OcAppleBootCompatLib: Implement ProtectUefiServices quirk

Changelog.md

@@ -11,6 +11,7 @@ OpenCore Changelog
 - Added `FwProtect` tool to configure full NVRAM access from Shell
 - Added `boot.efi` debug protocol support for 10.15.4+
 - Added `boot.efi` performance logging for 10.15.4+
+- Added `ProtectUefiServices` quirk to fix `DevirtualiseMmio` on Z390
 
 #### v0.5.6
 - Various improvements to builtin text renderer

Docs/Configuration.tex

@@ -1328,6 +1328,21 @@ To view their current state use \texttt{pmset -g} command in Terminal.
   \emph{Note}: This quirk mainly attempts to avoid issues with NVRAM implementations
   with problematic defragmentation, such as select Insyde or \texttt{MacPro5,1}.
 
+\item
+  \texttt{ProtectUefiServices}\\
+  \textbf{Type}: \texttt{plist\ boolean}\\
+  \textbf{Failsafe}: \texttt{false}\\
+  \textbf{Description}: Protect UEFI services from being overridden by the firmware.
+
+  Some modern firmwares including both hardware and virtual machines, like VMware,
+  may update pointers to UEFI services during driver loading and related actions.
+  Consequentially this directly breaks other quirks that affect memory management,
+  like \texttt{DevirtualiseMmio}, \texttt{ProtectCsmRegion}, or \texttt{ShrinkMemoryMap},
+  and may also break other quirks depending on the effects of these.
+
+  \emph{Note}: On VMware the need for this quirk may be diagnosed by ``Your Mac OS guest
+  might run unreliably with more than one virtual core.'' message.
+
 \item
   \texttt{ProvideCustomSlide}\\
   \textbf{Type}: \texttt{plist\ boolean}\\

Docs/Differences/Differences.tex

 \documentclass[]{article}
 %DIF LATEXDIFF DIFFERENCE FILE
 %DIF DEL PreviousConfiguration.tex   Fri Mar  6 09:43:05 2020
-%DIF ADD ../Configuration.tex        Tue Mar 10 00:51:02 2020
+%DIF ADD ../Configuration.tex        Thu Mar 12 02:08:30 2020
 
 \usepackage{lmodern}
 \usepackage{amssymb,amsmath}
@@ -1391,7 +1391,25 @@ To view their current state use \texttt{pmset -g} command in Terminal.
   with problematic defragmentation, such as select Insyde or \texttt{MacPro5,1}.
 
 \item
-  \texttt{ProvideCustomSlide}\\
+  \DIFaddbegin \texttt{\DIFadd{ProtectUefiServices}}\\
+  \textbf{\DIFadd{Type}}\DIFadd{: }\texttt{\DIFadd{plist\ boolean}}\\
+  \textbf{\DIFadd{Failsafe}}\DIFadd{: }\texttt{\DIFadd{false}}\\
+  \textbf{\DIFadd{Description}}\DIFadd{: Protect UEFI services from being overridden by the firmware.
+}
+
+  \DIFadd{Some modern firmwares including both hardware and virtual machines, like VMware,
+  may update pointers to UEFI services during driver loading and related actions.
+  Consequentially this directly breaks other quirks that affect memory management,
+  like }\texttt{\DIFadd{DevirtualiseMmio}}\DIFadd{, }\texttt{\DIFadd{ProtectCsmRegion}}\DIFadd{, or }\texttt{\DIFadd{ShrinkMemoryMap}}\DIFadd{,
+  and may also break other quirks depending on the effects of these.
+}
+
+  \emph{\DIFadd{Note}}\DIFadd{: On VMware the need for this quirk may be diagnosed by ``Your Mac OS guest
+  might run unreliably with more than one virtual core.'' message.
+}
+
+\item
+  \DIFaddend \texttt{ProvideCustomSlide}\\
   \textbf{Type}: \texttt{plist\ boolean}\\
   \textbf{Failsafe}: \texttt{false}\\
   \textbf{Description}: Provide custom KASLR slide on low memory.

