Add user-configurable Vaulting

Closes https://github.com/dortania/Opencore-Legacy-Patcher/issues/86
2026-06-14 03:16:28 +10:00 · 2021-03-09 18:32:48 -07:00
parent 062c93e77b
commit fef47af891
11 changed files with 238 additions and 1 deletions
@@ -10,6 +10,7 @@
 - Fix External Display Support on MacBookPro10,1
 - Inject Patcher version into NVRAM for easier debugging
 - Add user-configurable ShowPicker
+- Add user-configurable Vaulting, enabled by default

 ## 0.0.15
 - Add user-configurable OpenCore DEBUG builds
@@ -165,6 +165,24 @@ pressing the "Esc" key
            self.constants.showpicker = False
        else:
            print("Invalid option")
+        
+    def change_vault(self):
+        utilities.cls()
+        utilities.header(["Set OpenCore Vaulting"])
+        print("""By default, this patcher will sign all your files and ensure none of the 
+contents can be tampered with. However for more advanced users, you may
+want to be able to freely edit the config.plist and files.
+
+Note: For secuirty reasons, OpenShell will be disabled when Vault is set.
+
+        """)
+        change_kext_menu = input("Enable Vault(y/n): ")
+        if change_kext_menu in {"y", "Y", "yes", "Yes"}:
+            self.constants.vault = True
+        elif change_kext_menu in {"n", "N", "no", "No"}:
+            self.constants.vault = False
+        else:
+            print("Invalid option")

    def patcher_settings(self):
        response = None
@@ -182,6 +200,7 @@ pressing the "Esc" key
                [f"Assume Metal GPU Always:\t\tCurrently {self.constants.kext_debug}", self.change_metal],
                [f"Assume Upgraded Wifi Always:\tCurrently {self.constants.kext_debug}", self.change_wifi],
                [f"Set ShowPicker Mode:\t\tCurrently {self.constants.showpicker}", self.change_showpicker],
+                [f"Set Vault Mode:\t\t\tCurrently {self.constants.vault}", self.change_vault],
                [f"Set SMBIOS Mode:\t\t\tCurrently {self.constants.serial_settings}", self.change_serial], 
            ]

@@ -52,6 +52,12 @@ To use, simply:

 For nightly builds, you can either run `OpenCore-Patcher.command` from [main](https://github.com/dortania/Opencore-Legacy-Patcher/archive/main.zip) or grab the binary from  [Github Actions](https://github.com/dortania/Opencore-Legacy-Patcher/actions). Note the latter does not require a py3 install.

+## Post-Installation
+
+Once finished, see below for common post-installation steps:
+
+* [Post-Installation](./POST-INSTALL.md)
+
 ## How to uninstall OpenCore?

 To remove OpenCore is actually quite simply:
@@ -51,6 +51,7 @@ class Constants:
        self.gui_mode = False
        self.serial_settings = "Minimal"
        self.showpicker = True
+        self.vault = True

    # Payload Location
    # OpenCore
@@ -137,6 +138,8 @@ class Constants:
    # Tools
    @property
    def macserial_path(self): return self.payload_path / Path("Tools/macserial")
+    @property
+    def vault_path(self): return self.payload_path / Path("Tools/CreateVault/sign.command")

    # Icons
    @property
@@ -227,6 +227,10 @@ class BuildOpenCore:
            print("- Hiding picker and enabling PollAppleHotKeys")
            self.config["Misc"]["Boot"]["ShowPicker"] = False
            self.config["Misc"]["Boot"]["PollAppleHotKeys"] = True
+        if self.constants.vault == True:
+            print("- Setting Vault configuration")
+            self.config["Misc"]["Security"]["Vault"] = "Secure"
+            self.get_tool_by__path("OpenShell.efi")["Enabled"] = False

    def set_smbios(self):
        spoofed_model = self.model
@@ -360,6 +364,13 @@ class BuildOpenCore:
            print(f"- Could not find kext {bundle_path}!")
            raise IndexError
        return kext
+    
+    def get_tool_by__path(self, bundle_path):
+        tool = self.get_item_by_kv(self.config["Misc"]["Tools"], "Path", bundle_path)
+        if not tool:
+            print(f"- Could not find Tool {bundle_path}!")
+            raise IndexError
+        return tool

    def enable_kext(self, kext_name, kext_version, kext_path, check=False):
        kext = self.get_kext_by_bundle_path(kext_name)
@@ -389,11 +400,17 @@ class BuildOpenCore:
            shutil.rmtree(i)

