OcBootManagementLib: Drop BlacklistAppleUpdate

hawie · Jun 16, 2020 · 670d4e0 · 670d4e0
1 parent c33977c
commit 670d4e0
Show file tree

Hide file tree

Showing 13 changed files with 46 additions and 43 deletions.
diff --git a/Changelog.md b/Changelog.md
@@ -8,6 +8,7 @@ OpenCore Changelog
 - Added Comet Lake HDA device code
 - Fixed audio stream position reporting on non-Intel platforms
 - Added `Firmware` mode to `ResetSystem` to reboot into preferences
+- Replaced `BlacklistAppleUpdate` with `run-efi-updater` NVRAM variable
 
 #### v0.5.9
 - Added full HiDPI support in OpenCanopy

diff --git a/Docs/Configuration.pdf b/Docs/Configuration.pdf
diff --git a/Docs/Configuration.tex b/Docs/Configuration.tex
@@ -2204,7 +2204,6 @@ \subsection{Introduction}\label{miscintro}
   % it points to the END device path.
   \item For disk device paths (not specifying a bootloader) execute ``bless'' (may return > 1 entry).
   \item For file device paths check presence on the file system directly.
-  \item Exclude options with blacklisted filenames (refer to \texttt{BlacklistAppleUpdate} option).
   % Just kill all \EFI\APPLE\ paths.
   \item On OpenCore boot partition exclude all OpenCore bootstrap files by header checks.
   \item Mark device handle as \textit{used} in the list of partition handles if any.
@@ -2217,7 +2216,6 @@ \subsection{Introduction}\label{miscintro}
   \item If partition handle is marked as \textit{unused} execute ``bless'' primary option list retrieval. \\
     In case \texttt{BlessOverride} list is set, not only standard ``bless'' paths will be found but
     also custom ones.
-  \item Exclude options with blacklisted filenames (refer to \texttt{BlacklistAppleUpdate} option).
   \item On OpenCore boot partition exclude all OpenCore bootstrap files by header checks.
   \item Register the resulting entries as primary options and determine their types if found. \\
   The option will become auxiliary for some types (e.g. Apple HFS recovery).
@@ -2823,13 +2821,6 @@ \subsection{Security Properties}\label{miscsecurityprops}
   NVRAM and RTC, which despite being removed as soon as OpenCore starts, may be
   considered a security risk and thus is optional.
 
-\item
-  \texttt{BlacklistAppleUpdate}\\
-  \textbf{Type}: \texttt{plist\ boolean}\\
-  \textbf{Failsafe}: \texttt{false}\\
-  \textbf{Description}: Ignore boot options trying to update Apple peripheral firmware
-  (e.g. \texttt{MultiUpdater.efi}).
-
 \item
   \texttt{BootProtect}\\
   \textbf{Type}: \texttt{plist\ string}\\
@@ -3535,6 +3526,12 @@ \subsection{Other Variables}\label{nvramvarsother}
   \break
   NVIDIA Web Driver control variable. Takes ASCII digit \texttt{1} or \texttt{0}
   to enable or disable installed driver.
+\item
+  \texttt{7C436110-AB2A-4BBB-A880-FE41995C9F82:run-efi-updater}
+  \break
+  Override EFI firmware updating support in macOS (MultiUpdater, ThorUtil, and so on).
+  Setting this to \texttt{No} or alternative boolean-castable value will prevent
+  any firmware updates in macOS starting with 10.10 at least.
 \item
   \texttt{7C436110-AB2A-4BBB-A880-FE41995C9F82:StartupMute}
   \break

diff --git a/Docs/Differences/Differences.pdf b/Docs/Differences/Differences.pdf
diff --git a/Docs/Differences/Differences.tex b/Docs/Differences/Differences.tex
@@ -1,7 +1,7 @@
 \documentclass[]{article}
 %DIF LATEXDIFF DIFFERENCE FILE
 %DIF DEL PreviousConfiguration.tex   Tue Jun  2 03:55:18 2020
-%DIF ADD ../Configuration.tex        Tue Jun 16 20:51:51 2020
+%DIF ADD ../Configuration.tex        Tue Jun 16 21:05:41 2020
 
