[vm] Add LC_ENCRYPTION_INFO(_64) load command to iOS snapshots.

sstrickl · Commit Queue · commit 8cbf86428937 · 2026-01-26T06:34:51.000-08:00
When uploading to the App Store, the program must contain an LC_ENCRYPTION_INFO segment in the Mach-O header so the App Store can appropriately modify it for its purposes without changing the header size and/or offsets/addresses in the rest of the shared object. By default, the load command is only added to iOS snapshots, but it can be added to any Mach-O snapshot using the --macho-encryptable command line option. TEST=vm/dart/use_macho_options_test Cq-Include-Trybots: luci.dart.try:vm-aot-mac-debug-x64-try,vm-aot-mac-debug-arm64-try,vm-aot-linux-debug-x64-try Change-Id: I4e79fd9cfb9ba9d49707ec209eca3fee1cefc28c Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/475040 Reviewed-by: Alexander Markov <alexmarkov@google.com> Commit-Queue: Tess Strickland <sstrickl@google.com>
diff --git a/pkg/native_stack_traces/lib/src/macho.dart b/pkg/native_stack_traces/lib/src/macho.dart
@@ -130,6 +130,8 @@ class LoadCommand {
   static const LC_UUID = 0x1b;
   static const LC_RPATH = 0x1c | LC_REQ_DYLD;
   static const LC_CODE_SIGNATURE = 0x1d; // Only used in vm/dart tests.
+  static const LC_ENCRYPTION_INFO = 0x21;
+  static const LC_ENCRYPTION_INFO_64 = 0x2c;
   static const LC_BUILD_VERSION = 0x32;
 
   static LoadCommand fromReader(Reader reader) {
@@ -156,6 +158,9 @@ class LoadCommand {
         command = DylibCommand.fromReader(reader, cmd, cmdsize);
       case LC_RPATH:
         command = RunPathCommand.fromReader(reader, cmd, cmdsize);
+      case LC_ENCRYPTION_INFO:
+      case LC_ENCRYPTION_INFO_64:
+        command = EncryptionInfoCommand.fromReader(reader, cmd, cmdsize);
       default:
         break;
     }
@@ -602,6 +607,38 @@ class BuildVersionCommand extends LoadCommand {
   }
 }
 
+class EncryptionInfoCommand extends LoadCommand {
+  final int fileOffset;
+  final int fileSize;
+  final int cryptId;
+
+  EncryptionInfoCommand._(
+      super.cmd, super.cmdsize, this.fileOffset, this.fileSize, this.cryptId)
+      : super._();
+
+  static EncryptionInfoCommand fromReader(Reader reader, int cmd, int cmdsize) {
+    final fileOffset = _readMachOUint32(reader);
+    final fileSize = _readMachOUint32(reader);
+    final cryptId = _readMachOUint32(reader);
+    if (cmd == LoadCommand.LC_ENCRYPTION_INFO_64) {
+      _readMachOUint32(reader); // padding
+    }
+    return EncryptionInfoCommand._(cmd, cmdsize, fileOffset, fileSize, cryptId);
+  }
+
+  @override
+  void writeToStringBuffer(StringBuffer buffer) {
+    buffer
+      ..writeln('Encryption info: ')
+      ..write('  File offset: ')
+      ..writeln(paddedHex(fileOffset, 4))
+      ..write('  File size: ')
+      ..writeln(fileSize)
+      ..write('  Crypt id: ')
+      ..writeln(cryptId);
+  }
+}
+
 class MachOHeader {
   final int magic;
   final int cputype;
diff --git a/runtime/platform/mach_o.h b/runtime/platform/mach_o.h
@@ -140,6 +140,14 @@ static constexpr uint32_t LC_RPATH = (0x1c | LC_REQ_DYLD);
 // The code signature which protects the preceding portion of the object file.
 // Must be the last contents in the object file. (linkedit_data_command)
 static constexpr uint32_t LC_CODE_SIGNATURE = 0x1d;
+// Information about encrypted segments for 32-bit targets. Must also be present
+// for programs with no encrypted segments that are uploaded to the App Store
+// so it can be updated appropriately.
+static constexpr uint32_t LC_ENCRYPTION_INFO = 0x21;
+// Information about encrypted segments for 64-bit targets. Must also be present
+// for programs with no encrypted segments that are uploaded to the App Store
+// so it can be updated appropriately.
+static constexpr uint32_t LC_ENCRYPTION_INFO_64 = 0x2c;
 // An arbitrary piece of data not specified by the Mach-O format. (note_command)
 static constexpr uint32_t LC_NOTE = 0x31;
 // The target platform and minimum and target OS versions for this object file.
@@ -743,6 +751,23 @@ static constexpr uint32_t RELOC_TYPE_ARM64_UNSIGNED = 0 << 28;
 // _before_ the target (UNSIGNED) entry that it is subtracted from.
 static constexpr uint32_t RELOC_TYPE_ARM64_SUBTRACTOR = 1 << 28;
 
+struct encryption_info_command {
+  uint32_t cmd;  // LC_ENCRYPTION_INFO
+  uint32_t cmdsize;
+  uint32_t cryptoff;   // file offset of the encrypted segment(s)
+  uint32_t cryptsize;  // file size of the encrypted segment(s)
+  uint32_t cryptid;    // encryption cypher used (0 == not encrypted)
+};
+
+struct encryption_info_command_64 {
+  uint32_t cmd;  // LC_ENCRYPTION_INFO_64
+  uint32_t cmdsize;
+  uint32_t cryptoff;   // file offset of the encrypted segment(s)
+  uint32_t cryptsize;  // file size of the encrypted segment(s)
+  uint32_t cryptid;    // encryption cypher used (0 == not encrypted)
+  uint32_t pad;        // padding to a multiple of 64 bits
+};
+
 #pragma pack(pop)
 
 }  // namespace mach_o
diff --git a/runtime/tests/vm/dart/use_macho_options_test.dart b/runtime/tests/vm/dart/use_macho_options_test.dart
@@ -129,6 +129,7 @@ enum TestType {
   MinOSVersion,
   NoLinkerSignature,
   ReplaceInstallName,
+  Encryptable,
 }
 
 @pragma('vm:platform-const')
@@ -156,6 +157,7 @@ Future<void> checkCases(List<TestCase> testCases) async {
     checkRunPaths(c);
     checkBuildVersion(c);
     checkCodeSignature(c);
+    checkEncryptionInfo(c);
   }
   // Unsigned snapshots are not runnable.
   final runnableCases = testCases
@@ -329,6 +331,21 @@ void checkCodeSignature(TestCase testCase) {
   }
 }
 
+void checkEncryptionInfo(TestCase testCase) {
+  final encryptionInfoCommands = testCase.snapshot.commands
+      .whereType<macho.EncryptionInfoCommand>();
+  if (testCase.type == TestType.Encryptable) {
+    Expect.equals(1, encryptionInfoCommands.length);
+    final cmd = encryptionInfoCommands.singleOrNull;
+    if (cmd != null) {
+      // gen_snapshot doesn't encrypt any segments.
+      Expect.equals(0, cmd.cryptId);
+    }
+  } else {
+    Expect.isEmpty(encryptionInfoCommands);
+  }
+}
+
 void checkBuildVersion(TestCase testCase) {
   final buildVersion = testCase.snapshot
       .commandsWhereType<macho.BuildVersionCommand>()
diff --git a/runtime/vm/mach_o.cc b/runtime/vm/mach_o.cc
