mirror of
https://github.com/acidanthera/OpenCorePkg.git
synced 2026-02-01 15:59:39 +00:00
Docs: Update FixupAppleEfiImages wording
parent
94ec1dc375
commit
4087300e3f
@ -1 +1 @@
|
||||
b793988590c9e9ddd71ce9318abe5369
|
||||
476c1deb24db35e352f1a9fcf36b8374
|
||||
|
||||
Binary file not shown.
@ -1620,22 +1620,20 @@ To view their current state, use the \texttt{pmset -g} command in Terminal.
|
||||
\texttt{FixupAppleEfiImages}\\
|
||||
\textbf{Type}: \texttt{plist\ boolean}\\
|
||||
\textbf{Failsafe}: \texttt{false}\\
|
||||
\textbf{Description}: Fix errors in early Mac OS X boot.efi images.
|
||||
\textbf{Description}: Fix permissions and section errors in macOS \texttt{boot.efi} images.
|
||||
|
||||
Modern secure PE loaders will refuse to load \texttt{boot.efi} images from
|
||||
Mac OS X 10.4 to macOS 10.12 due to these files containing \texttt{W\^{}X} errors
|
||||
(in all versions) and illegal overlapping sections (in 10.4 and 10.5 32-bit
|
||||
versions only).
|
||||
Mac OS X \texttt{boot.efi} images contain \texttt{W\^{}X} permissions errors
|
||||
(in all versions) and in very old versions additionally contain illegal overlapping sections
|
||||
(affects 10.4 and 10.5 32-bit versions only). Modern secure PE loaders (including the OpenCore
|
||||
loader in current releases of OpenDuet) will refuse to load these images
|
||||
unless additional mitigations are applied.
|
||||
|
||||
This quirk detects these issues and pre-processes such images in memory,
|
||||
This quirk detects these issues and pre-processes such images in memory
|
||||
so that a modern loader will accept them.
|
||||
|
||||
Pre-processing in memory is incompatible with secure boot, as the image loaded
|
||||
is not the image on disk, so you cannot sign files which are loaded in this way
|
||||
based on their original disk image contents.
|
||||
Certain firmware will offer to register the hash of new, unknown images - this would
|
||||
still work. On the other hand, it is not particularly realistic to want to
|
||||
start these early, insecure images with secure boot anyway.
|
||||
If on a system with such a secure loader, this quirk is required to load
|
||||
Mac OS X 10.4 to macOS 10.12, and is required for all newer
|
||||
macOS when \texttt{SecureBootModel} is set to \texttt{Disabled}.
|
||||
|
||||
\emph{Note 1}: The quirk is never applied during the Apple secure boot path for
|
||||
newer macOS. The Apple secure boot path includes its own separate mitigations
|
||||
@ -1652,11 +1650,13 @@ To view their current state, use the \texttt{pmset -g} command in Terminal.
|
||||
within their filesystem.
|
||||
\end{itemize}
|
||||
|
||||
\emph{Note 3}: This quirk is needed for Mac OS X 10.4 to macOS 10.12 (and
|
||||
higher, if Apple secure boot is not enabled), but only when the firmware
|
||||
itself includes a modern, more secure PE COFF image loader. This applies to
|
||||
current builds of OpenDuet, and to OVMF if built from audk source code.
|
||||
|
||||
\emph{Note 3}: Pre-processing in memory is incompatible with secure boot, as the image loaded
|
||||
is not the image on disk, so you cannot sign files which are loaded in this way
|
||||
based on their original disk image contents.
|
||||
Certain firmware will offer to register the hash of new, unknown images - this would
|
||||
still work. On the other hand, it is not particularly realistic to want to
|
||||
start these early, insecure images with secure boot anyway.
|
||||
|
||||
\item
|
||||
\texttt{ForceBooterSignature}\\
|
||||
\textbf{Type}: \texttt{plist\ boolean}\\
|
||||
|
||||
Binary file not shown.
@ -1,7 +1,7 @@
|
||||
\documentclass[]{article}
|
||||
%DIF LATEXDIFF DIFFERENCE FILE
|
||||
%DIF DEL PreviousConfiguration.tex Fri Aug 16 15:32:06 2024
|
||||
%DIF ADD ../Configuration.tex Fri Aug 16 15:32:06 2024
|
||||
%DIF DEL PreviousConfiguration.tex Tue Sep 3 09:18:54 2024
|
||||
%DIF ADD ../Configuration.tex Sun Sep 29 21:16:14 2024
|
||||
|
||||
\usepackage{lmodern}
|
||||
\usepackage{amssymb,amsmath}
|
||||
@ -118,7 +118,7 @@
|
||||
%DIF HYPERREF PREAMBLE %DIF PREAMBLE
|
||||
\providecommand{\DIFadd}[1]{\texorpdfstring{\DIFaddtex{#1}}{#1}} %DIF PREAMBLE
|
||||
\providecommand{\DIFdel}[1]{\texorpdfstring{\DIFdeltex{#1}}{}} %DIF PREAMBLE
|
||||
%DIF LISTINGS PREAMBLE %DIF PREAMBLE
|
||||
%DIF COLORLISTINGS PREAMBLE %DIF PREAMBLE
|
||||
\RequirePackage{listings} %DIF PREAMBLE
|
||||
\RequirePackage{color} %DIF PREAMBLE
|
||||
\lstdefinelanguage{DIFcode}{ %DIF PREAMBLE
|
||||
@ -1680,22 +1680,28 @@ To view their current state, use the \texttt{pmset -g} command in Terminal.
