Merge pull request #1110 from dortania/vault_2

Security - Enable vaulting by default

CHANGELOG.md

@@ -11,6 +11,7 @@
 - Resolve PCIe FaceTime camera support on macOS 14.1
 - Resolve T1 Security Chip support on macOS 14
   - Applicable for MacBookPro13,2, MacBookPro13,3, MacBookPro14,2, MacBookPro14,3
+- Add support for stand alone OpenCore Vaulting without Xcode Command Line Tools (Jazzzny)
 - Increment Binaries:
   - PatcherSupportPkg 1.4.2 - release
   - AirportBrcmFixup 2.1.8 - release

README.md

@@ -100,6 +100,7 @@ To run the project from source, see here: [Build and run from source](./SOURCE.m
   * Pre-Ivy Bridge Aquantia Ethernet Patch
   * Non-Metal Photo Booth Patch for Monterey+
   * GUI and Backend Development
+  * Vaulting implementation
 * Amazing users who've graciously donate hardware:
   * [JohnD](https://forums.macrumors.com/members/johnd.53633/) - 2013 Mac Pro
   * [SpiGAndromeda](https://github.com/SpiGAndromeda) - AMD Vega 64

payloads/Tools/CreateVault/create_vault.sh

@@ -4,8 +4,10 @@
 #
 #
 #  Created by Rodion Shingarev on 13.04.19.
+#  Modified by Jazzzny for OpenCore Legacy Patcher on 06.10.23.
 #
 OCPath="$1"
+UtilsPath="$PWD"
 
 if [ "${OCPath}" = "" ]; then
   echo "Usage ./create_vault.sh path/to/EFI/OC"
@@ -17,54 +19,75 @@ if [ ! -d "${OCPath}" ]; then
   exit 1
 fi
 
-if [ ! -x /usr/bin/find ] || [ ! -x /bin/rm ] || [ ! -x /usr/bin/sed ] || [ ! -x /usr/bin/xxd ]; then
+if [ ! -x /usr/bin/env ] || [ ! -x /usr/bin/find ] || [ ! -x /bin/rm ] || [ ! -x /usr/bin/sed ] || [ ! -x /usr/bin/awk ] || [ ! -x /usr/bin/sort ] || [ ! -x /usr/bin/xxd ]; then
   echo "Unix environment is broken!"
   exit 1
 fi
 
-if [ ! -x /usr/libexec/PlistBuddy ]; then
-  echo "PlistBuddy is missing!"
-  exit 1
-fi
-
-if [ ! -x /usr/bin/shasum ]; then
-  echo "shasum is missing!"
-  exit 1
-fi
-
 abort() {
   /bin/rm -rf vault.plist vault.sig /tmp/vault_hash
   echo "Fatal error: ${1}!"
   exit 1
 }
 
-echo "Chose ${OCPath} for hashing..."
+# plist output functions so we don't need PlistBuddy
+write_header() {
+  cat <<EOF > "$1"
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Files</key>
+	<dict>
+EOF
+}
+
+write_file_name_and_hash() {
+  {
+    echo -e "\t\t<key>${2}</key>"
+    echo -e "\t\t<data>"
+    echo -e -n "\t\t"
+    cat "$3"
+    echo -e "\t\t</data>"
+  } >> "$1"
+}
+
+write_footer() {
+  cat <<EOF >> "$1"
+	</dict>
+	<key>Version</key>
+	<integer>1</integer>
+</dict>
+</plist>
+EOF
+}
 
 cd "${OCPath}" || abort "Failed to reach ${OCPath}"
 /bin/rm -rf vault.plist vault.sig || abort "Failed to cleanup"
-/usr/libexec/PlistBuddy -c "Add Version integer 1" vault.plist || abort "Failed to set vault.plist version"
 
-echo "Hashing files in ${OCPath}..."
+echo "Hashing OpenCore configuration..."
+
+write_header vault.plist
 
