From 5d6587100ea98933547f18a4fd92450fab5c4040 Mon Sep 17 00:00:00 2001 From: Mykola Grymalyuk <48863253+khronokernel@users.noreply.github.com> Date: Sun, 13 Jun 2021 09:48:21 -0600 Subject: [PATCH] Clean up AMFI and SIP checks --- OpenCore-Patcher.command | 14 +++++++++++++- Resources/Build.py | 8 ++++++-- Resources/CliMenu.py | 19 +++++++++++++++---- Resources/Constants.py | 36 +++++++++++++++++++++--------------- Resources/ModelArray.py | 23 +++++++++++++---------- Resources/SysPatch.py | 9 +++++++-- Resources/Utilities.py | 5 ++++- 7 files changed, 79 insertions(+), 35 deletions(-) diff --git a/OpenCore-Patcher.command b/OpenCore-Patcher.command index efb5493da..6a543c23e 100755 --- a/OpenCore-Patcher.command +++ b/OpenCore-Patcher.command @@ -22,7 +22,18 @@ class OpenCoreLegacyPatcher(): if (dgpu_vendor == self.constants.pci_amd_ati and (dgpu_device in PCIIDArray.amd_ids().polaris_ids or dgpu_device in PCIIDArray.amd_ids().vega_ids or dgpu_device in PCIIDArray.amd_ids().navi_ids or dgpu_device in PCIIDArray.amd_ids().legacy_gcn_ids)) or (dgpu_vendor == self.constants.pci_nvidia and dgpu_device in PCIIDArray.nvidia_ids().kepler_ids): self.constants.sip_status = True - self.constants.secure_status = True + self.constants.secure_status = False + self.constants.disable_amfi = False + else: + self.constants.sip_status = False + self.constants.secure_status = False + self.constants.disable_amfi = True + if self.current_model in ModelArray.ModernGPU: + if self.model in ["iMac13,1", "iMac13,3"]: + dgpu_vendor,dgpu_device,dgpu_acpi = DeviceProbe.pci_probe().gpu_probe("GFX0") + if not dgpu_vendor: + self.constants.sip_status = False + self.constants.secure_status = False else: self.constants.sip_status = False self.constants.secure_status = False 
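Review bot: The new `ModernGPU` branch tests `self.model in ["iMac13,1", "iMac13,3"]`, while the line directly above it and the other visible code in this class use `self.current_model`. Unless `OpenCoreLegacyPatcher` defines `model` elsewhere, this raises AttributeError on ModernGPU machines, and the line should read `if self.current_model in ["iMac13,1", "iMac13,3"]:`. Separately, the Metal-dGPU branch now sets `secure_status = False` where it was `True`, so SecureBootModel is off by default even on machines that keep SIP on. The commit message gives no reason, so a comment such as `# SecureBootModel off because <reason>` would let a reader judge whether the weaker default is intended. The enclosing method starts outside the hunk.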
@@ -100,6 +111,7 @@ system_profiler SPHardwareDataType | grep 'Model Identifier' [f"Set Vault Mode:\t\t\tCurrently {self.constants.vault}", CliMenu.MenuOptions(self.constants.custom_model or self.current_model, self.constants).change_vault], [f"Allow FireWire Boot:\t\tCurrently {self.constants.firewire_boot}", CliMenu.MenuOptions(self.constants.custom_model or self.current_model, self.constants).allow_firewire], [f"Allow NVMe Boot:\t\t\tCurrently {self.constants.nvme_boot}", CliMenu.MenuOptions(self.constants.custom_model or self.current_model, self.constants).allow_nvme], + [f"Disable AMFI:\t\t\tCurrently {self.constants.disable_amfi}", CliMenu.MenuOptions(self.constants.custom_model or self.current_model, self.constants).set_amfi], [f"Set SIP and SecureBootModel:\tSIP: {self.constants.sip_status} SBM: {self.constants.secure_status}", CliMenu.MenuOptions(self.constants.custom_model or self.current_model, self.constants).change_sip], [f"Allow OpenCore on native Models:\tCurrently {self.constants.allow_oc_everywhere}", CliMenu.MenuOptions(self.constants.custom_model or self.current_model, self.constants).allow_native_models], [f"Advanced Patch Settings, for developers only", self.advanced_patcher_settings], diff --git a/Resources/Build.py b/Resources/Build.py index 729d05f41..ee2f15243 100644 --- a/Resources/Build.py +++ b/Resources/Build.py 
@@ -388,8 +388,10 @@ class BuildOpenCore: self.config["DeviceProperties"]["Add"][self.gfx0_path] = {"agdpmod": "vit9696"} if self.model in ["iMac13,1", "iMac13,2", "iMac13,3"]: - print("- Fixing sleep support in macOS 12") - self.config["DeviceProperties"]["Add"]["PciRoot(0x0)/Pci(0x2,0x0)"] = {"name": binascii.unhexlify("23646973706C6179"), "IOName": "#display", "class-code": binascii.unhexlify("FFFFFFFF")} + dgpu_vendor,dgpu_device,dgpu_acpi = DeviceProbe.pci_probe().gpu_probe("GFX0") + if dgpu_vendor: + print("- Fixing sleep support in macOS 12") + self.config["DeviceProperties"]["Add"]["PciRoot(0x0)/Pci(0x2,0x0)"] = {"name": binascii.unhexlify("23646973706C6179"), "IOName": "#display", "class-code": binascii.unhexlify("FFFFFFFF")} # Audio Patch if self.model in ModelArray.LegacyAudio: @@ -603,6 +605,8 @@ class BuildOpenCore: print("- Disabling SIP") self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["csr-active-config"] = binascii.unhexlify("EF0F0000") self.config["NVRAM"]["Delete"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"] += ["csr-active-config"] + if self.constants.disable_amfi is True: + print("- Disabling AMFI") self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["boot-args"] += " amfi_get_out_of_my_way=1" if self.constants.secure_status is False: print("- Disabling SecureBootModel") diff --git a/Resources/CliMenu.py b/Resources/CliMenu.py index 0d6fbdf21..8c0c805e0 100644 --- a/Resources/CliMenu.py +++ b/Resources/CliMenu.py @@ -172,10 +172,6 @@ Note: For security reasons, OpenShell will be disabled when Vault is set. however to patch the root volume both of these must be disabled. Only disable is absolutely necessary. SIP value = 0xFEF -Note: for minor changes, SIP can be adjusted in recovery like normal. -Additionally, when disabling SIP via the patcher amfi_get_out_of_my_way=1 -will be added to boot-args. - Valid options: 1. Enable Both 
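Review bot: `DeviceProbe.pci_probe().gpu_probe("GFX0")` appears to inspect the machine running the patcher, while this block is keyed on `self.model`, which the menu code (`self.constants.custom_model or self.current_model`) suggests can differ from the host. If so, building an iMac13,x config on another Mac decides the `#display` sleep fix from the wrong hardware. At minimum add a comment above the probe, e.g. `# Probe reflects the host GPU, not necessarily self.model; the sleep fix is only wanted when a dGPU is present`. `dgpu_device` and `dgpu_acpi` are unused here and could be bound to `_`.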
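Review bot: With AMFI now on its own flag, the SIP branch just above still writes `csr-active-config` as `EF0F0000` (0xFEF, as the CliMenu text states), while this same commit trims `root_patch_sip_big_sur` to five flags that add up to 0xE03 going by the values in the `csr_values` comments. The build therefore keeps relaxing more SIP protections (task_for_pid, kernel debugger, DTrace, NVRAM, device configuration, recovery OS) than the patcher says root patching needs. Consider deriving the written value from that list, or add a comment next to `EF0F0000` explaining why the broader mask stays. A comment on the new branch, e.g. `# amfi_get_out_of_my_way=1 turns off AMFI enforcement for the whole boot; set only when root patching requires it`, would also make the cost of the flag visible.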
@@ -200,6 +196,21 @@ Valid options: else: print("Invalid option") + def set_amfi(self): + Utilities.cls() + Utilities.header(["Disable AMFI"]) + print("""Required for Root Patching non-Metal GPUs +in macOS Big Sur. Without this, will receive kernel panic once +Patcher finishes installing legacy acceleration patches. + """) + change_menu = input("Disable AMFI(y/n): ") + if change_menu in {"y", "Y", "yes", "Yes"}: + self.constants.disable_amfi = True + elif change_menu in {"n", "N", "no", "No"}: + self.constants.disable_amfi = False + else: + print("Invalid option") + def change_imac_nvidia(self): Utilities.cls() Utilities.header(["Assume Metal GPU Always"]) diff --git a/Resources/Constants.py b/Resources/Constants.py index 9fc062a53..b35ef0d6e 100644 --- a/Resources/Constants.py +++ b/Resources/Constants.py @@ -84,6 +84,7 @@ class Constants: self.apecid_support = False self.firewire_boot = False self.nvme_boot = False + self.disable_amfi = False # OS Versions self.tiger = 8 
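Review bot: `set_amfi` accepts only eight exact spellings, so `YES` or an answer with a trailing space falls through to "Invalid option" and the flag silently keeps its old value. Normalising once, `change_menu = input("Disable AMFI(y/n): ").strip().lower()`, and then testing `in {"y", "yes"}` / `in {"n", "no"}` removes the case variants. The help text says when the option is required but not what it costs. A sentence such as `Disabling AMFI removes code-signing enforcement system-wide; leave it enabled unless root patching needs it.` would match the caution the SIP screen already gives. The method also has no docstring; one line stating that it only toggles `constants.disable_amfi` for the next build would do.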
@@ -362,27 +363,32 @@ class Constants: def skylight_path(self): return self.payload_apple_private_frameworks_path_accel / Path("SkyLight.framework") csr_values = { - "CSR_ALLOW_UNTRUSTED_KEXTS": False, # 0x1 - Introduced in El Capitan # noqa: E241 - "CSR_ALLOW_UNRESTRICTED_FS": False, # 0x2 - Introduced in El Capitan # noqa: E241 - "CSR_ALLOW_TASK_FOR_PID": False, # 0x4 - Introduced in El Capitan # noqa: E241 - "CSR_ALLOW_KERNEL_DEBUGGER": False, # 0x8 - Introduced in El Capitan # noqa: E241 - "CSR_ALLOW_APPLE_INTERNAL": False, # 0x10 - Introduced in El Capitan # noqa: E241 - "CSR_ALLOW_UNRESTRICTED_DTRACE": False, # 0x20 - Introduced in El Capitan # noqa: E241 - "CSR_ALLOW_UNRESTRICTED_NVRAM": False, # 0x40 - Introduced in El Capitan # noqa: E241 - "CSR_ALLOW_DEVICE_CONFIGURATION": False, # 0x80 - Introduced in El Capitan # noqa: E241 - "CSR_ALLOW_ANY_RECOVERY_OS": False, # 0x100 - Introduced in Sierra # noqa: E241 - "CSR_ALLOW_UNAPPROVED_KEXTS": False, # 0x200 - Introduced in High Sierra # noqa: E241 - "CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE": False, # 0x400 - Introduced in Mojave # noqa: E241 - "CSR_ALLOW_UNAUTHENTICATED_ROOT": False, # 0x800 - Introduced in Big Sur # noqa: E241 + "CSR_ALLOW_UNTRUSTED_KEXTS": False, # 0x1 - Allows Unsigned Kexts - Introduced in El Capitan # noqa: E241 + "CSR_ALLOW_UNRESTRICTED_FS": False, # 0x2 - File System Access - Introduced in El Capitan # noqa: E241 + "CSR_ALLOW_TASK_FOR_PID": False, # 0x4 - Unrestricted Debugging - Introduced in El Capitan # noqa: E241 + "CSR_ALLOW_KERNEL_DEBUGGER": False, # 0x8 - Allow Kernel Debugger - Introduced in El Capitan # noqa: E241 + "CSR_ALLOW_APPLE_INTERNAL": False, # 0x10 - Set AppleInternal Features - Introduced in El Capitan # noqa: E241 + "CSR_ALLOW_UNRESTRICTED_DTRACE": False, # 0x20 - Unrestricted DTrace usage - Introduced in El Capitan # noqa: E241 + "CSR_ALLOW_UNRESTRICTED_NVRAM": False, # 0x40 - Unrestricted NVRAM write - Introduced in El Capitan # noqa: E241 + 
"CSR_ALLOW_DEVICE_CONFIGURATION": False, # 0x80 - Allow Device Configuration(?) - Introduced in El Capitan # noqa: E241 + "CSR_ALLOW_ANY_RECOVERY_OS": False, # 0x100 - Disable BaseSystem Verification - Introduced in Sierra # noqa: E241 + "CSR_ALLOW_UNAPPROVED_KEXTS": False, # 0x200 - Allow Unapproved Kexts - Introduced in High Sierra # noqa: E241 + "CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE": False, # 0x400 - Override Executable Policy - Introduced in Mojave # noqa: E241 + "CSR_ALLOW_UNAUTHENTICATED_ROOT": False, # 0x800 - Allow Root Volume Mounting - Introduced in Big Sur # noqa: E241 } + root_patch_sip_mojave = [ + # Variables required to root patch in Mojave and Catalina + "CSR_ALLOW_UNTRUSTED_KEXTS", + "CSR_ALLOW_UNRESTRICTED_FS", + "CSR_ALLOW_UNAPPROVED_KEXTS", + "CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE", + ] + root_patch_sip_big_sur = [ # Variables required to root patch in Big Sur and Monterey "CSR_ALLOW_UNTRUSTED_KEXTS", "CSR_ALLOW_UNRESTRICTED_FS", - "CSR_ALLOW_UNRESTRICTED_DTRACE", - "CSR_ALLOW_UNRESTRICTED_NVRAM", - "CSR_ALLOW_DEVICE_CONFIGURATION", "CSR_ALLOW_UNAPPROVED_KEXTS", "CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE", "CSR_ALLOW_UNAUTHENTICATED_ROOT", diff --git a/Resources/ModelArray.py b/Resources/ModelArray.py index fbe7c2156..772d2c43c 100644 --- a/Resources/ModelArray.py +++ b/Resources/ModelArray.py @@ -375,6 +375,19 @@ nvidiaHDEF = [ # GPU +ModernGPU = [ + "MacBookAir5,1", # Intel 4000 + "MacBookAir5,2", # Intel 4000 + "MacBookPro9,1", # Intel 4000 + Nvidia 650M + "MacBookPro9,2", # Intel 4000 + "MacBookPro10,1", # Intel 4000 + Nvidia 650M + "MacBookPro10,2", # Intel 4000 + "Macmini6,1", # Intel 4000 + "Macmini6,2", # Intel 4000 + "iMac13,1", # Intel 4000 + "iMac13,3", # Intel 4000 +] + LegacyGPU = [ "MacBook4,1", # GMA X3100 "MacBook5,1", # Nvidia 9000 
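Review bot: The new comment on `CSR_ALLOW_UNAUTHENTICATED_ROOT` ("Allow Root Volume Mounting") understates the bit, which permits booting from a root volume whose seal is not verified. A more accurate comment is `# 0x800 - Allow booting an unsealed (unauthenticated) root volume - Introduced in Big Sur`. `root_patch_sip_mojave` and `root_patch_sip_big_sur` would also benefit from a comment giving the resulting mask (0x603 and 0xE03 from the values listed in `csr_values`), since SysPatch.py prints only the names. The big_sur list runs past the end of the hunk, so the second figure assumes it has no further entries.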
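Review bot: Moving the ten Intel 4000 models out of `LegacyGPU` (see also the hunks at -386, -400 and -420) changes the result of every `in ModelArray.LegacyGPU` test for them, and this patch updates only one call site, in OpenCore-Patcher.command, to consult `ModernGPU`. Other users of `LegacyGPU` are not visible here, so it is worth confirming that none of them still expect these models. A comment above the new list stating its membership rule, e.g. `# Metal-capable models that may still need <condition>`, would make the split self-explanatory.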
@@ -386,8 +399,6 @@ LegacyGPU = [ "MacBookAir3,2", # Nvidia 300 "MacBookAir4,1", # Intel 3000 "MacBookAir4,2", # Intel 3000 - "MacBookAir5,1", # Intel 4000 - "MacBookAir5,2", # Intel 4000 "MacBookPro4,1", # Nvidia 8000 "MacBookPro5,1", # Nvidia 9000 "MacBookPro5,2", # Nvidia 9000 @@ -400,17 +411,11 @@ LegacyGPU = [ "MacBookPro8,1", # Intel 3000 "MacBookPro8,2", # Intel 3000 + AMD 6000 "MacBookPro8,3", # Intel 3000 + AMD 6000 - "MacBookPro9,1", # Intel 4000 + Nvidia 650M - "MacBookPro9,2", # Intel 4000 - "MacBookPro10,1", # Intel 4000 + Nvidia 650M - "MacBookPro10,2", # Intel 4000 "Macmini3,1", # Nvidia 9000 "Macmini4,1", # Nvidia 300 "Macmini5,1", # Intel 3000 "Macmini5,2", # AMD 6000 "Macmini5,3", # Intel 3000 - "Macmini6,1", # Intel 4000 - "Macmini6,2", # Intel 4000 "iMac7,1", # AMD 2000 "iMac8,1", # Nvidia and AMD 2400 "iMac9,1", # Nvidia 9000 @@ -420,8 +425,6 @@ LegacyGPU = [ "iMac11,3", # AMD 5000 "iMac12,1", # AMD 6000 "iMac12,2", # AMD 6000 - "iMac13,1", # Intel 4000 - "iMac13,3", # Intel 4000 "Dortania1,1" # RTX 3080 ] diff --git a/Resources/SysPatch.py b/Resources/SysPatch.py index c0dc3e7a1..b32f1ea6d 100644 --- a/Resources/SysPatch.py +++ b/Resources/SysPatch.py @@ -430,7 +430,12 @@ class PatchSysVolume: if self.sip_enabled is True: print("\nCannot patch!!! Please disable SIP!!!") print("Disable SIP in Patcher Settings and Rebuild OpenCore") - print("For Hackintoshes, set SIP to EF0F0000") + print("Ensure the following bits are set for csr-active-config:\n") + if self.constants.detected_os > self.constants.catalina: + sip = self.constants.root_patch_sip_big_sur + else: + sip = self.constants.root_patch_sip_mojave + print("\n".join(sip)) if self.sbm_enabled is True: print("\nCannot patch!!! Please disable SecureBootModel!!!") print("Disable SecureBootModel in Patcher Settings and Rebuild OpenCore") 
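Review bot: In the SysPatch.py hunk the message asks the user to set bits in `csr-active-config` but prints only the flag names, leaving the hex value to be worked out by hand, which makes it tempting to fall back to a wider mask than needed. Printing the value next to the names closes that gap: `mask = sum(1 << i for i, name in enumerate(self.constants.csr_values) if name in sip)` followed by `print(f"csr-active-config mask: {mask:#x}")`. This relies on `csr_values` being declared in bit order, as its comments indicate. The enclosing method starts before the hunk and continues after it.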
@@ -441,7 +446,7 @@ class PatchSysVolume: if self.amfi_enabled is True and self.amfi_must_disable is True: print("\nCannot patch!!! Please disable AMFI!!!") - print("For Hackintoshes, please add amfi_getOut_of_my_way=0x1 to boot-args") + print("For Hackintoshes, please add amfi_get_out_of_my_way=1 to boot-args") if self.amfi_must_disable is True: if self.sip_enabled is True or \ diff --git a/Resources/Utilities.py b/Resources/Utilities.py index 7fb3cab41..d26b574fd 100644 --- a/Resources/Utilities.py +++ b/Resources/Utilities.py @@ -65,7 +65,10 @@ def patching_status(): amfi_enabled = True # Apple Mobile File Integrity fv_enabled = True # FileVault - if get_nvram("boot-args", decode=False) and "amfi_get_out_of_my_way=" in get_nvram("boot-args", decode=False): + amfi_1 = "amfi_get_out_of_my_way=0x1" + amfi_2 = "amfi_get_out_of_my_way=1" + + if get_nvram("boot-args", decode=False) and (amfi_1 in get_nvram("boot-args", decode=False) or amfi_2 in get_nvram("boot-args", decode=False)): amfi_enabled = False if get_nvram("HardwareModel", "94B73556-2197-4702-82A8-3E1337DAFBFB", decode=False) not in Constants.Constants().sbm_values: sbm_enabled = False
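Review bot: In the Utilities.py hunk the AMFI test is still a substring match, so `amfi_2` also matches a value such as `amfi_get_out_of_my_way=10`, and `get_nvram("boot-args", decode=False)` now runs up to three times for one decision. The result appears to feed the root-patch checks in SysPatch.py, so compare whole arguments and read NVRAM once: `boot_args = get_nvram("boot-args", decode=False) or ""` then `if any(arg in (amfi_1, amfi_2) for arg in boot_args.split()):`. This assumes `get_nvram` returns a `str` here, as the existing `in` test implies. `patching_status` begins before the hunk and continues after it.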