Docs/Sample.plist

@@ -256,6 +256,8 @@
 			<false/>
 			<key>ProtectSecureBoot</key>
 			<false/>
+			<key>ProtectUefiServices</key>
+			<false/>
 			<key>ProvideCustomSlide</key>
 			<true/>
 			<key>SetupVirtualMap</key>

Docs/SampleFull.plist

@@ -256,6 +256,8 @@
 			<false/>
 			<key>ProtectSecureBoot</key>
 			<false/>
+			<key>ProtectUefiServices</key>
+			<false/>
 			<key>ProvideCustomSlide</key>
 			<true/>
 			<key>SetupVirtualMap</key>

Include/Library/OcAppleBootCompatLib.h

@@ -87,6 +87,17 @@ typedef struct OC_ABC_SETTINGS_ {
   ///
   BOOLEAN  SignalAppleOS;
   ///
+  /// CoreImage may update and restore GetMemoryMap during loading (see InsertImageRecord)
+  /// as it needs this for segment splitting. Unfortunately it assumes nobody else
+  /// changes GetMemoryMap, and thus restores to its own CoreGetMemoryMap instead of
+  /// the previous value. Fix it here.
+  /// To make it worse VMware also replaces GetMemoryMap pointer in MacMisc, which CoreDxe
+  /// effectively trashes when we load drivers. As a result without this hack VMware Fusion
+  /// may show "Your Mac OS guest might run unreliably with more than one virtual core."
+  /// message when running OpenCore.
+  ///
+  BOOLEAN  ProtectUefiServices;
+  ///
   /// List of physical addresses to not be devirtualised by DevirtualiseMmio.
   ///
   EFI_PHYSICAL_ADDRESS *MmioWhitelist;

Include/Library/OcConfigurationLib.h

@@ -116,12 +116,13 @@
   _(BOOLEAN                     , DevirtualiseMmio          ,     , FALSE  , ()) \
   _(BOOLEAN                     , DisableSingleUser         ,     , FALSE  , ()) \
   _(BOOLEAN                     , DisableVariableWrite      ,     , FALSE  , ()) \
-  _(BOOLEAN                     , ProtectSecureBoot         ,     , FALSE  , ()) \
   _(BOOLEAN                     , DiscardHibernateMap       ,     , FALSE  , ()) \
   _(BOOLEAN                     , EnableSafeModeSlide       ,     , FALSE  , ()) \
   _(BOOLEAN                     , EnableWriteUnprotector    ,     , FALSE  , ()) \
   _(BOOLEAN                     , ForceExitBootServices     ,     , FALSE  , ()) \
   _(BOOLEAN                     , ProtectCsmRegion          ,     , FALSE  , ()) \
+  _(BOOLEAN                     , ProtectSecureBoot         ,     , FALSE  , ()) \
+  _(BOOLEAN                     , ProtectUefiServices       ,     , FALSE  , ()) \
   _(BOOLEAN                     , ProvideCustomSlide        ,     , FALSE  , ()) \
   _(BOOLEAN                     , SetupVirtualMap           ,     , FALSE  , ()) \
   _(BOOLEAN                     , ShrinkMemoryMap           ,     , FALSE  , ()) \

