OcAfterBootCompatLib: Added `ForceBooterSignature` quirk for Mac EFI

Also fixed enabling `DisableSingleUser` when related quirks are off.

Application/OpenCore/OpenCore.c

@@ -52,6 +52,10 @@ STATIC
 OC_CPU_INFO
 mOpenCoreCpuInfo;
 
+STATIC
+UINT8
+mOpenCoreBooterHash[SHA1_DIGEST_SIZE];
+
 STATIC
 OC_RSA_PUBLIC_KEY *
 mOpenCoreVaultKey;
@@ -131,9 +135,16 @@ OcMain (
   DEBUG ((DEBUG_INFO, "OC: OcLoadNvramSupport...\n"));
   OcLoadNvramSupport (Storage, &mOpenCoreConfiguration);
   DEBUG ((DEBUG_INFO, "OC: OcMiscMiddleInit...\n"));
-  OcMiscMiddleInit (Storage, &mOpenCoreConfiguration, mStorageRoot, LoadPath, mStorageHandle);
+  OcMiscMiddleInit (
+    Storage,
+    &mOpenCoreConfiguration,
+    mStorageRoot,
+    LoadPath,
+    mStorageHandle,
+    mOpenCoreConfiguration.Booter.Quirks.ForceBooterSignature ? mOpenCoreBooterHash : NULL
+    );
   DEBUG ((DEBUG_INFO, "OC: OcLoadUefiSupport...\n"));
-  OcLoadUefiSupport (Storage, &mOpenCoreConfiguration, &mOpenCoreCpuInfo);
+  OcLoadUefiSupport (Storage, &mOpenCoreConfiguration, &mOpenCoreCpuInfo, mOpenCoreBooterHash);
   DEBUG_CODE_BEGIN ();
   DEBUG ((DEBUG_INFO, "OC: OcMiscLoadSystemReport...\n"));
   OcMiscLoadSystemReport (&mOpenCoreConfiguration, mStorageHandle);

Changelog.md

@@ -10,6 +10,8 @@ OpenCore Changelog
 - Added Memory Type decoding for SMBIOS in `Automatic` mode
 - Properly support setting custom entries as default boot options
 - Fixed creating log file when root file system is not writable
+- Fixed `DisableSingleUser` not being enabled in certain cases
+- Added `ForceBooterSignature` quirk for Mac EFI firmware
 
 #### v0.6.7
 - Fixed ocvalidate return code to be non-zero when issues are found

Docs/Configuration.tex

@@ -1525,6 +1525,19 @@ To view their current state, use the \texttt{pmset -g} command in Terminal.
   \texttt{RebuildAppleMemoryMap} if the firmware supports memory attributes table (MAT).
   Refer to the \texttt{OCABC: MAT support is 1/0} log entry to determine whether MAT is supported.
 
+\item
+  \texttt{ForceBooterSignature}\\
+  \textbf{Type}: \texttt{plist\ boolean}\\
+  \textbf{Failsafe}: \texttt{false}\\
+  \textbf{Description}: Set macOS \texttt{boot-signature} to OpenCore launcher.
+
+  Booter signature, essentially a SHA-1 hash of the loaded image, is used by Mac EFI
+  to verify the authenticity of the bootloader when waking from hibernation. This
+  option forces macOS to use OpenCore launcher SHA-1 hash as a booter signature to let
+  OpenCore shim hibernation wake on Mac EFI firmware.
+
+  \emph{Note}: OpenCore launcher path is determined from \texttt{LauncherPath} property.
+
 \item
   \texttt{ForceExitBootServices}\\
   \textbf{Type}: \texttt{plist\ boolean}\\
@@ -2997,12 +3010,15 @@ the default boot entry choice will remain changed until the next manual reconfig
 
   \begin{itemize}
   \tightlist
-    \item \texttt{None} --- Avoid hibernation (Recommended).
+    \item \texttt{None} --- Ignore hibernation state.
     \item \texttt{Auto} --- Use RTC and NVRAM detection.
     \item \texttt{RTC} --- Use RTC detection.
     \item \texttt{NVRAM} --- Use NVRAM detection.
   \end{itemize}
 
