Merge pull request #496 from dortania/Disable-LV

Disable Library Validation Enforcement

CHANGELOG.md

@@ -40,6 +40,8 @@
   - Applicable for BCM94328, BCM94322 and Atheros chipsets
 - Add Legacy Bluetooth support for Monterey
   - Applicable for BRCM2046 and BRCM2070 chipsets
+- Disable Library Validation allowing for AMFI usage
+  - Remove reliance on amfi_get_out_of_my_way=1
 
 ## 0.2.4
 

OCLP-CLI.command

@@ -48,7 +48,7 @@ class OpenCoreLegacyPatcher:
         parser.add_argument("--firewire", help="Enable FireWire Booting", action="store_true", required=False)
         parser.add_argument("--nvme", help="Enable NVMe Booting", action="store_true", required=False)
         parser.add_argument("--wlan", help="Enable Wake on WLAN support", action="store_true", required=False)
-        parser.add_argument("--disable_amfi", help="Disable AMFI", action="store_true", required=False)
+        # parser.add_argument("--disable_amfi", help="Disable AMFI", action="store_true", required=False)
         parser.add_argument("--moderate_smbios", help="Moderate SMBIOS Patching", action="store_true", required=False)
         parser.add_argument("--moj_cat_accel", help="Allow Root Patching on Mojave and Catalina", action="store_true", required=False)
         parser.add_argument("--disable_thunderbolt", help="Disable Thunderbolt on 2013-2014 MacBook Pros", action="store_true", required=False)
@@ -115,9 +115,9 @@ class OpenCoreLegacyPatcher:
         if args.nvme:
             print("- Set NVMe Boot configuration")
             self.constants.nvme_boot = True
-        if args.disable_amfi:
-            print("- Set Disable AMFI configuration")
-            self.constants.amfi_status = False
+        # if args.disable_amfi:
+        #     print("- Set Disable AMFI configuration")
+        #     self.constants.amfi_status = False
         if args.wlan:
             print("- Set Wake on WLAN configuration")
             self.constants.enable_wake_on_wlan = True
@@ -194,19 +194,13 @@ If you plan to create the USB for another machine, please select the "Change Mod
             self.unpatch_vol()
 
     def set_defaults(self, model, host_is_target):
+        if host_is_target:
+            if Utilities.check_metal_support(device_probe, self.computer) is False:
+                self.constants.disable_cs_lv = True
+        elif model in ModelArray.LegacyGPU:
+            self.constants.disable_cs_lv = True
         if model in ModelArray.LegacyGPU:
-            if (
-                host_is_target
-                and self.computer.dgpu
-                and self.computer.dgpu.arch
-                in [
-                    device_probe.AMD.Archs.Legacy_GCN,
-                    device_probe.AMD.Archs.Polaris,
-                    device_probe.AMD.Archs.Vega,
-                    device_probe.AMD.Archs.Navi,
-                    device_probe.NVIDIA.Archs.Kepler,
-                ]
-            ):
+            if Utilities.check_metal_support(device_probe, self.computer) is True:
                 print("- Detected Metal GPU, overriding default configuration")
                 # Building on device and we have a native, supported GPU
                 self.constants.sip_status = True
@@ -226,7 +220,7 @@ If you plan to create the USB for another machine, please select the "Change Mod
                 self.constants.secure_status = False  # Modified root volume
                 self.constants.allow_fv_root = True  #  Allow FileVault on broken seal
                 # self.constants.amfi_status = True  #  Signed bundles, Don't need to explicitly set currently
-        if model == "MacBook8,1" and host_is_target:
+        if model == "MacBook8,1":
             # MacBook8,1 has an odd bug where it cannot install Monterey with Minimal spoofing
             self.constants.serial_settings == "Moderate"
 

OpenCore-Patcher.command

@@ -26,19 +26,14 @@ class OpenCoreLegacyPatcher:
         self.constants.secure_status = False  # Default false for Monterey
         self.constants.amfi_status = True
 
+        if host_is_target:
+            if Utilities.check_metal_support(device_probe, self.computer) is False:
+                self.constants.disable_cs_lv = True
+        elif model in ModelArray.LegacyGPU:
+            self.constants.disable_cs_lv = True
+
         if model in ModelArray.LegacyGPU:
-            if (
-                host_is_target
-                and self.computer.dgpu
-                and self.computer.dgpu.arch
-                in [
-                    device_probe.AMD.Archs.Legacy_GCN,
-                    device_probe.AMD.Archs.Polaris,
-                    device_probe.AMD.Archs.Vega,
-                    device_probe.AMD.Archs.Navi,
-                    device_probe.NVIDIA.Archs.Kepler,
-                ]
-            ):
+            if Utilities.check_metal_support(device_probe, self.computer) is True:
                 # Building on device and we have a native, supported GPU
                 self.constants.sip_status = True
                 # self.constants.secure_status = True  # Monterey
@@ -78,7 +73,11 @@ class OpenCoreLegacyPatcher:
         if Utilities.get_nvram("gpu-power-prefs", "FA4CE28D-B62F-4C99-9CC3-6815686E30F9", decode=True):
             self.constants.allow_ts2_accel = False
 
