1 api design. It should be compatible with LLVM's license since it's based on botan's implementation, which is BSD-2 licensed.

In D96164#2546586, @thakis wrote:

I think codesign -s also doesn't set the magic "codesigned by linker" bit that makes strip etc work better (and if doesn't work in cross builds from non-mac hosts). I kind of agree that putting this in as is isn't super useful.

Where can I learn about thsi magic "codesigned by linker" bit? My searches are coming-up dry.

In D96164#2547858, @gkm wrote:

df>>! In D96164#2547480, @smeenai wrote:

In D96164#2547390, @thakis wrote:

LLVM tries to not depend on external libraries if possible. Given that sha256 isn't that much code (https://golang.org/src/crypto/sha256/), just adding a fresh implementation of it (to lld/MachO for now) is probably the way to go.

Agreed. There's some prior art here too ... LLVM has a SHA1 implementation in llvm/include/llvm/Support/SHA1.h and llvm/lib/Support/SHA1.cpp. That was adapted from an existing public-domain implementation, and we could do the same here (find a SHA256 implementation with a license that allows it to copied into LLVM).

Openssl has a C implementation of sha256 with Apache 2.0 license. Unless someone knows of a better candidate, I'll go with that.

I'm afraid that just copying an Apache-2.0 licensed implementation is not an option.

As described at https://llvm.org/docs/DeveloperPolicy.html#relicensing, "....In the interim, all contributions to the project will be made under the terms of both the new license and the legacy license scheme...", so code contributions must be covered by both the new and legacy license scheme.
The SPDX identifier for the new license is "Apache-2.0 WITH LLVM-exception"; for the legacy license it is "NCSA".

Therefore, just copying code that is covered by an Apache-2.0 license into the LLVM code base is not an option I'm afraid.
Apache-2.0 is a different license to "Apache-2.0 with LLVM exception" and to "NCSA".
I guess the most obvious options to get a sha256 implementation into the code base are:

1. get the copyright holder of an existing implementation to contribute it to LLVM, under both the "Apache-2.0 WITH LLVM-exception" and "NCSA" license.
2. write an implementation from scratch and contribute that.

In D96164#2555222, @cynecx wrote:

Perhaps this might help: SHA256 impl for LLVM. This is based on botan's sha256 implementation and mimics the current SHA1 api design. It should be compatible with LLVM's license since it's based on botan's implementation, which is BSD-2 licensed.

This is super helpful! Is it ready to import into LLVM as-is alongside SHA1 ?

@gkm Is it okay for you if I post a patch which adds a SHA-256 implementation to LLVM? I actually have a patchset ready here. But to answer your question, yes it should be possible to simply drop the files into the right locations.

@gkm Re: the linker flag. I think they were talking about this (linkerSigned):

	cdir := CodeDirectory{
		magic:        CSMAGIC_CODEDIRECTORY,
		length:       uint32(sz) - uint32(unsafe.Sizeof(SuperBlob{})+unsafe.Sizeof(Blob{})),
		version:      0x20400,
		flags:        0x20002, // adhoc | linkerSigned (0b10)
		hashOffset:   uint32(hashOff),
		identOffset:  uint32(idOff),
		nCodeSlots:   uint32(nhashes),
		codeLimit:    uint32(sigOff),
		hashSize:     sha256.Size,
		hashType:     kSecCodeSignatureHashSHA256,
		pageSize:     uint8(pageSizeBits),
		execSegBase:  textSeg.Offset,
		execSegLimit: textSeg.Filesz,
	}

https://go-review.googlesource.com/c/scratch/+/271866/5/cherry/codesign.go#293

flags:        0x20002, // adhoc | linkerSigned (0b10)

from cs_blobs.h

#define CS_ADHOC                    0x00000002  /* ad hoc signed */
#define CS_LINKER_SIGNED            0x00020000  /* Automatically signed by the linker */

SHA256 patch is up here: https://reviews.llvm.org/D96540.

• drop the fork+exec of /usr/bin/codesign and rewrite in C++

Does codesign.go make any differences?

Hmm, this is indeed very weird. I have seen "similar" behavior with codesign. codesign can actually fail. The only way to "get it working" again is to copy the file and codesign the copy, then replacing the original file (a different inode fixes codesigning).

Does the segfault happen with each linking step?

In D96164#2562426, @cynecx wrote:

Hmm, this is indeed very weird. I have seen "similar" behavior with codesign. codesign can actually fail. The only way to "get it working" again is to copy the file and codesign the copy, then replacing the original file (a different inode fixes codesigning).

Does the segfault happen with each linking step?

Not a segfault. SIGKILL, presumably dyld doing kill(0, SIGKILL) though I haven't yet run it under lldb to confirm.