+  \emph{Note}: If the firmware can handle hibernation itself (valid for Mac EFI firmware),
+  then \texttt{None} should be specified to hand-off hibernation state as is to OpenCore.
+
 \item
   \texttt{HideAuxiliary}\\
   \textbf{Type}: \texttt{plist\ boolean}\\
@@ -3044,6 +3060,13 @@ the default boot entry choice will remain changed until the next manual reconfig
   \tightlist
     \item This variant is useful for some older types of firmware, typically from Insyde,
     that are unable to manage full device paths.
+  \end{itemize}
+  \item \texttt{System} --- create no boot option but assume specified custom option is blessed.
+    \begin{itemize}
+  \tightlist
+    \item This variant is useful when relying on \texttt{ForceBooterSignature} quirk and
+    OpenCore launcher path management happens through \texttt{bless} utilities without
+    involving OpenCore.
   \end{itemize} \medskip
   \end{itemize}
 

Docs/Differences/Differences.tex

 \documentclass[]{article}
 %DIF LATEXDIFF DIFFERENCE FILE
-%DIF DEL PreviousConfiguration.tex   Wed Mar  3 13:01:22 2021
-%DIF ADD ../Configuration.tex        Wed Mar  3 13:04:50 2021
+%DIF DEL PreviousConfiguration.tex   Wed Mar  3 01:46:28 2021
+%DIF ADD ../Configuration.tex        Sun Mar  7 00:32:05 2021
 
 \usepackage{lmodern}
 \usepackage{amssymb,amsmath}
@@ -1590,7 +1590,23 @@ To view their current state, use the \texttt{pmset -g} command in Terminal.
   Refer to the \texttt{OCABC: MAT support is 1/0} log entry to determine whether MAT is supported.
 
 \item
-  \texttt{ForceExitBootServices}\\
+  \DIFaddbegin \texttt{\DIFadd{ForceBooterSignature}}\\
+  \textbf{\DIFadd{Type}}\DIFadd{: }\texttt{\DIFadd{plist\ boolean}}\\
+  \textbf{\DIFadd{Failsafe}}\DIFadd{: }\texttt{\DIFadd{false}}\\
+  \textbf{\DIFadd{Description}}\DIFadd{: Set macOS }\texttt{\DIFadd{boot-signature}} \DIFadd{to OpenCore launcher.
+}
+
+  \DIFadd{Booter signature, essentially a SHA-1 hash of the loaded image, is used by Mac EFI
+  to verify the authenticity of the bootloader when waking from hibernation. This
+  option forces macOS to use OpenCore launcher SHA-1 hash as a booter signature to let
+  OpenCore shim hibernation wake on Mac EFI firmware.
+}
+
+  \emph{\DIFadd{Note}}\DIFadd{: OpenCore launcher path is determined from }\texttt{\DIFadd{LauncherPath}} \DIFadd{property.
+}
+
+\item
+  \DIFaddend \texttt{ForceExitBootServices}\\
   \textbf{Type}: \texttt{plist\ boolean}\\
   \textbf{Failsafe}: \texttt{false}\\
   \textbf{Description}: Retry \texttt{ExitBootServices} with new memory map on failure.
@@ -2662,7 +2678,7 @@ blocking.
   IOUSBHostFamily.kext) to remove USB port count limit of 15 ports.
 