-        self.constants.latebloom_delay, self.constants.latebloom_range, self.constants.latebloom_debug = Utilities.latebloom_detection(model)
+        if self.constants.latebloom_delay == 0:
+            self.constants.latebloom_delay, self.constants.latebloom_range, self.constants.latebloom_debug = Utilities.latebloom_detection(model)
+        
+        if Utilities.get_nvram("gpu-power-prefs", "FA4CE28D-B62F-4C99-9CC3-6815686E30F9", decode=True):
+            self.constants.allow_ts2_accel = False
 
         # Check if running in RecoveryOS
         self.constants.recovery_status = Utilities.check_recovery()
@@ -172,10 +171,10 @@ system_profiler SPHardwareDataType | grep 'Model Identifier'
             title = ["Adjust Security Settings"]
             menu = Utilities.TUIMenu(title, "Please select an option: ", auto_number=True, top_level=True)
             options = [
-                [
-                    f"Set Apple Mobile File Integrity (AMFI):\tCurrently {self.constants.amfi_status}",
-                    CliMenu.MenuOptions(self.constants.custom_model or self.computer.real_model, self.constants).set_amfi,
-                ],
+                # [
+                #     f"Set Apple Mobile File Integrity (AMFI):\tCurrently {self.constants.amfi_status}",
+                #     CliMenu.MenuOptions(self.constants.custom_model or self.computer.real_model, self.constants).set_amfi,
+                # ],
                 [
                     f"Set System Intrgity Protection (SIP):\tCurrently {self.constants.sip_status}",
                     CliMenu.MenuOptions(self.constants.custom_model or self.computer.real_model, self.constants).change_sip,

Resources/Build.py

@@ -670,9 +670,12 @@ class BuildOpenCore:
             print("- Disabling SIP")
             self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["csr-active-config"] = binascii.unhexlify("EF0F0000")
             self.config["NVRAM"]["Delete"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"] += ["csr-active-config"]
-        if self.constants.amfi_status is False:
-            print("- Disabling AMFI")
-            self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["boot-args"] += " amfi_get_out_of_my_way=1"
+        # if self.constants.amfi_status is False:
+        #     print("- Disabling AMFI")
+        #     self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["boot-args"] += " amfi_get_out_of_my_way=1"
+        if self.constants.disable_cs_lv is True:
+            print("- Disabling Library Validation")
+            self.get_item_by_kv(self.config["Kernel"]["Patch"], "Comment", "Disable Library Validation Enforcement")["Enabled"] = True
         if self.constants.secure_status is False:
             print("- Disabling SecureBootModel")
             self.config["Misc"]["Security"]["SecureBootModel"] = "Disabled"

Resources/Constants.py

@@ -115,6 +115,7 @@ class Constants:
         self.sip_status = True  #      System Integrity Protection
         self.secure_status = False  #  Secure Boot Model
         self.vault = False  #          EFI Vault
+        self.disable_cs_lv = False  #  Disable Library validation
 
         ## OS Settings
         self.os_support = 12.0

Resources/SysPatch.py

@@ -422,10 +422,11 @@ set million colour before rebooting"""
             )
             Utilities.process_status(self.elevated(["chmod", "755", f"{self.mount_lauchd}/IOHID-Fixup.plist"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT))
             Utilities.process_status(self.elevated(["chown", "root:wheel", f"{self.mount_lauchd}/IOHID-Fixup.plist"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT))
-        else:
+        elif Utilities.check_oclp_boot() is False:
+            # Assume non-OCLP Macs don't have _cs_require_lv
             print("- Disabling Library Validation")
             Utilities.process_status(
-                self.elevated(["defaults", "write", "/Library/Preferences/com.apple.security.libraryvalidation.plist", "-bool", "true"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+                self.elevated(["defaults", "write", "/Library/Preferences/com.apple.security.libraryvalidation.plist", "DisableLibraryValidation", "-bool", "true"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
             )
 
     def gpu_accel_legacy_extended_ts2(self):

Resources/Utilities.py

@@ -19,7 +19,7 @@ except ImportError:
     except ImportError:
         raise Exception("Missing requests library!\nPlease run the following before starting OCLP:\npip3 install requests")
 