        Path(self.constants.opencore_zip_copied).unlink()
+    
+    def sign_files(self):
+        if self.constants.vault == True:
+            print("- Vaulting EFI")
+            subprocess.run([self.constants.vault_path] + f"{self.constants.oc_folder}/".split(), stdout=subprocess.PIPE, stderr=subprocess.STDOUT)

    def build_opencore(self):
        self.build_efi()
        self.set_smbios()
        self.cleanup()
+        self.sign_files()
        print("")
        print("Your OpenCore EFI has been built at:")
        print(f"    {self.constants.opencore_release_folder}")
@@ -0,0 +1,29 @@
+# Post-Installation
+
+* [Booting without USB drive](#booting-without-usb-drive)
+* [Booting seamlessly without Verbose or OpenCore Picker](#booting-seamlessly-without-verbose-or-opencore-picker)
+
+## Booting without USB drive
+
+Once you've installed macOS through OpenCore, you can boot up and go through the regular install process. To boot without the USB drive plugged in is quite simple:
+
+* Download OpenCore Legacy Patcher
+* Change Patcher settings as you'd like
+* Build OpenCore again
+* Install OpenCore to internal drive
+* Reboot holding Option, and select the internal EFI
+
+And voila! No more USB drive required
+
+## Booting seamlessly without Verbose or OpenCore Picker
+
+To do this, run the OpenCore Patcher and head to Patcher Settings:
+
+![](../images/settings.png)
+
+Here you can change different patcher settings, however the main 2 of interest are:
+
+* Enable Verbose Mode
+* Set ShowPicker Mode
+
+Once you've toggled them both off, build your OpenCore EFI once again and install to your desired drive. Now to show OpenCore picker, you can simply press "Esc" key repeatedly.
@@ -28,7 +28,11 @@ With OpenCore Legacy Patcher, we rely on Apple Secure Boot to ensure OS updates

 ## Reboot when entering Hibernation (`Sleep Wake Failure`)

-Resolved in OpenCore-Legacy-Patcher v0.0.14
+[Known issue on some models](https://github.com/dortania/Opencore-Legacy-Patcher/issues/72), temporary fix is to disable Hibernation:
+
+```
+sudo pmset -a hibernatemode 0
+```