   \emph{Note}: This option should be avoided whenever possible\DIFdelbegin \DIFdel{and may no longer
-  }%DIFDELCMD < \href{https://github.com/acidanthera/bugtracker/issues/1514}{function correctly} %%%
+  }\href{https://github.com/acidanthera/bugtracker/issues/1514}{\DIFdel{function correctly}} %DIFAUXCMD
 \DIFdel{in macOS 11.
   }\DIFdelend \DIFaddbegin \DIFadd{. }\DIFaddend USB port limit
   is imposed by the amount of used bits in locationID format and there is no
@@ -2880,7 +2896,8 @@ The algorithm to determine boot options behaves as follows:
   % Scan policy restrictions are actually checked here as we want the function to be self-contained
   % for non-scan based startup.
   \item Perform fixups (e.g. NVMe subtype correction) and expansion (e.g. for Boot Camp) of the device path.
-  \item Obtain the device handle by locating the device path of the resulting device path (ignore it on failure).
+  \item \DIFaddbegin \DIFadd{On failure, if it is an OpenCore custom entry device path, pre-construct the corresponding custom entry and succeed.
+  }\item \DIFaddend Obtain the device handle by locating the device path of the resulting device path (ignore it on failure).
   \item Locate the device handle in the list of partition handles (ignore it if missing).
   % To determine device path type we can use LocateDevicePath RemainingDevicePath argument.
   % Just check whether it points to the END device path.
@@ -2905,7 +2922,7 @@ The algorithm to determine boot options behaves as follows:
   \item Lookup alternate entries by ``bless'' recovery option list retrieval and predefined paths.
   \item Register the resulting entries as alternate auxiliary options and determine their types if found.
   \end{itemize}
-\item Custom entries and tools are added as primary options without any checks with respect to \texttt{Auxiliary}.
+\item Custom entries and tools\DIFaddbegin \DIFadd{, except such pre-constructed previously, }\DIFaddend are added as primary options without any checks with respect to \texttt{Auxiliary}.
 \item System entries, such as \texttt{Reset NVRAM}, are added as primary auxiliary options.
 \end{enumerate}
 
@@ -3063,13 +3080,17 @@ the default boot entry choice will remain changed until the next manual reconfig
 
   \begin{itemize}
   \tightlist
-    \item \texttt{None} --- Avoid hibernation (Recommended).
+    \item \texttt{None} --- \DIFdelbegin \DIFdel{Avoid hibernation (Recommended)}\DIFdelend \DIFaddbegin \DIFadd{Ignore hibernation state}\DIFaddend .
     \item \texttt{Auto} --- Use RTC and NVRAM detection.
     \item \texttt{RTC} --- Use RTC detection.
     \item \texttt{NVRAM} --- Use NVRAM detection.
   \end{itemize}
 
-\item
+  \DIFaddbegin \emph{\DIFadd{Note}}\DIFadd{: If the firmware can handle hibernation itself (valid for Mac EFI firmware),
+  then }\texttt{\DIFadd{None}} \DIFadd{should be specified to hand-off hibernation state as is to OpenCore.
+}
+
+\DIFaddend \item
   \texttt{HideAuxiliary}\\
   \textbf{Type}: \texttt{plist\ boolean}\\
   \textbf{Failsafe}: \texttt{false}\\
@@ -3110,7 +3131,14 @@ the default boot entry choice will remain changed until the next manual reconfig
   \tightlist
     \item This variant is useful for some older types of firmware, typically from Insyde,
     that are unable to manage full device paths.
-  \end{itemize} \medskip
+  \end{itemize}
+  \DIFaddbegin \item \texttt{\DIFadd{System}} \DIFadd{--- create no boot option but assume specified custom option is blessed.
+    }\begin{itemize}
+  \tightlist
+    \item \DIFadd{This variant is useful when relying on }\texttt{\DIFadd{ForceBooterSignature}} \DIFadd{quirk and
+    OpenCore launcher path management happens through }\texttt{\DIFadd{bless}} \DIFadd{utilities without
+    involving OpenCore.
+  }\end{itemize} \DIFaddend \medskip
   \end{itemize}
 
   This option allows integration with third-party operating system installation and upgrades