-from Resources import Constants, ioreg
+from Resources import Constants, ioreg, device_probe
 
 
 def hexswap(input_hex: str):
@@ -144,8 +144,8 @@ def check_oclp_boot():
 
 
 def check_monterey_wifi():
-    IO80211ElCap = "com.apple.iokit.IO80211ElCap (1110.26)"
-    CoreCaptureElCap = "com.apple.driver.corecaptureElCap (1.0.4)"
+    IO80211ElCap = "com.apple.iokit.IO80211ElCap"
+    CoreCaptureElCap = "com.apple.driver.corecaptureElCap"
     loaded_kexts: str = subprocess.run("kextcache".split(), stdout=subprocess.PIPE, stderr=subprocess.STDOUT).stdout.decode()
     if IO80211ElCap in loaded_kexts and CoreCaptureElCap in loaded_kexts:
         return True
@@ -153,6 +153,19 @@ def check_monterey_wifi():
         return False
 
 
+def check_metal_support(device_probe, computer):
+    dgpu = computer.dgpu
+    igpu = computer.igpu
+    if (
+        (dgpu and dgpu.arch in [device_probe.NVIDIA.Archs.Tesla, device_probe.NVIDIA.Archs.Fermi, device_probe.AMD.Archs.TeraScale_1, device_probe.AMD.Archs.TeraScale_2])
+        or (igpu and igpu.arch in [device_probe.Intel.Archs.Iron_Lake, device_probe.Intel.Archs.Sandy_Bridge])
+        or isinstance(igpu, device_probe.NVIDIA)
+    ):
+        return False
+    else:
+        return True
+
+
 def patching_status(os_sip, os):
     # Detection for Root Patching
     sip_enabled = True  #  System Integrity Protection
@@ -164,7 +177,8 @@ def patching_status(os_sip, os):
     gen6_kext = "/System/Library/Extension/AppleIntelHDGraphics.kext"
     gen7_kext = "/System/Library/Extension/AppleIntelHD3000Graphics.kext"
 
-    if os > Constants.Constants().catalina:
+    if os > Constants.Constants().catalina and not check_oclp_boot():
+        # Assume non-OCLP Macs don't patch _cs_require_lv
         amfi_enabled = amfi_status()
     else:
         # Catalina and older supports individually disabling Library Validation
@@ -261,6 +275,7 @@ def enable_apfs(fw_feature, fw_mask):
     fw_mask |= 2 ** 19
     return fw_feature, fw_mask
 
+
 # def menu(title, prompt, menu_options, add_quit=True, auto_number=False, in_between=[], top_level=False):
 #     return_option = ["Q", "Quit", None] if top_level else ["B", "Back", None]
 #     if add_quit: menu_options.append(return_option)

docs/ACCEL.md

@@ -65,6 +65,10 @@ Currently Zoom relies partially on Metal and so needs a small binary patch. Dosd
 
 ## Unable to grant special permissions to apps (ie. Camera Access to Zoom)
 
+With version 0.2.5, this issue should be full resolved
+
+::: details 0.2.4 and older Work-Around
+
 Due to the usage of `amfi_get_out_of_my_way=1`, macOS will fail to prompt users for special permissions upon application start as well as omit the entires in System Preferences. To work around this, we recommend users install [tccplus](https://github.com/jslegendre/tccplus) to manage permissions.
 
 Example usage with Discord and microphone permissions:
@@ -88,6 +92,8 @@ $ sudo sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db "INSERT or RE
 $ sudo sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db "INSERT or REPLACE INTO access VALUES('kTCCServiceCamera','us.zoom.xos',0,2,0,1,NULL,NULL,NULL,'UNUSED',NULL,0,1541440109);"
 ```
 
+:::
+
 ## Keyboard Backlight broken
 
 Due to forcing `hidd` into spinning up with the fallback mode enabled, this can break the OS's recognition of backlight keyboards. Thankfully the drivers themselves still do operate so applications such as [LabTick](https://www.macupdate.com/app/mac/22151/lab-tick) are able to set the brightness manually.

payloads/Config/config.plist

@@ -1062,6 +1062,36 @@
 				<key>Skip</key>
 				<integer>0</integer>
 			</dict>
+			<dict>
+				<key>Arch</key>
+				<string>x86_64</string>
+				<key>Base</key>
+				<string>_cs_require_lv</string>
+				<key>Comment</key>
+				<string>Disable Library Validation Enforcement</string>
+				<key>Count</key>
+				<integer>0</integer>
+				<key>Enabled</key>
+				<false/>
+				<key>Find</key>
+				<data></data>
+				<key>Identifier</key>
+				<string>kernel</string>
+				<key>Limit</key>
+				<integer>0</integer>
+				<key>Mask</key>
+				<data></data>
+				<key>MaxKernel</key>
+				<string></string>
+				<key>MinKernel</key>
+				<string>18.0.0</string>
+				<key>Replace</key>
+				<data>uAAAAADD</data>
+				<key>ReplaceMask</key>
+				<data></data>
+				<key>Skip</key>
+				<integer>0</integer>
+			</dict>
 		</array>
 		<key>Quirks</key>
 		<dict>