utilities.py: Add ApSecurityMode check

2026-04-21 03:04:31 +10:00 · 2022-05-08 09:35:13 -06:00
parent 396590c2b2
commit 4538341966
2 changed files with 34 additions and 10 deletions
--- a/resources/device_probe.py
+++ b/resources/device_probe.py
@@ -485,6 +485,8 @@ class Computer:
    bluetooth_chipset: Optional[str] = None
    ambient_light_sensor: Optional[bool] = False
    third_party_sata_ssd: Optional[bool] = False
+    secure_boot_model: Optional[str] = None
+    secure_boot_status: Optiona[int] = None

    @staticmethod
    def probe():
@@ -705,6 +707,9 @@ class Computer:
        self.opencore_version = utilities.get_nvram("opencore-version", "4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102", decode=True)
        self.opencore_path = utilities.get_nvram("boot-path", "4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102", decode=True)

+        # SecureBoot Variables
+        self.secure_boot_model = utilities.check_secure_boot_model()
+        self.secure_boot_status = utilities.check_ap_security_mode()
    def cpu_probe(self):
        self.cpu = CPU(
            subprocess.run("sysctl machdep.cpu.brand_string".split(), stdout=subprocess.PIPE).stdout.decode().partition(": ")[2].strip(),
--- a/resources/utilities.py
+++ b/resources/utilities.py
@@ -206,6 +206,34 @@ def check_filevault_skip():
        return False


+def check_secure_boot_model():
+    sbm_byte = get_nvram("HardwareModel", "94B73556-2197-4702-82A8-3E1337DAFBFB", decode=False)
+    if sbm_byte:
+        sbm_byte = sbm_byte.replace(b"\x00", b"")
+        sbm_string = sbm_byte.decode("utf-8")
+        return sbm_string
+    return None
+
+def check_ap_security_mode():
+    ap_security_mode_byte = get_nvram("ApSecurityMode", "94B73556-2197-4702-82A8-3E1337DAFBFB", decode=False)
+    if ap_security_mode_byte:
+        # Ref:
+        # https://github.com/acidanthera/OpenCorePkg/blob/f7c1a3d483fa2535b6a62c25a4f04017bfeee09a/Include/Apple/Protocol/AppleImg4Verification.h#L27-L31
+        #     AppleImg4SbModeDisabled = 0,
+        #     AppleImg4SbModeMedium   = 1,
+        #     AppleImg4SbModeFull     = 2
+        return int.from_bytes(ap_security_mode_byte, byteorder="little")
+    return 0
+
+def check_secure_boot_level():
+    if check_secure_boot_model() in constants.Constants().sbm_values:
+        if check_ap_security_mode() == 2:
+            return True
+        else:
+            return False
+    return False
+
+
 def patching_status(os_sip, os):
    # Detection for Root Patching
    sip_enabled = True  #  System Integrity Protection
@@ -223,16 +251,7 @@ def patching_status(os_sip, os):
        # Catalina and older supports individually disabling Library Validation
        amfi_enabled = False

-    sbm_byte = get_nvram("HardwareModel", "94B73556-2197-4702-82A8-3E1337DAFBFB", decode=False)
-    if sbm_byte:
-        # SecureBootModel has a ton of null bytes, so strip them out
-        sbm_string = sbm_byte.decode("utf-8")
-        if sbm_string in constants.Constants().sbm_values:
-            sbm_enabled = True
-        else:
-            sbm_enabled = False
-    else:
-        sbm_enabled = False
+    sbm_enabled = check_secure_boot_level()

    if os > os_data.os_data.yosemite:
        sip_enabled = csr_decode(os_sip)