Docs/Sample.plist

@@ -291,6 +291,8 @@
 			<true/>
 			<key>EnableWriteUnprotector</key>
 			<true/>
+			<key>ForceBooterSignature</key>
+			<false/>
 			<key>ForceExitBootServices</key>
 			<false/>
 			<key>ProtectMemoryRegions</key>

Docs/SampleCustom.plist

@@ -291,6 +291,8 @@
 			<true/>
 			<key>EnableWriteUnprotector</key>
 			<true/>
+			<key>ForceBooterSignature</key>
+			<false/>
 			<key>ForceExitBootServices</key>
 			<false/>
 			<key>ProtectMemoryRegions</key>

Include/Acidanthera/Library/OcAfterBootCompatLib.h

@@ -15,6 +15,7 @@
 #ifndef OC_AFTER_BOOT_COMPAT_LIB_H
 #define OC_AFTER_BOOT_COMPAT_LIB_H
 
+#include <Library/OcCryptoLib.h>
 #include <Library/OcCpuLib.h>
 
 /**
@@ -153,6 +154,17 @@ typedef struct OC_ABC_SETTINGS_ {
   ///
   BOOLEAN  SignalAppleOS;
   ///
+  /// Provide OpenCore boot-signature when loading macOS.
+  /// This resolves the ability to wake from hibernate on Mac EFI, which
+  /// checks that the hibernation signature matches the SHA-1 hash of the
+  /// EFI image it launches prior to exposing the image key.
+  ///
+  BOOLEAN  ForceBooterSignature;
+  ///
+  /// Booter signature for ForceBooterSignature.
+  ///
+  UINT8    BooterSignature[SHA1_DIGEST_SIZE];
+  ///
   /// CoreImage may update and restore GetMemoryMap during loading (see InsertImageRecord)
   /// as it needs this for segment splitting. Unfortunately it assumes nobody else
   /// changes GetMemoryMap, and thus restores to its own CoreGetMemoryMap instead of

Include/Acidanthera/Library/OcConfigurationLib.h

@@ -139,6 +139,7 @@
   _(BOOLEAN                     , DiscardHibernateMap       ,     , FALSE  , ()) \
   _(BOOLEAN                     , EnableSafeModeSlide       ,     , FALSE  , ()) \
   _(BOOLEAN                     , EnableWriteUnprotector    ,     , FALSE  , ()) \
+  _(BOOLEAN                     , ForceBooterSignature      ,     , FALSE  , ()) \
   _(BOOLEAN                     , ForceExitBootServices     ,     , FALSE  , ()) \
   _(BOOLEAN                     , ProtectMemoryRegions      ,     , FALSE  , ()) \
   _(BOOLEAN                     , ProtectSecureBoot         ,     , FALSE  , ()) \

Include/Acidanthera/Library/OcMainLib.h

@@ -195,12 +195,14 @@ OcLoadPlatformSupport (
   @param[in]  Storage   OpenCore storage.
   @param[in]  Config    OpenCore configuration.
   @param[in]  CpuInfo   CPU information.
+  @param[out] Signature OpenCore SHA-1 booter signature, all zero when unavailable.
 **/
 VOID
 OcLoadUefiSupport (
   IN OC_STORAGE_CONTEXT  *Storage,
   IN OC_GLOBAL_CONFIG    *Config,
-  IN OC_CPU_INFO         *CpuInfo
+  IN OC_CPU_INFO         *CpuInfo,
+  IN UINT8               *Signature
   );
 
 /**
@@ -278,9 +280,10 @@ OcMiscEarlyInit (
 
   @param[in]  Storage        OpenCore storage.
   @param[in]  Config         OpenCore configuration.
-  @param[in]  RootPath   Root load path.
-  @param[in]  LoadPath   OpenCore loading path.
-  @param[in]  LoadHandle OpenCore loading handle.
+  @param[in]  RootPath       Root load path (e.g. path to OC directory).
+  @param[in]  LoadPath       OpenCore loading device path (absolute).
+  @param[in]  StorageHandle  OpenCore storage loading handle (e.g. FS handle).
+  @param[out] Signature      OpenCore SHA-1 booter signature, optional.
 
