sys_patch: Add KDK-less support

Only Applicable for Kepler and Intel iGPUs at this time
2026-04-14 04:38:20 +10:00 · 2022-08-27 09:29:38 -06:00
parent ef0fe3d4be
commit b105a73a10
4 changed files with 89 additions and 23 deletions
--- a/data/sys_patch_dict.py
+++ b/data/sys_patch_dict.py
@@ -196,7 +196,7 @@ def SystemPatchDictionary(os_major, os_minor, non_metal_os_support):
                },
            },

-            "Metal 1 Common": {
+            "Metal 3802 Common": {
                "Display Name": "",
                "OS Support": {
                    "Minimum OS Support": {
--- a/resources/main.py
+++ b/resources/main.py
@@ -47,6 +47,10 @@ class OpenCoreLegacyPatcher:
        self.constants.unpack_thread.start()
        self.constants.commit_info = commit_info.commit_info(self.constants.launcher_binary).generate_commit_info()

+        # Now that we have commit info, update nightly link
+        if self.constants.commit_info[0] != "Running from source":
+            self.constants.installer_pkg_url_nightly = self.constants.installer_pkg_url_nightly.replace("main", self.constants.commit_info[0])
+
        defaults.generate_defaults.probe(self.computer.real_model, True, self.constants)

        if utilities.check_cli_args() is not None:
--- a/resources/sys_patch.py
+++ b/resources/sys_patch.py
@@ -32,6 +32,7 @@
 # This is because Apple removed on-disk binaries (ref: https://github.com/dortania/OpenCore-Legacy-Patcher/issues/998)
 #   'sudo ditto /Library/Developer/KDKs/<KDK Version>/System /System/Volumes/Update/mnt1/System'

+import plistlib
 import shutil
 import subprocess
 from pathlib import Path
@@ -60,6 +61,8 @@ class PatchSysVolume:
        self.hardware_details = hardware_details
        self.init_pathing(custom_root_mount_path=None, custom_data_mount_path=None)

+        self.skip_root_kmutil_requirement = self.hardware_details["Settings: Supports Auxiliary Cache"]
+
    def __del__(self):
        # Ensures that each time we're patching, we're using a clean repository
        if Path(self.constants.payload_local_binaries_root_path).exists():
@@ -106,6 +109,8 @@ class PatchSysVolume:
        return False

    def merge_kdk_with_root(self):
+        if self.skip_root_kmutil_requirement is True:
+            return
        if self.constants.detected_os < os_data.os_data.ventura:
            return
        if (Path(self.mount_location) / Path("System/Library/Extensions/System.kext/PlugIns/Libkern.kext/Libkern")).exists():
@@ -149,8 +154,23 @@ class PatchSysVolume:
                print("\nPlease reboot the machine for patches to take effect")

    def rebuild_snapshot(self):
-        print("- Rebuilding Kernel Cache (This may take some time)")
+        if self.rebuild_kernel_collection() is True:
+            self.update_preboot_kernel_cache()
+            self.rebuild_dyld_shared_cache()
+            if self.create_new_apfs_snapshot() is True:
+                print("- Patching complete")
+                print("\nPlease reboot the machine for patches to take effect")
+                if self.needs_kmutil_exemptions is True:
+                    print("Note: Apple will require you to open System Preferences -> Security to allow the new kernel extensions to be loaded")
+                self.constants.root_patcher_succeeded = True
+                if self.constants.gui_mode is False:
+                    input("\nPress [ENTER] to continue")