 \usepackage{lmodern}
 \usepackage{amssymb,amsmath}
@@ -2265,8 +2265,11 @@ \subsection{Introduction}\label{miscintro}
   % it points to the END device path.
   \item For disk device paths (not specifying a bootloader) execute ``bless'' (may return > 1 entry).
   \item For file device paths check presence on the file system directly.
-  \item Exclude options with blacklisted filenames (refer to \texttt{BlacklistAppleUpdate} option).
-  % Just kill all \EFI\APPLE\ paths.
+  \DIFdelbegin %DIFDELCMD < \item %%%
+\item%DIFAUXCMD
+\DIFdel{Exclude options with blacklisted filenames (refer to }\texttt{\DIFdel{BlacklistAppleUpdate}} %DIFAUXCMD
+\DIFdel{option).
+  }\DIFdelend % Just kill all \EFI\APPLE\ paths.
   \item On OpenCore boot partition exclude all OpenCore bootstrap files by header checks.
   \item Mark device handle as \textit{used} in the list of partition handles if any.
   % Each partition handle will basically have a list of boot option entries for later quick lookup.
@@ -2278,8 +2281,11 @@ \subsection{Introduction}\label{miscintro}
   \item If partition handle is marked as \textit{unused} execute ``bless'' primary option list retrieval. \\
     In case \texttt{BlessOverride} list is set, not only standard ``bless'' paths will be found but
     also custom ones.
-  \item Exclude options with blacklisted filenames (refer to \texttt{BlacklistAppleUpdate} option).
-  \item On OpenCore boot partition exclude all OpenCore bootstrap files by header checks.
+  \item \DIFdelbegin \DIFdel{Exclude options with blacklisted filenames (refer to }\texttt{\DIFdel{BlacklistAppleUpdate}} %DIFAUXCMD
+\DIFdel{option).
+  }%DIFDELCMD < \item %%%
+\item%DIFAUXCMD
+\DIFdelend On OpenCore boot partition exclude all OpenCore bootstrap files by header checks.
   \item Register the resulting entries as primary options and determine their types if found. \\
   The option will become auxiliary for some types (e.g. Apple HFS recovery).
   % Looking up primary and alternate handles could be done per handle to make sure the list is ordered.
@@ -2886,14 +2892,27 @@ \subsection{Security Properties}\label{miscsecurityprops}
   considered a security risk and thus is optional.
 
 \item
-  \texttt{BlacklistAppleUpdate}\\
-  \textbf{Type}: \texttt{plist\ boolean}\\
-  \textbf{Failsafe}: \texttt{false}\\
-  \textbf{Description}: Ignore boot options trying to update Apple peripheral firmware
-  (e.g. \texttt{MultiUpdater.efi}).
-
-\item
-  \texttt{BootProtect}\\
+  \DIFdelbegin \texttt{\DIFdel{BlacklistAppleUpdate}}%DIFAUXCMD
+%DIFDELCMD < \\
+%DIFDELCMD <   %%%
+\textbf{\DIFdel{Type}}%DIFAUXCMD
+\DIFdel{: }\texttt{\DIFdel{plist\ boolean}}%DIFAUXCMD
+%DIFDELCMD < \\
+%DIFDELCMD <   %%%
+\textbf{\DIFdel{Failsafe}}%DIFAUXCMD
+\DIFdel{: }\texttt{\DIFdel{false}}%DIFAUXCMD
+%DIFDELCMD < \\
+%DIFDELCMD <   %%%
+\textbf{\DIFdel{Description}}%DIFAUXCMD
+\DIFdel{: Ignore boot options trying to update Apple peripheral firmware
+  (e.g. }\texttt{\DIFdel{MultiUpdater.efi}}%DIFAUXCMD
+\DIFdel{).
+}%DIFDELCMD < 
+
+%DIFDELCMD < \item
+\item%DIFAUXCMD
+%DIFDELCMD <   %%%
+\DIFdelend \texttt{BootProtect}\\
   \textbf{Type}: \texttt{plist\ string}\\
   \textbf{Failsafe}: \texttt{None}\\
   \textbf{Description}: Attempt to provide bootloader persistence.
@@ -3598,7 +3617,13 @@ \subsection{Other Variables}\label{nvramvarsother}
   NVIDIA Web Driver control variable. Takes ASCII digit \texttt{1} or \texttt{0}
   to enable or disable installed driver.
 \item
-  \texttt{7C436110-AB2A-4BBB-A880-FE41995C9F82:StartupMute}
+  \DIFaddbegin \texttt{\DIFadd{7C436110-AB2A-4BBB-A880-FE41995C9F82:run-efi-updater}}
+  \break
+  \DIFadd{Override EFI firmware updating support in macOS (MultiUpdater, ThorUtil, and so on).
+  Setting this to }\texttt{\DIFadd{No}} \DIFadd{or alternative boolean-castable value will prevent
+  any firmware updates in macOS starting with 10.10 at least.
+}\item
+  \DIFaddend \texttt{7C436110-AB2A-4BBB-A880-FE41995C9F82:StartupMute}
   \break
   Mute startup chime sound in firmware audio support. 8-bit integer.
   The value of \texttt{0x00} means unmuted. Missing variable or any

diff --git a/Docs/Errata/Errata.pdf b/Docs/Errata/Errata.pdf
diff --git a/Docs/Sample.plist b/Docs/Sample.plist
@@ -676,8 +676,6 @@
 			<false/>
 			<key>AuthRestart</key>
 			<false/>
-			<key>BlacklistAppleUpdate</key>
-			<false/>
 			<key>BootProtect</key>
 			<string>Bootstrap</string>
 			<key>ExposeSensitiveData</key>

