Clean up AMFI and SIP checks

Mykola Grymalyuk
2021-06-13 09:48:21 -06:00
parent df8d95b815
commit 5d6587100e
7 changed files with 79 additions and 35 deletions


@@ -22,7 +22,18 @@ class OpenCoreLegacyPatcher():
if (dgpu_vendor == self.constants.pci_amd_ati and (dgpu_device in PCIIDArray.amd_ids().polaris_ids or dgpu_device in PCIIDArray.amd_ids().vega_ids or dgpu_device in PCIIDArray.amd_ids().navi_ids or dgpu_device in PCIIDArray.amd_ids().legacy_gcn_ids)) or (dgpu_vendor == self.constants.pci_nvidia and dgpu_device in PCIIDArray.nvidia_ids().kepler_ids): if (dgpu_vendor == self.constants.pci_amd_ati and (dgpu_device in PCIIDArray.amd_ids().polaris_ids or dgpu_device in PCIIDArray.amd_ids().vega_ids or dgpu_device in PCIIDArray.amd_ids().navi_ids or dgpu_device in PCIIDArray.amd_ids().legacy_gcn_ids)) or (dgpu_vendor == self.constants.pci_nvidia and dgpu_device in PCIIDArray.nvidia_ids().kepler_ids):
self.constants.sip_status = True self.constants.sip_status = True
self.constants.secure_status = True self.constants.secure_status = False
self.constants.disable_amfi = False
else:
self.constants.sip_status = False
self.constants.secure_status = False
self.constants.disable_amfi = True
if self.current_model in ModelArray.ModernGPU:
if self.model in ["iMac13,1", "iMac13,3"]:
dgpu_vendor,dgpu_device,dgpu_acpi = DeviceProbe.pci_probe().gpu_probe("GFX0")
if not dgpu_vendor:
self.constants.sip_status = False
self.constants.secure_status = False
else: else:
self.constants.sip_status = False self.constants.sip_status = False
self.constants.secure_status = False self.constants.secure_status = False
@@ -100,6 +111,7 @@ system_profiler SPHardwareDataType | grep 'Model Identifier'
[f"Set Vault Mode:\t\t\tCurrently {self.constants.vault}", CliMenu.MenuOptions(self.constants.custom_model or self.current_model, self.constants).change_vault], [f"Set Vault Mode:\t\t\tCurrently {self.constants.vault}", CliMenu.MenuOptions(self.constants.custom_model or self.current_model, self.constants).change_vault],
[f"Allow FireWire Boot:\t\tCurrently {self.constants.firewire_boot}", CliMenu.MenuOptions(self.constants.custom_model or self.current_model, self.constants).allow_firewire], [f"Allow FireWire Boot:\t\tCurrently {self.constants.firewire_boot}", CliMenu.MenuOptions(self.constants.custom_model or self.current_model, self.constants).allow_firewire],
[f"Allow NVMe Boot:\t\t\tCurrently {self.constants.nvme_boot}", CliMenu.MenuOptions(self.constants.custom_model or self.current_model, self.constants).allow_nvme], [f"Allow NVMe Boot:\t\t\tCurrently {self.constants.nvme_boot}", CliMenu.MenuOptions(self.constants.custom_model or self.current_model, self.constants).allow_nvme],
[f"Disable AMFI:\t\t\tCurrently {self.constants.disable_amfi}", CliMenu.MenuOptions(self.constants.custom_model or self.current_model, self.constants).set_amfi],
[f"Set SIP and SecureBootModel:\tSIP: {self.constants.sip_status} SBM: {self.constants.secure_status}", CliMenu.MenuOptions(self.constants.custom_model or self.current_model, self.constants).change_sip], [f"Set SIP and SecureBootModel:\tSIP: {self.constants.sip_status} SBM: {self.constants.secure_status}", CliMenu.MenuOptions(self.constants.custom_model or self.current_model, self.constants).change_sip],
[f"Allow OpenCore on native Models:\tCurrently {self.constants.allow_oc_everywhere}", CliMenu.MenuOptions(self.constants.custom_model or self.current_model, self.constants).allow_native_models], [f"Allow OpenCore on native Models:\tCurrently {self.constants.allow_oc_everywhere}", CliMenu.MenuOptions(self.constants.custom_model or self.current_model, self.constants).allow_native_models],
[f"Advanced Patch Settings, for developers only", self.advanced_patcher_settings], [f"Advanced Patch Settings, for developers only", self.advanced_patcher_settings],
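Review bot: The added iMac13 branch tests `self.model`, while every other line in this section uses `self.current_model`. Unless `model` is assigned on OpenCoreLegacyPatcher outside the hunk, that line raises AttributeError on exactly the machines it targets, and `if self.current_model in ["iMac13,1", "iMac13,3"]:` looks like what was meant. Separately, the supported-dGPU branch now sets `secure_status = False` while leaving SIP enabled, which lowers the SecureBootModel default on machines that need no root patching; a one-line comment stating the reason would help. Indentation is lost on this page, so the nesting of the new `if`/`else` lines should be checked against the file.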


@@ -388,8 +388,10 @@ class BuildOpenCore:
self.config["DeviceProperties"]["Add"][self.gfx0_path] = {"agdpmod": "vit9696"} self.config["DeviceProperties"]["Add"][self.gfx0_path] = {"agdpmod": "vit9696"}
if self.model in ["iMac13,1", "iMac13,2", "iMac13,3"]: if self.model in ["iMac13,1", "iMac13,2", "iMac13,3"]:
print("- Fixing sleep support in macOS 12") dgpu_vendor,dgpu_device,dgpu_acpi = DeviceProbe.pci_probe().gpu_probe("GFX0")
self.config["DeviceProperties"]["Add"]["PciRoot(0x0)/Pci(0x2,0x0)"] = {"name": binascii.unhexlify("23646973706C6179"), "IOName": "#display", "class-code": binascii.unhexlify("FFFFFFFF")} if dgpu_vendor:
print("- Fixing sleep support in macOS 12")
self.config["DeviceProperties"]["Add"]["PciRoot(0x0)/Pci(0x2,0x0)"] = {"name": binascii.unhexlify("23646973706C6179"), "IOName": "#display", "class-code": binascii.unhexlify("FFFFFFFF")}
# Audio Patch # Audio Patch
if self.model in ModelArray.LegacyAudio: if self.model in ModelArray.LegacyAudio:
@@ -603,6 +605,8 @@ class BuildOpenCore:
print("- Disabling SIP") print("- Disabling SIP")
self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["csr-active-config"] = binascii.unhexlify("EF0F0000") self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["csr-active-config"] = binascii.unhexlify("EF0F0000")
self.config["NVRAM"]["Delete"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"] += ["csr-active-config"] self.config["NVRAM"]["Delete"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"] += ["csr-active-config"]
if self.constants.disable_amfi is True:
print("- Disabling AMFI")
self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["boot-args"] += " amfi_get_out_of_my_way=1" self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["boot-args"] += " amfi_get_out_of_my_way=1"
if self.constants.secure_status is False: if self.constants.secure_status is False:
print("- Disabling SecureBootModel") print("- Disabling SecureBootModel")
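Review bot: `DeviceProbe.pci_probe().gpu_probe("GFX0")` presumably inspects the machine running the patcher, whereas `self.model` is the build target and the settings menu in this commit allows a custom model. A config built for an iMac13,x from another host could therefore silently lose the sleep fix. Consider probing only when the target is the host and keeping the previous unconditional behaviour otherwise. `dgpu_device` and `dgpu_acpi` are unused in this hunk, so `dgpu_vendor, _, _ = ...` would make that explicit. In the AMFI hunk, `if self.constants.disable_amfi:` reads more simply than `is True`; since indentation is lost on this page, confirm the new check is not nested under the SIP branch it was meant to be separated from.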


@@ -172,10 +172,6 @@ Note: For security reasons, OpenShell will be disabled when Vault is set.
however to patch the root volume both of these must be disabled. however to patch the root volume both of these must be disabled.
Only disable is absolutely necessary. SIP value = 0xFEF Only disable is absolutely necessary. SIP value = 0xFEF
Note: for minor changes, SIP can be adjusted in recovery like normal.
Additionally, when disabling SIP via the patcher amfi_get_out_of_my_way=1
will be added to boot-args.
Valid options: Valid options:
1. Enable Both 1. Enable Both
@@ -200,6 +196,21 @@ Valid options:
else: else:
print("Invalid option") print("Invalid option")
def set_amfi(self):
Utilities.cls()
Utilities.header(["Disable AMFI"])
print("""Required for Root Patching non-Metal GPUs
in macOS Big Sur. Without this, will receive kernel panic once
Patcher finishes installing legacy acceleration patches.
""")
change_menu = input("Disable AMFI(y/n): ")
if change_menu in {"y", "Y", "yes", "Yes"}:
self.constants.disable_amfi = True
elif change_menu in {"n", "N", "no", "No"}:
self.constants.disable_amfi = False
else:
print("Invalid option")
def change_imac_nvidia(self): def change_imac_nvidia(self):
Utilities.cls() Utilities.cls()
Utilities.header(["Assume Metal GPU Always"]) Utilities.header(["Assume Metal GPU Always"])
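Review bot: The new `set_amfi` screen explains when AMFI has to be off but not what turning it off costs, and the first hunk deletes the only help text that named `amfi_get_out_of_my_way=1`. AMFI enforces code-signing and entitlement checks system-wide, so the prompt should say so and name the boot-arg being written, for example `Adds amfi_get_out_of_my_way=1 to boot-args, which turns off code-signature enforcement. Leave AMFI enabled unless root patching a non-Metal GPU.` The method also has no docstring; `"""Prompt for the AMFI toggle and store it in constants.disable_amfi."""` matches what the body does. An unrecognised answer prints "Invalid option" and returns with the setting unchanged, which is worth stating there too.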


@@ -84,6 +84,7 @@ class Constants:
self.apecid_support = False self.apecid_support = False
self.firewire_boot = False self.firewire_boot = False
self.nvme_boot = False self.nvme_boot = False
self.disable_amfi = False
# OS Versions # OS Versions
self.tiger = 8 self.tiger = 8
@@ -362,27 +363,32 @@ class Constants:
def skylight_path(self): return self.payload_apple_private_frameworks_path_accel / Path("SkyLight.framework") def skylight_path(self): return self.payload_apple_private_frameworks_path_accel / Path("SkyLight.framework")
csr_values = { csr_values = {
"CSR_ALLOW_UNTRUSTED_KEXTS": False, # 0x1 - Introduced in El Capitan # noqa: E241 "CSR_ALLOW_UNTRUSTED_KEXTS": False, # 0x1 - Allows Unsigned Kexts - Introduced in El Capitan # noqa: E241
"CSR_ALLOW_UNRESTRICTED_FS": False, # 0x2 - Introduced in El Capitan # noqa: E241 "CSR_ALLOW_UNRESTRICTED_FS": False, # 0x2 - File System Access - Introduced in El Capitan # noqa: E241
"CSR_ALLOW_TASK_FOR_PID": False, # 0x4 - Introduced in El Capitan # noqa: E241 "CSR_ALLOW_TASK_FOR_PID": False, # 0x4 - Unrestricted Debugging - Introduced in El Capitan # noqa: E241
"CSR_ALLOW_KERNEL_DEBUGGER": False, # 0x8 - Introduced in El Capitan # noqa: E241 "CSR_ALLOW_KERNEL_DEBUGGER": False, # 0x8 - Allow Kernel Debugger - Introduced in El Capitan # noqa: E241
"CSR_ALLOW_APPLE_INTERNAL": False, # 0x10 - Introduced in El Capitan # noqa: E241 "CSR_ALLOW_APPLE_INTERNAL": False, # 0x10 - Set AppleInternal Features - Introduced in El Capitan # noqa: E241
"CSR_ALLOW_UNRESTRICTED_DTRACE": False, # 0x20 - Introduced in El Capitan # noqa: E241 "CSR_ALLOW_UNRESTRICTED_DTRACE": False, # 0x20 - Unrestricted DTrace usage - Introduced in El Capitan # noqa: E241
"CSR_ALLOW_UNRESTRICTED_NVRAM": False, # 0x40 - Introduced in El Capitan # noqa: E241 "CSR_ALLOW_UNRESTRICTED_NVRAM": False, # 0x40 - Unrestricted NVRAM write - Introduced in El Capitan # noqa: E241
"CSR_ALLOW_DEVICE_CONFIGURATION": False, # 0x80 - Introduced in El Capitan # noqa: E241 "CSR_ALLOW_DEVICE_CONFIGURATION": False, # 0x80 - Allow Device Configuration(?) - Introduced in El Capitan # noqa: E241
"CSR_ALLOW_ANY_RECOVERY_OS": False, # 0x100 - Introduced in Sierra # noqa: E241 "CSR_ALLOW_ANY_RECOVERY_OS": False, # 0x100 - Disable BaseSystem Verification - Introduced in Sierra # noqa: E241
"CSR_ALLOW_UNAPPROVED_KEXTS": False, # 0x200 - Introduced in High Sierra # noqa: E241 "CSR_ALLOW_UNAPPROVED_KEXTS": False, # 0x200 - Allow Unapproved Kexts - Introduced in High Sierra # noqa: E241
"CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE": False, # 0x400 - Introduced in Mojave # noqa: E241 "CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE": False, # 0x400 - Override Executable Policy - Introduced in Mojave # noqa: E241
"CSR_ALLOW_UNAUTHENTICATED_ROOT": False, # 0x800 - Introduced in Big Sur # noqa: E241 "CSR_ALLOW_UNAUTHENTICATED_ROOT": False, # 0x800 - Allow Root Volume Mounting - Introduced in Big Sur # noqa: E241
} }
root_patch_sip_mojave = [
# Variables required to root patch in Mojave and Catalina
"CSR_ALLOW_UNTRUSTED_KEXTS",
"CSR_ALLOW_UNRESTRICTED_FS",
"CSR_ALLOW_UNAPPROVED_KEXTS",
"CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE",
]
root_patch_sip_big_sur = [ root_patch_sip_big_sur = [
# Variables required to root patch in Big Sur and Monterey # Variables required to root patch in Big Sur and Monterey
"CSR_ALLOW_UNTRUSTED_KEXTS", "CSR_ALLOW_UNTRUSTED_KEXTS",
"CSR_ALLOW_UNRESTRICTED_FS", "CSR_ALLOW_UNRESTRICTED_FS",
"CSR_ALLOW_UNRESTRICTED_DTRACE",
"CSR_ALLOW_UNRESTRICTED_NVRAM",
"CSR_ALLOW_DEVICE_CONFIGURATION",
"CSR_ALLOW_UNAPPROVED_KEXTS", "CSR_ALLOW_UNAPPROVED_KEXTS",
"CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE", "CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE",
"CSR_ALLOW_UNAUTHENTICATED_ROOT", "CSR_ALLOW_UNAUTHENTICATED_ROOT",
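Review bot: The SIP mask written at build time no longer matches what these lists declare as required. The hunk header's line counts only fit if the DTRACE, NVRAM and DEVICE_CONFIGURATION entries are removals, which leaves `root_patch_sip_big_sur` at 0xE03 by the bit values in the comments (0x603 for the Mojave list). BuildOpenCore in this commit still writes `EF0F0000`, and the menu text still says `SIP value = 0xFEF`, which additionally permits task_for_pid, the kernel debugger, DTrace, NVRAM writes, device configuration and any recovery OS. Deriving the written value from these lists would keep machines at the narrowest mask root patching needs; that means storing the bit values in code, since `csr_values` holds only booleans and the bits live in comments. The list's closing bracket is outside the hunk, so these totals assume no further entries follow.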


@@ -375,6 +375,19 @@ nvidiaHDEF = [
# GPU # GPU
ModernGPU = [
"MacBookAir5,1", # Intel 4000
"MacBookAir5,2", # Intel 4000
"MacBookPro9,1", # Intel 4000 + Nvidia 650M
"MacBookPro9,2", # Intel 4000
"MacBookPro10,1", # Intel 4000 + Nvidia 650M
"MacBookPro10,2", # Intel 4000
"Macmini6,1", # Intel 4000
"Macmini6,2", # Intel 4000
"iMac13,1", # Intel 4000
"iMac13,3", # Intel 4000
]
LegacyGPU = [ LegacyGPU = [
"MacBook4,1", # GMA X3100 "MacBook4,1", # GMA X3100
"MacBook5,1", # Nvidia 9000 "MacBook5,1", # Nvidia 9000
@@ -386,8 +399,6 @@ LegacyGPU = [
"MacBookAir3,2", # Nvidia 300 "MacBookAir3,2", # Nvidia 300
"MacBookAir4,1", # Intel 3000 "MacBookAir4,1", # Intel 3000
"MacBookAir4,2", # Intel 3000 "MacBookAir4,2", # Intel 3000
"MacBookAir5,1", # Intel 4000
"MacBookAir5,2", # Intel 4000
"MacBookPro4,1", # Nvidia 8000 "MacBookPro4,1", # Nvidia 8000
"MacBookPro5,1", # Nvidia 9000 "MacBookPro5,1", # Nvidia 9000
"MacBookPro5,2", # Nvidia 9000 "MacBookPro5,2", # Nvidia 9000
@@ -400,17 +411,11 @@ LegacyGPU = [
"MacBookPro8,1", # Intel 3000 "MacBookPro8,1", # Intel 3000
"MacBookPro8,2", # Intel 3000 + AMD 6000 "MacBookPro8,2", # Intel 3000 + AMD 6000
"MacBookPro8,3", # Intel 3000 + AMD 6000 "MacBookPro8,3", # Intel 3000 + AMD 6000
"MacBookPro9,1", # Intel 4000 + Nvidia 650M
"MacBookPro9,2", # Intel 4000
"MacBookPro10,1", # Intel 4000 + Nvidia 650M
"MacBookPro10,2", # Intel 4000
"Macmini3,1", # Nvidia 9000 "Macmini3,1", # Nvidia 9000
"Macmini4,1", # Nvidia 300 "Macmini4,1", # Nvidia 300
"Macmini5,1", # Intel 3000 "Macmini5,1", # Intel 3000
"Macmini5,2", # AMD 6000 "Macmini5,2", # AMD 6000
"Macmini5,3", # Intel 3000 "Macmini5,3", # Intel 3000
"Macmini6,1", # Intel 4000
"Macmini6,2", # Intel 4000
"iMac7,1", # AMD 2000 "iMac7,1", # AMD 2000
"iMac8,1", # Nvidia and AMD 2400 "iMac8,1", # Nvidia and AMD 2400
"iMac9,1", # Nvidia 9000 "iMac9,1", # Nvidia 9000
@@ -420,8 +425,6 @@ LegacyGPU = [
"iMac11,3", # AMD 5000 "iMac11,3", # AMD 5000
"iMac12,1", # AMD 6000 "iMac12,1", # AMD 6000
"iMac12,2", # AMD 6000 "iMac12,2", # AMD 6000
"iMac13,1", # Intel 4000
"iMac13,3", # Intel 4000
"Dortania1,1" # RTX 3080 "Dortania1,1" # RTX 3080
] ]


@@ -430,7 +430,12 @@ class PatchSysVolume:
if self.sip_enabled is True: if self.sip_enabled is True:
print("\nCannot patch!!! Please disable SIP!!!") print("\nCannot patch!!! Please disable SIP!!!")
print("Disable SIP in Patcher Settings and Rebuild OpenCore") print("Disable SIP in Patcher Settings and Rebuild OpenCore")
print("For Hackintoshes, set SIP to EF0F0000") print("Ensure the following bits are set for csr-active-config:\n")
if self.constants.detected_os > self.constants.catalina:
sip = self.constants.root_patch_sip_big_sur
else:
sip = self.constants.root_patch_sip_mojave
print("\n".join(sip))
if self.sbm_enabled is True: if self.sbm_enabled is True:
print("\nCannot patch!!! Please disable SecureBootModel!!!") print("\nCannot patch!!! Please disable SecureBootModel!!!")
print("Disable SecureBootModel in Patcher Settings and Rebuild OpenCore") print("Disable SecureBootModel in Patcher Settings and Rebuild OpenCore")
@@ -441,7 +446,7 @@ class PatchSysVolume:
if self.amfi_enabled is True and self.amfi_must_disable is True: if self.amfi_enabled is True and self.amfi_must_disable is True:
print("\nCannot patch!!! Please disable AMFI!!!") print("\nCannot patch!!! Please disable AMFI!!!")
print("For Hackintoshes, please add amfi_getOut_of_my_way=0x1 to boot-args") print("For Hackintoshes, please add amfi_get_out_of_my_way=1 to boot-args")
if self.amfi_must_disable is True: if self.amfi_must_disable is True:
if self.sip_enabled is True or \ if self.sip_enabled is True or \
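Review bot: The replacement message in the first hunk prints CSR flag names only, so someone setting `csr-active-config` by hand (the audience of the line it replaces) gets no value to enter. Printing the combined mask for the selected list beside the names would keep the guidance actionable without steering users back to the broader `EF0F0000`. The local name `sip` holds a list of required flag names, so something like `required_bits` would read more clearly. The enclosing method starts and ends outside both hunks.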


@@ -65,7 +65,10 @@ def patching_status():
amfi_enabled = True # Apple Mobile File Integrity amfi_enabled = True # Apple Mobile File Integrity
fv_enabled = True # FileVault fv_enabled = True # FileVault
if get_nvram("boot-args", decode=False) and "amfi_get_out_of_my_way=" in get_nvram("boot-args", decode=False): amfi_1 = "amfi_get_out_of_my_way=0x1"
amfi_2 = "amfi_get_out_of_my_way=1"
if get_nvram("boot-args", decode=False) and (amfi_1 in get_nvram("boot-args", decode=False) or amfi_2 in get_nvram("boot-args", decode=False)):
amfi_enabled = False amfi_enabled = False
if get_nvram("HardwareModel", "94B73556-2197-4702-82A8-3E1337DAFBFB", decode=False) not in Constants.Constants().sbm_values: if get_nvram("HardwareModel", "94B73556-2197-4702-82A8-3E1337DAFBFB", decode=False) not in Constants.Constants().sbm_values:
sbm_enabled = False sbm_enabled = False