Remove AMFI requirement for root patching

2026-04-13 20:28:21 +10:00 · 2021-09-19 14:22:16 -06:00
parent bf19adef35
commit 8234738403
6 changed files with 83 additions and 41 deletions
--- a/OCLP-CLI.command
+++ b/OCLP-CLI.command
@@ -48,7 +48,7 @@ class OpenCoreLegacyPatcher:
        parser.add_argument("--firewire", help="Enable FireWire Booting", action="store_true", required=False)
        parser.add_argument("--nvme", help="Enable NVMe Booting", action="store_true", required=False)
        parser.add_argument("--wlan", help="Enable Wake on WLAN support", action="store_true", required=False)
-        parser.add_argument("--disable_amfi", help="Disable AMFI", action="store_true", required=False)
+        # parser.add_argument("--disable_amfi", help="Disable AMFI", action="store_true", required=False)
        parser.add_argument("--moderate_smbios", help="Moderate SMBIOS Patching", action="store_true", required=False)
        parser.add_argument("--moj_cat_accel", help="Allow Root Patching on Mojave and Catalina", action="store_true", required=False)
        parser.add_argument("--disable_thunderbolt", help="Disable Thunderbolt on 2013-2014 MacBook Pros", action="store_true", required=False)
@@ -115,9 +115,9 @@ class OpenCoreLegacyPatcher:
        if args.nvme:
            print("- Set NVMe Boot configuration")
            self.constants.nvme_boot = True
-        if args.disable_amfi:
-            print("- Set Disable AMFI configuration")
-            self.constants.amfi_status = False
+        # if args.disable_amfi:
+        #     print("- Set Disable AMFI configuration")
+        #     self.constants.amfi_status = False
        if args.wlan:
            print("- Set Wake on WLAN configuration")
            self.constants.enable_wake_on_wlan = True
@@ -194,19 +194,13 @@ If you plan to create the USB for another machine, please select the "Change Mod
            self.unpatch_vol()

    def set_defaults(self, model, host_is_target):
+        if host_is_target:
+            if Utilities.check_metal_support(device_probe, self.computer) is False:
+                self.constants.disable_cs_lv = True
+        elif model in ModelArray.LegacyGPU:
+            self.constants.disable_cs_lv = True
        if model in ModelArray.LegacyGPU:
-            if (
-                host_is_target
-                and self.computer.dgpu
-                and self.computer.dgpu.arch
-                in [
-                    device_probe.AMD.Archs.Legacy_GCN,
-                    device_probe.AMD.Archs.Polaris,
-                    device_probe.AMD.Archs.Vega,
-                    device_probe.AMD.Archs.Navi,
-                    device_probe.NVIDIA.Archs.Kepler,
-                ]
-            ):
+            if Utilities.check_metal_support(device_probe, self.computer) is True:
                print("- Detected Metal GPU, overriding default configuration")
                # Building on device and we have a native, supported GPU
                self.constants.sip_status = True
@@ -226,7 +220,7 @@ If you plan to create the USB for another machine, please select the "Change Mod
                self.constants.secure_status = False  # Modified root volume
                self.constants.allow_fv_root = True  #  Allow FileVault on broken seal
                # self.constants.amfi_status = True  #  Signed bundles, Don't need to explicitly set currently
-        if model == "MacBook8,1" and host_is_target:
+        if model == "MacBook8,1":
            # MacBook8,1 has an odd bug where it cannot install Monterey with Minimal spoofing
            self.constants.serial_settings == "Moderate"

--- a/OpenCore-Patcher.command
+++ b/OpenCore-Patcher.command
@@ -26,19 +26,14 @@ class OpenCoreLegacyPatcher:
        self.constants.secure_status = False  # Default false for Monterey
        self.constants.amfi_status = True

