Drop reliance on amfi_get_out_of_my_way=0x1

resources/amfi_detect.py

@@ -0,0 +1,107 @@
+# Determine AppleMobileFileIntegrity's OS configuration
+
+from resources import utilities
+
+class amfi_configuration_detection:
+
+    def __init__(self):
+        self.AMFI_ALLOW_TASK_FOR_PID =      False
+        self.AMFI_ALLOW_INVALID_SIGNATURE = False
+        self.AMFI_LV_ENFORCE_THIRD_PARTY =  False
+        self.AMFI_ALLOW_EVERYTHING =        False
+        self.SKIP_LIBRARY_VALIDATION =      False
+
+        self.boot_args = []
+        self.oclp_args = []
+
+        self.init_nvram_dicts()
+
+        self.parse_amfi_bitmask()
+        self.parse_amfi_boot_args()
+        self.parse_oclp_configuration()
+
+
+    def init_nvram_dicts(self):
+        boot_args = utilities.get_nvram("boot-args", decode=True)
+        oclp_args = utilities.get_nvram("OCLP-Settings", "4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102", decode=True)
+
+        if boot_args:
+            self.boot_args = boot_args.split(" ")
+
+        if oclp_args:
+            self.oclp_args = oclp_args.split(" ")
+
+
+    def parse_amfi_bitmask(self):
+        # See data/amfi_data.py for more information
+        amfi_value = 0
+        for arg in self.boot_args:
+            if arg.startswith("amfi="):
+                try:
+                    amfi_value = arg.split("=")
+                    if len(amfi_value) != 2:
+                        return
+                    amfi_value = amfi_value[1]
+                    if amfi_value.startswith("0x"):
+                        amfi_value = int(amfi_value, 16)
+                    else:
+                        amfi_value = int(amfi_value)
+                except:
+                    return
+                break
+
+        if amfi_value == 0:
+            return
+
+        if amfi_value & 0x1:
+            self.AMFI_ALLOW_TASK_FOR_PID = True
+        if amfi_value & 0x2:
+            self.AMFI_ALLOW_INVALID_SIGNATURE = True
+        if amfi_value & 0x4:
+            self.AMFI_LV_ENFORCE_THIRD_PARTY = True
+        if amfi_value & 0x80:
+            self.AMFI_ALLOW_EVERYTHING = True
+            self.SKIP_LIBRARY_VALIDATION = True
+            self.AMFI_ALLOW_INVALID_SIGNATURE = True
+
+
+    def parse_amfi_boot_args(self):
+        for arg in self.boot_args:
+            if arg.startswith("amfi_unrestrict_task_for_pid"):
+                value = arg.split("=")
+                if len(value) == 2:
+                    if value[1] in ["0x1", "1"]:
+                        self.AMFI_ALLOW_TASK_FOR_PID = True
+            elif arg.startswith("amfi_allow_any_signature"):
+                value = arg.split("=")
+                if len(value) == 2:
+                    if value[1] in ["0x1", "1"]:
+                        self.AMFI_ALLOW_INVALID_SIGNATURE = True
+            elif arg.startswith("amfi_get_out_of_my_way"):
+                value = arg.split("=")
+                if len(value) == 2:
+                    if value[1] in ["0x1", "1"]:
+                        self.AMFI_ALLOW_EVERYTHING = True
+                        self.SKIP_LIBRARY_VALIDATION = True
+                        self.AMFI_ALLOW_INVALID_SIGNATURE = True
+
+
+    def parse_oclp_configuration(self):
+        if "-allow_amfi" in self.oclp_args:
+            self.SKIP_LIBRARY_VALIDATION = True
+
+
+    def check_config(self, level):
+        # Levels:
+        # - 1. Library Validation (Monterey and Older)
+        # - 2. Library Validation and Signature Checks (Ventura and Newer)
+
+        if level > 2 or level < 1:
+            raise ValueError("Invalid AMFI Configuration Level")
+
+        if level == 1:
+            return self.SKIP_LIBRARY_VALIDATION
+        if level == 2:
+            return bool(self.SKIP_LIBRARY_VALIDATION and self.AMFI_ALLOW_INVALID_SIGNATURE)
+
+        return False

resources/build.py

@@ -995,7 +995,7 @@ class BuildOpenCore:
                 self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["csr-active-config"] = utilities.string_to_hex(self.constants.custom_sip_value.lstrip("0x"))
             elif self.constants.sip_status is False:
                 print("- Set SIP to allow Root Volume patching")
-                self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["csr-active-config"] = binascii.unhexlify("030A0000")
+                self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["csr-active-config"] = binascii.unhexlify("03080000")
 
