OcBootManagementLib: Drop BlacklistAppleUpdate

670d4e0c · vit9696 · c33977ca · 670d4e0c · 670d4e0c · 670d4e0c
13 changed file
--- a/Changelog.md
+++ b/Changelog.md
@@ -8,6 +8,7 @@ OpenCore Changelog
 - Added Comet Lake HDA device code
 - Fixed audio stream position reporting on non-Intel platforms
 - Added `Firmware` mode to `ResetSystem` to reboot into preferences
+- Replaced `BlacklistAppleUpdate` with `run-efi-updater` NVRAM variable

 #### v0.5.9
 - Added full HiDPI support in OpenCanopy

--- a/Docs/Configuration.pdf
+++ b/Docs/Configuration.pdf
--- a/Docs/Configuration.tex
+++ b/Docs/Configuration.tex
@@ -2204,7 +2204,6 @@ for more details. Algorithm to determine boot options behaves as follows:
  % it points to the END device path.
  \item For disk device paths (not specifying a bootloader) execute ``bless'' (may return > 1 entry).
  \item For file device paths check presence on the file system directly.
-  \item Exclude options with blacklisted filenames (refer to \texttt{BlacklistAppleUpdate} option).
  % Just kill all \EFI\APPLE\ paths.
  \item On OpenCore boot partition exclude all OpenCore bootstrap files by header checks.
  \item Mark device handle as \textit{used} in the list of partition handles if any.
@@ -2217,7 +2216,6 @@ for more details. Algorithm to determine boot options behaves as follows:
  \item If partition handle is marked as \textit{unused} execute ``bless'' primary option list retrieval. \\
    In case \texttt{BlessOverride} list is set, not only standard ``bless'' paths will be found but
    also custom ones.
-  \item Exclude options with blacklisted filenames (refer to \texttt{BlacklistAppleUpdate} option).
  \item On OpenCore boot partition exclude all OpenCore bootstrap files by header checks.
  \item Register the resulting entries as primary options and determine their types if found. \\
  The option will become auxiliary for some types (e.g. Apple HFS recovery).
@@ -2823,13 +2821,6 @@ nvram 4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102:boot-log |
  NVRAM and RTC, which despite being removed as soon as OpenCore starts, may be
  considered a security risk and thus is optional.

-\item
-  \texttt{BlacklistAppleUpdate}\\
-  \textbf{Type}: \texttt{plist\ boolean}\\
-  \textbf{Failsafe}: \texttt{false}\\
-  \textbf{Description}: Ignore boot options trying to update Apple peripheral firmware
-  (e.g. \texttt{MultiUpdater.efi}).
-
 \item
  \texttt{BootProtect}\\
  \textbf{Type}: \texttt{plist\ string}\\
@@ -3535,6 +3526,12 @@ troubleshooting:
  \break
  NVIDIA Web Driver control variable. Takes ASCII digit \texttt{1} or \texttt{0}
  to enable or disable installed driver.
+\item
+  \texttt{7C436110-AB2A-4BBB-A880-FE41995C9F82:run-efi-updater}
+  \break
+  Override EFI firmware updating support in macOS (MultiUpdater, ThorUtil, and so on).
+  Setting this to \texttt{No} or alternative boolean-castable value will prevent
+  any firmware updates in macOS starting with 10.10 at least.
 \item
  \texttt{7C436110-AB2A-4BBB-A880-FE41995C9F82:StartupMute}
  \break

--- a/Docs/Differences/Differences.pdf
+++ b/Docs/Differences/Differences.pdf
--- a/Docs/Differences/Differences.tex
+++ b/Docs/Differences/Differences.tex
 \documentclass[]{article}
 %DIF LATEXDIFF DIFFERENCE FILE
 %DIF DEL PreviousConfiguration.tex   Tue Jun  2 03:55:18 2020
-%DIF ADD ../Configuration.tex        Tue Jun 16 20:51:51 2020
+%DIF ADD ../Configuration.tex        Tue Jun 16 21:05:41 2020