   @retval EFI_SUCCESS on success, informational.
 **/
@@ -290,7 +293,8 @@ OcMiscMiddleInit (
   IN  OC_GLOBAL_CONFIG          *Config,
   IN  CONST CHAR16              *RootPath,
   IN  EFI_DEVICE_PATH_PROTOCOL  *LoadPath,
-  IN  EFI_HANDLE                LoadHandle
+  IN  EFI_HANDLE                StorageHandle,
+  OUT UINT8                     *Signature  OPTIONAL
   );
 
 /**

Library/OcAfterBootCompatLib/KernelSupport.c

@@ -352,18 +352,30 @@ AppleMapPrepareForBooting (
     // First, there is a BootArgs entry for XNU.
     //
     OcRemoveArgumentFromCmd (BA.CommandLine, "-s");
+  }
 
-    //
-    // Second, there is a DT entry.
-    //
+  if (BootCompat->Settings.DisableSingleUser
+    || BootCompat->Settings.ForceBooterSignature) {
     DTInit ((VOID *)(UINTN) *BA.DeviceTreeP, BA.DeviceTreeLength);
     Status = DTLookupEntry (NULL, "/chosen", &Chosen);
     if (!EFI_ERROR (Status)) {
+      if (BootCompat->Settings.DisableSingleUser) {
+        //
+        // Second, there is a DT entry.
+        //
         Status = DTGetProperty (Chosen, "boot-args", (VOID **) &ArgsStr, &ArgsSize);
         if (!EFI_ERROR (Status) && ArgsSize > 0) {
           OcRemoveArgumentFromCmd (ArgsStr, "-s");
         }
       }
+
+      if (BootCompat->Settings.ForceBooterSignature) {
+        Status = DTGetProperty (Chosen, "boot-signature", (VOID **) &ArgsStr, &ArgsSize);
+        if (!EFI_ERROR (Status) && ArgsSize == SHA1_DIGEST_SIZE) {
+          CopyMem (ArgsStr, BootCompat->Settings.BooterSignature, ArgsSize);
+        }
+      }
+    }
   }
 
   if (BootCompat->KernelState.RelocationBlock != 0) {
@@ -612,7 +624,9 @@ AppleMapPrepareKernelJump (
   //
   if (!BootCompat->Settings.AvoidRuntimeDefrag
     && !BootCompat->Settings.DiscardHibernateMap
-    && !BootCompat->Settings.AllowRelocationBlock) {
+    && !BootCompat->Settings.AllowRelocationBlock
+    && !BootCompat->Settings.DisableSingleUser
+    && !BootCompat->Settings.ForceBooterSignature) {
     return;
   }
 

Library/OcAfterBootCompatLib/OcAfterBootCompatLib.c

@@ -112,11 +112,12 @@ OcAbcInitialize (
 
   DEBUG ((
     DEBUG_INFO,
-    "OCABC: ALRBL %d RTDFRG %d DEVMMIO %d NOSU %d NOVRWR %d NOSB %d NOHBMAP %d SMSLIDE %d WRUNPROT %d\n",
+    "OCABC: ALRBL %d RTDFRG %d DEVMMIO %d NOSU %d NOVRWR %d NOSB %d FBSIG %d NOHBMAP %d SMSLIDE %d WRUNPROT %d\n",
     Settings->AllowRelocationBlock,
     Settings->AvoidRuntimeDefrag,
     Settings->DevirtualiseMmio,
     Settings->DisableSingleUser,
+    Settings->ForceBooterSignature,
     Settings->DisableVariableWrite,
     Settings->ProtectSecureBoot,
     Settings->DiscardHibernateMap,

