timamsk/OpenCore-Legacy-Patcher
1
0
Fork 0
mirror of https://github.com/dortania/OpenCore-Legacy-Patcher.git synced 2026-06-21 22:50:51 +10:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1110 from dortania/vault_2

Browse Source 
Security - Enable vaulting by default
This commit is contained in:
Mykola Grymalyuk
2023-10-21 10:02:46 -06:00
committed by GitHub
parent 3f828d0d69 59e9ddfe3e
commit edbfa951c8
10 changed files with 78 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CHANGELOG.md
+1
View File
@@ -11,6 +11,7 @@
- Resolve PCIe FaceTime camera support on macOS 14.1 - Resolve PCIe FaceTime camera support on macOS 14.1
- Resolve T1 Security Chip support on macOS 14 - Resolve T1 Security Chip support on macOS 14
- Applicable for MacBookPro13,2, MacBookPro13,3, MacBookPro14,2, MacBookPro14,3 - Applicable for MacBookPro13,2, MacBookPro13,3, MacBookPro14,2, MacBookPro14,3
- Add support for stand alone OpenCore Vaulting without Xcode Command Line Tools (Jazzzny)
- Increment Binaries: - Increment Binaries:
- PatcherSupportPkg 1.4.2 - release - PatcherSupportPkg 1.4.2 - release
- AirportBrcmFixup 2.1.8 - release - AirportBrcmFixup 2.1.8 - release
README.md
+1
View File
@@ -100,6 +100,7 @@ To run the project from source, see here: [Build and run from source](./SOURCE.m
* Pre-Ivy Bridge Aquantia Ethernet Patch * Pre-Ivy Bridge Aquantia Ethernet Patch
* Non-Metal Photo Booth Patch for Monterey+ * Non-Metal Photo Booth Patch for Monterey+
* GUI and Backend Development * GUI and Backend Development
* Vaulting implementation
* Amazing users who've graciously donate hardware: * Amazing users who've graciously donate hardware:
* [JohnD](https://forums.macrumors.com/members/johnd.53633/) - 2013 Mac Pro * [JohnD](https://forums.macrumors.com/members/johnd.53633/) - 2013 Mac Pro
* [SpiGAndromeda](https://github.com/SpiGAndromeda) - AMD Vega 64 * [SpiGAndromeda](https://github.com/SpiGAndromeda) - AMD Vega 64
payloads/Tools/CreateVault/RsaTool
BIN
View File
Binary file not shown.
payloads/Tools/CreateVault/create_vault.sh
+45 -22
View File
@@ -4,8 +4,10 @@
# #
# #
# Created by Rodion Shingarev on 13.04.19. # Created by Rodion Shingarev on 13.04.19.
# Modified by Jazzzny for OpenCore Legacy Patcher on 06.10.23.
# #
OCPath="$1" OCPath="$1"
UtilsPath="$PWD"
if [ "${OCPath}" = "" ]; then if [ "${OCPath}" = "" ]; then
echo "Usage ./create_vault.sh path/to/EFI/OC" echo "Usage ./create_vault.sh path/to/EFI/OC"
@@ -17,54 +19,75 @@ if [ ! -d "${OCPath}" ]; then
exit 1 exit 1
fi fi
if [ ! -x /usr/bin/find ] || [ ! -x /bin/rm ] || [ ! -x /usr/bin/sed ] || [ ! -x /usr/bin/xxd ]; then if [ ! -x /usr/bin/env ] || [ ! -x /usr/bin/find ] || [ ! -x /bin/rm ] || [ ! -x /usr/bin/sed ] || [ ! -x /usr/bin/awk ] || [ ! -x /usr/bin/sort ] || [ ! -x /usr/bin/xxd ]; then
echo "Unix environment is broken!" echo "Unix environment is broken!"
exit 1 exit 1
fi fi
if [ ! -x /usr/libexec/PlistBuddy ]; then
echo "PlistBuddy is missing!"
exit 1
fi
if [ ! -x /usr/bin/shasum ]; then
echo "shasum is missing!"
exit 1
fi
abort() { abort() {
/bin/rm -rf vault.plist vault.sig /tmp/vault_hash /bin/rm -rf vault.plist vault.sig /tmp/vault_hash
echo "Fatal error: ${1}!" echo "Fatal error: ${1}!"