+    def rebuild_kernel_collection(self):
+        if self.skip_root_kmutil_requirement is True:
+            return True
+
+        print("- Rebuilding Kernel Cache (This may take some time)")
        if self.constants.detected_os > os_data.os_data.catalina:
            args = [
                "kmutil",
@@ -206,18 +226,10 @@ class PatchSysVolume:
            print("\nPlease reboot the machine to avoid potential issues rerunning the patcher")
            if self.constants.gui_mode is False:
                input("Press [ENTER] to continue")
-        else:
-            print("- Successfully built new kernel cache")
-            self.update_preboot_kernel_cache()
-            self.rebuild_dyld_shared_cache()
-            if self.create_new_apfs_snapshot() is True:
-                print("- Patching complete")
-                print("\nPlease reboot the machine for patches to take effect")
-                if self.needs_kmutil_exemptions is True:
-                    print("Note: Apple will require you to open System Preferences -> Security to allow the new kernel extensions to be loaded")
-                self.constants.root_patcher_succeeded = True
-                if self.constants.gui_mode is False:
-                    input("\nPress [ENTER] to continue")
+            return False
+
+        print("- Successfully built new kernel cache")
+        return True

    def create_new_apfs_snapshot(self):
        if self.root_supports_snapshot is True:
@@ -279,6 +291,46 @@ class PatchSysVolume:
                utilities.process_status(utilities.elevated(["rm", destination_path_file], stdout=subprocess.PIPE, stderr=subprocess.STDOUT))
            utilities.process_status(utilities.elevated(["cp", f"{self.constants.payload_path}/{file_name}", destination_path], stdout=subprocess.PIPE, stderr=subprocess.STDOUT))

+    def add_auxkc_support(self, install_file, source_folder_path, install_patch_directory, destination_folder_path):
+        # In macOS Ventura, KDKs are required to build new Boot and System KCs
+        # However for some patch sets, we're able to use the Auxiliary KCs with '/Library/Extensions'
+
+        # kernelmanagerd determines which kext is installed by their 'OSBundleRequired' entry
+        # If a kext is labeled as 'OSBundleRequired: Root' or 'OSBundleRequired: Safe Boot',
+        # kernelmanagerd will require the kext to be installed in the Boot/SysKC
+
+        # Additionally, kexts starting with 'com.apple.' are not natively allowed to be installed
+        # in the AuxKC. So we need to explicitly set our 'OSBundleRequired' to 'Auxiliary'
+
+        if self.skip_root_kmutil_requirement is False:
+            return destination_folder_path
+        if not install_file.endswith(".kext"):
+            return destination_folder_path
+        if install_patch_directory != "/System/Library/Extensions":
+            return destination_folder_path
+        if self.constants.detected_os < os_data.os_data.ventura:
+            return destination_folder_path
+
+        updated_install_location = str(self.mount_location_data) + "/Library/Extensions"
+
+        print(f"- Adding AuxKC support to {install_file}")
+        plist_path = Path(Path(source_folder_path) / Path(install_file) / Path("Contents/Info.plist"))
+        plist_data = plistlib.load((plist_path).open("rb"))
+
+        # Check if we need to update the 'OSBundleRequired' entry
+        if not plist_data["CFBundleIdentifier"].startswith("com.apple."):
+            return updated_install_location
+        if "OSBundleRequired" in plist_data:
+            if plist_data["OSBundleRequired"] == "Auxiliary":
+                return updated_install_location
+
+        plist_data["OSBundleRequired"] = "Auxiliary"
+        plistlib.dump(plist_data, plist_path.open("wb"))
+
+        self.constants.needs_to_open_preferences = True
+
+        return updated_install_location
+
    def patch_root_vol(self):
        print(f"- Running patches for {self.model}")
        if self.patch_set_dictionary != {}:
@@ -316,6 +368,7 @@ class PatchSysVolume:
                                if install_patch_directory == "/Library/Extensions":
                                    self.needs_kmutil_exemptions = True
                                destination_folder_path = str(self.mount_location_data) + install_patch_directory
+                            destination_folder_path = self.add_auxkc_support(install_file, source_folder_path, install_patch_directory, destination_folder_path)
                            self.install_new_file(source_folder_path, destination_folder_path, install_file)

            if "Processes" in required_patches[patch]:
--- a/resources/sys_patch_detect.py
+++ b/resources/sys_patch_detect.py
@@ -38,6 +38,7 @@ class detect_root_patch:
        self.amfi_must_disable   = False
        self.supports_metal      = False
        self.needs_nv_web_checks = False
+        self.requires_root_kc    = False