 \usepackage{lmodern}
 \usepackage{amssymb,amsmath}
@@ -2265,8 +2265,11 @@ for more details. Algorithm to determine boot options behaves as follows:
  % it points to the END device path.
  \item For disk device paths (not specifying a bootloader) execute ``bless'' (may return > 1 entry).
  \item For file device paths check presence on the file system directly.
-  \item Exclude options with blacklisted filenames (refer to \texttt{BlacklistAppleUpdate} option).
-  % Just kill all \EFI\APPLE\ paths.
+  \DIFdelbegin %DIFDELCMD < \item %%%
+\item%DIFAUXCMD
+\DIFdel{Exclude options with blacklisted filenames (refer to }\texttt{\DIFdel{BlacklistAppleUpdate}} %DIFAUXCMD
+\DIFdel{option).
+  }\DIFdelend % Just kill all \EFI\APPLE\ paths.
  \item On OpenCore boot partition exclude all OpenCore bootstrap files by header checks.
  \item Mark device handle as \textit{used} in the list of partition handles if any.
  % Each partition handle will basically have a list of boot option entries for later quick lookup.
@@ -2278,8 +2281,11 @@ for more details. Algorithm to determine boot options behaves as follows:
  \item If partition handle is marked as \textit{unused} execute ``bless'' primary option list retrieval. \\
    In case \texttt{BlessOverride} list is set, not only standard ``bless'' paths will be found but
    also custom ones.
-  \item Exclude options with blacklisted filenames (refer to \texttt{BlacklistAppleUpdate} option).
-  \item On OpenCore boot partition exclude all OpenCore bootstrap files by header checks.
+  \item \DIFdelbegin \DIFdel{Exclude options with blacklisted filenames (refer to }\texttt{\DIFdel{BlacklistAppleUpdate}} %DIFAUXCMD
+\DIFdel{option).
+  }%DIFDELCMD < \item %%%
+\item%DIFAUXCMD
+\DIFdelend On OpenCore boot partition exclude all OpenCore bootstrap files by header checks.
  \item Register the resulting entries as primary options and determine their types if found. \\
  The option will become auxiliary for some types (e.g. Apple HFS recovery).
  % Looking up primary and alternate handles could be done per handle to make sure the list is ordered.
@@ -2886,14 +2892,27 @@ nvram 4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102:boot-log |
  considered a security risk and thus is optional.

 \item
-  \texttt{BlacklistAppleUpdate}\\
-  \textbf{Type}: \texttt{plist\ boolean}\\
-  \textbf{Failsafe}: \texttt{false}\\
-  \textbf{Description}: Ignore boot options trying to update Apple peripheral firmware
-  (e.g. \texttt{MultiUpdater.efi}).
-
-\item
-  \texttt{BootProtect}\\
+  \DIFdelbegin \texttt{\DIFdel{BlacklistAppleUpdate}}%DIFAUXCMD
+%DIFDELCMD < \\
+%DIFDELCMD <   %%%
+\textbf{\DIFdel{Type}}%DIFAUXCMD
+\DIFdel{: }\texttt{\DIFdel{plist\ boolean}}%DIFAUXCMD
+%DIFDELCMD < \\
+%DIFDELCMD <   %%%
+\textbf{\DIFdel{Failsafe}}%DIFAUXCMD
+\DIFdel{: }\texttt{\DIFdel{false}}%DIFAUXCMD
+%DIFDELCMD < \\
+%DIFDELCMD <   %%%
+\textbf{\DIFdel{Description}}%DIFAUXCMD
+\DIFdel{: Ignore boot options trying to update Apple peripheral firmware
+  (e.g. }\texttt{\DIFdel{MultiUpdater.efi}}%DIFAUXCMD
+\DIFdel{).
+}%DIFDELCMD < 
+
+%DIFDELCMD < \item
+\item%DIFAUXCMD
+%DIFDELCMD <   %%%
+\DIFdelend \texttt{BootProtect}\\
  \textbf{Type}: \texttt{plist\ string}\\
  \textbf{Failsafe}: \texttt{None}\\
  \textbf{Description}: Attempt to provide bootloader persistence.
@@ -3598,7 +3617,13 @@ troubleshooting:
  NVIDIA Web Driver control variable. Takes ASCII digit \texttt{1} or \texttt{0}
  to enable or disable installed driver.
 \item
-  \texttt{7C436110-AB2A-4BBB-A880-FE41995C9F82:StartupMute}
+  \DIFaddbegin \texttt{\DIFadd{7C436110-AB2A-4BBB-A880-FE41995C9F82:run-efi-updater}}
+  \break
+  \DIFadd{Override EFI firmware updating support in macOS (MultiUpdater, ThorUtil, and so on).
+  Setting this to }\texttt{\DIFadd{No}} \DIFadd{or alternative boolean-castable value will prevent
+  any firmware updates in macOS starting with 10.10 at least.
+}\item
+  \DIFaddend \texttt{7C436110-AB2A-4BBB-A880-FE41995C9F82:StartupMute}
  \break
  Mute startup chime sound in firmware audio support. 8-bit integer.
  The value of \texttt{0x00} means unmuted. Missing variable or any

--- a/Docs/Errata/Errata.pdf
+++ b/Docs/Errata/Errata.pdf
--- a/Docs/Sample.plist
+++ b/Docs/Sample.plist
@@ -676,8 +676,6 @@
 			<false/>
 			<key>AuthRestart</key>
 			<false/>
-			<key>BlacklistAppleUpdate</key>
-			<false/>
 			<key>BootProtect</key>
 			<string>Bootstrap</string>
 			<key>ExposeSensitiveData</key>

