diff --git a/CHANGELOG.md b/CHANGELOG.md
index ff75e362e..65958e956 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@ - Resolve PCIe FaceTime camera support on macOS 14.1 - Resolve T1 Security Chip support on macOS 14 - Applicable for MacBookPro13,2, MacBookPro13,3, MacBookPro14,2, MacBookPro14,3 +- Add support for stand alone OpenCore Vaulting without Xcode Command Line Tools (Jazzzny) - Increment Binaries: - PatcherSupportPkg 1.4.2 - release - AirportBrcmFixup 2.1.8 - release
diff --git a/README.md b/README.md
index 12a328288..3baf52960 100644
--- a/README.md
+++ b/README.md
@@ -100,6 +100,7 @@ To run the project from source, see here: [Build and run from source](./SOURCE.m * Pre-Ivy Bridge Aquantia Ethernet Patch * Non-Metal Photo Booth Patch for Monterey+ * GUI and Backend Development
+ * Vaulting implementation
* Amazing users who've graciously donate hardware: * [JohnD](https://forums.macrumors.com/members/johnd.53633/) - 2013 Mac Pro * [SpiGAndromeda](https://github.com/SpiGAndromeda) - AMD Vega 64
diff --git a/payloads/Tools/CreateVault/RsaTool b/payloads/Tools/CreateVault/RsaTool
index a20585f26..f2a66d963 100755
Binary files a/payloads/Tools/CreateVault/RsaTool and b/payloads/Tools/CreateVault/RsaTool differ
diff --git a/payloads/Tools/CreateVault/create_vault.sh b/payloads/Tools/CreateVault/create_vault.sh
index 7c1d6dfb0..5e56136c0 100755
--- a/payloads/Tools/CreateVault/create_vault.sh
+++ b/payloads/Tools/CreateVault/create_vault.sh
@@ -4,8 +4,10 @@
#
#
# Created by Rodion Shingarev on 13.04.19.
+# Modified by Jazzzny for OpenCore Legacy Patcher on 06.10.23.
#
OCPath="$1"
+UtilsPath="$PWD"
if [ "${OCPath}" = "" ]; then
echo "Usage ./create_vault.sh path/to/EFI/OC"
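Review bot: `UtilsPath="$PWD"` records the caller's working directory, not the script's own directory, so the bundled `openssl` that the hashing loop later runs as `"${UtilsPath}"/openssl` is only found when the caller happens to be sitting in `payloads/Tools/CreateVault` (as `sign.command` presumably is after its `dirname`-based `cd`). Run directly from anywhere else, the script would execute whatever file named `openssl` exists in the user's current directory and use its output as the vault hashes, which is exactly the wrong binary to trust for an integrity measurement. Derive the path from the script instead: `UtilsPath="$(cd "$(/usr/bin/dirname "$0")" && pwd)"`, and add `/usr/bin/dirname` to the tool precheck a few lines below. The variable must stay absolute because the script `cd`s into `${OCPath}` before using it.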
@@ -17,54 +19,75 @@ if [ ! -d "${OCPath}" ]; then exit 1 fi -if [ ! -x /usr/bin/find ] || [ ! -x /bin/rm ] || [ ! -x /usr/bin/sed ] || [ ! -x /usr/bin/xxd ]; then +if [ ! -x /usr/bin/env ] || [ ! -x /usr/bin/find ] || [ ! -x /bin/rm ] || [ ! -x /usr/bin/sed ] || [ ! -x /usr/bin/awk ] || [ ! -x /usr/bin/sort ] || [ ! -x /usr/bin/xxd ]; then echo "Unix environment is broken!" exit 1 fi -if [ ! -x /usr/libexec/PlistBuddy ]; then - echo "PlistBuddy is missing!" - exit 1 -fi - -if [ ! -x /usr/bin/shasum ]; then - echo "shasum is missing!" - exit 1 -fi - abort() { /bin/rm -rf vault.plist vault.sig /tmp/vault_hash echo "Fatal error: ${1}!" exit 1 } -echo "Chose ${OCPath} for hashing..." +# plist output functions so we don't need PlistBuddy +write_header() { + cat < "$1" + + + + + Files + +EOF +} + +write_file_name_and_hash() { + { + echo -e "\t\t${2}" + echo -e "\t\t" + echo -e -n "\t\t" + cat "$3" + echo -e "\t\t" + } >> "$1" +} + +write_footer() { + cat <> "$1" + + Version + 1 + + +EOF +} cd "${OCPath}" || abort "Failed to reach ${OCPath}" /bin/rm -rf vault.plist vault.sig || abort "Failed to cleanup" -/usr/libexec/PlistBuddy -c "Add Version integer 1" vault.plist || abort "Failed to set vault.plist version" -echo "Hashing files in ${OCPath}..." +echo "Hashing OpenCore configuration..." + +write_header vault.plist /usr/bin/find . -not -path '*/\.*' -type f \ \( ! -iname ".*" \) \ \( ! -iname "vault.*" \) \ - \( ! -iname "OpenCore.efi" \) | while read -r fname; do + \( ! -iname "MemTest86.log" \) \ + \( ! -iname "MemTest86-Report-*.html" \) \ + \( ! 
-iname "OpenCore.efi" \) | env LC_COLLATE=POSIX /usr/bin/sort | while read -r fname; do
fname="${fname#"./"}"
wname="${fname//\//\\\\}"
- shasum=$(/usr/bin/shasum -a 256 "${fname}") || abort "Failed to hash ${fname}"
- sha=$(echo "$shasum" | /usr/bin/sed 's/^\([a-f0-9]\{64\}\).*/\1/') || abort "Illegit hashsum"
+ sha=$("${UtilsPath}"/openssl sha256 "${fname}" | /usr/bin/awk '{print $2}') || abort "Failed to hash ${fname}"
if [ "${#sha}" != 64 ] || [ "$(echo "$sha"| /usr/bin/sed 's/^[a-f0-9]*$//')" ]; then
abort "Got invalid hash: ${sha}!"
fi
- echo "${wname}: ${sha}"
-
- echo "${sha}" | /usr/bin/xxd -r -p > /tmp/vault_hash || abort "Hashing failure"
- /usr/libexec/PlistBuddy -c "Import Files:'${wname}' /tmp/vault_hash" vault.plist || abort "Failed to append vault.plist!"
+ echo "${sha}" | /usr/bin/xxd -r -p | "${UtilsPath}"/openssl base64 > /tmp/vault_hash || abort "Hashing failure"
+ write_file_name_and_hash vault.plist "${wname}" /tmp/vault_hash
done
/bin/rm -rf /tmp/vault_hash
-echo "All done!"
+write_footer vault.plist
+
exit 0
diff --git a/payloads/Tools/CreateVault/openssl b/payloads/Tools/CreateVault/openssl
new file mode 100755
index 000000000..bdce6eff1
Binary files /dev/null and b/payloads/Tools/CreateVault/openssl differ
diff --git a/payloads/Tools/CreateVault/sign.command b/payloads/Tools/CreateVault/sign.command
index 6d4292c02..281768a79 100755
--- a/payloads/Tools/CreateVault/sign.command
+++ b/payloads/Tools/CreateVault/sign.command
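Review bot: The tool precheck at the top of this hunk gains env/awk/sort but never checks the bundled `"${UtilsPath}"/openssl` that the loop now relies on for every hash, and since `|| abort` after a pipeline only sees awk's exit status, a missing or broken openssl surfaces as the misleading `Got invalid hash` message rather than a clear one. Add `if [ ! -x "${UtilsPath}/openssl" ]; then echo "Bundled openssl is missing!"; exit 1; fi` beside the existing checks. The vault's integrity guarantee is exactly as strong as this binary and the modified RsaTool, both committed here as opaque blobs, so a comment recording where they were built from (or a pinned checksum the script verifies) would help the next maintainer. Separately, `write_file_name_and_hash` echoes the file name `${2}` into vault.plist verbatim via `echo -e`, so a name containing `&` or `<` is not XML-escaped the way PlistBuddy used to handle it; the element tags appear stripped in this rendering, so confirm against the file.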
@@ -1,16 +1,18 @@
#!/bin/sh
+# Modified by Jazzzny for OpenCore Legacy Patcher on 06.10.23.
+
abort() {
echo "Fatal error: ${1}!"
exit 1
}
+# shellcheck disable=SC2317
cleanup() {
- echo "Cleaning up keys"
rm -rf "${KeyPath}"
}
-if [ ! -x /usr/bin/dirname ] || [ ! -x /bin/chmod ] || [ ! -x /bin/mkdir ] || [ ! -x /usr/bin/openssl ] || [ ! -x /bin/rm ] || [ ! -x /usr/bin/strings ] || [ ! -x /usr/bin/grep ] || [ ! -x /usr/bin/cut ] || [ ! -x /bin/dd ] || [ ! -x /usr/bin/uuidgen ] ; then
+if [ ! -x /usr/bin/dirname ] || [ ! -x /bin/chmod ] || [ ! -x /bin/mkdir ] || [ ! -x /bin/rm ] || [ ! -x /usr/bin/grep ] || [ ! -x /usr/bin/awk ] || [ ! -x /bin/dd ] || [ ! -x /usr/bin/uuidgen ] ; then
abort "Unix environment is broken!"
fi
@@ -22,10 +24,8 @@ if [ "$OCPath" = "" ]; then
OCPath=../../EFI/OC
fi
-KeyPath="/tmp/Keys-$(/usr/bin/uuidgen)"
+KeyPath="/tmp/$(/usr/bin/uuidgen)"
OCBin="${OCPath}/OpenCore.efi"
-RootCA="${KeyPath}/ca.pem"
-PrivKey="${KeyPath}/privatekey.cer"
PubKey="${KeyPath}/vault.pub"
if [ ! -d "${OCPath}" ]; then
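Review bot: The rewritten precheck drops `/usr/bin/openssl` and `/usr/bin/strings` but does not check the bundled replacements, `./strings` and `./RsaTool`, that the script still depends on; the comment this same commit deletes from support.py describes precisely how a non-functional `strings` produced an unbootable OpenCore.efi, so that guard should move into the script rather than disappear. Extend the condition with `|| [ ! -x ./strings ] || [ ! -x ./RsaTool ]` (relative paths, assuming the `cd` to `dirname "$0"` that the unchanged middle of the file presumably performs). `cleanup()` now removes `${KeyPath}` silently and the SC2317 suppression suggests it is reached only through a trap; a one-line comment such as `# Called from the exit trap; removes the temporary key directory` would make that explicit.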
@@ -58,31 +58,14 @@ fi
./create_vault.sh "${OCPath}" || abort "create_vault.sh returns errors!"
-if [ ! -f "${RootCA}" ]; then
- /usr/bin/openssl genrsa -out "${RootCA}" 2048 || abort "Failed to generate CA"
- if [ -f "${PrivKey}" ]; then
- echo "WARNING: Private key exists without CA"
- fi
-fi
-
-/bin/rm -fP "${PrivKey}" || abort "Failed to remove ${PrivKey}"
-echo "Issuing a new private key..."
-/usr/bin/openssl req -new -x509 -key "${RootCA}" -out "${PrivKey}" -days 1825 -subj "/C=WO/L=127.0.0.1/O=Acidanthera/OU=Acidanthera OpenCore/CN=Greetings from Acidanthera and WWHC" || abort "Failed to issue private key!"
-
-/bin/rm -fP "${PubKey}" || abort "Failed to remove ${PubKey}"
-echo "Getting public key based off private key..."
-./RsaTool -cert "${PrivKey}" > "${PubKey}" || abort "Failed to get public key"
-
-echo "Signing ${OCBin}..."
+echo "Signing OpenCore..."
./RsaTool -sign "${OCPath}/vault.plist" "${OCPath}/vault.sig" "${PubKey}" || abort "Failed to patch ${PubKey}"
-
-echo "Bin-patching ${OCBin}..."
-off=$(($(/usr/bin/strings -a -t d "${OCBin}" | /usr/bin/grep "=BEGIN OC VAULT=" | /usr/bin/cut -f1 -d' ') + 16))
+off=$(($(./strings -a -t d "${OCBin}" | /usr/bin/grep "=BEGIN OC VAULT=" | /usr/bin/awk '{print $1}') + 16))
if [ "${off}" -le 16 ]; then
abort "${OCBin} is borked"
fi
/bin/dd of="${OCBin}" if="${PubKey}" bs=1 seek="${off}" count=528 conv=notrunc || abort "Failed to bin-patch ${OCBin}"
-echo "All done!"
+echo "Signing complete"
exit 0
diff --git a/payloads/Tools/CreateVault/strings b/payloads/Tools/CreateVault/strings
new file mode 100755
index 000000000..770e1183e
Binary files /dev/null and b/payloads/Tools/CreateVault/strings differ
diff --git a/resources/build/misc.py b/resources/build/misc.py
index 7969329c6..eddfbb53a 100644
--- a/resources/build/misc.py
+++ b/resources/build/misc.py
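Review bot: After this hunk the script never creates `${PubKey}` itself — the genrsa, `req -x509` and `RsaTool -cert` steps are gone — yet `RsaTool -sign ... "${PubKey}"` and the `dd` bin-patch still consume it, so the key pair must now be generated inside the modified RsaTool binary (inferred; its source is not part of this diff). Nothing left in the script says where the private key lives, whether it is ever written under `${KeyPath}` for `cleanup` to remove, or why the `/bin/rm -fP` secure-delete calls were dropped. Add a comment above the call along the lines of `# RsaTool -sign generates a fresh key pair, writes vault.sig and the 528-byte public key blob to ${PubKey}; the private key is never stored — confirm against RsaTool source`. The retained abort text `Failed to patch ${PubKey}` is also misleading for a signing failure; `abort "Failed to sign vault.plist"` describes what actually went wrong.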
@@ -342,11 +342,9 @@ class BuildMiscellaneous:
logging.info(f"- Setting custom OpenCore picker timeout to {self.constants.oc_timeout} seconds")
self.config["Misc"]["Boot"]["Timeout"] = self.constants.oc_timeout
- if self.constants.vault is True and utilities.check_command_line_tools() is True:
+ if self.constants.vault is True:
logging.info("- Setting Vault configuration")
self.config["Misc"]["Security"]["Vault"] = "Secure"
- support.BuildSupport(self.model, self.constants, self.config).get_efi_binary_by_path("OpenShell.efi", "Misc", "Tools")["Enabled"] = False
-
def _t1_handling(self) -> None:
"""
diff --git a/resources/build/support.py b/resources/build/support.py
index 5f0bcf43c..f1e96a0eb 100644
--- a/resources/build/support.py
+++ b/resources/build/support.py
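Review bot: Deleting the line that set OpenShell.efi to `Enabled = False` quietly re-enables the UEFI shell in vaulted builds, and neither the changelog entry nor a comment explains why. The shell lets anyone at the keyboard load arbitrary drivers and boot whatever the firmware exposes, which undercuts the tamper resistance the new "OpenCore Vaulting" checkbox advertises, even though the shell binary itself is hashed by create_vault.sh like every other file under OC. If the removal is intentional, say so in a comment under the vault branch; otherwise keep `support.BuildSupport(self.model, self.constants, self.config).get_efi_binary_by_path("OpenShell.efi", "Misc", "Tools")["Enabled"] = False` there. If that was the only use of `support` in this module, the import may now be unused — not visible here. The enclosing method starts above this hunk.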
@@ -108,17 +108,11 @@ class BuildSupport:
if self.constants.vault is False:
return
- if utilities.check_command_line_tools() is False:
- # sign.command checks for the existence of '/usr/bin/strings' however does not verify whether it's executable
- # sign.command will continue to run and create an unbootable OpenCore.efi due to the missing strings binary
- # macOS has dummy binaries that just reroute to the actual binaries after you install Xcode's Command Line Tools
- logging.info("- Missing Command Line tools, skipping Vault for saftey reasons")
- logging.info("- Install via 'xcode-select --install' and rerun OCLP if you wish to vault this config")
- return
-
- logging.info("- Vaulting EFI")
- subprocess.run([str(self.constants.vault_path), f"{self.constants.oc_folder}/"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
-
+ logging.info("- Vaulting EFI\n=========================================")
+ popen = subprocess.Popen([str(self.constants.vault_path), f"{self.constants.oc_folder}/"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, universal_newlines=True)
+ for stdout_line in iter(popen.stdout.readline, ""):
+ logging.info(stdout_line.strip())
+ logging.info("=========================================")
def validate_pathing(self) -> None:
"""
diff --git a/resources/wx_gui/gui_settings.py b/resources/wx_gui/gui_settings.py
index 0cad46cfc..3e3d51572 100644
--- a/resources/wx_gui/gui_settings.py
+++ b/resources/wx_gui/gui_settings.py
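Review bot: The new Popen loop streams the script's output but never waits on the process or looks at its exit status, so an `abort` in create_vault.sh or sign.command (exit 1) lets the build carry on with `Vault=Secure` already set by misc.py and a half-written vault.plist or an unpatched OpenCore.efi — the unbootable outcome the deleted comment warned about, now with no guard at all (the old `subprocess.run` ignored the status too, but the CLT check used to catch the common cause). `popen.stdout` is also never closed. Run the process under a context manager and fail the build on a non-zero return code, using whatever error path the rest of the build uses if `RuntimeError` is not it; the enclosing method's signature is above this hunk.
```python
        with subprocess.Popen([str(self.constants.vault_path), f"{self.constants.oc_folder}/"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, universal_newlines=True) as popen:
            for stdout_line in iter(popen.stdout.readline, ""):
                logging.info(stdout_line.strip())
        logging.info("=========================================")
        # A vault with a bad hash list or an unpatched OpenCore.efi will not boot; stop here rather than ship it.
        if popen.returncode != 0:
            raise RuntimeError(f"Vaulting failed with exit status {popen.returncode}")
```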
@@ -277,16 +277,16 @@ class SettingsFrame(wx.Frame):
"wrap_around 2": {
"type": "wrap_around",
},
- "APFS Trim": {
+ "OpenCore Vaulting": {
"type": "checkbox",
- "value": self.constants.apfs_trim_timeout,
- "variable": "apfs_trim_timeout",
+ "value": self.constants.vault,
+ "variable": "vault",
"description": [
- "Recommended for all users, however faulty",
- "SSDs may benefit from disabling this.",
+ "Digitally sign OpenCore to prevent",
+ "tampering or corruption."
],
- },
+
"Show OpenCore Boot Picker": {
"type": "checkbox",
"value": self.constants.showpicker,
@@ -443,6 +443,16 @@ class SettingsFrame(wx.Frame):
],
"condition": not bool(self.constants.computer.third_party_sata_ssd is False and not self.constants.custom_model)
},
+ "APFS Trim": {
+ "type": "checkbox",
+ "value": self.constants.apfs_trim_timeout,
+ "variable": "apfs_trim_timeout",
+ "description": [
+ "Recommended for all users, however faulty",
+ "SSDs may benefit from disabling this.",
+ ],
+
+ },
},
"Advanced": {
"Miscellaneous": {
@@ -836,6 +846,7 @@ class SettingsFrame(wx.Frame):
"Export constants.py values to a txt file.",
],
},
+
"Developer Root Volume Patching": {
"type": "title",
},
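Review bot: The description "Digitally sign OpenCore to prevent tampering or corruption" overstates what the checkbox does: vaulting makes OpenCore refuse to boot when a hashed file no longer matches vault.plist, it does not prevent modification, and any later change to the EFI folder (including rebuilding with different settings) requires re-vaulting or the machine will not start. Something like `"Sign OpenCore so it refuses to boot if its", "files are modified; rebuild after any change."` sets the right expectation for a user toggling this. Separately, as rendered the `},` closing the entry is removed and the added line is empty, which would leave the "OpenCore Vaulting" dict unclosed and nest "Show OpenCore Boot Picker" and its siblings inside it — if that is not an artifact of this rendering, restore `},` after the `],`.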