From 8234738403b15ec30aeb6089660d11426c4c007e Mon Sep 17 00:00:00 2001
From: Mykola Grymalyuk <48863253+khronokernel@users.noreply.github.com>
Date: Sun, 19 Sep 2021 14:22:16 -0600
Subject: [PATCH] Remove AMFI requirement for root patching
---
OCLP-CLI.command | 28 +++++++++++-----------------
OpenCore-Patcher.command | 33 ++++++++++++++++-----------------
Resources/Build.py | 9 ++++++---
Resources/Constants.py | 1 +
Resources/Utilities.py | 23 +++++++++++++++++++----
payloads/Config/config.plist | 30 ++++++++++++++++++++++++++++++
6 files changed, 83 insertions(+), 41 deletions(-)
diff --git a/OCLP-CLI.command b/OCLP-CLI.command
index 53fc18059..bb033900c 100755
--- a/OCLP-CLI.command
+++ b/OCLP-CLI.command
@@ -48,7 +48,7 @@ class OpenCoreLegacyPatcher:
parser.add_argument("--firewire", help="Enable FireWire Booting", action="store_true", required=False)
parser.add_argument("--nvme", help="Enable NVMe Booting", action="store_true", required=False)
parser.add_argument("--wlan", help="Enable Wake on WLAN support", action="store_true", required=False)
- parser.add_argument("--disable_amfi", help="Disable AMFI", action="store_true", required=False)
+ # parser.add_argument("--disable_amfi", help="Disable AMFI", action="store_true", required=False)
parser.add_argument("--moderate_smbios", help="Moderate SMBIOS Patching", action="store_true", required=False)
parser.add_argument("--moj_cat_accel", help="Allow Root Patching on Mojave and Catalina", action="store_true", required=False)
parser.add_argument("--disable_thunderbolt", help="Disable Thunderbolt on 2013-2014 MacBook Pros", action="store_true", required=False)
@@ -115,9 +115,9 @@ class OpenCoreLegacyPatcher:
if args.nvme:
print("- Set NVMe Boot configuration")
self.constants.nvme_boot = True
- if args.disable_amfi:
- print("- Set Disable AMFI configuration")
- self.constants.amfi_status = False
+ # if args.disable_amfi:
+ # print("- Set Disable AMFI configuration")
+ # self.constants.amfi_status = False
if args.wlan:
print("- Set Wake on WLAN configuration")
self.constants.enable_wake_on_wlan = True
@@ -194,19 +194,13 @@ If you plan to create the USB for another machine, please select the "Change Mod
self.unpatch_vol()
def set_defaults(self, model, host_is_target):
+ if host_is_target:
+ if Utilities.check_metal_support(device_probe, self.computer) is False:
+ self.constants.disable_cs_lv = True
+ elif model in ModelArray.LegacyGPU:
+ self.constants.disable_cs_lv = True
if model in ModelArray.LegacyGPU:
- if (
- host_is_target
- and self.computer.dgpu
- and self.computer.dgpu.arch
- in [
- device_probe.AMD.Archs.Legacy_GCN,
- device_probe.AMD.Archs.Polaris,
- device_probe.AMD.Archs.Vega,
- device_probe.AMD.Archs.Navi,
- device_probe.NVIDIA.Archs.Kepler,
- ]
- ):
+ if Utilities.check_metal_support(device_probe, self.computer) is True:
print("- Detected Metal GPU, overriding default configuration")
# Building on device and we have a native, supported GPU
self.constants.sip_status = True
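Review bot: The rewritten condition `if Utilities.check_metal_support(device_probe, self.computer) is True:` under `if model in ModelArray.LegacyGPU:` no longer checks `host_is_target`, which the removed condition required. When building for a different model, `self.computer` still describes the build host, so a Metal-capable host would leave `sip_status = True` on a legacy-GPU target while the `elif` above sets `disable_cs_lv = True` for that same target. Restoring the guard, `if host_is_target and Utilities.check_metal_support(device_probe, self.computer):`, keeps the two security defaults consistent. The same applies to the matching set_defaults hunk in OpenCore-Patcher.command. The body of set_defaults continues outside this hunk, and the page has lost its indentation, so the nesting of the `elif` is read from context.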
@@ -226,7 +220,7 @@ If you plan to create the USB for another machine, please select the "Change Mod
self.constants.secure_status = False # Modified root volume
self.constants.allow_fv_root = True # Allow FileVault on broken seal
# self.constants.amfi_status = True # Signed bundles, Don't need to explicitly set currently
- if model == "MacBook8,1" and host_is_target:
+ if model == "MacBook8,1":
# MacBook8,1 has an odd bug where it cannot install Monterey with Minimal spoofing
self.constants.serial_settings == "Moderate"
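Review bot: The statement guarded by the changed condition, `self.constants.serial_settings == "Moderate"`, is a comparison whose result is discarded, so the MacBook8,1 workaround never takes effect whichever condition guards it. It should be an assignment: `self.constants.serial_settings = "Moderate"`.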
diff --git a/OpenCore-Patcher.command b/OpenCore-Patcher.command
index b776c7a9c..a1184dafd 100755
--- a/OpenCore-Patcher.command
+++ b/OpenCore-Patcher.command
@@ -26,19 +26,14 @@ class OpenCoreLegacyPatcher:
self.constants.secure_status = False # Default false for Monterey
self.constants.amfi_status = True
+ if host_is_target:
+ if Utilities.check_metal_support(device_probe, self.computer) is False:
+ self.constants.disable_cs_lv = True
+ elif model in ModelArray.LegacyGPU:
+ self.constants.disable_cs_lv = True
+
if model in ModelArray.LegacyGPU:
- if (
- host_is_target
- and self.computer.dgpu
- and self.computer.dgpu.arch
- in [
- device_probe.AMD.Archs.Legacy_GCN,
- device_probe.AMD.Archs.Polaris,
- device_probe.AMD.Archs.Vega,
- device_probe.AMD.Archs.Navi,
- device_probe.NVIDIA.Archs.Kepler,
- ]
- ):
+ if Utilities.check_metal_support(device_probe, self.computer) is True:
# Building on device and we have a native, supported GPU
self.constants.sip_status = True
# self.constants.secure_status = True # Monterey
@@ -78,7 +73,11 @@ class OpenCoreLegacyPatcher:
if Utilities.get_nvram("gpu-power-prefs", "FA4CE28D-B62F-4C99-9CC3-6815686E30F9", decode=True):
self.constants.allow_ts2_accel = False
- self.constants.latebloom_delay, self.constants.latebloom_range, self.constants.latebloom_debug = Utilities.latebloom_detection(model)
+ if self.constants.latebloom_delay == 0:
+ self.constants.latebloom_delay, self.constants.latebloom_range, self.constants.latebloom_debug = Utilities.latebloom_detection(model)
+
+ if Utilities.get_nvram("gpu-power-prefs", "FA4CE28D-B62F-4C99-9CC3-6815686E30F9", decode=True):
+ self.constants.allow_ts2_accel = False
# Check if running in RecoveryOS
self.constants.recovery_status = Utilities.check_recovery()
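Review bot: The added `gpu-power-prefs` block repeats the identical `Utilities.get_nvram(...)` test that sits directly above the latebloom change, so NVRAM is queried twice and `allow_ts2_accel` is set to the same value both times; drop the second copy. The new `if self.constants.latebloom_delay == 0:` guard would also benefit from a comment such as `# Only auto-detect when no delay was set explicitly`, assuming 0 is the unset default. That default is not visible in this hunk.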
@@ -172,10 +171,10 @@ system_profiler SPHardwareDataType | grep 'Model Identifier'
title = ["Adjust Security Settings"]
menu = Utilities.TUIMenu(title, "Please select an option: ", auto_number=True, top_level=True)
options = [
- [
- f"Set Apple Mobile File Integrity (AMFI):\tCurrently {self.constants.amfi_status}",
- CliMenu.MenuOptions(self.constants.custom_model or self.computer.real_model, self.constants).set_amfi,
- ],
+ # [
+ # f"Set Apple Mobile File Integrity (AMFI):\tCurrently {self.constants.amfi_status}",
+ # CliMenu.MenuOptions(self.constants.custom_model or self.computer.real_model, self.constants).set_amfi,
+ # ],
[
f"Set System Intrgity Protection (SIP):\tCurrently {self.constants.sip_status}",
CliMenu.MenuOptions(self.constants.custom_model or self.computer.real_model, self.constants).change_sip,
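Review bot: With the AMFI entry commented out, nothing visible in this menu reports or toggles `disable_cs_lv`, the setting that now decides whether Library Validation is patched out at boot. Someone reviewing "Adjust Security Settings" should be able to see that state next to SIP, for example through an entry labelled `f"Set Library Validation patch:\tCurrently {self.constants.disable_cs_lv}"` with a matching handler. The options list continues past the hunk, so confirm no such entry exists further down. The commented-out block is better deleted than kept, since version control retains it.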
diff --git a/Resources/Build.py b/Resources/Build.py
index 55aceed4e..2c14fe203 100644
--- a/Resources/Build.py
+++ b/Resources/Build.py
@@ -670,9 +670,12 @@ class BuildOpenCore:
print("- Disabling SIP")
self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["csr-active-config"] = binascii.unhexlify("EF0F0000")
self.config["NVRAM"]["Delete"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"] += ["csr-active-config"]
- if self.constants.amfi_status is False:
- print("- Disabling AMFI")
- self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["boot-args"] += " amfi_get_out_of_my_way=1"
+ # if self.constants.amfi_status is False:
+ # print("- Disabling AMFI")
+ # self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["boot-args"] += " amfi_get_out_of_my_way=1"
+ if self.constants.disable_cs_lv is True:
+ print("- Disabling Library Validation")
+ self.get_item_by_kv(self.config["Kernel"]["Patch"], "Comment", "Disable Library Validation Enforcement")["Enabled"] = True
if self.constants.secure_status is False:
print("- Disabling SecureBootModel")
self.config["Misc"]["Security"]["SecureBootModel"] = "Disabled"
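Review bot: The new line indexes the result of `self.get_item_by_kv(...)` directly, keyed on the literal comment text "Disable Library Validation Enforcement" from config.plist. If the helper returns `None` when nothing matches (its definition is outside this hunk), any edit to that comment surfaces as an opaque `TypeError` during the build. Look the entry up first and fail with a clear message: `patch = self.get_item_by_kv(...)` followed by `if patch is None: raise Exception("Library Validation patch missing from config.plist")`. The commented-out AMFI block above it can simply be deleted.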
diff --git a/Resources/Constants.py b/Resources/Constants.py
index 837d0ed30..f6f038939 100644
--- a/Resources/Constants.py
+++ b/Resources/Constants.py
@@ -115,6 +115,7 @@ class Constants:
self.sip_status = True # System Integrity Protection
self.secure_status = False # Secure Boot Model
self.vault = False # EFI Vault
+ self.disable_cs_lv = False # Disable Library validation
## OS Settings
self.os_support = 12.0
diff --git a/Resources/Utilities.py b/Resources/Utilities.py
index f4e359616..03317207b 100644
--- a/Resources/Utilities.py
+++ b/Resources/Utilities.py
@@ -19,7 +19,7 @@ except ImportError:
except ImportError:
raise Exception("Missing requests library!\nPlease run the following before starting OCLP:\npip3 install requests")
-from Resources import Constants, ioreg
+from Resources import Constants, ioreg, device_probe
def hexswap(input_hex: str):
@@ -144,8 +144,8 @@ def check_oclp_boot():
def check_monterey_wifi():
- IO80211ElCap = "com.apple.iokit.IO80211ElCap (1110.26)"
- CoreCaptureElCap = "com.apple.driver.corecaptureElCap (1.0.4)"
+ IO80211ElCap = "com.apple.iokit.IO80211ElCap"
+ CoreCaptureElCap = "com.apple.driver.corecaptureElCap"
loaded_kexts: str = subprocess.run("kextcache".split(), stdout=subprocess.PIPE, stderr=subprocess.STDOUT).stdout.decode()
if IO80211ElCap in loaded_kexts and CoreCaptureElCap in loaded_kexts:
return True
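Review bot: `loaded_kexts` is filled by running `kextcache` with no arguments, which to my knowledge does not list loaded kexts (that is the job of `kextstat`), so the substring test this hunk loosens may never match; worth confirming on a patched system. Dropping the version suffix also turns the check into a plain substring match on the bundle identifier, which deserves a short comment such as `# Match any version of the ElCap kexts`.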
@@ -153,6 +153,19 @@ def check_monterey_wifi():
return False
+def check_metal_support(device_probe, computer):
+ dgpu = computer.dgpu
+ igpu = computer.igpu
+ if (
+ (dgpu and dgpu.arch in [device_probe.NVIDIA.Archs.Tesla, device_probe.NVIDIA.Archs.Fermi, device_probe.AMD.Archs.TeraScale_1, device_probe.AMD.Archs.TeraScale_2])
+ or (igpu and igpu.arch in [device_probe.Intel.Archs.Iron_Lake, device_probe.Intel.Archs.Sandy_Bridge])
+ or isinstance(igpu, device_probe.NVIDIA)
+ ):
+ return False
+ else:
+ return True
+
+
def patching_status(os_sip, os):
# Detection for Root Patching
sip_enabled = True # System Integrity Protection
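Review bot: `check_metal_support` has no docstring, and its contract is not obvious: it is a deny-list, so a machine where neither `dgpu` nor `igpu` was detected, or whose arch is not listed, is reported as Metal-capable. Callers use the result to pick SIP and Library Validation defaults, so state that explicitly, e.g. `"""Return False if a known non-Metal GPU is present; unknown or undetected GPUs count as Metal-capable."""`. The `device_probe` parameter also shadows the module this commit imports at the top of Utilities.py; using the import and dropping the parameter at both call sites would remove the duplication. The reason an `igpu` that is an instance of `device_probe.NVIDIA` counts as non-Metal deserves a one-line comment.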
@@ -164,7 +177,8 @@ def patching_status(os_sip, os):
gen6_kext = "/System/Library/Extension/AppleIntelHDGraphics.kext"
gen7_kext = "/System/Library/Extension/AppleIntelHD3000Graphics.kext"
- if os > Constants.Constants().catalina:
+ if os > Constants.Constants().catalina and not check_oclp_boot():
+ # Assume non-OCLP Macs don't patch _cs_require_lv
amfi_enabled = amfi_status()
else:
# Catalina and older supports individually disabling Library Validation
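Review bot: The added `and not check_oclp_boot()` treats every OCLP boot as having `_cs_require_lv` patched, but Build.py in this commit enables that patch only when `disable_cs_lv` is True. An OCLP-booted machine built without the patch therefore skips the `amfi_status()` check and falls into the branch written for Catalina and older. Whether that branch reports the right state cannot be told from this hunk, because the `else` body lies outside it. The comment would be more accurate as `# OCLP boots may patch _cs_require_lv, so AMFI can stay enabled; other boots still need it disabled`, and the condition would be sturdier if it reflected whether the patch is actually active rather than only whether OCLP is the bootloader.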
@@ -261,6 +275,7 @@ def enable_apfs(fw_feature, fw_mask):
fw_mask |= 2 ** 19
return fw_feature, fw_mask
+
# def menu(title, prompt, menu_options, add_quit=True, auto_number=False, in_between=[], top_level=False):
# return_option = ["Q", "Quit", None] if top_level else ["B", "Back", None]
# if add_quit: menu_options.append(return_option)
diff --git a/payloads/Config/config.plist b/payloads/Config/config.plist
index 8f9758574..03130a5cf 100644
--- a/payloads/Config/config.plist
+++ b/payloads/Config/config.plist
@@ -1062,6 +1062,36 @@
Skip
0
+
+ Arch
+ x86_64
+ Base
+ _cs_require_lv
+ Comment
+ Disable Library Validation Enforcement
+ Count
+ 0
+ Enabled
+
+ Find
+
+ Identifier
+ kernel
+ Limit
+ 0
+ Mask
+
+ MaxKernel
+
+ MinKernel
+ 18.0.0
+ Replace
+ uAAAAADD
+ ReplaceMask
+
+ Skip
+ 0
+
Quirks
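Review bot: The value of `Enabled` for the new `_cs_require_lv` entry is not visible in this rendering; it needs to be false in the shipped config.plist, because Build.py only ever sets it to True when `disable_cs_lv` is chosen. If it defaulted to true, every build would disable Library Validation kernel-wide, including on Metal-capable machines where this commit intends to leave it enforced. `MaxKernel` is also left empty, so the patch applies to every kernel from 18.0.0 onwards, including future releases where the code at `_cs_require_lv` may differ; consider pinning it to the newest kernel that was tested.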