exit 1 exit 1
} }
echo "Chose ${OCPath} for hashing..." # plist output functions so we don't need PlistBuddy
write_header() {
cat <<EOF > "$1"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Files</key>
<dict>
EOF
}
write_file_name_and_hash() {
{
echo -e "\t\t<key>${2}</key>"
echo -e "\t\t<data>"
echo -e -n "\t\t"
cat "$3"
echo -e "\t\t</data>"
} >> "$1"
}
write_footer() {
cat <<EOF >> "$1"
</dict>
<key>Version</key>
<integer>1</integer>
</dict>
</plist>
EOF
}
cd "${OCPath}" || abort "Failed to reach ${OCPath}" cd "${OCPath}" || abort "Failed to reach ${OCPath}"
/bin/rm -rf vault.plist vault.sig || abort "Failed to cleanup" /bin/rm -rf vault.plist vault.sig || abort "Failed to cleanup"
/usr/libexec/PlistBuddy -c "Add Version integer 1" vault.plist || abort "Failed to set vault.plist version"
echo "Hashing files in ${OCPath}..." echo "Hashing OpenCore configuration..."
write_header vault.plist
/usr/bin/find . -not -path '*/\.*' -type f \ /usr/bin/find . -not -path '*/\.*' -type f \
\( ! -iname ".*" \) \ \( ! -iname ".*" \) \
\( ! -iname "vault.*" \) \ \( ! -iname "vault.*" \) \
\( ! -iname "OpenCore.efi" \) | while read -r fname; do \( ! -iname "MemTest86.log" \) \
\( ! -iname "MemTest86-Report-*.html" \) \
\( ! -iname "OpenCore.efi" \) | env LC_COLLATE=POSIX /usr/bin/sort | while read -r fname; do
fname="${fname#"./"}" fname="${fname#"./"}"
wname="${fname//\//\\\\}" wname="${fname//\//\\\\}"
shasum=$(/usr/bin/shasum -a 256 "${fname}") || abort "Failed to hash ${fname}" sha=$("${UtilsPath}"/openssl sha256 "${fname}" | /usr/bin/awk '{print $2}') || abort "Failed to hash ${fname}"
sha=$(echo "$shasum" | /usr/bin/sed 's/^\([a-f0-9]\{64\}\).*/\1/') || abort "Illegit hashsum"
if [ "${#sha}" != 64 ] || [ "$(echo "$sha"| /usr/bin/sed 's/^[a-f0-9]*$//')" ]; then if [ "${#sha}" != 64 ] || [ "$(echo "$sha"| /usr/bin/sed 's/^[a-f0-9]*$//')" ]; then
abort "Got invalid hash: ${sha}!" abort "Got invalid hash: ${sha}!"
fi fi
echo "${wname}: ${sha}" echo "${sha}" | /usr/bin/xxd -r -p | "${UtilsPath}"/openssl base64 > /tmp/vault_hash || abort "Hashing failure"
write_file_name_and_hash vault.plist "${wname}" /tmp/vault_hash
echo "${sha}" | /usr/bin/xxd -r -p > /tmp/vault_hash || abort "Hashing failure"
/usr/libexec/PlistBuddy -c "Import Files:'${wname}' /tmp/vault_hash" vault.plist || abort "Failed to append vault.plist!"
done done
/bin/rm -rf /tmp/vault_hash /bin/rm -rf /tmp/vault_hash
echo "All done!" write_footer vault.plist
exit 0 exit 0
payloads/Tools/CreateVault/openssl
Executable
BIN
View File
Binary file not shown.
payloads/Tools/CreateVault/sign.command
+8 -25
View File
@@ -1,16 +1,18 @@
#!/bin/sh #!/bin/sh
# Modified by Jazzzny for OpenCore Legacy Patcher on 06.10.23.
abort() { abort() {
echo "Fatal error: ${1}!" echo "Fatal error: ${1}!"