        # Validation Checks
        self.sip_enabled     = False
@@ -63,6 +64,7 @@ class detect_root_patch:
                        self.nvidia_tesla = True
                        self.amfi_must_disable = True
                        self.legacy_keyboard_backlight = self.check_legacy_keyboard_backlight()
+                        self.requires_root_kc = True
                elif gpu.arch == device_probe.NVIDIA.Archs.Kepler and self.constants.force_nv_web is False:
                    if self.constants.detected_os > os_data.os_data.big_sur:
                        # Kepler drivers were dropped with Beta 7
@@ -86,14 +88,17 @@ class detect_root_patch:
                        self.nvidia_web = True
                        self.amfi_must_disable = True
                        self.needs_nv_web_checks = True
+                        self.requires_root_kc = True
                elif gpu.arch == device_probe.AMD.Archs.TeraScale_1:
                    if self.constants.detected_os > non_metal_os:
                        self.amd_ts1 = True
                        self.amfi_must_disable = True
+                        self.requires_root_kc = True
                elif gpu.arch == device_probe.AMD.Archs.TeraScale_2:
                    if self.constants.detected_os > non_metal_os:
                        self.amd_ts2 = True
                        self.amfi_must_disable = True
+                        self.requires_root_kc = True
                elif gpu.arch in [
                    device_probe.AMD.Archs.Legacy_GCN_7000,
                    device_probe.AMD.Archs.Legacy_GCN_8000,
@@ -105,16 +110,19 @@ class detect_root_patch:
                            continue
                        self.legacy_gcn = True
                        self.supports_metal = True
+                        self.requires_root_kc = True
                elif gpu.arch == device_probe.Intel.Archs.Iron_Lake:
                    if self.constants.detected_os > non_metal_os:
                        self.iron_gpu = True
                        self.amfi_must_disable = True
                        self.legacy_keyboard_backlight = self.check_legacy_keyboard_backlight()
+                        self.requires_root_kc = True
                elif gpu.arch == device_probe.Intel.Archs.Sandy_Bridge:
                    if self.constants.detected_os > non_metal_os:
                        self.sandy_gpu = True
                        self.amfi_must_disable = True
                        self.legacy_keyboard_backlight = self.check_legacy_keyboard_backlight()
+                        self.requires_root_kc = True
                elif gpu.arch == device_probe.Intel.Archs.Ivy_Bridge:
                    if self.constants.detected_os > os_data.os_data.big_sur:
                        self.ivy_gpu = True
@@ -287,6 +295,7 @@ class detect_root_patch:
            "Miscellaneous: Legacy GMUX":                  self.legacy_gmux,
            "Miscellaneous: Legacy Keyboard Backlight":    self.legacy_keyboard_backlight,
            "Settings: Requires AMFI exemption":           self.amfi_must_disable,
+            "Settings: Supports Auxiliary Cache":          not self.requires_root_kc,
            "Validation: Patching Possible":               self.verify_patch_allowed(),
            f"Validation: SIP is enabled (Required: {self.check_sip()[2]} or higher)":  self.sip_enabled,
            f"Validation: Currently Booted SIP: ({hex(utilities.csr_dump())})":         self.sip_enabled,
@@ -309,7 +318,8 @@ class detect_root_patch:
        sip_value = sip_dict[1]

        self.sip_enabled, self.sbm_enabled, self.amfi_enabled, self.fv_enabled, self.dosdude_patched = utilities.patching_status(sip, self.constants.detected_os)
-        self.missing_kdk = not self.check_kdk()
+        if self.requires_root_kc is True:
+            self.missing_kdk = not self.check_kdk()

        if self.nvidia_web is True:
            self.missing_nv_web_nvram   = not self.check_nv_web_nvram()
@@ -360,10 +370,9 @@ class detect_root_patch:
                    print("\nCannot patch! WhateverGreen.kext missing")
                    print("Please ensure WhateverGreen.kext is installed")

