Add user-configurable Vaulting

Closes https://github.com/dortania/Opencore-Legacy-Patcher/issues/86
2026-06-20 14:10:51 +10:00 · 2021-03-09 18:32:48 -07:00
parent 062c93e77b
commit fef47af891
11 changed files with 238 additions and 1 deletions
@@ -10,6 +10,7 @@
 - Fix External Display Support on MacBookPro10,1
 - Inject Patcher version into NVRAM for easier debugging
 - Add user-configurable ShowPicker
 - Add user-configurable Vaulting, enabled by default
 ## 0.0.15
 - Add user-configurable OpenCore DEBUG builds
@@ -165,6 +165,24 @@ pressing the "Esc" key
            self.constants.showpicker = False
        else:
            print("Invalid option")
    def change_vault(self):
        utilities.cls()
        utilities.header(["Set OpenCore Vaulting"])
        print("""By default, this patcher will sign all your files and ensure none of the 
 contents can be tampered with. However for more advanced users, you may
 want to be able to freely edit the config.plist and files.
 Note: For secuirty reasons, OpenShell will be disabled when Vault is set.
        """)
        change_kext_menu = input("Enable Vault(y/n): ")
        if change_kext_menu in {"y", "Y", "yes", "Yes"}:
            self.constants.vault = True
        elif change_kext_menu in {"n", "N", "no", "No"}:
            self.constants.vault = False
        else:
            print("Invalid option")
    def patcher_settings(self):
        response = None
@@ -182,6 +200,7 @@ pressing the "Esc" key
                [f"Assume Metal GPU Always:\t\tCurrently {self.constants.kext_debug}", self.change_metal],
                [f"Assume Upgraded Wifi Always:\tCurrently {self.constants.kext_debug}", self.change_wifi],
                [f"Set ShowPicker Mode:\t\tCurrently {self.constants.showpicker}", self.change_showpicker],
                [f"Set Vault Mode:\t\t\tCurrently {self.constants.vault}", self.change_vault],
                [f"Set SMBIOS Mode:\t\t\tCurrently {self.constants.serial_settings}", self.change_serial], 
            ]
@@ -52,6 +52,12 @@ To use, simply:
 For nightly builds, you can either run `OpenCore-Patcher.command` from [main](https://github.com/dortania/Opencore-Legacy-Patcher/archive/main.zip) or grab the binary from  [Github Actions](https://github.com/dortania/Opencore-Legacy-Patcher/actions). Note the latter does not require a py3 install.
 ## Post-Installation
 Once finished, see below for common post-installation steps:
 * [Post-Installation](./POST-INSTALL.md)
 ## How to uninstall OpenCore?
 To remove OpenCore is actually quite simply:
@@ -51,6 +51,7 @@ class Constants:
        self.gui_mode = False
        self.serial_settings = "Minimal"
        self.showpicker = True
        self.vault = True
    # Payload Location
    # OpenCore
@@ -137,6 +138,8 @@ class Constants:
    # Tools
    @property
    def macserial_path(self): return self.payload_path / Path("Tools/macserial")
    @property
    def vault_path(self): return self.payload_path / Path("Tools/CreateVault/sign.command")
    # Icons
    @property
@@ -227,6 +227,10 @@ class BuildOpenCore:
            print("- Hiding picker and enabling PollAppleHotKeys")
            self.config["Misc"]["Boot"]["ShowPicker"] = False
            self.config["Misc"]["Boot"]["PollAppleHotKeys"] = True
        if self.constants.vault == True:
            print("- Setting Vault configuration")
            self.config["Misc"]["Security"]["Vault"] = "Secure"
            self.get_tool_by__path("OpenShell.efi")["Enabled"] = False
    def set_smbios(self):
        spoofed_model = self.model
@@ -360,6 +364,13 @@ class BuildOpenCore:
            print(f"- Could not find kext {bundle_path}!")
            raise IndexError
        return kext
    def get_tool_by__path(self, bundle_path):
        tool = self.get_item_by_kv(self.config["Misc"]["Tools"], "Path", bundle_path)
        if not tool:
            print(f"- Could not find Tool {bundle_path}!")
