I wrote the following derivations for building `libkrun-efi` and `krunkit` for darwin systems:
```nix
{
  cargo,
  fetchFromGitHub,
  lib,
  libepoxy,
  pkg-config,
  rustc,
  rustPlatform,
  rutabaga_gfx,
  stdenv,
  virglrenderer,
}:
stdenv.mkDerivation (finalAttrs: {
  pname = "libkrun-efi";
  version = "1.12.2";

  src = fetchFromGitHub {
    owner = "containers";
    repo = "libkrun";
    tag = "v${finalAttrs.version}";
    hash = "sha256-0VDgCTTFgEeQYs1IK+3CBdW84eEnAhcYVTO2IxjyMF0=";
  };

  cargoDeps = rustPlatform.fetchCargoVendor {
    inherit (finalAttrs) src;
    hash = "sha256-dRGoaqfyXFCd5S3w88FL0Lva6uxRMPWccUN6iLcs+OE=";
  };

  outputs = [
    "out"
    "dev"
  ];

  nativeBuildInputs = [
    cargo
    pkg-config
    rustc
    rustPlatform.bindgenHook
    rustPlatform.cargoSetupHook
  ];

  buildInputs = [
    libepoxy
    virglrenderer
    rutabaga_gfx
  ];

  makeFlags = [
    "PREFIX=${placeholder "out"}"
    "EFI=1"
    "HYPERVISOR=hvf"
  ];

  # Split headers and pkg-config metadata into the dev output.
  postInstall = ''
    mkdir -p $dev/lib
    mv $out/lib/pkgconfig $dev/lib/
    mv $out/include $dev/
  '';

  meta = with lib; {
    description = "Dynamic library providing Virtualization-based process isolation capabilities";
    homepage = "https://github.com/containers/libkrun";
    license = licenses.asl20;
    maintainers = with maintainers; [ quinneden ];
    platforms = platforms.darwin;
  };
})
```
```nix
{
  cargo,
  darwin,
  pkg-config,
  rustc,
  stdenv,
  fetchFromGitHub,
  libepoxy,
  libkrun-efi,
  rustPlatform,
  lib,
}:
stdenv.mkDerivation (finalAttrs: {
  pname = "krunkit";
  version = "0.2.1";

  src = fetchFromGitHub {
    owner = "containers";
    repo = "krunkit";
    rev = "v${finalAttrs.version}";
    hash = "sha256-iOd4UjmSrVuJPvWwP8GV2DWYsTWAXAXguXK4VxiDOko=";
  };

  cargoDeps = rustPlatform.fetchCargoVendor {
    inherit (finalAttrs) src;
    hash = "sha256-9a76zZQqYoEVhh2rAysMLKA+dfjhtAFx5qXQkyCA8d0=";
  };

  nativeBuildInputs = [
    cargo
    darwin.sigtool
    pkg-config
    rustc
    rustPlatform.bindgenHook
    rustPlatform.cargoSetupHook
  ];

  buildInputs = [
    libepoxy
    libkrun-efi
  ];

  makeFlags = [
    "LIBKRUN_EFI=${libkrun-efi}/lib/libkrun-efi.dylib"
    "PREFIX=${placeholder "out"}"
  ];

  postInstall = ''
    # First fix the library references
    install_name_tool -change \
      libkrun-efi.dylib \
      ${libkrun-efi}/lib/libkrun-efi.dylib \
      $out/bin/krunkit

    # Ad-hoc sign the binary with the entitlements shipped in the source tree
    codesign -f -s - --entitlements ${finalAttrs.src}/krunkit.entitlements $out/bin/krunkit
  '';

  meta = with lib; {
    description = "CLI tool to start VMs with libkrun";
    homepage = "https://github.com/containers/krunkit";
    license = licenses.asl20;
    maintainers = with maintainers; [ quinneden ];
    platforms = platforms.darwin;
  };
})
```
I'm having trouble getting the code signing to work for `krunkit`. It's not correctly applying the entitlements from `krunkit.entitlements`, which looks like:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.hypervisor</key>
	<true/>
	<key>com.apple.security.cs.disable-library-validation</key>
	<true/>
</dict>
</plist>
```
so when trying to run a VM using `krunkit` I get:
```text
[2025-05-25T20:37:54Z ERROR krun] Building the microVM failed: Internal(Vm(VmSetup(VmCreate)))
Error: unable to begin running krun workload
```
I have noticed that even without the correct entitlements, the binary seems to work when copied out of the nix store and into a user directory. I'm very unfamiliar with code signing and I'm not sure how to fix this, or if it's even possible to fix?
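Before chasing the signing step itself, it is worth checking two things mechanically: that the entitlements file asks for exactly the keys the binary needs, spelled correctly (codesign will happily embed an unknown key without complaint), and that the entitlements actually present on the installed binary match the file, since anything that re-signs the binary after `postInstall` (a stdenv fixup hook, for instance) replaces the entitlement-bearing signature with a bare ad-hoc one. The checker below is an added example, not code from the post or from the krunkit/libkrun projects. It is stdlib-only and runs anywhere; on a darwin host you would feed it either the source `krunkit.entitlements` or the plist dumped from the built binary with `codesign -d --entitlements - --xml "$out/bin/krunkit"`. The two embedded plists are constructed inputs: one mirrors the posted file with a misspelled key, the other the corrected version. The list of known entitlement keys is a deliberately partial selection of real Apple hardened-runtime and virtualization keys, used only to detect typos.

```python
"""Sanity-check an entitlements plist for a libkrun-based VMM such as krunkit.

Added example (not krunkit's or libkrun's own code). Usage on macOS:

    codesign -d --entitlements - --xml "$out/bin/krunkit" > actual.plist
    python3 check_entitlements.py actual.plist
"""
import difflib
import plistlib
import sys

# Partial list of real entitlement keys; used only to flag misspellings.
KNOWN_KEYS = frozenset({
    "com.apple.security.hypervisor",
    "com.apple.security.virtualization",
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.allow-jit",
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.allow-dyld-environment-variables",
    "com.apple.security.network.client",
    "com.apple.security.network.server",
})

# What a libkrun VMM needs: the hypervisor entitlement so Hypervisor.framework
# lets the process create a VM at all, and disable-library-validation so
# library validation does not block loading the separately signed
# libkrun-efi.dylib from the Nix store.
REQUIRED_KEYS = frozenset({
    "com.apple.security.hypervisor",
    "com.apple.security.cs.disable-library-validation",
})

# Constructed sample: the entitlements as posted, with a trailing "r" typo.
POSTED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.hypervisor</key>
  <true/>
  <key>com.apple.security.cs.disable-library-validationr</key>
  <true/>
</dict>
</plist>
"""

# Constructed sample: the same file with the key spelled correctly.
FIXED_PLIST = POSTED_PLIST.replace(b"validationr", b"validation")


def _closest_known(key: str):
    """Suggest a known key that differs from `key` only by a small edit."""
    matches = difflib.get_close_matches(key, sorted(KNOWN_KEYS), n=1, cutoff=0.9)
    return matches[0] if matches else None


def check_entitlements(plist_bytes: bytes) -> list:
    """Return a list of human-readable problems; an empty list means OK."""
    problems = []
    try:
        ent = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed XML, not a plist, etc.
        return [f"not a valid plist: {exc}"]
    if not isinstance(ent, dict):
        return ["top-level plist object is not a dict"]

    # Required keys must be present at all.
    for key in sorted(REQUIRED_KEYS - set(ent)):
        problems.append(f"missing required entitlement: {key}")

    # Every key present must be one we recognise and must be <true/>.
    for key, value in ent.items():
        if key not in KNOWN_KEYS:
            hint = _closest_known(key)
            msg = f"unknown entitlement key: {key}"
            if hint:
                msg += f" (did you mean {hint}?)"
            problems.append(msg)
        elif value is not True:
            problems.append(f"entitlement {key} is {value!r}, expected <true/>")
    return problems


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else POSTED_PLIST
    issues = check_entitlements(data)
    for issue in issues:
        print("PROBLEM:", issue)
    print("OK" if not issues else f"{len(issues)} problem(s) found")
    sys.exit(1 if issues else 0)
```

Running it against the binary's dumped entitlements rather than the source file is the useful check here: if the dump comes back empty or as a bare ad-hoc signature while the source file passes, the signature applied in `postInstall` is being overwritten later in the build, not mis-applied.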