Library/OcAppleBootCompatLib/ServiceOverrides.c

@@ -259,145 +259,6 @@ DevirtualiseMmio (
   }
 }
 
-/**
-  UEFI Boot Services StartImage override. Called to start an efi image.
-  If this is boot.efi, then our overrides are enabled.
-**/
-STATIC
-EFI_STATUS
-EFIAPI
-OcStartImage (
-  IN  EFI_HANDLE  ImageHandle,
-  OUT UINTN       *ExitDataSize,
-  OUT CHAR16      **ExitData  OPTIONAL
-  )
-{
-  EFI_STATUS                  Status;
-  EFI_LOADED_IMAGE_PROTOCOL   *AppleLoadedImage;
-  EFI_OS_INFO_PROTOCOL        *OSInfo;
-  BOOT_COMPAT_CONTEXT         *BootCompat;
-  OC_FWRT_CONFIG              Config;
-  UINTN                       DataSize;
-
-  BootCompat        = GetBootCompatContext ();
-  AppleLoadedImage  = OcGetAppleBootLoadedImage (ImageHandle);
-
-  //
-  // Clear monitoring vars
-  //
-  BootCompat->ServiceState.MinAllocatedAddr = 0;
-
-  if (AppleLoadedImage != NULL) {
-    //
-    // Report about macOS being loaded.
-    //
-    ++BootCompat->ServiceState.AppleBootNestedCount;
-    BootCompat->ServiceState.AppleHibernateWake = OcIsAppleHibernateWake ();
-    BootCompat->ServiceState.AppleCustomSlide = OcCheckArgumentFromEnv (
-      AppleLoadedImage,
-      BootCompat->ServicePtrs.GetVariable,
-      "slide=",
-      L_STR_LEN ("slide=")
-      );
-
-    if (BootCompat->Settings.EnableSafeModeSlide) {
-      ASSERT (AppleLoadedImage->ImageSize <= MAX_UINTN);
-      AppleSlideUnlockForSafeMode (
-        (UINT8 *) AppleLoadedImage->ImageBase,
-        (UINTN)AppleLoadedImage->ImageSize
-        );
-    }
-
-    AppleMapPrepareBooterState (
-      BootCompat,
-      AppleLoadedImage,
-      BootCompat->ServicePtrs.GetMemoryMap
-      );
-  } else if (BootCompat->Settings.SignalAppleOS) {
-    Status = gBS->LocateProtocol (
-      &gEfiOSInfoProtocolGuid,
-      NULL,
-      (VOID *) &OSInfo
-      );
-
-    if (!EFI_ERROR (Status)) {
-      OSInfo->OSVendor (EFI_OS_INFO_APPLE_VENDOR_NAME);
-      OSInfo->OSName ("Mac OS X 10.15");
-    }
-  }
-
-  if (BootCompat->ServiceState.FwRuntime != NULL) {
-    BootCompat->ServiceState.FwRuntime->GetCurrent (&Config);
-
-    //
-    // Support for ReadOnly and WriteOnly variables is OpenCore & Lilu security basics.
-    // For now always enable it.
-    //
-    Config.RestrictedVariables = TRUE;
-
-    //
-    // Restrict secure boot variables and never let them slip unless once restricted.
-    //
-    Config.ProtectSecureBoot = BootCompat->Settings.ProtectSecureBoot;
-
-    //
-    // Enable Boot#### variable redirection if OpenCore requested it.
-    // Do NOT disable it once enabled for stability reasons.
-    //
-    DataSize = sizeof (Config.BootVariableRedirect);
-    BootCompat->ServicePtrs.GetVariable (
-      OC_BOOT_REDIRECT_VARIABLE_NAME,
-      &gOcVendorVariableGuid,
-      NULL,
-      &DataSize,
-      &Config.BootVariableRedirect
-      );
-
-    //
-    // Do the same thing for Boot#### variable fallback.
-    //
-    DataSize = sizeof (Config.BootVariableFallback);
-    BootCompat->ServicePtrs.GetVariable (
-      OC_BOOT_FALLBACK_VARIABLE_NAME,
-      &gOcVendorVariableGuid,
-      NULL,
-      &DataSize,
-      &Config.BootVariableFallback
-      );
-
-    //
-    // Enable Apple-specific changes if requested.
-    // Disable them when this is no longer Apple.
-    //
-    if (BootCompat->ServiceState.AppleBootNestedCount > 0) {
-      Config.WriteProtection  = BootCompat->Settings.DisableVariableWrite;
-      Config.WriteUnprotector = BootCompat->Settings.EnableWriteUnprotector;
-    } else {
-      Config.WriteProtection  = FALSE;
-      Config.WriteUnprotector = FALSE;
-    }
-
-    BootCompat->ServiceState.FwRuntime->SetMain (
-      &Config
-      );
-  }
-
-  Status = BootCompat->ServicePtrs.StartImage (
-    ImageHandle,
-    ExitDataSize,
-    ExitData
-    );
-
-  if (AppleLoadedImage != NULL) {
-    //
-    // We failed but other operating systems should be loadable.
-    //
-    --BootCompat->ServiceState.AppleBootNestedCount;
-  }
-
-  return Status;
-}
-
 /**
   UEFI Boot Services AllocatePages override.
   Returns pages from free memory block to boot.efi for kernel boot image.
@@ -537,6 +398,156 @@ OcGetMemoryMap (
   return Status;
 }
 
