fix(macos): enable voidbox on Apple Silicon via entitlement + kernel …#6

Merged
cspinetta merged 2 commits into main from fix/macos-voidbox-guest-image
Feb 25, 2026

@cspinetta
Collaborator

Description

Fixes voidbox on macOS (Apple Silicon) when using the guest_image OCI workflow.

Addresses two blockers:

  1. missing com.apple.security.virtualization entitlement.
  2. VZ requiring uncompressed ARM64 kernels while the OCI guest image ships a gzip-compressed kernel.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Code refactoring
  • Performance improvement
  • Test addition or update

Related Issues

Fixes #
Related to #

Changes Made

  • Cargo runner (scripts/run_voidbox_macos.sh): Codesigns the voidbox binary before execution when using cargo run on macOS. Configured in .cargo/config.toml for aarch64-apple-darwin and x86_64-apple-darwin.
  • Kernel decompression (voidbox-oci): On macOS ARM64, decompresses gzip-compressed kernels to vmlinux before passing to VZ. Apple's Virtualization.framework requires uncompressed ARM64 kernels; the OCI guest image provides vmlinuz (gzip).
  • README: Documented the macOS guest-image workflow, including that cargo run auto-codesigns and that gzip kernels are decompressed for VZ.

Testing

  • All existing tests pass (cargo test --workspace)
  • Added new tests for the changes
  • Tested manually with mock sandbox
  • Tested manually with KVM sandbox (if applicable)
  • Verified examples still work

Test Commands Run

cargo fmt --all
cargo test
cargo run --bin voidbox -- run --file examples/specs/oci/guest-image-workflow.yaml
# Expected: success: true, output: "HELLO FROM GUEST IMAGE"

Documentation

  • Updated inline code documentation
  • Updated README.md (if user-facing changes)
  • Updated CHANGELOG.md
  • Added/updated examples (if applicable)

Code Quality

  • Code follows project style guidelines (cargo fmt)
  • No clippy warnings (cargo clippy --workspace --all-targets)
  • Documentation builds without warnings (cargo doc --no-deps)
  • All files have appropriate licensing headers (if applicable)

Screenshots (if applicable)

N/A

Checklist

  • My code follows the project's coding standards
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

Additional Notes

  • The runner script is a no-op on Linux (checks uname -s == Darwin before codesigning).
  • Kernel decompression only runs on target_os = "macos" and target_arch = "aarch64"; other platforms use the kernel as-is.

…decompression

- Add Cargo runner to auto-codesign voidbox before run (required for VZ)
- Decompress gzip kernel in OCI guest images for VZ on macOS ARM64
- Update README with macOS guest-image workflow instructions
@cspinetta cspinetta merged commit 0add974 into main Feb 25, 2026
14 checks passed
@cspinetta cspinetta deleted the fix/macos-voidbox-guest-image branch February 25, 2026 00:37
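
The kernel handling this PR describes, as an added shell example (not voidbox's Rust code and not part of the PR): it detects a gzip-wrapped kernel from a guest image, inflates it under a size cap, and checks for the arm64 Image magic before the file would be handed to VZ. The function names, the 256 MiB cap and the magic check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not voidbox code. Names and the 256 MiB cap are assumptions.
MAX_KERNEL_BYTES="${MAX_KERNEL_BYTES:-268435456}"

# hex_at FILE OFFSET COUNT: print COUNT bytes at OFFSET as lowercase hex.
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null |
        od -An -v -tx1 | tr -d ' \n'
}

# gzip streams start with the two magic bytes 1f 8b.
is_gzip() { [ "$(hex_at "$1" 0 2)" = "1f8b" ]; }

# An uncompressed arm64 Image has the magic "ARM\x64" at byte offset 56.
is_arm64_image() { [ "$(hex_at "$1" 56 4)" = "41524d64" ]; }

# prepare_kernel SRC DST: write an uncompressed kernel to DST.
# Returns 1 on a corrupt gzip stream, 2 when the inflated size exceeds the cap,
# 3 when the result is not an arm64 Image. DST is only created on success.
prepare_kernel() {
    src=$1
    dst=$2
    tmp="$dst.tmp.$$"
    if is_gzip "$src"; then
        # Verify the stream (CRC and length) before trusting any output.
        gzip -t < "$src" 2>/dev/null || return 1
        # Keep at most cap+1 bytes so an oversized kernel is detected
        # without being written out in full.
        gzip -dc < "$src" 2>/dev/null |
            head -c "$((MAX_KERNEL_BYTES + 1))" > "$tmp"
        size=$(wc -c < "$tmp" | tr -d ' ')
        if [ "$size" -gt "$MAX_KERNEL_BYTES" ]; then
            rm -f "$tmp"
            echo "kernel inflates past ${MAX_KERNEL_BYTES} bytes" >&2
            return 2
        fi
    else
        cp -- "$src" "$tmp" || return 1
    fi
    if ! is_arm64_image "$tmp"; then
        rm -f "$tmp"
        echo "not an uncompressed arm64 Image" >&2
        return 3
    fi
    mv -- "$tmp" "$dst"
}
```

An already uncompressed kernel passes through the same magic check, so the caller can use the result of `prepare_kernel` regardless of how the image shipped its kernel.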