diff --git a/Docs/SampleFull.plist b/Docs/SampleFull.plist
@@ -676,8 +676,6 @@
 			<false/>
 			<key>AuthRestart</key>
 			<false/>
-			<key>BlacklistAppleUpdate</key>
-			<false/>
 			<key>BootProtect</key>
 			<string>Bootstrap</string>
 			<key>ExposeSensitiveData</key>

diff --git a/Include/Acidanthera/Library/OcBootManagementLib.h b/Include/Acidanthera/Library/OcBootManagementLib.h
@@ -565,10 +565,6 @@ struct OC_PICKER_CONTEXT_ {
   //
   BOOLEAN                    CustomBootGuid;
   //
-  // Ignore Apple peripheral firmware updates.
-  //
-  BOOLEAN                    BlacklistAppleUpdate;
-  //
   // Custom entry reading routine, optional for no custom entries.
   //
   OC_CUSTOM_READ             CustomRead;

diff --git a/Include/Acidanthera/Library/OcConfigurationLib.h b/Include/Acidanthera/Library/OcConfigurationLib.h
@@ -311,7 +311,6 @@ typedef enum {
   _(UINT32                      , ScanPolicy                  ,      , OC_SCAN_DEFAULT_POLICY  , ()) \
   _(BOOLEAN                     , AllowNvramReset             ,      , FALSE                   , ()) \
   _(BOOLEAN                     , AllowSetDefault             ,      , FALSE                   , ()) \
-  _(BOOLEAN                     , BlacklistAppleUpdate        ,      , FALSE                   , ()) \
   _(BOOLEAN                     , ExposeSensitiveData         ,      , OCS_EXPOSE_VERSION      , ()) \
   _(BOOLEAN                     , AuthRestart                 ,      , FALSE                   , ()) \
   _(BOOLEAN                     , EnablePassword              ,      , FALSE                   , ()) \

diff --git a/Library/OcBootManagementLib/BootEntryManagement.c b/Library/OcBootManagementLib/BootEntryManagement.c
@@ -406,15 +406,6 @@ AddBootEntryOnFileSystem (
     return EFI_UNSUPPORTED;
   }
 
-  //
-  // Skip firmware updates.
-  //
-  if (BootContext->PickerContext->BlacklistAppleUpdate
-    && EntryType == OC_BOOT_APPLE_FW_UPDATE) {
-    DEBUG ((DEBUG_INFO, "OCB: Discarding discovered Apple FW update\n"));
-    return EFI_UNSUPPORTED;
-  }
-
   //
   // Skip duplicated entries, which may happen in BootOrder.
   // For example, macOS during hibernation may leave Boot0082 in BootNext and Boot0080 in BootOrder,

diff --git a/Library/OcConfigurationLib/OcConfigurationLib.c b/Library/OcConfigurationLib/OcConfigurationLib.c
@@ -355,7 +355,6 @@ mMiscConfigurationSecuritySchema[] = {
   OC_SCHEMA_BOOLEAN_IN ("AllowNvramReset",      OC_GLOBAL_CONFIG, Misc.Security.AllowNvramReset),
   OC_SCHEMA_BOOLEAN_IN ("AllowSetDefault",      OC_GLOBAL_CONFIG, Misc.Security.AllowSetDefault),
   OC_SCHEMA_BOOLEAN_IN ("AuthRestart",          OC_GLOBAL_CONFIG, Misc.Security.AuthRestart),
-  OC_SCHEMA_BOOLEAN_IN ("BlacklistAppleUpdate", OC_GLOBAL_CONFIG, Misc.Security.BlacklistAppleUpdate),
   OC_SCHEMA_STRING_IN  ("BootProtect",          OC_GLOBAL_CONFIG, Misc.Security.BootProtect),
   OC_SCHEMA_BOOLEAN_IN ("EnablePassword",       OC_GLOBAL_CONFIG, Misc.Security.EnablePassword),
   OC_SCHEMA_INTEGER_IN ("ExposeSensitiveData",  OC_GLOBAL_CONFIG, Misc.Security.ExposeSensitiveData),

diff --git a/Platform/OpenCore/OpenCoreMisc.c b/Platform/OpenCore/OpenCoreMisc.c
@@ -804,7 +804,6 @@ OcMiscBoot (
   Context->TakeoffDelay          = Config->Misc.Boot.TakeoffDelay;
   Context->StartImage            = StartImage;
   Context->CustomBootGuid        = CustomBootGuid;
-  Context->BlacklistAppleUpdate  = Config->Misc.Security.BlacklistAppleUpdate;
   Context->LoaderHandle          = LoadHandle;
   Context->CustomEntryContext    = Storage;
   Context->CustomRead            = OcToolLoadEntry;