+        if host_is_target:
+            if Utilities.check_metal_support(device_probe, self.computer) is False:
+                self.constants.disable_cs_lv = True
+        elif model in ModelArray.LegacyGPU:
+            self.constants.disable_cs_lv = True
+
        if model in ModelArray.LegacyGPU:
-            if (
-                host_is_target
-                and self.computer.dgpu
-                and self.computer.dgpu.arch
-                in [
-                    device_probe.AMD.Archs.Legacy_GCN,
-                    device_probe.AMD.Archs.Polaris,
-                    device_probe.AMD.Archs.Vega,
-                    device_probe.AMD.Archs.Navi,
-                    device_probe.NVIDIA.Archs.Kepler,
-                ]
-            ):
+            if Utilities.check_metal_support(device_probe, self.computer) is True:
                # Building on device and we have a native, supported GPU
                self.constants.sip_status = True
                # self.constants.secure_status = True  # Monterey
@@ -78,7 +73,11 @@ class OpenCoreLegacyPatcher:
        if Utilities.get_nvram("gpu-power-prefs", "FA4CE28D-B62F-4C99-9CC3-6815686E30F9", decode=True):
            self.constants.allow_ts2_accel = False

-        self.constants.latebloom_delay, self.constants.latebloom_range, self.constants.latebloom_debug = Utilities.latebloom_detection(model)
+        if self.constants.latebloom_delay == 0:
+            self.constants.latebloom_delay, self.constants.latebloom_range, self.constants.latebloom_debug = Utilities.latebloom_detection(model)
+        
+        if Utilities.get_nvram("gpu-power-prefs", "FA4CE28D-B62F-4C99-9CC3-6815686E30F9", decode=True):
+            self.constants.allow_ts2_accel = False

        # Check if running in RecoveryOS
        self.constants.recovery_status = Utilities.check_recovery()
@@ -172,10 +171,10 @@ system_profiler SPHardwareDataType | grep 'Model Identifier'
            title = ["Adjust Security Settings"]
            menu = Utilities.TUIMenu(title, "Please select an option: ", auto_number=True, top_level=True)
            options = [
-                [
-                    f"Set Apple Mobile File Integrity (AMFI):\tCurrently {self.constants.amfi_status}",
-                    CliMenu.MenuOptions(self.constants.custom_model or self.computer.real_model, self.constants).set_amfi,
-                ],
+                # [
+                #     f"Set Apple Mobile File Integrity (AMFI):\tCurrently {self.constants.amfi_status}",
+                #     CliMenu.MenuOptions(self.constants.custom_model or self.computer.real_model, self.constants).set_amfi,
+                # ],
                [
                    f"Set System Intrgity Protection (SIP):\tCurrently {self.constants.sip_status}",
                    CliMenu.MenuOptions(self.constants.custom_model or self.computer.real_model, self.constants).change_sip,
--- a/Resources/Build.py
+++ b/Resources/Build.py
@@ -670,9 +670,12 @@ class BuildOpenCore:
            print("- Disabling SIP")
            self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["csr-active-config"] = binascii.unhexlify("EF0F0000")
            self.config["NVRAM"]["Delete"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"] += ["csr-active-config"]
-        if self.constants.amfi_status is False:
-            print("- Disabling AMFI")
-            self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["boot-args"] += " amfi_get_out_of_my_way=1"
+        # if self.constants.amfi_status is False:
+        #     print("- Disabling AMFI")
+        #     self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["boot-args"] += " amfi_get_out_of_my_way=1"
+        if self.constants.disable_cs_lv is True:
+            print("- Disabling Library Validation")
+            self.get_item_by_kv(self.config["Kernel"]["Patch"], "Comment", "Disable Library Validation Enforcement")["Enabled"] = True
        if self.constants.secure_status is False:
            print("- Disabling SecureBootModel")
            self.config["Misc"]["Security"]["SecureBootModel"] = "Disabled"
--- a/Resources/Constants.py
+++ b/Resources/Constants.py
@@ -115,6 +115,7 @@ class Constants:
        self.sip_status = True  #      System Integrity Protection
        self.secure_status = False  #  Secure Boot Model
        self.vault = False  #          EFI Vault
+        self.disable_cs_lv = False  #  Disable Library validation

