Docs: FixupAppleEfiImages additional updates
mikebeaton committed Oct 2, 2024
1 parent 4087300 commit f369831
Showing 6 changed files with 38 additions and 30 deletions.
2 changes: 1 addition & 1 deletion Docs/Configuration.md5
@@ -1 +1 @@
476c1deb24db35e352f1a9fcf36b8374
cb57ec4e948616df3786174e681fd99a
Binary file modified Docs/Configuration.pdf
30 changes: 17 additions & 13 deletions Docs/Configuration.tex
@@ -1623,21 +1623,25 @@ \subsection{Quirks Properties}\label{booterpropsquirks}
\textbf{Description}: Fix permissions and section errors in macOS \texttt{boot.efi} images.

Mac OS X \texttt{boot.efi} images contain \texttt{W\^{}X} permissions errors
(in all versions) and in very old versions additionally contain illegal overlapping sections
(affects 10.4 and 10.5 32-bit versions only). Modern secure PE loaders (including the OpenCore
loader in current releases of OpenDuet) will refuse to load these images
unless additional mitigations are applied.
in all versions, and 10.4 and 10.5 32-bit versions also contain illegal overlapping
sections. Modern, strict PE loaders will refuse to load such images unless additional
mitigations are applied. The image loader which matters here is the one provided by
the system firmware, or by OpenDuet if OpenDuet is providing
the UEFI compatibility layer. Image loaders which enforce these stricter
rules include the loader provided with current versions of OpenDuet,
the loader in OVMF if compiled from \href{https://github.com/acidanthera/audk}{audk},
and possibly the image loaders of some very recent 3rd party firmware (e.g. Microsoft).

This quirk detects these issues and pre-processes such images in memory
so that a modern loader will accept them.
so that a stricter loader will accept them.

If on a system with such a secure loader, this quirk is required to load
On a system with such a modern, stricter loader this quirk is required to load
Mac OS X 10.4 to macOS 10.12, and is required for all newer
macOS when \texttt{SecureBootModel} is set to \texttt{Disabled}.

\emph{Note 1}: The quirk is never applied during the Apple secure boot path for
newer macOS. The Apple secure boot path includes its own separate mitigations
for \texttt{boot.efi} \texttt{W\^{}X} issues.
newer macOS. The Apple secure boot path in OpenCore includes its own separate
mitigations for \texttt{boot.efi} \texttt{W\^{}X} issues.

\emph{Note 2}: When enabled, and when not processing for Apple secure boot, this quirk
is applied to:
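Review bot: the new paragraph tells the reader the quirk is required when the firmware (or OpenDuet) ships a strict loader, but never says what happens if it is enabled on firmware whose loader is permissive, and a user generally cannot tell which loader they have; the closing list also hedges with "possibly the image loaders of some very recent 3rd party firmware (e.g. Microsoft)", which names a vendor rather than a loader. Suggest adding one sentence stating whether enabling the quirk on a permissive loader has any downside (so the safe default is clear to the reader), and either naming the specific firmware or loader meant by "Microsoft" or dropping that example.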
@@ -1650,12 +1654,12 @@ \subsection{Quirks Properties}\label{booterpropsquirks}
within their filesystem.
\end{itemize}

\emph{Note 3}: Pre-processing in memory is incompatible with secure boot, as the image loaded
is not the image on disk, so you cannot sign files which are loaded in this way
\emph{Note 3}: Pre-processing in memory is incompatible with UEFI secure boot, as the image
loaded is not the image on disk, so you cannot sign files which are loaded in this way
based on their original disk image contents.
Certain firmware will offer to register the hash of new, unknown images - this would
still work. On the other hand, it is not particularly realistic to want to
start these early, insecure images with secure boot anyway.
Certain firmware will offer to register the hash of new, unknown images for future
secure boot - this would still work. On the other hand, it is not particularly realistic
to want to start these early, insecure images with secure boot anyway.

\item
\texttt{ForceBooterSignature}\\
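Review bot: Note 3 says that firmware which offers to register the hash of an unknown image "would still work", but does not say which bytes get hashed; since the preceding sentence establishes that the image loaded is not the image on disk, the reader is left to infer that the enrolled hash is that of the pre-processed in-memory image. Suggest making this explicit, e.g. "register the hash of the pre-processed image as it is actually loaded", and noting that this relies on the in-memory result being identical on every boot, which is the property that makes hash enrollment usable where signing the on-disk file is not.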
Binary file modified Docs/Differences/Differences.pdf
36 changes: 20 additions & 16 deletions Docs/Differences/Differences.tex
@@ -1,7 +1,7 @@
\documentclass[]{article}
%DIF LATEXDIFF DIFFERENCE FILE
%DIF DEL PreviousConfiguration.tex Tue Sep 3 09:18:54 2024
%DIF ADD ../Configuration.tex Sun Sep 29 21:16:14 2024
%DIF ADD ../Configuration.tex Wed Oct 2 22:40:01 2024

\usepackage{lmodern}
\usepackage{amssymb,amsmath}
@@ -1684,28 +1684,32 @@ \subsection{Quirks Properties}\label{booterpropsquirks}

\DIFdelbegin \DIFdel{Modern secure PE loaders will refuse to load }\texttt{\DIFdel{boot.efi}} %DIFAUXCMD
\DIFdel{images from
}\DIFdelend Mac OS X \DIFdelbegin \DIFdel{10.4 to macOS 10.12 due to these files containing }\DIFdelend \DIFaddbegin \texttt{\DIFadd{boot.efi}} \DIFadd{images contain }\DIFaddend \texttt{W\^{}X} \DIFaddbegin \DIFadd{permissions }\DIFaddend errors
(in all versions) and \DIFaddbegin \DIFadd{in very old versions additionally contain }\DIFaddend illegal overlapping sections
(\DIFdelbegin \DIFdel{in }\DIFdelend \DIFaddbegin \DIFadd{affects }\DIFaddend 10.4 and 10.5 32-bit versions only). \DIFaddbegin \DIFadd{Modern secure PE loaders (including the OpenCore
loader in current releases of OpenDuet) will refuse to load these images
unless additional mitigations are applied.
}\DIFaddend
}\DIFdelend Mac OS X \DIFdelbegin \DIFdel{10.4 to macOS 10.12 due to these files containing }\DIFdelend \DIFaddbegin \texttt{\DIFadd{boot.efi}} \DIFadd{images contain }\DIFaddend \texttt{W\^{}X} \DIFdelbegin \DIFdel{errors
(}\DIFdelend \DIFaddbegin \DIFadd{permissions errors
}\DIFaddend in all versions\DIFdelbegin \DIFdel{) and illegal overlapping sections (in }\DIFdelend \DIFaddbegin \DIFadd{, and }\DIFaddend 10.4 and 10.5 32-bit versions \DIFdelbegin \DIFdel{only}\DIFdelend \DIFaddbegin \DIFadd{also contain illegal overlapping
sections. Modern, strict PE loaders will refuse to load such images unless additional
mitigations are applied. The image loader which matters here is the one provided by
the system firmware, or by OpenDuet if OpenDuet is providing
the UEFI compatibility layer. Image loaders which enforce these stricter
rules include the loader provided with current versions of OpenDuet,
the loader in OVMF if compiled from }\href{https://github.com/acidanthera/audk}{\DIFadd{audk}}\DIFadd{,
and possibly the image loaders of some very recent 3rd party firmware (e.g. Microsoft}\DIFaddend ).

This quirk detects these issues and pre-processes such images in memory
\DIFdelbegin \DIFdel{,
}\DIFdelend so that a modern loader will accept them.
}\DIFdelend so that a \DIFdelbegin \DIFdel{modern }\DIFdelend \DIFaddbegin \DIFadd{stricter }\DIFaddend loader will accept them.

\DIFdelbegin \DIFdel{Pre-processing in memory is incompatible with secure boot, as the image loaded
is not the image on disk, so you cannot sign files which are loaded in this way
based on their original disk image contents.
Certain firmware will offer to register the hash of new, unknown images - this would
still work. On the other hand, it is not particularly realistic to want to start these early, insecure images with secure boot anyway}\DIFdelend \DIFaddbegin \DIFadd{If on a system with such a secure loader, this quirk is required to load
still work. On the other hand, it is not particularly realistic to want to start these early, insecure images with secure boot anyway}\DIFdelend \DIFaddbegin \DIFadd{On a system with such a modern, stricter loader this quirk is required to load
Mac OS X 10.4 to macOS 10.12, and is required for all newer
macOS when }\texttt{\DIFadd{SecureBootModel}} \DIFadd{is set to }\texttt{\DIFadd{Disabled}}\DIFaddend .

\emph{Note 1}: The quirk is never applied during the Apple secure boot path for
newer macOS. The Apple secure boot path includes its own separate mitigations
for \texttt{boot.efi} \texttt{W\^{}X} issues.
newer macOS. The Apple secure boot path \DIFaddbegin \DIFadd{in OpenCore }\DIFaddend includes its own separate
mitigations for \texttt{boot.efi} \texttt{W\^{}X} issues.

\emph{Note 2}: When enabled, and when not processing for Apple secure boot, this quirk
is applied to:
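Review bot: in the generated latexdiff markup the opening parenthesis of "(e.g. Microsoft" sits inside the \DIFadd{...} span while the closing ")" follows \DIFaddend on the same line ("(e.g. Microsoft}\DIFaddend )."), so the rendered Differences.pdf will mark the opening bracket as added and the closing one as unchanged. Harmless for a generated file, but if Differences.tex is ever touched by hand it is better to regenerate it from Configuration.tex than to patch the markup.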
@@ -1721,12 +1725,12 @@ \subsection{Quirks Properties}\label{booterpropsquirks}
\emph{Note 3}: \DIFdelbegin \DIFdel{This quirk is needed for Mac OS X 10.4 to macOS 10.12 (and
higher, if Apple secure bootis not enabled), but only when the firmware
itself includes a modern, more secure PE COFF image loader.
This applies to current builds of OpenDuet, and to OVMF if built from audk source code}\DIFdelend \DIFaddbegin \DIFadd{Pre-processing in memory is incompatible with secure boot, as the image loaded
is not the image on disk, so you cannot sign files which are loaded in this way
This applies to current builds of OpenDuet, and to OVMF if built from audk source code}\DIFdelend \DIFaddbegin \DIFadd{Pre-processing in memory is incompatible with UEFI secure boot, as the image
loaded is not the image on disk, so you cannot sign files which are loaded in this way
based on their original disk image contents.
Certain firmware will offer to register the hash of new, unknown images - this would
still work. On the other hand, it is not particularly realistic to want to
start these early, insecure images with secure boot anyway}\DIFaddend .
Certain firmware will offer to register the hash of new, unknown images for future
secure boot - this would still work. On the other hand, it is not particularly realistic
to want to start these early, insecure images with secure boot anyway}\DIFaddend .

\item
\texttt{ForceBooterSignature}\\
Binary file modified Docs/Errata/Errata.pdf
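Review bot: Docs/Errata/Errata.pdf is modified here although no Errata.tex change is part of the commit and the message only mentions FixupAppleEfiImages documentation. Confirm this is only a rebuild of the PDF from unchanged source, and consider leaving it out if the content did not change, so that binary churn stays tied to actual edits.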