In D96164#2562311, @tschuett wrote:

Does codesign.go make any differences?

I haven't tried, but I expect it would work. Resigning with /usr/bin/codesign works. Heck, just copying the binary causes it to work!

Re the copy stuff: See the CL desc and openradar link in https://reviews.llvm.org/rGba3bc2fd41b8428904fc779e353d3769074d8982

In D96164#2562655, @thakis wrote:

Re the copy stuff: See the CL desc and openradar link in https://reviews.llvm.org/rGba3bc2fd41b8428904fc779e353d3769074d8982

That is good to know. This case differs: LLD is not overwriting an existing file, so is not reusing an vnode.

There is something funky in FileOutputBuffer, which creates the LLD output file via mmap(2). When I force it to avoid mmap, all is well. For now, I will work-around by passing the flag F_no_mmap when signing.

In D96164#2562701, @gkm wrote:

In D96164#2562655, @thakis wrote:

Re the copy stuff: See the CL desc and openradar link in https://reviews.llvm.org/rGba3bc2fd41b8428904fc779e353d3769074d8982

That is good to know. This case differs: LLD is not overwriting an existing file, so is not reusing an vnode. There is something funky in FileOutputBuffer, which creates the LLD output file via mmap(2).

Travis Hill <travis@xojo.com> fed me the answer. The Go peeps had the same problem: https://go-review.googlesource.com/c/go/+/272258
The Darwin kernel caches signature verification results by vnode. mmap(2) creates the cache entry, before we have written anything to the output. The fix is to invalidate the cache after writing via msync(..., MS_INVALIDATE);

In D96164#2562720, @gkm wrote:

In D96164#2562701, @gkm wrote:

In D96164#2562655, @thakis wrote:

Re the copy stuff: See the CL desc and openradar link in https://reviews.llvm.org/rGba3bc2fd41b8428904fc779e353d3769074d8982

That is good to know. This case differs: LLD is not overwriting an existing file, so is not reusing an vnode. There is something funky in FileOutputBuffer, which creates the LLD output file via mmap(2).

Travis Hill <travis@xojo.com> fed me the answer. The Go peeps had the same problem: https://go-review.googlesource.com/c/go/+/272258
The Darwin kernel caches signature verification results by vnode. mmap(2) creates the cache entry, before we have written anything to the output. The fix is to invalidate the cache after writing via msync(..., MS_INVALIDATE);

Ah, the mmap one is https://openradar.appspot.com/FB8914231 :)

I could use some advice regarding import of the the Apple C (not C++) header cs_blobs.h:

• Some struct decls contain zero-length array members as offset markers. These are invalid C++, and LLD doesn't need them.
• Some struct decls contain flexible array members. These are invalid C++, and LLD doesn't need them.
• Some flag bit sets are specified via sequences of #define. LLVM prefers enum.
• All struct decls have __attribute__((aligned(1))). LLD does not need or want these.
• Struct definition pattern is typedef struct __TAG { ... } NAME; C++ prefers struct NAME { ... };
• The linter complains about case style for struct names.

Questions:

• Should we make minimal edits to get proper compilation & semantics and leave all the other warts as-is?
• Or, should we be boldly invasive and make it conform to C++ and LLVM style, silencing the linter?
• What is best practice regarding header imports that require surgery? It seems wise to import the unaltered Apple header first via a preparatory commit (without a diff? unreviewed?), and then commit this diff with the changes to make it conform to C++ & LLVM style.

Feel free to ignore me, but:
https://github.com/llvm/llvm-project/blob/main/llvm/include/llvm/BinaryFormat/MachO.h
seems to be inspired by the Apple headers. It is not a one-to-one copy.

In D96164#2563794, @tschuett wrote:

https://github.com/llvm/llvm-project/blob/main/llvm/include/llvm/BinaryFormat/MachO.h
seems to be inspired by the Apple headers. It is not a one-to-one copy.

This seems like a good option to me: don't import cs_blobs.h at all, but rather adapt & append the necessary codesigning definitions to existing llvm/include/llvm/BinaryFormat/MachO.h.

• What is best practice regarding header imports that require surgery? It seems wise to import the unaltered Apple header first via a preparatory commit (without a diff? unreviewed?), and then commit this diff with the changes to make it conform to C++ & LLVM style.

There are currently 0 hits for APPLE_LICENSE_HEADER in llvm's codebase. I'm guessing that's not a coincidence :)

lgtm, will like @cynecx sign off

I won't complain if someone accepts the diff! ;)

Did this land without any tests?

In D96164#2605092, @thakis wrote:

Did this land without any tests?

Yes, this was an oversight. Thanks for adding a test in D97994.