exit 1 exit 1
} }
# shellcheck disable=SC2317
cleanup() { cleanup() {
echo "Cleaning up keys"
rm -rf "${KeyPath}" rm -rf "${KeyPath}"
} }
if [ ! -x /usr/bin/dirname ] || [ ! -x /bin/chmod ] || [ ! -x /bin/mkdir ] || [ ! -x /usr/bin/openssl ] || [ ! -x /bin/rm ] || [ ! -x /usr/bin/strings ] || [ ! -x /usr/bin/grep ] || [ ! -x /usr/bin/cut ] || [ ! -x /bin/dd ] || [ ! -x /usr/bin/uuidgen ] ; then if [ ! -x /usr/bin/dirname ] || [ ! -x /bin/chmod ] || [ ! -x /bin/mkdir ] || [ ! -x /bin/rm ] || [ ! -x /usr/bin/grep ] || [ ! -x /usr/bin/awk ] || [ ! -x /bin/dd ] || [ ! -x /usr/bin/uuidgen ] ; then
abort "Unix environment is broken!" abort "Unix environment is broken!"
fi fi
@@ -22,10 +24,8 @@ if [ "$OCPath" = "" ]; then
OCPath=../../EFI/OC OCPath=../../EFI/OC
fi fi
KeyPath="/tmp/Keys-$(/usr/bin/uuidgen)" KeyPath="/tmp/$(/usr/bin/uuidgen)"
OCBin="${OCPath}/OpenCore.efi" OCBin="${OCPath}/OpenCore.efi"
RootCA="${KeyPath}/ca.pem"
PrivKey="${KeyPath}/privatekey.cer"
PubKey="${KeyPath}/vault.pub" PubKey="${KeyPath}/vault.pub"
if [ ! -d "${OCPath}" ]; then if [ ! -d "${OCPath}" ]; then
@@ -58,31 +58,14 @@ fi
./create_vault.sh "${OCPath}" || abort "create_vault.sh returns errors!" ./create_vault.sh "${OCPath}" || abort "create_vault.sh returns errors!"
if [ ! -f "${RootCA}" ]; then echo "Signing OpenCore..."
/usr/bin/openssl genrsa -out "${RootCA}" 2048 || abort "Failed to generate CA"
if [ -f "${PrivKey}" ]; then
echo "WARNING: Private key exists without CA"
fi
fi
/bin/rm -fP "${PrivKey}" || abort "Failed to remove ${PrivKey}"
echo "Issuing a new private key..."
/usr/bin/openssl req -new -x509 -key "${RootCA}" -out "${PrivKey}" -days 1825 -subj "/C=WO/L=127.0.0.1/O=Acidanthera/OU=Acidanthera OpenCore/CN=Greetings from Acidanthera and WWHC" || abort "Failed to issue private key!"
/bin/rm -fP "${PubKey}" || abort "Failed to remove ${PubKey}"
echo "Getting public key based off private key..."
./RsaTool -cert "${PrivKey}" > "${PubKey}" || abort "Failed to get public key"
echo "Signing ${OCBin}..."
./RsaTool -sign "${OCPath}/vault.plist" "${OCPath}/vault.sig" "${PubKey}" || abort "Failed to patch ${PubKey}" ./RsaTool -sign "${OCPath}/vault.plist" "${OCPath}/vault.sig" "${PubKey}" || abort "Failed to patch ${PubKey}"
off=$(($(./strings -a -t d "${OCBin}" | /usr/bin/grep "=BEGIN OC VAULT=" | /usr/bin/awk '{print $1}') + 16))
echo "Bin-patching ${OCBin}..."
off=$(($(/usr/bin/strings -a -t d "${OCBin}" | /usr/bin/grep "=BEGIN OC VAULT=" | /usr/bin/cut -f1 -d' ') + 16))
if [ "${off}" -le 16 ]; then if [ "${off}" -le 16 ]; then
abort "${OCBin} is borked" abort "${OCBin} is borked"
fi fi
/bin/dd of="${OCBin}" if="${PubKey}" bs=1 seek="${off}" count=528 conv=notrunc || abort "Failed to bin-patch ${OCBin}" /bin/dd of="${OCBin}" if="${PubKey}" bs=1 seek="${off}" count=528 conv=notrunc || abort "Failed to bin-patch ${OCBin}"
echo "All done!" echo "Signing complete"
exit 0 exit 0
payloads/Tools/CreateVault/strings
Executable
BIN
View File
Binary file not shown.