--- a/Docs/SampleFull.plist
+++ b/Docs/SampleFull.plist
@@ -676,8 +676,6 @@
 			<false/>
 			<key>AuthRestart</key>
 			<false/>
-			<key>BlacklistAppleUpdate</key>
-			<false/>
 			<key>BootProtect</key>
 			<string>Bootstrap</string>
 			<key>ExposeSensitiveData</key>

--- a/Include/Acidanthera/Library/OcBootManagementLib.h
+++ b/Include/Acidanthera/Library/OcBootManagementLib.h
@@ -565,10 +565,6 @@ struct OC_PICKER_CONTEXT_ {
  //
  BOOLEAN                    CustomBootGuid;
  //
-  // Ignore Apple peripheral firmware updates.
-  //
-  BOOLEAN                    BlacklistAppleUpdate;
-  //
  // Custom entry reading routine, optional for no custom entries.
  //
  OC_CUSTOM_READ             CustomRead;

--- a/Include/Acidanthera/Library/OcConfigurationLib.h
+++ b/Include/Acidanthera/Library/OcConfigurationLib.h
@@ -311,7 +311,6 @@ typedef enum {
  _(UINT32                      , ScanPolicy                  ,      , OC_SCAN_DEFAULT_POLICY  , ()) \
  _(BOOLEAN                     , AllowNvramReset             ,      , FALSE                   , ()) \
  _(BOOLEAN                     , AllowSetDefault             ,      , FALSE                   , ()) \
-  _(BOOLEAN                     , BlacklistAppleUpdate        ,      , FALSE                   , ()) \
  _(BOOLEAN                     , ExposeSensitiveData         ,      , OCS_EXPOSE_VERSION      , ()) \
  _(BOOLEAN                     , AuthRestart                 ,      , FALSE                   , ()) \
  _(BOOLEAN                     , EnablePassword              ,      , FALSE                   , ()) \

--- a/Library/OcBootManagementLib/BootEntryManagement.c
+++ b/Library/OcBootManagementLib/BootEntryManagement.c
@@ -406,15 +406,6 @@ AddBootEntryOnFileSystem (
    return EFI_UNSUPPORTED;
  }

-  //
-  // Skip firmware updates.
-  //
-  if (BootContext->PickerContext->BlacklistAppleUpdate
-    && EntryType == OC_BOOT_APPLE_FW_UPDATE) {
-    DEBUG ((DEBUG_INFO, "OCB: Discarding discovered Apple FW update\n"));
-    return EFI_UNSUPPORTED;
-  }
-
  //
  // Skip duplicated entries, which may happen in BootOrder.
  // For example, macOS during hibernation may leave Boot0082 in BootNext and Boot0080 in BootOrder,

--- a/Library/OcConfigurationLib/OcConfigurationLib.c
+++ b/Library/OcConfigurationLib/OcConfigurationLib.c
@@ -355,7 +355,6 @@ mMiscConfigurationSecuritySchema[] = {
  OC_SCHEMA_BOOLEAN_IN ("AllowNvramReset",      OC_GLOBAL_CONFIG, Misc.Security.AllowNvramReset),
  OC_SCHEMA_BOOLEAN_IN ("AllowSetDefault",      OC_GLOBAL_CONFIG, Misc.Security.AllowSetDefault),
  OC_SCHEMA_BOOLEAN_IN ("AuthRestart",          OC_GLOBAL_CONFIG, Misc.Security.AuthRestart),
-  OC_SCHEMA_BOOLEAN_IN ("BlacklistAppleUpdate", OC_GLOBAL_CONFIG, Misc.Security.BlacklistAppleUpdate),
  OC_SCHEMA_STRING_IN  ("BootProtect",          OC_GLOBAL_CONFIG, Misc.Security.BootProtect),
  OC_SCHEMA_BOOLEAN_IN ("EnablePassword",       OC_GLOBAL_CONFIG, Misc.Security.EnablePassword),
  OC_SCHEMA_INTEGER_IN ("ExposeSensitiveData",  OC_GLOBAL_CONFIG, Misc.Security.ExposeSensitiveData),

--- a/Platform/OpenCore/OpenCoreMisc.c
+++ b/Platform/OpenCore/OpenCoreMisc.c
@@ -804,7 +804,6 @@ OcMiscBoot (
  Context->TakeoffDelay          = Config->Misc.Boot.TakeoffDelay;
  Context->StartImage            = StartImage;
  Context->CustomBootGuid        = CustomBootGuid;
-  Context->BlacklistAppleUpdate  = Config->Misc.Security.BlacklistAppleUpdate;
  Context->LoaderHandle          = LoadHandle;
  Context->CustomEntryContext    = Storage;
  Context->CustomRead            = OcToolLoadEntry;