|
||||
\texttt{FixupAppleEfiImages}\\
|
||||
\textbf{Type}: \texttt{plist\ boolean}\\
|
||||
\textbf{Failsafe}: \texttt{false}\\
|
||||
\textbf{Description}: Fix errors in early Mac OS X boot.efi images.
|
||||
\textbf{Description}: Fix \DIFdelbegin \DIFdel{errors in early Mac OS X boot.efi }\DIFdelend \DIFaddbegin \DIFadd{permissions and section errors in macOS }\texttt{\DIFadd{boot.efi}} \DIFaddend images.
|
||||
|
||||
Modern secure PE loaders will refuse to load \texttt{boot.efi} images from
|
||||
Mac OS X 10.4 to macOS 10.12 due to these files containing \texttt{W\^{}X} errors
|
||||
(in all versions) and illegal overlapping sections (in 10.4 and 10.5 32-bit
|
||||
versions only).
|
||||
\DIFdelbegin \DIFdel{Modern secure PE loaders will refuse to load }\texttt{\DIFdel{boot.efi}} %DIFAUXCMD
|
||||
\DIFdel{images from
|
||||
}\DIFdelend Mac OS X \DIFdelbegin \DIFdel{10.4 to macOS 10.12 due to these files containing }\DIFdelend \DIFaddbegin \texttt{\DIFadd{boot.efi}} \DIFadd{images contain }\DIFaddend \texttt{W\^{}X} \DIFaddbegin \DIFadd{permissions }\DIFaddend errors
|
||||
(in all versions) and \DIFaddbegin \DIFadd{in very old versions additionally contain }\DIFaddend illegal overlapping sections
|
||||
(\DIFdelbegin \DIFdel{in }\DIFdelend \DIFaddbegin \DIFadd{affects }\DIFaddend 10.4 and 10.5 32-bit versions only). \DIFaddbegin \DIFadd{Modern secure PE loaders (including the OpenCore
|
||||
loader in current releases of OpenDuet) will refuse to load these images
|
||||
unless additional mitigations are applied.
|
||||
}\DIFaddend
|
||||
|
||||
This quirk detects these issues and pre-processes such images in memory,
|
||||
so that a modern loader will accept them.
|
||||
This quirk detects these issues and pre-processes such images in memory
|
||||
\DIFdelbegin \DIFdel{,
|
||||
}\DIFdelend so that a modern loader will accept them.
|
||||
|
||||
Pre-processing in memory is incompatible with secure boot, as the image loaded
|
||||
\DIFdelbegin \DIFdel{Pre-processing in memory is incompatible with secure boot, as the image loaded
|
||||
is not the image on disk, so you cannot sign files which are loaded in this way
|
||||
based on their original disk image contents.
|
||||
Certain firmware will offer to register the hash of new, unknown images - this would
|
||||
still work. On the other hand, it is not particularly realistic to want to
|
||||
start these early, insecure images with secure boot anyway.
|
||||
still work. On the other hand, it is not particularly realistic to want to start these early, insecure images with secure boot anyway}\DIFdelend \DIFaddbegin \DIFadd{If on a system with such a secure loader, this quirk is required to load
|
||||
Mac OS X 10.4 to macOS 10.12, and is required for all newer
|
||||
macOS when }\texttt{\DIFadd{SecureBootModel}} \DIFadd{is set to }\texttt{\DIFadd{Disabled}}\DIFaddend .
|
||||
|
||||
\emph{Note 1}: The quirk is never applied during the Apple secure boot path for
|
||||
newer macOS. The Apple secure boot path includes its own separate mitigations
|
||||
@ -1712,10 +1718,15 @@ To view their current state, use the \texttt{pmset -g} command in Terminal.
|
||||
within their filesystem.
|
||||
\end{itemize}
|
||||
|
||||
\emph{Note 3}: This quirk is needed for Mac OS X 10.4 to macOS 10.12 (and
|
||||
higher, if Apple secure boot is not enabled), but only when the firmware
|
||||
itself includes a modern, more secure PE COFF image loader. This applies to
|
||||
current builds of OpenDuet, and to OVMF if built from audk source code.
|
||||
\emph{Note 3}: \DIFdelbegin \DIFdel{This quirk is needed for Mac OS X 10.4 to macOS 10.12 (and
|
||||
higher, if Apple secure bootis not enabled), but only when the firmware
|
||||
itself includes a modern, more secure PE COFF image loader.
|
||||
This applies to current builds of OpenDuet, and to OVMF if built from audk source code}\DIFdelend \DIFaddbegin \DIFadd{Pre-processing in memory is incompatible with secure boot, as the image loaded
|
||||
is not the image on disk, so you cannot sign files which are loaded in this way
|
||||
based on their original disk image contents.
|
||||
Certain firmware will offer to register the hash of new, unknown images - this would
|
||||
still work. On the other hand, it is not particularly realistic to want to
|
||||
start these early, insecure images with secure boot anyway}\DIFaddend .
|
||||
|
||||
\item
|
||||
\texttt{ForceBooterSignature}\\
|
||||
|
||||
Binary file not shown.