         # if self.constants.amfi_status is False:
         #     print("- Disabling AMFI")
@@ -1004,8 +1004,9 @@ class BuildOpenCore:
             print("- Disabling Library Validation")
             # In Ventura, LV patch broke. For now, add AMFI arg
             # Before merging into mainline, this needs to be resolved
-            # self.get_item_by_kv(self.config["Kernel"]["Patch"], "Comment", "Disable Library Validation Enforcement")["Enabled"] = True
-            self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["boot-args"] += " amfi_get_out_of_my_way=0x1"
+            self.get_item_by_kv(self.config["Kernel"]["Patch"], "Comment", "Disable Library Validation Enforcement")["Enabled"] = True
+            self.get_item_by_kv(self.config["Kernel"]["Patch"], "Comment", "Disable _csr_check() in _vnode_check_signature")["Enabled"] = True
+            self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["boot-args"] += " amfi=0x2"
             self.config["NVRAM"]["Add"]["4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102"]["OCLP-Settings"] += " -allow_amfi"
             # CSLVFixup simply patches out __RESTRICT and __restrict out of the Music.app Binary
             # Ref: https://pewpewthespells.com/blog/blocking_code_injection_on_ios_and_os_x.html

resources/cli_menu.py

@@ -173,7 +173,7 @@ Note: For security reasons, OpenShell will be disabled when Vault is set.
         print(
             f"""SIP is used to ensure proper security measures are set,
 however to patch the root volume this must be lowered partially.
-Only disable is absolutely necessary. SIP value = 0xA03
+Only disable is absolutely necessary. SIP value = 0x803
 
 Valid options:
 
@@ -819,7 +819,7 @@ Note: This option should only be flipped under the following circumstances:
         print(
             """
 By default OCLP will use the SIP value of 0x00 as the enabled and
-0xA03 for machines that require root patching. For users who wish
+0x803 for machines that require root patching. For users who wish
 to flip additional bits in SIP may use this option.
 
 To disable SIP outright, set it to 0xFEF

resources/defaults.py

@@ -125,8 +125,6 @@ class generate_defaults:
         if "-v" in (utilities.get_nvram("boot-args") or ""):
             settings.verbose_debug = True
 
-        if utilities.amfi_status() is False:
-            settings.amfi_status = False
 
         if model in ["MacBookPro8,2", "MacBookPro8,3"]:
             # Users disabling TS2 most likely have a faulty dGPU

resources/sys_patch_detect.py

@@ -225,12 +225,18 @@ class detect_root_patch:
 
     def check_sip(self):
         if self.constants.detected_os > os_data.os_data.catalina:
-            if self.nvidia_web is True or self.constants.detected_os >= os_data.os_data.ventura:
+            if self.nvidia_web is True:
                 sip = sip_data.system_integrity_protection.root_patch_sip_big_sur_3rd_part_kexts
                 sip_hex = "0xA03"
                 sip_value = (
                     f"For Hackintoshes, please set csr-active-config to '030A0000' ({sip_hex})\nFor non-OpenCore Macs, please run 'csrutil disable' and \n'csrutil authenticated-root disable' in RecoveryOS"
                 )
+            elif self.constants.detected_os >= os_data.os_data.ventura:
+                sip = sip_data.system_integrity_protection.root_patch_sip_ventura
+                sip_hex = "0x803"
+                sip_value = (
+                    f"For Hackintoshes, please set csr-active-config to '03080000' ({sip_hex})\nFor non-OpenCore Macs, please run 'csrutil disable' and \n'csrutil authenticated-root disable' in RecoveryOS"
+                )
             else:
                 sip = sip_data.system_integrity_protection.root_patch_sip_big_sur
                 sip_hex = "0x802"

resources/utilities.py

@@ -15,7 +15,7 @@ import atexit
 import requests
 import shutil
 
-from resources import constants, ioreg
+from resources import constants, ioreg, amfi_detect
 from data import sip_data, os_data
 
 
@@ -150,26 +150,6 @@ def enable_sleep_after_running():
         sleep_process.kill()
         sleep_process = None
 
-def amfi_status(fully_disabled=False):
-    amfi_args = [
-        "amfi_get_out_of_my_way=0x1",
-        "amfi_get_out_of_my_way=1",
-        "amfi=128",
-    ]
-
-    if fully_disabled is False:
-        # Library Validation based patch
-        oclp_guid = get_nvram("OCLP-Settings", "4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102", decode=True)
-        if oclp_guid:
-            if "-allow_amfi" in oclp_guid:
-                return False
-    boot_args = get_nvram("boot-args", decode=True)
-    if boot_args:
-        for arg in amfi_args:
-            if arg in boot_args:
-                return False
-    return True
-
 
 def check_kext_loaded(kext_name, os_version):
     if os_version > os_data.os_data.catalina:
@@ -278,10 +258,10 @@ def patching_status(os_sip, os):
     gen7_kext = "/System/Library/Extension/AppleIntelHD3000Graphics.kext"
 
     if os > os_data.os_data.catalina:
-        requires_full_amfi = False
+        amfi_level = 1
         if os >= os_data.os_data.ventura:
-            requires_full_amfi = True
-        amfi_enabled = amfi_status(fully_disabled=requires_full_amfi)
+            amfi_level = 2
+        amfi_enabled = not amfi_detect.amfi_configuration_detection().check_config(amfi_level)
     else:
         # Catalina and older supports individually disabling Library Validation
         amfi_enabled = False