sys_patch: Implement RSR handling for root patched Macs

Ref: https://github.com/dortania/OpenCore-Legacy-Patcher/issues/1019
2026-04-21 03:04:31 +10:00 · 2023-01-09 23:03:18 -07:00
parent 6504442d4f
commit bebbf646e1
9 changed files with 61 additions and 1 deletions
--- a/resources/build/security.py
+++ b/resources/build/security.py
@@ -41,6 +41,12 @@ class build_security:
            # Lets us check in sys_patch.py if config supports FileVault
            self.config["NVRAM"]["Add"]["4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102"]["OCLP-Settings"] += " -allow_fv"

+            # Patch KC UUID panics due to RSR installation
+            # - Ref: https://github.com/dortania/OpenCore-Legacy-Patcher/issues/1019
+            print("- Enabling KC UUID mismatch patch")
+            self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["boot-args"] += " -nokcmismatchpanic"
+            support.build_support(self.model, self.constants, self.config).enable_kext("RSRHelper.kext", self.constants.rsrhelper_version, self.constants.rsrhelper_path)
+
        if self.constants.disable_cs_lv is True:
            print("- Disabling Library Validation")
            # In Ventura, LV patch broke. For now, add AMFI arg
--- a/resources/constants.py
+++ b/resources/constants.py
@@ -79,6 +79,7 @@ class Constants:
        self.mce_version = "1.0.0"  #                AppleMCEReporterDisabler
        self.btspoof_version = "1.0.0"  #            Bluetooth-Spoof
        self.aspp_override_version = "1.0.1"  #      ACPI_SMC_PlatformPlugin Override
+        self.rsrhelper_version = "1.0.0"  #          RSRHelper

        ## Syncretic
        ## https://forums.macrumors.com/members/syncretic.1173816/
@@ -448,6 +449,10 @@ class Constants:
    def cryptexfixup_path(self):
        return self.payload_kexts_path / Path(f"Acidanthera/CryptexFixup-v{self.cryptexfixup_version}-{self.kext_variant}.zip")

+    @property
+    def rsrhelper_path(self):
+        return self.payload_kexts_path / Path(f"Acidanthera/RSRHelper-v{self.rsrhelper_version}-{self.kext_variant}.zip")
+
    @property
    def innie_path(self):
        return self.payload_kexts_path / Path(f"Misc/Innie-v{self.innie_version}.zip")
@@ -590,6 +595,10 @@ class Constants:
    def oclp_helper_path(self):
        return self.payload_path / Path("Tools/OCLP-Helper")

+    @property
+    def rsrrepair_userspace_path(self):
+        return self.payload_path / Path("Tools/RSRRepair")
+
    # Icons
    @property
    def app_icon_path(self):
--- a/resources/sys_patch/sys_patch.py
+++ b/resources/sys_patch/sys_patch.py
@@ -295,6 +295,9 @@ class PatchSysVolume:

            for file in ["KextPolicy", "KextPolicy-shm", "KextPolicy-wal"]:
                self.remove_file("/private/var/db/SystemPolicyConfiguration/", file)
+        else:
+            # Install RSRHelper utility to handle desynced KCs
+            sys_patch_helpers.sys_patch_helpers(self.constants).install_rsr_repair_binary()

        print("- Successfully built new kernel cache")
        return True
--- a/resources/sys_patch/sys_patch_helpers.py
+++ b/resources/sys_patch/sys_patch_helpers.py
@@ -183,4 +183,24 @@ class sys_patch_helpers:
        if did_find:
            with open(file_path, "wb") as f:
                plistlib.dump(data, f, sort_keys=False)
-            subprocess.run(["killall", "NotificationCenter"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+            subprocess.run(["killall", "NotificationCenter"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+
+
+    def install_rsr_repair_binary(self):
+        # With macOS 13.2, Apple implemented the Rapid Security Response System
+        # However Apple added a half baked snapshot reversion system if seal was broken,
+        # which forgets to handle Preboot BootKC syncing
+
+        # Thus this application will try to re-sync the BootKC with SysKC in the event of a panic
+        # Reference: https://github.com/dortania/OpenCore-Legacy-Patcher/issues/1019
+
+        # This is a (hopefully) temporary work-around, however likely to stay.
+        # RSRRepair has the added bonus of fixing desynced KCs from 'bless', so useful in Big Sur+
+
+        if self.constants.detected_os < os_data.os_data.big_sur:
+            return
+
+        print("- Installing RSRRepair userspace utility")
+        result = utilities.elevated([self.constants.rsrrepair_userspace_path, "--install"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+        if result.returncode != 0:
+            print(f"  - Failed to install RSRRepair: {result.stdout.decode()}")