Docs: Discourage use of com.apple.vm.hypervisor on macOS >=10.15.7

Tests on multiple MacOS 10.15.7 and 11.3.1 machines showed when this entitlement is added gatekeeper prevents qemu to start (error "kill -9"). I'm not entirely sure but I believe there was a breaking change from 10.15.6 to 10.15.7 and Apple docs are incorrect.

Signed-off-by: Christian Korneck <[email protected]>

Author: christian-korneck

README.md

@@ -70,16 +70,13 @@ For the usage of containerd and nerdctl (contaiNERD ctl), visit https://github.c
 - QEMU (`brew install qemu`)
 
 - Run the following commands to enable `--accel=hvf`:
+
 ```bash
 cat >entitlements.xml <<EOF
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-    <!-- for OS X 10.10 - macOS 10.15 -->
-    <key>com.apple.vm.hypervisor</key>
-    <true/>
-    <!-- for macOS 11 and later -->
     <key>com.apple.security.hypervisor</key>
     <true/>
 </dict>
@@ -89,6 +86,14 @@ EOF
 codesign -s - --entitlements entitlements.xml --force /usr/local/bin/qemu-system-x86_64
 ```
 
+Note: **Only** on macOS versions **before** 10.15.7 you might need to add this entitlement in addition:
+
+```
+    <key>com.apple.vm.hypervisor</key>
+    <true/>
+```
+
+
 ### Requirements (ARM Mac)
 
 - coreutils (for `realpath` command) (`brew install coreutils`)
@@ -236,6 +241,10 @@ Host * !127.0.0.1
         User root
 ```
 
+### error "killed -9"
+- make sure qemu is codesigned, see [Getting started](#getting-started).
+- if you are on macOS 10.15.7 or 11.0 or later make sure the entitlement `com.apple.vm.hypervisor` is **not** added. It only works on older macOS versions. You can clear the codesigning with `codesign --remove-signature /usr/local/bin/qemu-system-x86_64` and [start over](#getting-started).
+
 ### "Hints for debugging other problems?"
 - Inspect logs:
   - `limactl --debug start`