OcBootManagementLib: Ensure initiator variable deletion and fix docs

vit9696 2020-08-31 16:45:16 +03:00
parent acd769a557
commit f972e643b5
6 changed files with 178 additions and 28 deletions


@ -19,6 +19,7 @@
\usepackage{textcomp}
\usepackage{tikz}
\setcounter{tocdepth}{2}
\usetikzlibrary{trees}
\tikzstyle{every node}=[draw=black,thick,anchor=west]
\tikzstyle{selected}=[draw=blue]
@ -2479,6 +2480,10 @@ refer to \hyperref[legacyapple]{Legacy Apple OS}.
\end{tabular}
\end{center}
\emph{Note}: \texttt{3+2} and \texttt{6+4} hotkeys to choose the preferred
architecture are unsupported due to being handled by EfiBoot and thus
being hard to properly detect.
\item
\texttt{KernelCache}\\
\textbf{Type}: \texttt{plist\ string}\\
@ -3223,13 +3228,40 @@ nvram 4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102:boot-log |
\href{https://support.apple.com/en-us/HT208330}{\texttt{Full Security}} of Apple
Secure Boot.
\emph{Note 1}: You will have to reinstall the operating system or use macOS DMG recovery
to \texttt{bless --personalize} your installation after setting this value to non-zero.
Installing the operating system with \texttt{ApECID} value set to non-zero is only
possible through macOS recovery or personalized builds created with \texttt{asr}.
To start using personalised Apple Secure Boot you will have to reinstall the
operating system or personalise it. Until your operating system is personalised
you will only be able to load macOS DMG recovery. If you do not have DMG recovery
you could always download it with \texttt{macrecovery} utility and put to
\texttt{com.apple.recovery.boot} as explained in
\hyperref[reinstallmacos]{Tips and Tricks} section. Keep in mind that
\hyperref[securedmgloading]{DMG loading} needs to be set to \texttt{Signed}
to use any DMG with Apple Secure Boot.
\emph{Note 2}: Currently the use of this option is unrealiable (apparently to a bug
in macOS installer), and thus its use is not recommended.
To personalise an existing operating system use \texttt{bless} command
after loading to macOS DMG recovery. Mount the system volume partition,
unless it has already been mounted, and execute the following command:
\begin{lstlisting}[label=blesspersona, style=ocbash]
bless bless --folder "/Volumes/Macintosh HD/System/Library/CoreServices" \
--bootefi --personalize
\end{lstlisting}
When reinstalling the operating system, keep in mind that current versions
of macOS Installer, tested as of 10.15.6, will usually run out of free memory
on the \texttt{/var/tmp} partition when trying to install macOS
with the personalised Apple Secure Boot. Soon after downloading the macOS installer
image an \texttt{Unable to verify macOS} error message will appear. To workaround
this issue allocate a dedicated RAM disk of 2 MBs for macOS personalisation
by entering the following commands in macOS recovery terminal before starting the
installation:
\begin{lstlisting}[label=secureboot, style=ocbash]
disk=$(hdiutil attach -nomount ram://4096)
diskutil erasevolume HFS+ SecureBoot $disk
diskutil unmount $disk
mkdir /var/tmp/OSPersonalizationTemp
diskutil mount -mountpoint /var/tmp/OSPersonalizationTemp $disk
\end{lstlisting}
\item
\texttt{AuthRestart}\\
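Review bot: the listing at label `blesspersona` repeats the command name (`bless bless --folder ...`); drop the duplicated word so it reads `bless --folder "/Volumes/Macintosh HD/System/Library/CoreServices" --bootefi --personalize`, otherwise readers copying it verbatim get an argument error. In the paragraph before the `secureboot` listing, the installer runs out of free space on `/var/tmp`, not memory, and `To workaround` should be `To work around`. While touching this block, the `Note 2` text reads `unrealiable (apparently to a bug` and should be `unreliable (apparently due to a bug`.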
@ -3548,6 +3580,9 @@ rm vault.pub
\item The list of cached drivers may be different, resulting in the need
to change the list of \texttt{Added} or \texttt{Forced} kernel drivers.
For example, \texttt{IO80211Family} cannot be injected in this case.
\item System volume alterations on operating systems with sealing, like
macOS~11, may result in the operating system being unbootable. Do not
try to disable system volume encryption unless you disable Apple Secure Boot.
\item If your platform requires certain settings, but they were not enabled,
because the obvious issues did not trigger before, you may get boot failure.
Be extra careful with \texttt{IgnoreInvalidFlexRatio} or \texttt{HashServices}.
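Review bot: the new sealing bullet switches terms mid-sentence: it opens with system volume sealing on macOS~11 but then advises not to `disable system volume encryption`. If the sealed system volume is meant, say `system volume sealing` there so it is not confused with FileVault, which is a separate mechanism.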
@ -6028,15 +6063,45 @@ older macOS operating systems.
\begin{itemize}
\item All previous issues apply.
\item Last released installer images for macOS~10.6 are macOS~10.6.7
builds \texttt{10J3250} and \texttt{10J4139} (without Xcode).
These images are limited to certain model identifiers and have no
\texttt{-no\_compat\_check} boot argument support. Images without
such restrictions can be found \href{https://mega.nz/folder/z5YUhYTb#gA\_IRY5KMuYpnNCg7kR3ug}{here},
builds \texttt{10J3250} (for \texttt{MacBookPro8,x}) and
\texttt{10J4139} (for \texttt{iMac12,x}), without Xcode). These
images are limited to their target model identifiers and have no
\texttt{-no\_compat\_check} boot argument support. Modified images
(with \texttt{ACDT} suffix) without model restrictions can be found
\href{https://mega.nz/folder/z5YUhYTb#gA\_IRY5KMuYpnNCg7kR3ug}{here},
assuming that you legally own macOS~10.6. Read \texttt{DIGEST.txt}
for more details. Keep in mind, that these are the earliest tested
versions of macOS~10.6 with OpenCore.
\end{itemize}
You can also patch out model checking yourself by editing \texttt{OSInstall.mpkg}
with e.g. \texttt{Flat Package Editor} by making \texttt{Distribution}
script to always return \texttt{true} in \texttt{hwbeModelCheck} function.
Since updating the only file in the image and not corrupting other files
can be difficult and may cause slow booting due to kernel cache date
changes, it is recommended to script image rebuilding as shown below:
\begin{lstlisting}[label=snowrebuild, style=ocbash]
#!/bin/bash
# Original.dmg is original image, OSInstall.mpkg is patched package
mkdir RO
hdiutil mount Original.dmg -noverify -noautoopen -noautoopenrw -noautofsck -mountpoint RO
cp RO/.DS_Store DS_STORE
hdiutil detach RO -force
rm -rf RO
hdiutil convert Original.dmg -format UDRW -o ReadWrite.dmg
mkdir RW
xattr -c OSInstall.mpkg
hdiutil mount ReadWrite.dmg -noverify -noautoopen -noautoopenrw -noautofsck -mountpoint RW
cp OSInstall.mpkg RW/System/Installation/Packages/OSInstall.mpkg
killall Finder fseventsd
rm -rf RW/.fseventsd
cp DS_STORE RW/.DS_Store
hdiutil detach RW -force
rm -rf DS_STORE RW
hdiutil convert ReadWrite.dmg -format UDZO -o ReadOnly.dmg
\end{lstlisting}
\subsection{UEFI Secure Boot}\label{uefisecureboot}
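Review bot: the `snowrebuild` script has no error handling, so if `hdiutil mount` of `ReadWrite.dmg` fails the following `cp` writes into the empty `RW` directory and `hdiutil convert` then emits an unpatched image that looks successful; add `set -e` (and ideally `set -u`) right after `#!/bin/bash` so any failed step stops the script. Also `Keep in mind, that these are` should lose the comma.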
@ -6312,7 +6377,7 @@ you will need \texttt{debug=0x8} boot argument.
the operating system within the OpenCore variable space. Note, that \texttt{RequestBootVarRouting}
requires a separate driver for functioning.
\item
\item \label{reinstallmacos}
\textbf{What is the simplest way to install macOS?}
Copy online recovery image (\texttt{*.dmg} and \texttt{*.chunklist} files)


@ -1,7 +1,7 @@
\documentclass[]{article}
%DIF LATEXDIFF DIFFERENCE FILE
%DIF DEL PreviousConfiguration.tex Sat Aug 8 20:55:30 2020
%DIF ADD ../Configuration.tex Sat Aug 29 20:30:21 2020
%DIF ADD ../Configuration.tex Mon Aug 31 16:42:45 2020
\usepackage{lmodern}
\usepackage{amssymb,amsmath}
@ -25,6 +25,9 @@
\usepackage{textcomp}
\usepackage{tikz}
%DIF 23a22
\setcounter{tocdepth}{2} %DIF >
%DIF -------
\usetikzlibrary{trees}
\tikzstyle{every node}=[draw=black,thick,anchor=west]
\tikzstyle{selected}=[draw=blue]
@ -2593,6 +2596,11 @@ refer to }\hyperref[legacyapple]{Legacy Apple OS}\DIFadd{.
\end{tabular}
\end{center}
\emph{\DIFadd{Note}}\DIFadd{: }\texttt{\DIFadd{3+2}} \DIFadd{and }\texttt{\DIFadd{6+4}} \DIFadd{hotkeys to choose the preferred
architecture are unsupported due to being handled by EfiBoot and thus
being hard to properly detect.
}
\item
\texttt{\DIFadd{KernelCache}}\\
\textbf{\DIFadd{Type}}\DIFadd{: }\texttt{\DIFadd{plist\ string}}\\
@ -3344,16 +3352,48 @@ nvram 4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102:boot-log |
Secure Boot.
}
\emph{\DIFadd{Note 1}}\DIFadd{: You will have to reinstall the operating system or use macOS DMG recovery
to }\texttt{\DIFadd{bless --personalize}} \DIFadd{your installation after setting this value to non-zero.
Installing the operating system with }\texttt{\DIFadd{ApECID}} \DIFadd{value set to non-zero is only
possible through macOS recovery or personalized builds created with }\texttt{\DIFadd{asr}}\DIFadd{.
\DIFadd{To start using personalised Apple Secure Boot you will have to reinstall the
operating system or personalise it. Until your operating system is personalised
you will only be able to load macOS DMG recovery. If you do not have DMG recovery
you could always download it with }\texttt{\DIFadd{macrecovery}} \DIFadd{utility and put to
}\texttt{\DIFadd{com.apple.recovery.boot}} \DIFadd{as explained in
}\hyperref[reinstallmacos]{Tips and Tricks} \DIFadd{section. Keep in mind that
}\hyperref[securedmgloading]{DMG loading} \DIFadd{needs to be set to }\texttt{\DIFadd{Signed}}
\DIFadd{to use any DMG with Apple Secure Boot.
}
\emph{\DIFadd{Note 2}}\DIFadd{: Currently the use of this option is unrealiable (apparently to a bug
in macOS installer), and thus its use is not recommended.
\DIFadd{To personalise an existing operating system use }\texttt{\DIFadd{bless}} \DIFadd{command
after loading to macOS DMG recovery. Mount the system volume partition,
unless it has already been mounted, and execute the following command:
}
\DIFmodbegin
\begin{lstlisting}[label=blesspersona, style=ocbash,alsolanguage=DIFcode]
%DIF > bless bless --folder "/Volumes/Macintosh HD/System/Library/CoreServices" \
%DIF > --bootefi --personalize
\end{lstlisting}
\DIFmodend
\DIFadd{When reinstalling the operating system, keep in mind that current versions
of macOS Installer, tested as of 10.15.6, will usually run out of free memory
on the }\texttt{\DIFadd{/var/tmp}} \DIFadd{partition when trying to install macOS
with the personalised Apple Secure Boot. Soon after downloading the macOS installer
image an }\texttt{\DIFadd{Unable to verify macOS}} \DIFadd{error message will appear. To workaround
this issue allocate a dedicated RAM disk of 2 MBs for macOS personalisation
by entering the following commands in macOS recovery terminal before starting the
installation:
}
\DIFmodbegin
\begin{lstlisting}[label=secureboot, style=ocbash,alsolanguage=DIFcode]
%DIF > disk=$(hdiutil attach -nomount ram://4096)
%DIF > diskutil erasevolume HFS+ SecureBoot $disk
%DIF > diskutil unmount $disk
%DIF > mkdir /var/tmp/OSPersonalizationTemp
%DIF > diskutil mount -mountpoint /var/tmp/OSPersonalizationTemp $disk
\end{lstlisting}
\DIFmodend
\item
\DIFaddend \texttt{AuthRestart}\\
\textbf{Type}: \texttt{plist\ boolean}\\
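Review bot: this generated latexdiff output carries the same duplicated `bless bless` from Configuration.tex (the `%DIF > bless bless --folder` line); once the source listing is fixed, regenerate Differences.tex rather than hand-editing it so the two files stay in sync.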
@ -3679,6 +3719,9 @@ rm vault.pub
}\item \DIFadd{The list of cached drivers may be different, resulting in the need
to change the list of }\texttt{\DIFadd{Added}} \DIFadd{or }\texttt{\DIFadd{Forced}} \DIFadd{kernel drivers.
For example, }\texttt{\DIFadd{IO80211Family}} \DIFadd{cannot be injected in this case.
}\item \DIFadd{System volume alterations on operating systems with sealing, like
macOS~11, may result in the operating system being unbootable. Do not
try to disable system volume encryption unless you disable Apple Secure Boot.
}\item \DIFadd{If your platform requires certain settings, but they were not enabled,
because the obvious issues did not trigger before, you may get boot failure.
Be extra careful with }\texttt{\DIFadd{IgnoreInvalidFlexRatio}} \DIFadd{or }\texttt{\DIFadd{HashServices}}\DIFadd{.
@ -6130,9 +6173,8 @@ functioning. Feature highlights:
\end{enumerate}
\section{Troubleshooting}\label{troubleshooting}
\DIFaddbegin
\subsection{\DIFadd{Legacy Apple OS}}\label{legacyapple}
\DIFaddbegin \subsection{\DIFadd{Legacy Apple OS}}\label{legacyapple}
\DIFadd{Older operating systems may be more complicated to install, but sometimes can
be necessary to use for all kinds of reasons. While a compatible board identifier
@ -6177,15 +6219,48 @@ older macOS operating systems.
\begin{itemize}
\item \DIFadd{All previous issues apply.
}\item \DIFadd{Last released installer images for macOS~10.6 are macOS~10.6.7
builds }\texttt{\DIFadd{10J3250}} \DIFadd{and }\texttt{\DIFadd{10J4139}} \DIFadd{(without Xcode).
These images are limited to certain model identifiers and have no
}\texttt{\DIFadd{-no\_compat\_check}} \DIFadd{boot argument support. Images without
such restrictions can be found }\href{https://mega.nz/folder/z5YUhYTb#gA\_IRY5KMuYpnNCg7kR3ug}{here}\DIFadd{,
builds }\texttt{\DIFadd{10J3250}} \DIFadd{(for }\texttt{\DIFadd{MacBookPro8,x}}\DIFadd{) and
}\texttt{\DIFadd{10J4139}} \DIFadd{(for }\texttt{\DIFadd{iMac12,x}}\DIFadd{), without Xcode). These
images are limited to their target model identifiers and have no
}\texttt{\DIFadd{-no\_compat\_check}} \DIFadd{boot argument support. Modified images
(with }\texttt{\DIFadd{ACDT}} \DIFadd{suffix) without model restrictions can be found
}\href{https://mega.nz/folder/z5YUhYTb#gA\_IRY5KMuYpnNCg7kR3ug}{here}\DIFadd{,
assuming that you legally own macOS~10.6. Read }\texttt{\DIFadd{DIGEST.txt}}
\DIFadd{for more details. Keep in mind, that these are the earliest tested
versions of macOS~10.6 with OpenCore.
}\end{itemize}
\DIFadd{You can also patch out model checking yourself by editing }\texttt{\DIFadd{OSInstall.mpkg}}
\DIFadd{with e.g. }\texttt{\DIFadd{Flat Package Editor}} \DIFadd{by making }\texttt{\DIFadd{Distribution}}
\DIFadd{script to always return }\texttt{\DIFadd{true}} \DIFadd{in }\texttt{\DIFadd{hwbeModelCheck}} \DIFadd{function.
Since updating the only file in the image and not corrupting other files
can be difficult and may cause slow booting due to kernel cache date
changes, it is recommended to script image rebuilding as shown below:
}
\DIFmodbegin
\begin{lstlisting}[label=snowrebuild, style=ocbash,alsolanguage=DIFcode]
%DIF > #!/bin/bash
%DIF > # Original.dmg is original image, OSInstall.mpkg is patched package
%DIF > mkdir RO
%DIF > hdiutil mount Original.dmg -noverify -noautoopen -noautoopenrw -noautofsck -mountpoint RO
%DIF > cp RO/.DS_Store DS_STORE
%DIF > hdiutil detach RO -force
%DIF > rm -rf RO
%DIF > hdiutil convert Original.dmg -format UDRW -o ReadWrite.dmg
%DIF > mkdir RW
%DIF > xattr -c OSInstall.mpkg
%DIF > hdiutil mount ReadWrite.dmg -noverify -noautoopen -noautoopenrw -noautofsck -mountpoint RW
%DIF > cp OSInstall.mpkg RW/System/Installation/Packages/OSInstall.mpkg
%DIF > killall Finder fseventsd
%DIF > rm -rf RW/.fseventsd
%DIF > cp DS_STORE RW/.DS_Store
%DIF > hdiutil detach RW -force
%DIF > rm -rf DS_STORE RW
%DIF > hdiutil convert ReadWrite.dmg -format UDZO -o ReadOnly.dmg
\end{lstlisting}
\DIFmodend
\subsection{\DIFadd{UEFI Secure Boot}}\label{uefisecureboot}
@ -6240,9 +6315,8 @@ requires several steps and careful configuration of select settings as explained
}\item \DIFadd{Password-protect changing firmware settings to ensure that UEFI Secure Boot
cannot be disabled without your knowledge.
}\end{enumerate}
\DIFaddend
\subsection{Windows support}\label{troubleshootingwin}
\DIFaddend \subsection{Windows support}\label{troubleshootingwin}
\textbf{Can I install Windows?}
@ -6463,8 +6537,8 @@ you will need \texttt{debug=0x8} boot argument.
the operating system within the OpenCore variable space. Note, that \texttt{RequestBootVarRouting}
requires a separate driver for functioning.
\item
\textbf{What is the simplest way to install macOS?}
\item \DIFaddbegin \label{reinstallmacos}
\DIFaddend \textbf{What is the simplest way to install macOS?}
Copy online recovery image (\texttt{*.dmg} and \texttt{*.chunklist} files)
to \texttt{com.apple.recovery.boot} directory on a FAT32 partition with OpenCore.


@ -48,6 +48,17 @@ InternalGetRecoveryInitiator (
return NULL;
}
//
// Also delete recovery initiator just in case.
//
gRT->SetVariable (
APPLE_RECOVERY_BOOT_INITIATOR_VARIABLE_NAME,
&gAppleVendorVariableGuid,
EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_NON_VOLATILE,
0,
NULL
);
if (!IsDevicePathValid (DevicePath, DevicePathSize)) {
DEBUG ((DEBUG_INFO, "OCB: Recovery initiator (%u) is invalid\n", (UINT32) DevicePathSize));
FreePool (DevicePath);
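Review bot: the return value of `gRT->SetVariable` is discarded, so a failed deletion leaves `APPLE_RECOVERY_BOOT_INITIATOR_VARIABLE_NAME` in place and the initiator would be honoured again on the next boot, which defeats the "just in case" intent of this hunk. Capture the status in a local `EFI_STATUS` and log it, for example `Status = gRT->SetVariable (...);` followed by `DEBUG ((DEBUG_INFO, "OCB: Deleting recovery initiator - %r\n", Status));`, treating `EFI_NOT_FOUND` as the expected benign case when the variable is already absent. Deleting before the `IsDevicePathValid` check is fine since an invalid initiator should be discarded either way, but a one-line comment saying so would help the next reader.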