        ## OS Settings
        self.os_support = 12.0
--- a/Resources/Utilities.py
+++ b/Resources/Utilities.py
@@ -19,7 +19,7 @@ except ImportError:
    except ImportError:
        raise Exception("Missing requests library!\nPlease run the following before starting OCLP:\npip3 install requests")

-from Resources import Constants, ioreg
+from Resources import Constants, ioreg, device_probe


 def hexswap(input_hex: str):
@@ -144,8 +144,8 @@ def check_oclp_boot():


 def check_monterey_wifi():
-    IO80211ElCap = "com.apple.iokit.IO80211ElCap (1110.26)"
-    CoreCaptureElCap = "com.apple.driver.corecaptureElCap (1.0.4)"
+    IO80211ElCap = "com.apple.iokit.IO80211ElCap"
+    CoreCaptureElCap = "com.apple.driver.corecaptureElCap"
    loaded_kexts: str = subprocess.run("kextcache".split(), stdout=subprocess.PIPE, stderr=subprocess.STDOUT).stdout.decode()
    if IO80211ElCap in loaded_kexts and CoreCaptureElCap in loaded_kexts:
        return True
@@ -153,6 +153,19 @@ def check_monterey_wifi():
        return False


+def check_metal_support(device_probe, computer):
+    dgpu = computer.dgpu
+    igpu = computer.igpu
+    if (
+        (dgpu and dgpu.arch in [device_probe.NVIDIA.Archs.Tesla, device_probe.NVIDIA.Archs.Fermi, device_probe.AMD.Archs.TeraScale_1, device_probe.AMD.Archs.TeraScale_2])
+        or (igpu and igpu.arch in [device_probe.Intel.Archs.Iron_Lake, device_probe.Intel.Archs.Sandy_Bridge])
+        or isinstance(igpu, device_probe.NVIDIA)
+    ):
+        return False
+    else:
+        return True
+
+
 def patching_status(os_sip, os):
    # Detection for Root Patching
    sip_enabled = True  #  System Integrity Protection
@@ -164,7 +177,8 @@ def patching_status(os_sip, os):
    gen6_kext = "/System/Library/Extension/AppleIntelHDGraphics.kext"
    gen7_kext = "/System/Library/Extension/AppleIntelHD3000Graphics.kext"

-    if os > Constants.Constants().catalina:
+    if os > Constants.Constants().catalina and not check_oclp_boot():
+        # Assume non-OCLP Macs don't patch _cs_require_lv
        amfi_enabled = amfi_status()
    else:
        # Catalina and older supports individually disabling Library Validation
@@ -261,6 +275,7 @@ def enable_apfs(fw_feature, fw_mask):
    fw_mask |= 2 ** 19
    return fw_feature, fw_mask

+
 # def menu(title, prompt, menu_options, add_quit=True, auto_number=False, in_between=[], top_level=False):
 #     return_option = ["Q", "Quit", None] if top_level else ["B", "Back", None]
 #     if add_quit: menu_options.append(return_option)
--- a/payloads/Config/config.plist
+++ b/payloads/Config/config.plist
@@ -1062,6 +1062,36 @@
 				<key>Skip</key>
 				<integer>0</integer>
 			</dict>
+			<dict>
+				<key>Arch</key>
+				<string>x86_64</string>
+				<key>Base</key>
+				<string>_cs_require_lv</string>
+				<key>Comment</key>
+				<string>Disable Library Validation Enforcement</string>
+				<key>Count</key>
+				<integer>0</integer>
+				<key>Enabled</key>
+				<false/>
+				<key>Find</key>
+				<data></data>
+				<key>Identifier</key>
+				<string>kernel</string>
+				<key>Limit</key>
+				<integer>0</integer>
+				<key>Mask</key>
+				<data></data>
+				<key>MaxKernel</key>
+				<string></string>
+				<key>MinKernel</key>
+				<string>18.0.0</string>
+				<key>Replace</key>
+				<data>uAAAAADD</data>
+				<key>ReplaceMask</key>
+				<data></data>
+				<key>Skip</key>
+				<integer>0</integer>
+			</dict>
 		</array>
 		<key>Quirks</key>
 		<dict>