+/**
+  UEFI Boot Services StartImage override. Called to start an efi image.
+  If this is boot.efi, then our overrides are enabled.
+**/
+STATIC
+EFI_STATUS
+EFIAPI
+OcStartImage (
+  IN  EFI_HANDLE  ImageHandle,
+  OUT UINTN       *ExitDataSize,
+  OUT CHAR16      **ExitData  OPTIONAL
+  )
+{
+  EFI_STATUS                  Status;
+  EFI_LOADED_IMAGE_PROTOCOL   *AppleLoadedImage;
+  EFI_OS_INFO_PROTOCOL        *OSInfo;
+  BOOT_COMPAT_CONTEXT         *BootCompat;
+  OC_FWRT_CONFIG              Config;
+  UINTN                       DataSize;
+
+  BootCompat        = GetBootCompatContext ();
+  AppleLoadedImage  = OcGetAppleBootLoadedImage (ImageHandle);
+
+  //
+  // Recover firmware-replaced GetMemoryMap pointer.
+  //
+  if (BootCompat->Settings.ProtectUefiServices
+    && BootCompat->ServicePtrs.GetMemoryMap != OcGetMemoryMap) {
+    DEBUG ((DEBUG_INFO, "OCABC: Recovering trashed GetMemoryMap pointer\n"));
+    gBS->GetMemoryMap = OcGetMemoryMap;
+    gBS->Hdr.CRC32    = 0;
+    gBS->CalculateCrc32 (gBS, gBS->Hdr.HeaderSize, &gBS->Hdr.CRC32);
+  }
+
+  //
+  // Clear monitoring vars
+  //
+  BootCompat->ServiceState.MinAllocatedAddr = 0;
+
+  if (AppleLoadedImage != NULL) {
+    //
+    // Report about macOS being loaded.
+    //
+    ++BootCompat->ServiceState.AppleBootNestedCount;
+    BootCompat->ServiceState.AppleHibernateWake = OcIsAppleHibernateWake ();
+    BootCompat->ServiceState.AppleCustomSlide = OcCheckArgumentFromEnv (
+      AppleLoadedImage,
+      BootCompat->ServicePtrs.GetVariable,
+      "slide=",
+      L_STR_LEN ("slide=")
+      );
+
+    if (BootCompat->Settings.EnableSafeModeSlide) {
+      ASSERT (AppleLoadedImage->ImageSize <= MAX_UINTN);
+      AppleSlideUnlockForSafeMode (
+        (UINT8 *) AppleLoadedImage->ImageBase,
+        (UINTN)AppleLoadedImage->ImageSize
+        );
+    }
+
+    AppleMapPrepareBooterState (
+      BootCompat,
+      AppleLoadedImage,
+      BootCompat->ServicePtrs.GetMemoryMap
+      );
+  } else if (BootCompat->Settings.SignalAppleOS) {
+    Status = gBS->LocateProtocol (
+      &gEfiOSInfoProtocolGuid,
+      NULL,
+      (VOID *) &OSInfo
+      );
+
+    if (!EFI_ERROR (Status)) {
+      OSInfo->OSVendor (EFI_OS_INFO_APPLE_VENDOR_NAME);
+      OSInfo->OSName ("Mac OS X 10.15");
+    }
+  }
+
+  if (BootCompat->ServiceState.FwRuntime != NULL) {
+    BootCompat->ServiceState.FwRuntime->GetCurrent (&Config);
+
+    //
+    // Support for ReadOnly and WriteOnly variables is OpenCore & Lilu security basics.
+    // For now always enable it.
+    //
+    Config.RestrictedVariables = TRUE;
+
+    //
+    // Restrict secure boot variables and never let them slip unless once restricted.
+    //
+    Config.ProtectSecureBoot = BootCompat->Settings.ProtectSecureBoot;
+
+    //
+    // Enable Boot#### variable redirection if OpenCore requested it.
+    // Do NOT disable it once enabled for stability reasons.
+    //
+    DataSize = sizeof (Config.BootVariableRedirect);
+    BootCompat->ServicePtrs.GetVariable (
+      OC_BOOT_REDIRECT_VARIABLE_NAME,
+      &gOcVendorVariableGuid,
+      NULL,
+      &DataSize,
+      &Config.BootVariableRedirect
+      );
+
+    //
+    // Do the same thing for Boot#### variable fallback.
+    //
+    DataSize = sizeof (Config.BootVariableFallback);
+    BootCompat->ServicePtrs.GetVariable (
+      OC_BOOT_FALLBACK_VARIABLE_NAME,
+      &gOcVendorVariableGuid,
+      NULL,
+      &DataSize,
+      &Config.BootVariableFallback
+      );
+
+    //
+    // Enable Apple-specific changes if requested.
+    // Disable them when this is no longer Apple.
+    //
+    if (BootCompat->ServiceState.AppleBootNestedCount > 0) {
+      Config.WriteProtection  = BootCompat->Settings.DisableVariableWrite;
+      Config.WriteUnprotector = BootCompat->Settings.EnableWriteUnprotector;
+    } else {
+      Config.WriteProtection  = FALSE;
+      Config.WriteUnprotector = FALSE;
+    }
+
+    BootCompat->ServiceState.FwRuntime->SetMain (
+      &Config
+      );
+  }
+
+  Status = BootCompat->ServicePtrs.StartImage (
+    ImageHandle,
+    ExitDataSize,
+    ExitData
+    );
+
+  if (AppleLoadedImage != NULL) {
+    //
+    // We failed but other operating systems should be loadable.
+    //
+    --BootCompat->ServiceState.AppleBootNestedCount;
+  }
+
+  return Status;
+}
+
 /**
   UEFI Boot Services ExitBootServices override.
   Patches kernel entry point with jump to our KernelEntryPatchJumpBack().