resources/build/misc.py
+1 -3
View File
@@ -342,11 +342,9 @@ class BuildMiscellaneous:
logging.info(f"- Setting custom OpenCore picker timeout to {self.constants.oc_timeout} seconds") logging.info(f"- Setting custom OpenCore picker timeout to {self.constants.oc_timeout} seconds")
self.config["Misc"]["Boot"]["Timeout"] = self.constants.oc_timeout self.config["Misc"]["Boot"]["Timeout"] = self.constants.oc_timeout
if self.constants.vault is True and utilities.check_command_line_tools() is True: if self.constants.vault is True:
logging.info("- Setting Vault configuration") logging.info("- Setting Vault configuration")
self.config["Misc"]["Security"]["Vault"] = "Secure" self.config["Misc"]["Security"]["Vault"] = "Secure"
support.BuildSupport(self.model, self.constants, self.config).get_efi_binary_by_path("OpenShell.efi", "Misc", "Tools")["Enabled"] = False
def _t1_handling(self) -> None: def _t1_handling(self) -> None:
""" """
resources/build/support.py
+5 -11
View File
@@ -108,17 +108,11 @@ class BuildSupport:
if self.constants.vault is False: if self.constants.vault is False:
return return
if utilities.check_command_line_tools() is False: logging.info("- Vaulting EFI\n=========================================")
# sign.command checks for the existence of '/usr/bin/strings' however does not verify whether it's executable popen = subprocess.Popen([str(self.constants.vault_path), f"{self.constants.oc_folder}/"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, universal_newlines=True)
# sign.command will continue to run and create an unbootable OpenCore.efi due to the missing strings binary for stdout_line in iter(popen.stdout.readline, ""):
# macOS has dummy binaries that just reroute to the actual binaries after you install Xcode's Command Line Tools logging.info(stdout_line.strip())
logging.info("- Missing Command Line tools, skipping Vault for saftey reasons") logging.info("=========================================")
logging.info("- Install via 'xcode-select --install' and rerun OCLP if you wish to vault this config")
return
logging.info("- Vaulting EFI")
subprocess.run([str(self.constants.vault_path), f"{self.constants.oc_folder}/"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
def validate_pathing(self) -> None: def validate_pathing(self) -> None:
""" """
resources/wx_gui/gui_settings.py
+17 -6
View File
@@ -277,16 +277,16 @@ class SettingsFrame(wx.Frame):
"wrap_around 2": { "wrap_around 2": {
"type": "wrap_around", "type": "wrap_around",
}, },
"APFS Trim": { "OpenCore Vaulting": {
"type": "checkbox", "type": "checkbox",
"value": self.constants.apfs_trim_timeout, "value": self.constants.vault,
"variable": "apfs_trim_timeout", "variable": "vault",
"description": [ "description": [
"Recommended for all users, however faulty", "Digitally sign OpenCore to prevent",
"SSDs may benefit from disabling this.", "tampering or corruption."
], ],
}, },
"Show OpenCore Boot Picker": { "Show OpenCore Boot Picker": {
"type": "checkbox", "type": "checkbox",
"value": self.constants.showpicker, "value": self.constants.showpicker,
@@ -443,6 +443,16 @@ class SettingsFrame(wx.Frame):
], ],
"condition": not bool(self.constants.computer.third_party_sata_ssd is False and not self.constants.custom_model) "condition": not bool(self.constants.computer.third_party_sata_ssd is False and not self.constants.custom_model)
}, },
"APFS Trim": {
"type": "checkbox",
"value": self.constants.apfs_trim_timeout,
"variable": "apfs_trim_timeout",
"description": [
"Recommended for all users, however faulty",
"SSDs may benefit from disabling this.",
],
},
}, },
"Advanced": { "Advanced": {
"Miscellaneous": { "Miscellaneous": {
@@ -836,6 +846,7 @@ class SettingsFrame(wx.Frame):
"Export constants.py values to a txt file.", "Export constants.py values to a txt file.",
], ],
}, },
"Developer Root Volume Patching": { "Developer Root Volume Patching": {
"type": "title", "type": "title",
}, },