            raise IndexError
        return tool
    def enable_kext(self, kext_name, kext_version, kext_path, check=False):
        kext = self.get_kext_by_bundle_path(kext_name)
@@ -389,11 +400,17 @@ class BuildOpenCore:
            shutil.rmtree(i)
        Path(self.constants.opencore_zip_copied).unlink()
    def sign_files(self):
        if self.constants.vault == True:
            print("- Vaulting EFI")
            subprocess.run([self.constants.vault_path] + f"{self.constants.oc_folder}/".split(), stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    def build_opencore(self):
        self.build_efi()
        self.set_smbios()
        self.cleanup()
        self.sign_files()
        print("")
        print("Your OpenCore EFI has been built at:")
        print(f"    {self.constants.opencore_release_folder}")
@@ -0,0 +1,29 @@
 # Post-Installation
 * [Booting without USB drive](#booting-without-usb-drive)
 * [Booting seamlessly without Verbose or OpenCore Picker](#booting-seamlessly-without-verbose-or-opencore-picker)
 ## Booting without USB drive
 Once you've installed macOS through OpenCore, you can boot up and go through the regular install process. To boot without the USB drive plugged in is quite simple:
 * Download OpenCore Legacy Patcher
 * Change Patcher settings as you'd like
 * Build OpenCore again
 * Install OpenCore to internal drive
 * Reboot holding Option, and select the internal EFI
 And voila! No more USB drive required
 ## Booting seamlessly without Verbose or OpenCore Picker
 To do this, run the OpenCore Patcher and head to Patcher Settings:
 ![](../images/settings.png)
 Here you can change different patcher settings, however the main 2 of interest are:
 * Enable Verbose Mode
 * Set ShowPicker Mode
 Once you've toggled them both off, build your OpenCore EFI once again and install to your desired drive. Now to show OpenCore picker, you can simply press "Esc" key repeatedly.
@@ -28,7 +28,11 @@ With OpenCore Legacy Patcher, we rely on Apple Secure Boot to ensure OS updates
 ## Reboot when entering Hibernation (`Sleep Wake Failure`)
-Resolved in OpenCore-Legacy-Patcher v0.0.14
+[Known issue on some models](https://github.com/dortania/Opencore-Legacy-Patcher/issues/72), temporary fix is to disable Hibernation:
 ```
 sudo pmset -a hibernatemode 0
 ```
 ## Booting with a non-flashed GPU
@@ -0,0 +1,70 @@
 #!/bin/bash
 #  create_vault.sh
 #
 #
 #  Created by Rodion Shingarev on 13.04.19.
 #
 OCPath="$1"
 if [ "${OCPath}" = "" ]; then
  echo "Usage ./create_vault.sh path/to/EFI/OC"
  exit 1
 fi
 if [ ! -d "${OCPath}" ]; then
  echo "Path $OCPath is missing!"
  exit 1
 fi
 if [ ! -x /usr/bin/find ] || [ ! -x /bin/rm ] || [ ! -x /usr/bin/sed ] || [ ! -x /usr/bin/xxd ]; then
  echo "Unix environment is broken!"
  exit 1
 fi
 if [ ! -x /usr/libexec/PlistBuddy ]; then
  echo "PlistBuddy is missing!"
  exit 1
 fi
 if [ ! -x /usr/bin/shasum ]; then
  echo "shasum is missing!"
  exit 1
 fi
 abort() {
  /bin/rm -rf vault.plist vault.sig /tmp/vault_hash
  echo "Fatal error: ${1}!"
  exit 1
 }
 echo "Chose ${OCPath} for hashing..."
 cd "${OCPath}" || abort "Failed to reach ${OCPath}"
 /bin/rm -rf vault.plist vault.sig || abort "Failed to cleanup"
 /usr/libexec/PlistBuddy -c "Add Version integer 1" vault.plist || abort "Failed to set vault.plist version"
 echo "Hashing files in ${OCPath}..."
 /usr/bin/find . -not -path '*/\.*' -type f \
  \( ! -iname ".*" \) \
  \( ! -iname "vault.*" \) \
  \( ! -iname "OpenCore.efi" \) | while read -r fname; do
  fname="${fname#"./"}"
  wname="${fname//\//\\\\}"
  shasum=$(/usr/bin/shasum -a 256 "${fname}") || abort "Failed to hash ${fname}"
  sha=$(echo "$shasum" | /usr/bin/sed 's/^\([a-f0-9]\{64\}\).*/\1/') || abort "Illegit hashsum"
  if [ "${#sha}" != 64 ] || [ "$(echo "$sha"| /usr/bin/sed 's/^[a-f0-9]*$//')" ]; then
    abort "Got invalid hash: ${sha}!"