 ## Booting with a non-flashed GPU

@@ -0,0 +1,70 @@
+#!/bin/bash
+
+#  create_vault.sh
+#
+#
+#  Created by Rodion Shingarev on 13.04.19.
+#
+OCPath="$1"
+
+if [ "${OCPath}" = "" ]; then
+  echo "Usage ./create_vault.sh path/to/EFI/OC"
+  exit 1
+fi
+
+if [ ! -d "${OCPath}" ]; then
+  echo "Path $OCPath is missing!"
+  exit 1
+fi
+
+if [ ! -x /usr/bin/find ] || [ ! -x /bin/rm ] || [ ! -x /usr/bin/sed ] || [ ! -x /usr/bin/xxd ]; then
+  echo "Unix environment is broken!"
+  exit 1
+fi
+
+if [ ! -x /usr/libexec/PlistBuddy ]; then
+  echo "PlistBuddy is missing!"
+  exit 1
+fi
+
+if [ ! -x /usr/bin/shasum ]; then
+  echo "shasum is missing!"
+  exit 1
+fi
+
+abort() {
+  /bin/rm -rf vault.plist vault.sig /tmp/vault_hash
+  echo "Fatal error: ${1}!"
+  exit 1
+}
+
+echo "Chose ${OCPath} for hashing..."
+
+cd "${OCPath}" || abort "Failed to reach ${OCPath}"
+/bin/rm -rf vault.plist vault.sig || abort "Failed to cleanup"
+/usr/libexec/PlistBuddy -c "Add Version integer 1" vault.plist || abort "Failed to set vault.plist version"
+
+echo "Hashing files in ${OCPath}..."
+
+/usr/bin/find . -not -path '*/\.*' -type f \
+  \( ! -iname ".*" \) \
+  \( ! -iname "vault.*" \) \
+  \( ! -iname "OpenCore.efi" \) | while read -r fname; do
+  fname="${fname#"./"}"
+  wname="${fname//\//\\\\}"
+  shasum=$(/usr/bin/shasum -a 256 "${fname}") || abort "Failed to hash ${fname}"
+  sha=$(echo "$shasum" | /usr/bin/sed 's/^\([a-f0-9]\{64\}\).*/\1/') || abort "Illegit hashsum"
+  if [ "${#sha}" != 64 ] || [ "$(echo "$sha"| /usr/bin/sed 's/^[a-f0-9]*$//')" ]; then
+    abort "Got invalid hash: ${sha}!"
+  fi
+
+  echo "${wname}: ${sha}"
+
+  echo "${sha}" | /usr/bin/xxd -r -p > /tmp/vault_hash || abort "Hashing failure"
+  /usr/libexec/PlistBuddy -c "Import Files:'${wname}' /tmp/vault_hash" vault.plist || abort "Failed to append vault.plist!"
+done
+
+/bin/rm -rf /tmp/vault_hash
+
+echo "All done!"
+exit 0
@@ -0,0 +1,88 @@
+#!/bin/sh
+
+abort() {
+  echo "Fatal error: ${1}!"
+  exit 1
+}
+
+cleanup() {
+  echo "Cleaning up keys"
+  rm -rf "${KeyPath}"
+}
+
+if [ ! -x /usr/bin/dirname ] || [ ! -x /bin/chmod ] || [ ! -x /bin/mkdir ] || [ ! -x /usr/bin/openssl ] || [ ! -x /bin/rm ] || [ ! -x /usr/bin/strings ] || [ ! -x /usr/bin/grep ] || [ ! -x /usr/bin/cut ] || [ ! -x /bin/dd ] || [ ! -x /usr/bin/uuidgen ] ; then
+  abort "Unix environment is broken!"
+fi
+
+cd "$(/usr/bin/dirname "$0")" || abort "Failed to enter working directory!"
+
+OCPath="$1"
+
+if [ "$OCPath" = "" ]; then
+  OCPath=../../EFI/OC
+fi
+
+KeyPath="/tmp/Keys-$(/usr/bin/uuidgen)"
+OCBin="${OCPath}/OpenCore.efi"
+RootCA="${KeyPath}/ca.pem"
+PrivKey="${KeyPath}/privatekey.cer"
+PubKey="${KeyPath}/vault.pub"
+
+if [ ! -d "${OCPath}" ]; then
+  abort "Path ${OCPath} is missing!"
+fi
+
+if [ ! -f "${OCBin}" ]; then
+  abort "OpenCore.efi is missing!"
+fi
+
+if [ ! -x ./RsaTool ] || [ ! -x ./create_vault.sh ]; then
+  if [ -f ./RsaTool ]; then
+    /bin/chmod a+x ./RsaTool || abort "Failed to set permission for RsaTool"
+  else
+    abort "Failed to find RsaTool!"
+  fi
+
+  if [ -f ./create_vault.sh ]; then
+    /bin/chmod a+x ./create_vault.sh || abort "Failed to set permission for create_vault.sh"
+  else
+    abort "Failed to find create_vault.sh!"
+  fi
+fi
+
+trap cleanup EXIT INT TERM
+
+if [ ! -d "${KeyPath}" ]; then
+  /bin/mkdir -p "${KeyPath}" || abort "Failed to create path ${KeyPath}"
+fi
+
+./create_vault.sh "${OCPath}" || abort "create_vault.sh returns errors!"
+
+if [ ! -f "${RootCA}" ]; then
+  /usr/bin/openssl genrsa -out "${RootCA}" 2048 || abort "Failed to generate CA"
+  if [ -f "${PrivKey}" ]; then
+    echo "WARNING: Private key exists without CA"
+  fi
+fi
+
+/bin/rm -fP "${PrivKey}" || abort "Failed to remove ${PrivKey}"
+echo "Issuing a new private key..."
+/usr/bin/openssl req -new -x509 -key "${RootCA}" -out "${PrivKey}" -days 1825 -subj "/C=WO/L=127.0.0.1/O=Acidanthera/OU=Acidanthera OpenCore/CN=Greetings from Acidanthera and WWHC" || abort "Failed to issue private key!"
+
+/bin/rm -fP "${PubKey}" || abort "Failed to remove ${PubKey}"
+echo "Getting public key based off private key..."
+./RsaTool -cert "${PrivKey}" > "${PubKey}" || abort "Failed to get public key"
+
+echo "Signing ${OCBin}..."
+./RsaTool -sign "${OCPath}/vault.plist" "${OCPath}/vault.sig" "${PubKey}" || abort "Failed to patch ${PubKey}"
+
+echo "Bin-patching ${OCBin}..."
+off=$(($(/usr/bin/strings -a -t d "${OCBin}" | /usr/bin/grep "=BEGIN OC VAULT=" | /usr/bin/cut -f1 -d' ') + 16))
+if [ "${off}" -le 16 ]; then
+  abort "${OCBin} is borked"
+fi
+
+/bin/dd of="${OCBin}" if="${PubKey}" bs=1 seek="${off}" count=528 conv=notrunc || abort "Failed to bin-patch ${OCBin}"
+
+echo "All done!"
+exit 0