 /usr/bin/find . -not -path '*/\.*' -type f \
   \( ! -iname ".*" \) \
   \( ! -iname "vault.*" \) \
-  \( ! -iname "OpenCore.efi" \) | while read -r fname; do
+  \( ! -iname "MemTest86.log" \) \
+  \( ! -iname "MemTest86-Report-*.html" \) \
+  \( ! -iname "OpenCore.efi" \) | env LC_COLLATE=POSIX /usr/bin/sort | while read -r fname; do
   fname="${fname#"./"}"
   wname="${fname//\//\\\\}"
-  shasum=$(/usr/bin/shasum -a 256 "${fname}") || abort "Failed to hash ${fname}"
-  sha=$(echo "$shasum" | /usr/bin/sed 's/^\([a-f0-9]\{64\}\).*/\1/') || abort "Illegit hashsum"
+  sha=$("${UtilsPath}"/openssl sha256 "${fname}" | /usr/bin/awk '{print $2}') || abort "Failed to hash ${fname}"
   if [ "${#sha}" != 64 ] || [ "$(echo "$sha"| /usr/bin/sed 's/^[a-f0-9]*$//')" ]; then
     abort "Got invalid hash: ${sha}!"
   fi
 
-  echo "${wname}: ${sha}"
-
-  echo "${sha}" | /usr/bin/xxd -r -p > /tmp/vault_hash || abort "Hashing failure"
-  /usr/libexec/PlistBuddy -c "Import Files:'${wname}' /tmp/vault_hash" vault.plist || abort "Failed to append vault.plist!"
+  echo "${sha}" | /usr/bin/xxd -r -p | "${UtilsPath}"/openssl base64 > /tmp/vault_hash || abort "Hashing failure"
+  write_file_name_and_hash vault.plist "${wname}" /tmp/vault_hash
 done
 
 /bin/rm -rf /tmp/vault_hash
 
-echo "All done!"
+write_footer vault.plist
+
 exit 0

payloads/Tools/CreateVault/sign.command

@@ -1,16 +1,18 @@
 #!/bin/sh
 
+# Modified by Jazzzny for OpenCore Legacy Patcher on 06.10.23.
+
 abort() {
   echo "Fatal error: ${1}!"
   exit 1
 }
 
+# shellcheck disable=SC2317
 cleanup() {
-  echo "Cleaning up keys"
   rm -rf "${KeyPath}"
 }
 
-if [ ! -x /usr/bin/dirname ] || [ ! -x /bin/chmod ] || [ ! -x /bin/mkdir ] || [ ! -x /usr/bin/openssl ] || [ ! -x /bin/rm ] || [ ! -x /usr/bin/strings ] || [ ! -x /usr/bin/grep ] || [ ! -x /usr/bin/cut ] || [ ! -x /bin/dd ] || [ ! -x /usr/bin/uuidgen ] ; then
+if [ ! -x /usr/bin/dirname ] || [ ! -x /bin/chmod ] || [ ! -x /bin/mkdir ] || [ ! -x /bin/rm ] || [ ! -x /usr/bin/grep ] || [ ! -x /usr/bin/awk ] || [ ! -x /bin/dd ] || [ ! -x /usr/bin/uuidgen ] ; then
   abort "Unix environment is broken!"
 fi
 
@@ -22,10 +24,8 @@ if [ "$OCPath" = "" ]; then
   OCPath=../../EFI/OC
 fi
 
-KeyPath="/tmp/Keys-$(/usr/bin/uuidgen)"
+KeyPath="/tmp/$(/usr/bin/uuidgen)"
 OCBin="${OCPath}/OpenCore.efi"
-RootCA="${KeyPath}/ca.pem"
-PrivKey="${KeyPath}/privatekey.cer"
 PubKey="${KeyPath}/vault.pub"
 
 if [ ! -d "${OCPath}" ]; then
@@ -58,31 +58,14 @@ fi
 
 ./create_vault.sh "${OCPath}" || abort "create_vault.sh returns errors!"
 
-if [ ! -f "${RootCA}" ]; then
-  /usr/bin/openssl genrsa -out "${RootCA}" 2048 || abort "Failed to generate CA"
-  if [ -f "${PrivKey}" ]; then
-    echo "WARNING: Private key exists without CA"
-  fi
-fi
-
-/bin/rm -fP "${PrivKey}" || abort "Failed to remove ${PrivKey}"
-echo "Issuing a new private key..."
-/usr/bin/openssl req -new -x509 -key "${RootCA}" -out "${PrivKey}" -days 1825 -subj "/C=WO/L=127.0.0.1/O=Acidanthera/OU=Acidanthera OpenCore/CN=Greetings from Acidanthera and WWHC" || abort "Failed to issue private key!"
-
-/bin/rm -fP "${PubKey}" || abort "Failed to remove ${PubKey}"
-echo "Getting public key based off private key..."
-./RsaTool -cert "${PrivKey}" > "${PubKey}" || abort "Failed to get public key"
-
-echo "Signing ${OCBin}..."
+echo "Signing OpenCore..."
 ./RsaTool -sign "${OCPath}/vault.plist" "${OCPath}/vault.sig" "${PubKey}" || abort "Failed to patch ${PubKey}"
-
-echo "Bin-patching ${OCBin}..."
-off=$(($(/usr/bin/strings -a -t d "${OCBin}" | /usr/bin/grep "=BEGIN OC VAULT=" | /usr/bin/cut -f1 -d' ') + 16))
+off=$(($(./strings -a -t d "${OCBin}" | /usr/bin/grep "=BEGIN OC VAULT=" | /usr/bin/awk '{print $1}') + 16))
 if [ "${off}" -le 16 ]; then
   abort "${OCBin} is borked"
 fi
 