-            if self.amfi_must_disable is True:
-                if self.missing_kdk is True:
-                    print("\nCannot patch! Kernel Debug Kit missing")
-                    print(f"Please ensure the correct KDK is installed (required: {self.constants.detected_os_build})")
+            if self.missing_kdk is True:
+                print("\nCannot patch! Kernel Debug Kit missing")
+                print(f"Please ensure the correct KDK is installed (required: {self.constants.detected_os_build})")

        if any(
            [
@@ -399,17 +408,17 @@ class detect_root_patch:
            required_patches.update({"Intel Sandy Bridge": all_hardware_patchset["Graphics"]["Intel Sandy Bridge"]})
        if hardware_details["Graphics: Intel Ivy Bridge"] is True:
            required_patches.update({"Metal Common": all_hardware_patchset["Graphics"]["Metal Common"]})
-            required_patches.update({"Metal 1 Common": all_hardware_patchset["Graphics"]["Metal 1 Common"]})
+            required_patches.update({"Metal 3802 Common": all_hardware_patchset["Graphics"]["Metal 3802 Common"]})
            required_patches.update({"Catalina GVA": all_hardware_patchset["Graphics"]["Catalina GVA"]})
            required_patches.update({"Intel Ivy Bridge": all_hardware_patchset["Graphics"]["Intel Ivy Bridge"]})
        if hardware_details["Graphics: Intel Haswell"] is True:
            required_patches.update({"Metal Common": all_hardware_patchset["Graphics"]["Metal Common"]})
-            required_patches.update({"Metal 1 Common": all_hardware_patchset["Graphics"]["Metal 1 Common"]})
+            required_patches.update({"Metal 3802 Common": all_hardware_patchset["Graphics"]["Metal 3802 Common"]})
            required_patches.update({"Monterey GVA": all_hardware_patchset["Graphics"]["Monterey GVA"]})
            required_patches.update({"Intel Haswell": all_hardware_patchset["Graphics"]["Intel Haswell"]})
        if hardware_details["Graphics: Intel Broadwell"] is True:
            required_patches.update({"Metal Common": all_hardware_patchset["Graphics"]["Metal Common"]})
-            required_patches.update({"Metal 1 Common": all_hardware_patchset["Graphics"]["Metal 1 Common"]})
+            required_patches.update({"Metal 3802 Common": all_hardware_patchset["Graphics"]["Metal 3802 Common"]})
            required_patches.update({"Monterey GVA": all_hardware_patchset["Graphics"]["Monterey GVA"]})
            required_patches.update({"Intel Broadwell": all_hardware_patchset["Graphics"]["Intel Broadwell"]})
        if hardware_details["Graphics: Intel Skylake"] is True:
@@ -427,7 +436,7 @@ class detect_root_patch:
            required_patches.update({"Non-Metal Enforcement": all_hardware_patchset["Graphics"]["Non-Metal Enforcement"]})
        if hardware_details["Graphics: Nvidia Kepler"] is True:
            required_patches.update({"Metal Common": all_hardware_patchset["Graphics"]["Metal Common"]})
-            required_patches.update({"Metal 1 Common": all_hardware_patchset["Graphics"]["Metal 1 Common"]})
+            required_patches.update({"Metal 3802 Common": all_hardware_patchset["Graphics"]["Metal 3802 Common"]})
            required_patches.update({"Catalina GVA": all_hardware_patchset["Graphics"]["Catalina GVA"]})
            required_patches.update({"Nvidia Kepler": all_hardware_patchset["Graphics"]["Nvidia Kepler"]})
            for gpu in self.constants.computer.gpus: