Clean up AMFI and SIP checks

Mykola Grymalyuk
2021-06-13 09:48:21 -06:00
parent df8d95b815
commit 5d6587100e
7 changed files with 79 additions and 35 deletions


@@ -22,7 +22,18 @@ class OpenCoreLegacyPatcher():
if (dgpu_vendor == self.constants.pci_amd_ati and (dgpu_device in PCIIDArray.amd_ids().polaris_ids or dgpu_device in PCIIDArray.amd_ids().vega_ids or dgpu_device in PCIIDArray.amd_ids().navi_ids or dgpu_device in PCIIDArray.amd_ids().legacy_gcn_ids)) or (dgpu_vendor == self.constants.pci_nvidia and dgpu_device in PCIIDArray.nvidia_ids().kepler_ids):
self.constants.sip_status = True
self.constants.secure_status = True
self.constants.secure_status = False
self.constants.disable_amfi = False
else:
self.constants.sip_status = False
self.constants.secure_status = False
self.constants.disable_amfi = True
if self.current_model in ModelArray.ModernGPU:
if self.model in ["iMac13,1", "iMac13,3"]:
dgpu_vendor,dgpu_device,dgpu_acpi = DeviceProbe.pci_probe().gpu_probe("GFX0")
if not dgpu_vendor:
self.constants.sip_status = False
self.constants.secure_status = False
else:
self.constants.sip_status = False
self.constants.secure_status = False
@@ -100,6 +111,7 @@ system_profiler SPHardwareDataType | grep 'Model Identifier'
[f"Set Vault Mode:\t\t\tCurrently {self.constants.vault}", CliMenu.MenuOptions(self.constants.custom_model or self.current_model, self.constants).change_vault],
[f"Allow FireWire Boot:\t\tCurrently {self.constants.firewire_boot}", CliMenu.MenuOptions(self.constants.custom_model or self.current_model, self.constants).allow_firewire],
[f"Allow NVMe Boot:\t\t\tCurrently {self.constants.nvme_boot}", CliMenu.MenuOptions(self.constants.custom_model or self.current_model, self.constants).allow_nvme],
[f"Disable AMFI:\t\t\tCurrently {self.constants.disable_amfi}", CliMenu.MenuOptions(self.constants.custom_model or self.current_model, self.constants).set_amfi],
[f"Set SIP and SecureBootModel:\tSIP: {self.constants.sip_status} SBM: {self.constants.secure_status}", CliMenu.MenuOptions(self.constants.custom_model or self.current_model, self.constants).change_sip],
[f"Allow OpenCore on native Models:\tCurrently {self.constants.allow_oc_everywhere}", CliMenu.MenuOptions(self.constants.custom_model or self.current_model, self.constants).allow_native_models],
[f"Advanced Patch Settings, for developers only", self.advanced_patcher_settings],
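Review bot: `self.constants.secure_status` is assigned twice in a row at the top of the first hunk (`= True` then `= False`); the rendered page has lost the +/- markers, so if both lines are on the new side the second silently clobbers the first and the `True` line is dead — worth confirming against the raw diff. The `gpu_probe("GFX0")` unpacking in the ModernGPU branch binds `dgpu_device` and `dgpu_acpi` that are never read; `dgpu_vendor, _, _ = DeviceProbe.pci_probe().gpu_probe("GFX0")` states that only the vendor matters here. That branch also lowers `sip_status` and `secure_status` purely from hardware detection without printing anything, whereas the build step announces "- Disabling SIP"; a comment such as `# NOTE: relaxes SIP/SecureBootModel defaults for ModernGPU models lacking a supported dGPU — confirm this is required for root patching` would record the intent. The enclosing method starts outside the hunk.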


@@ -388,8 +388,10 @@ class BuildOpenCore:
self.config["DeviceProperties"]["Add"][self.gfx0_path] = {"agdpmod": "vit9696"}
if self.model in ["iMac13,1", "iMac13,2", "iMac13,3"]:
print("- Fixing sleep support in macOS 12")
self.config["DeviceProperties"]["Add"]["PciRoot(0x0)/Pci(0x2,0x0)"] = {"name": binascii.unhexlify("23646973706C6179"), "IOName": "#display", "class-code": binascii.unhexlify("FFFFFFFF")}
dgpu_vendor,dgpu_device,dgpu_acpi = DeviceProbe.pci_probe().gpu_probe("GFX0")
if dgpu_vendor:
print("- Fixing sleep support in macOS 12")
self.config["DeviceProperties"]["Add"]["PciRoot(0x0)/Pci(0x2,0x0)"] = {"name": binascii.unhexlify("23646973706C6179"), "IOName": "#display", "class-code": binascii.unhexlify("FFFFFFFF")}
# Audio Patch
if self.model in ModelArray.LegacyAudio:
@@ -603,6 +605,8 @@ class BuildOpenCore:
print("- Disabling SIP")
self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["csr-active-config"] = binascii.unhexlify("EF0F0000")
self.config["NVRAM"]["Delete"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"] += ["csr-active-config"]
if self.constants.disable_amfi is True:
print("- Disabling AMFI")
self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["boot-args"] += " amfi_get_out_of_my_way=1"
if self.constants.secure_status is False:
print("- Disabling SecureBootModel")
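Review bot: The AMFI line in the second hunk, `self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["boot-args"] += " amfi_get_out_of_my_way=1"`, appends unconditionally, so a boot-args value that already carries the argument (from an earlier build or a user-supplied string) ends up with it twice, and an empty value gets a leading space. Reading the entry once into `boot_args` and guarding with `if "amfi_get_out_of_my_way=" not in boot_args:` before the append keeps the value canonical. Since this boot-arg switches off AMFI code-signing enforcement for the whole system, the log line is the place to say so: `print("- Disabling AMFI (amfi_get_out_of_my_way=1 turns off code-signing enforcement)")`. The enclosing method starts and ends outside the hunk.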


@@ -172,10 +172,6 @@ Note: For security reasons, OpenShell will be disabled when Vault is set.
however to patch the root volume both of these must be disabled.
Only disable is absolutely necessary. SIP value = 0xFEF
Note: for minor changes, SIP can be adjusted in recovery like normal.
Additionally, when disabling SIP via the patcher amfi_get_out_of_my_way=1
will be added to boot-args.
Valid options:
1. Enable Both
@@ -200,6 +196,21 @@ Valid options:
else:
print("Invalid option")
def set_amfi(self):
Utilities.cls()
Utilities.header(["Disable AMFI"])
print("""Required for Root Patching non-Metal GPUs
in macOS Big Sur. Without this, will receive kernel panic once
Patcher finishes installing legacy acceleration patches.
""")
change_menu = input("Disable AMFI(y/n): ")
if change_menu in {"y", "Y", "yes", "Yes"}:
self.constants.disable_amfi = True
elif change_menu in {"n", "N", "no", "No"}:
self.constants.disable_amfi = False
else:
print("Invalid option")
def change_imac_nvidia(self):
Utilities.cls()
Utilities.header(["Assume Metal GPU Always"])
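Review bot: `set_amfi` has no docstring and its prompt text explains only the kernel panic it avoids, not what the toggle does; the sentence removed from the SIP menu in the first hunk (that `amfi_get_out_of_my_way=1` is added to boot-args) is not carried over, so nothing in the UI now names the boot-arg or its effect. A docstring such as `"""Prompt to toggle constants.disable_amfi; when set, the builder appends amfi_get_out_of_my_way=1 to boot-args."""` and one more line in the printed text, `Disabling AMFI adds amfi_get_out_of_my_way=1 to boot-args, which turns off code-signing enforcement system-wide.`, give the user the trade-off. The prompt also hides the current value, unlike the menu entry that lists `Currently {self.constants.disable_amfi}`; `input(f"Disable AMFI (currently {self.constants.disable_amfi}) (y/n): ")` fixes that.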


@@ -84,6 +84,7 @@ class Constants:
self.apecid_support = False
self.firewire_boot = False
self.nvme_boot = False
self.disable_amfi = False
# OS Versions
self.tiger = 8
@@ -362,27 +363,32 @@ class Constants:
def skylight_path(self): return self.payload_apple_private_frameworks_path_accel / Path("SkyLight.framework")
csr_values = {
"CSR_ALLOW_UNTRUSTED_KEXTS": False, # 0x1 - Introduced in El Capitan # noqa: E241
"CSR_ALLOW_UNRESTRICTED_FS": False, # 0x2 - Introduced in El Capitan # noqa: E241
"CSR_ALLOW_TASK_FOR_PID": False, # 0x4 - Introduced in El Capitan # noqa: E241
"CSR_ALLOW_KERNEL_DEBUGGER": False, # 0x8 - Introduced in El Capitan # noqa: E241
"CSR_ALLOW_APPLE_INTERNAL": False, # 0x10 - Introduced in El Capitan # noqa: E241
"CSR_ALLOW_UNRESTRICTED_DTRACE": False, # 0x20 - Introduced in El Capitan # noqa: E241
"CSR_ALLOW_UNRESTRICTED_NVRAM": False, # 0x40 - Introduced in El Capitan # noqa: E241
"CSR_ALLOW_DEVICE_CONFIGURATION": False, # 0x80 - Introduced in El Capitan # noqa: E241
"CSR_ALLOW_ANY_RECOVERY_OS": False, # 0x100 - Introduced in Sierra # noqa: E241
"CSR_ALLOW_UNAPPROVED_KEXTS": False, # 0x200 - Introduced in High Sierra # noqa: E241
"CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE": False, # 0x400 - Introduced in Mojave # noqa: E241
"CSR_ALLOW_UNAUTHENTICATED_ROOT": False, # 0x800 - Introduced in Big Sur # noqa: E241
"CSR_ALLOW_UNTRUSTED_KEXTS": False, # 0x1 - Allows Unsigned Kexts - Introduced in El Capitan # noqa: E241
"CSR_ALLOW_UNRESTRICTED_FS": False, # 0x2 - File System Access - Introduced in El Capitan # noqa: E241
"CSR_ALLOW_TASK_FOR_PID": False, # 0x4 - Unrestricted Debugging - Introduced in El Capitan # noqa: E241
"CSR_ALLOW_KERNEL_DEBUGGER": False, # 0x8 - Allow Kernel Debugger - Introduced in El Capitan # noqa: E241
"CSR_ALLOW_APPLE_INTERNAL": False, # 0x10 - Set AppleInternal Features - Introduced in El Capitan # noqa: E241
"CSR_ALLOW_UNRESTRICTED_DTRACE": False, # 0x20 - Unrestricted DTrace usage - Introduced in El Capitan # noqa: E241
"CSR_ALLOW_UNRESTRICTED_NVRAM": False, # 0x40 - Unrestricted NVRAM write - Introduced in El Capitan # noqa: E241
"CSR_ALLOW_DEVICE_CONFIGURATION": False, # 0x80 - Allow Device Configuration(?) - Introduced in El Capitan # noqa: E241
"CSR_ALLOW_ANY_RECOVERY_OS": False, # 0x100 - Disable BaseSystem Verification - Introduced in Sierra # noqa: E241
"CSR_ALLOW_UNAPPROVED_KEXTS": False, # 0x200 - Allow Unapproved Kexts - Introduced in High Sierra # noqa: E241
"CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE": False, # 0x400 - Override Executable Policy - Introduced in Mojave # noqa: E241
"CSR_ALLOW_UNAUTHENTICATED_ROOT": False, # 0x800 - Allow Root Volume Mounting - Introduced in Big Sur # noqa: E241
}
root_patch_sip_mojave = [
# Variables required to root patch in Mojave and Catalina
"CSR_ALLOW_UNTRUSTED_KEXTS",
"CSR_ALLOW_UNRESTRICTED_FS",
"CSR_ALLOW_UNAPPROVED_KEXTS",
"CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE",
]
root_patch_sip_big_sur = [
# Variables required to root patch in Big Sur and Monterey
"CSR_ALLOW_UNTRUSTED_KEXTS",
"CSR_ALLOW_UNRESTRICTED_FS",
"CSR_ALLOW_UNRESTRICTED_DTRACE",
"CSR_ALLOW_UNRESTRICTED_NVRAM",
"CSR_ALLOW_DEVICE_CONFIGURATION",
"CSR_ALLOW_UNAPPROVED_KEXTS",
"CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE",
"CSR_ALLOW_UNAUTHENTICATED_ROOT",
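Review bot: The new comment on `CSR_ALLOW_UNAUTHENTICATED_ROOT` reads `Allow Root Volume Mounting`, but bit 0x800 permits booting a root volume whose seal does not verify, which is the property root patching depends on; `# 0x800 - Allow booting an unsealed (unauthenticated) root volume - Introduced in Big Sur` is more exact. `CSR_ALLOW_DEVICE_CONFIGURATION` still carries a bare `(?)`; if the meaning is unconfirmed, write `# TODO: confirm meaning` so the doubt is explicit. The two `root_patch_sip_*` lists say "Variables required to root patch" but not whether they are a minimum set or how they relate to the `EF0F0000` value the builder writes; a line above each such as `# Minimum csr bit names reported to the user when SIP blocks root patching` would tie them to their use. `root_patch_sip_big_sur` closes outside the hunk.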


@@ -375,6 +375,19 @@ nvidiaHDEF = [
# GPU
ModernGPU = [
"MacBookAir5,1", # Intel 4000
"MacBookAir5,2", # Intel 4000
"MacBookPro9,1", # Intel 4000 + Nvidia 650M
"MacBookPro9,2", # Intel 4000
"MacBookPro10,1", # Intel 4000 + Nvidia 650M
"MacBookPro10,2", # Intel 4000
"Macmini6,1", # Intel 4000
"Macmini6,2", # Intel 4000
"iMac13,1", # Intel 4000
"iMac13,3", # Intel 4000
]
LegacyGPU = [
"MacBook4,1", # GMA X3100
"MacBook5,1", # Nvidia 9000
@@ -386,8 +399,6 @@ LegacyGPU = [
"MacBookAir3,2", # Nvidia 300
"MacBookAir4,1", # Intel 3000
"MacBookAir4,2", # Intel 3000
"MacBookAir5,1", # Intel 4000
"MacBookAir5,2", # Intel 4000
"MacBookPro4,1", # Nvidia 8000
"MacBookPro5,1", # Nvidia 9000
"MacBookPro5,2", # Nvidia 9000
@@ -400,17 +411,11 @@ LegacyGPU = [
"MacBookPro8,1", # Intel 3000
"MacBookPro8,2", # Intel 3000 + AMD 6000
"MacBookPro8,3", # Intel 3000 + AMD 6000
"MacBookPro9,1", # Intel 4000 + Nvidia 650M
"MacBookPro9,2", # Intel 4000
"MacBookPro10,1", # Intel 4000 + Nvidia 650M
"MacBookPro10,2", # Intel 4000
"Macmini3,1", # Nvidia 9000
"Macmini4,1", # Nvidia 300
"Macmini5,1", # Intel 3000
"Macmini5,2", # AMD 6000
"Macmini5,3", # Intel 3000
"Macmini6,1", # Intel 4000
"Macmini6,2", # Intel 4000
"iMac7,1", # AMD 2000
"iMac8,1", # Nvidia and AMD 2400
"iMac9,1", # Nvidia 9000
@@ -420,8 +425,6 @@ LegacyGPU = [
"iMac11,3", # AMD 5000
"iMac12,1", # AMD 6000
"iMac12,2", # AMD 6000
"iMac13,1", # Intel 4000
"iMac13,3", # Intel 4000
"Dortania1,1" # RTX 3080
]
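Review bot: `ModernGPU` has no comment saying what separates it from `LegacyGPU` beyond the per-model GPU notes, even though membership in it now selects different SIP/SecureBootModel defaults in the patcher; a header comment such as `# Intel HD 4000 models handled separately from LegacyGPU (the patcher relaxes SIP/SecureBootModel defaults for these) — confirm the Metal distinction` above the list would make the move self-explanatory. The same Intel 4000 entries are removed from `LegacyGPU` in the later hunks, so a model must not appear in both; a check next to the definitions, `assert not set(ModernGPU) & set(LegacyGPU)`, keeps that invariant visible. `LegacyGPU` opens in the first hunk but its body spans the later ones.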


@@ -430,7 +430,12 @@ class PatchSysVolume:
if self.sip_enabled is True:
print("\nCannot patch!!! Please disable SIP!!!")
print("Disable SIP in Patcher Settings and Rebuild OpenCore")
print("For Hackintoshes, set SIP to EF0F0000")
print("Ensure the following bits are set for csr-active-config:\n")
if self.constants.detected_os > self.constants.catalina:
sip = self.constants.root_patch_sip_big_sur
else:
sip = self.constants.root_patch_sip_mojave
print("\n".join(sip))
if self.sbm_enabled is True:
print("\nCannot patch!!! Please disable SecureBootModel!!!")
print("Disable SecureBootModel in Patcher Settings and Rebuild OpenCore")
@@ -441,7 +446,7 @@ class PatchSysVolume:
if self.amfi_enabled is True and self.amfi_must_disable is True:
print("\nCannot patch!!! Please disable AMFI!!!")
print("For Hackintoshes, please add amfi_getOut_of_my_way=0x1 to boot-args")
print("For Hackintoshes, please add amfi_get_out_of_my_way=1 to boot-args")
if self.amfi_must_disable is True:
if self.sip_enabled is True or \
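Review bot: The guard at the top of the first hunk tests only the boolean `self.sip_enabled`, yet the text it now prints lists several distinct csr bits from `root_patch_sip_big_sur`/`root_patch_sip_mojave`; how `sip_enabled` is derived is outside the hunk, but if it collapses csr-active-config to a single flag, a configuration with SIP partly relaxed but missing one listed bit passes this check and fails later in patching. Comparing the actual csr-active-config bits against the chosen list and naming the missing ones would make the message actionable. The printed names also omit their bit values, so `print("\n".join(sip))` could show `NAME (0x...)` pairs if the values in the `csr_values` comments were stored as data. The enclosing method starts and ends outside the hunk.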


@@ -65,7 +65,10 @@ def patching_status():
amfi_enabled = True # Apple Mobile File Integrity
fv_enabled = True # FileVault
if get_nvram("boot-args", decode=False) and "amfi_get_out_of_my_way=" in get_nvram("boot-args", decode=False):
amfi_1 = "amfi_get_out_of_my_way=0x1"
amfi_2 = "amfi_get_out_of_my_way=1"
if get_nvram("boot-args", decode=False) and (amfi_1 in get_nvram("boot-args", decode=False) or amfi_2 in get_nvram("boot-args", decode=False)):
amfi_enabled = False
if get_nvram("HardwareModel", "94B73556-2197-4702-82A8-3E1337DAFBFB", decode=False) not in Constants.Constants().sbm_values:
sbm_enabled = False
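Review bot: The new condition calls `get_nvram("boot-args", decode=False)` three times on one line; read it once: `boot_args = get_nvram("boot-args", decode=False)` followed by `if boot_args and any(a in boot_args for a in (amfi_1, amfi_2)):`. Substring matching also accepts any longer token that starts with `amfi_get_out_of_my_way=1` (for example `=10`), so testing exact tokens, `set(boot_args.split()) & {amfi_1, amfi_2}`, is stricter — assuming `decode=False` yields a str here, which this hunk does not show. `patching_status` starts and ends outside the hunk.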