 /bin/dd of="${OCBin}" if="${PubKey}" bs=1 seek="${off}" count=528 conv=notrunc || abort "Failed to bin-patch ${OCBin}"
 
-echo "All done!"
+echo "Signing complete"
 exit 0

resources/build/misc.py

@@ -342,11 +342,9 @@ class BuildMiscellaneous:
             logging.info(f"- Setting custom OpenCore picker timeout to {self.constants.oc_timeout} seconds")
             self.config["Misc"]["Boot"]["Timeout"] = self.constants.oc_timeout
 
-        if self.constants.vault is True and utilities.check_command_line_tools() is True:
+        if self.constants.vault is True:
             logging.info("- Setting Vault configuration")
             self.config["Misc"]["Security"]["Vault"] = "Secure"
-            support.BuildSupport(self.model, self.constants, self.config).get_efi_binary_by_path("OpenShell.efi", "Misc", "Tools")["Enabled"] = False
-
 
     def _t1_handling(self) -> None:
         """

resources/build/support.py

@@ -108,17 +108,11 @@ class BuildSupport:
         if self.constants.vault is False:
             return
 
-        if utilities.check_command_line_tools() is False:
-            # sign.command checks for the existence of '/usr/bin/strings' however does not verify whether it's executable
-            # sign.command will continue to run and create an unbootable OpenCore.efi due to the missing strings binary
-            # macOS has dummy binaries that just reroute to the actual binaries after you install Xcode's Command Line Tools
-            logging.info("- Missing Command Line tools, skipping Vault for saftey reasons")
-            logging.info("- Install via 'xcode-select --install' and rerun OCLP if you wish to vault this config")
-            return
-
-        logging.info("- Vaulting EFI")
-        subprocess.run([str(self.constants.vault_path), f"{self.constants.oc_folder}/"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
-
+        logging.info("- Vaulting EFI\n=========================================")
+        popen = subprocess.Popen([str(self.constants.vault_path), f"{self.constants.oc_folder}/"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, universal_newlines=True)
+        for stdout_line in iter(popen.stdout.readline, ""):
+            logging.info(stdout_line.strip())
+        logging.info("=========================================")
 
     def validate_pathing(self) -> None:
         """

resources/wx_gui/gui_settings.py

@@ -277,16 +277,16 @@ class SettingsFrame(wx.Frame):
                 "wrap_around 2": {
                     "type": "wrap_around",
                 },
-                "APFS Trim": {
+                "OpenCore Vaulting": {
                     "type": "checkbox",
-                    "value": self.constants.apfs_trim_timeout,
-                    "variable": "apfs_trim_timeout",
+                    "value": self.constants.vault,
+                    "variable": "vault",
                     "description": [
-                        "Recommended for all users, however faulty",
-                        "SSDs may benefit from disabling this.",
+                        "Digitally sign OpenCore to prevent",
+                        "tampering or corruption."
                     ],
-
                 },
+                
                 "Show OpenCore Boot Picker": {
                     "type": "checkbox",
                     "value": self.constants.showpicker,
@@ -443,6 +443,16 @@ class SettingsFrame(wx.Frame):
                     ],
                     "condition": not bool(self.constants.computer.third_party_sata_ssd is False and not self.constants.custom_model)
                 },
+                "APFS Trim": {
+                    "type": "checkbox",
+                    "value": self.constants.apfs_trim_timeout,
+                    "variable": "apfs_trim_timeout",
+                    "description": [
+                        "Recommended for all users, however faulty",
+                        "SSDs may benefit from disabling this.",
+                    ],
+
+                },
             },
             "Advanced": {
                 "Miscellaneous": {
@@ -836,6 +846,7 @@ class SettingsFrame(wx.Frame):
                         "Export constants.py values to a txt file.",
                     ],
                 },
+                
                 "Developer Root Volume Patching": {
                     "type": "title",
                 },