  fi
  echo "${wname}: ${sha}"
  echo "${sha}" | /usr/bin/xxd -r -p > /tmp/vault_hash || abort "Hashing failure"
  /usr/libexec/PlistBuddy -c "Import Files:'${wname}' /tmp/vault_hash" vault.plist || abort "Failed to append vault.plist!"
 done
 /bin/rm -rf /tmp/vault_hash
 echo "All done!"
 exit 0
@@ -0,0 +1,88 @@
 #!/bin/sh
 abort() {
  echo "Fatal error: ${1}!"
  exit 1
 }
 cleanup() {
  echo "Cleaning up keys"
  rm -rf "${KeyPath}"
 }
 if [ ! -x /usr/bin/dirname ] || [ ! -x /bin/chmod ] || [ ! -x /bin/mkdir ] || [ ! -x /usr/bin/openssl ] || [ ! -x /bin/rm ] || [ ! -x /usr/bin/strings ] || [ ! -x /usr/bin/grep ] || [ ! -x /usr/bin/cut ] || [ ! -x /bin/dd ] || [ ! -x /usr/bin/uuidgen ] ; then
  abort "Unix environment is broken!"
 fi
 cd "$(/usr/bin/dirname "$0")" || abort "Failed to enter working directory!"
 OCPath="$1"
 if [ "$OCPath" = "" ]; then
  OCPath=../../EFI/OC
 fi
 KeyPath="/tmp/Keys-$(/usr/bin/uuidgen)"
 OCBin="${OCPath}/OpenCore.efi"
 RootCA="${KeyPath}/ca.pem"
 PrivKey="${KeyPath}/privatekey.cer"
 PubKey="${KeyPath}/vault.pub"
 if [ ! -d "${OCPath}" ]; then
  abort "Path ${OCPath} is missing!"
 fi
 if [ ! -f "${OCBin}" ]; then
  abort "OpenCore.efi is missing!"
 fi
 if [ ! -x ./RsaTool ] || [ ! -x ./create_vault.sh ]; then
  if [ -f ./RsaTool ]; then
    /bin/chmod a+x ./RsaTool || abort "Failed to set permission for RsaTool"
  else
    abort "Failed to find RsaTool!"
  fi
  if [ -f ./create_vault.sh ]; then
    /bin/chmod a+x ./create_vault.sh || abort "Failed to set permission for create_vault.sh"
  else
    abort "Failed to find create_vault.sh!"
  fi
 fi
 trap cleanup EXIT INT TERM
 if [ ! -d "${KeyPath}" ]; then
  /bin/mkdir -p "${KeyPath}" || abort "Failed to create path ${KeyPath}"
 fi
 ./create_vault.sh "${OCPath}" || abort "create_vault.sh returns errors!"
 if [ ! -f "${RootCA}" ]; then
  /usr/bin/openssl genrsa -out "${RootCA}" 2048 || abort "Failed to generate CA"
  if [ -f "${PrivKey}" ]; then
    echo "WARNING: Private key exists without CA"
  fi
 fi
 /bin/rm -fP "${PrivKey}" || abort "Failed to remove ${PrivKey}"
 echo "Issuing a new private key..."
 /usr/bin/openssl req -new -x509 -key "${RootCA}" -out "${PrivKey}" -days 1825 -subj "/C=WO/L=127.0.0.1/O=Acidanthera/OU=Acidanthera OpenCore/CN=Greetings from Acidanthera and WWHC" || abort "Failed to issue private key!"
 /bin/rm -fP "${PubKey}" || abort "Failed to remove ${PubKey}"
 echo "Getting public key based off private key..."
 ./RsaTool -cert "${PrivKey}" > "${PubKey}" || abort "Failed to get public key"
 echo "Signing ${OCBin}..."
 ./RsaTool -sign "${OCPath}/vault.plist" "${OCPath}/vault.sig" "${PubKey}" || abort "Failed to patch ${PubKey}"
 echo "Bin-patching ${OCBin}..."
 off=$(($(/usr/bin/strings -a -t d "${OCBin}" | /usr/bin/grep "=BEGIN OC VAULT=" | /usr/bin/cut -f1 -d' ') + 16))
 if [ "${off}" -le 16 ]; then
  abort "${OCBin} is borked"
 fi
 /bin/dd of="${OCBin}" if="${PubKey}" bs=1 seek="${off}" count=528 conv=notrunc || abort "Failed to bin-patch ${OCBin}"
 echo "All done!"
 exit 0