Library/OcConfigurationLib/OcConfigurationLib.c

@@ -174,6 +174,7 @@ mBooterQuirksSchema[] = {
   OC_SCHEMA_BOOLEAN_IN ("ForceExitBootServices",  OC_GLOBAL_CONFIG, Booter.Quirks.ForceExitBootServices),
   OC_SCHEMA_BOOLEAN_IN ("ProtectCsmRegion",       OC_GLOBAL_CONFIG, Booter.Quirks.ProtectCsmRegion),
   OC_SCHEMA_BOOLEAN_IN ("ProtectSecureBoot",      OC_GLOBAL_CONFIG, Booter.Quirks.ProtectSecureBoot),
+  OC_SCHEMA_BOOLEAN_IN ("ProtectUefiServices",    OC_GLOBAL_CONFIG, Booter.Quirks.ProtectUefiServices),
   OC_SCHEMA_BOOLEAN_IN ("ProvideCustomSlide",     OC_GLOBAL_CONFIG, Booter.Quirks.ProvideCustomSlide),
   OC_SCHEMA_BOOLEAN_IN ("SetupVirtualMap",        OC_GLOBAL_CONFIG, Booter.Quirks.SetupVirtualMap),
   OC_SCHEMA_BOOLEAN_IN ("ShrinkMemoryMap",        OC_GLOBAL_CONFIG, Booter.Quirks.ShrinkMemoryMap),

Platform/OpenCore/OpenCoreUefi.c

@@ -356,6 +356,7 @@ OcLoadBooterUefiSupport (
   AbcSettings.SetupVirtualMap        = Config->Booter.Quirks.SetupVirtualMap;
   AbcSettings.ShrinkMemoryMap        = Config->Booter.Quirks.ShrinkMemoryMap;
   AbcSettings.SignalAppleOS          = Config->Booter.Quirks.SignalAppleOS;
+  AbcSettings.ProtectUefiServices    = Config->Booter.Quirks.ProtectUefiServices;
 
   if (AbcSettings.DevirtualiseMmio && Config->Booter.MmioWhitelist.Count > 0) {
     AbcSettings.MmioWhitelist = AllocatePool (