Library/OcConfigurationLib/OcConfigurationLib.c

@@ -182,6 +182,7 @@ mBooterQuirksSchema[] = {
   OC_SCHEMA_BOOLEAN_IN ("DiscardHibernateMap",    OC_GLOBAL_CONFIG, Booter.Quirks.DiscardHibernateMap),
   OC_SCHEMA_BOOLEAN_IN ("EnableSafeModeSlide",    OC_GLOBAL_CONFIG, Booter.Quirks.EnableSafeModeSlide),
   OC_SCHEMA_BOOLEAN_IN ("EnableWriteUnprotector", OC_GLOBAL_CONFIG, Booter.Quirks.EnableWriteUnprotector),
+  OC_SCHEMA_BOOLEAN_IN ("ForceBooterSignature",   OC_GLOBAL_CONFIG, Booter.Quirks.ForceBooterSignature),
   OC_SCHEMA_BOOLEAN_IN ("ForceExitBootServices",  OC_GLOBAL_CONFIG, Booter.Quirks.ForceExitBootServices),
   OC_SCHEMA_BOOLEAN_IN ("ProtectMemoryRegions",   OC_GLOBAL_CONFIG, Booter.Quirks.ProtectMemoryRegions),
   OC_SCHEMA_BOOLEAN_IN ("ProtectSecureBoot",      OC_GLOBAL_CONFIG, Booter.Quirks.ProtectSecureBoot),

Library/OcMainLib/OpenCoreMisc.c

@@ -601,61 +601,49 @@ OcMiscEarlyInit (
 }
 
 /**
-  Registers LauncherOption according to the BootProtect mode.
+  Generates bootstrap path according to the BootProtect mode.
 
   @param[in]  RootPath      Root load path.
-  @param[in]  LoadHandle    OpenCore loading handle.
-  @param[in]  LauncherPath  Launcher path to write.
-  @param[in]  ShortForm     Whether to encode a short option.
+  @param[in]  LauncherPath  Launcher path to write, optional.
+  @param[out] MatchSuffix   Match suffix to optimise lookup.
 
   @returns  BootProtect bitmask.
 **/
+
 STATIC
-UINT32
-RegisterLauncherOption (
+CHAR16 *
+BuildLauncherPath (
   IN   CONST CHAR16  *RootPath,
-  IN EFI_HANDLE    LoadHandle,
   IN   CONST CHAR8   *LauncherPath,
-  IN BOOLEAN       ShortForm
+  OUT  CONST CHAR16  **MatchSuffix
   )
 {
   CHAR16        *BootstrapPath;
   UINTN         BootstrapSize;
-  CONST CHAR16  *MatchSuffix;
 
+  //
+  // MatchSuffix allows us to reduce option duplication when switching between
+  // OpenCore versions. Using OpenCore.efi (OPEN_CORE_APP_PATH) will overwrite
+  // any option with this path (e.g. OC\OpenCore.efi and OC2\OpenCore.efi).
+  // For custom paths no deduplication happens.
+  //
   if (AsciiStrCmp (LauncherPath, "Default") == 0) {
     BootstrapSize = StrSize (RootPath) + StrSize (OPEN_CORE_APP_PATH);
     BootstrapPath = AllocatePool (BootstrapSize);
     if (BootstrapPath == NULL) {
-      return 0;
+      return NULL;
     }
     UnicodeSPrint (BootstrapPath, BootstrapSize, L"%s\\%s", RootPath, OPEN_CORE_APP_PATH);
-    MatchSuffix = OPEN_CORE_APP_PATH;
+    *MatchSuffix = OPEN_CORE_APP_PATH;
   } else {
     BootstrapPath = AsciiStrCopyToUnicode (LauncherPath, 0);
     if (BootstrapPath == NULL) {
-      return 0;
+      return NULL;
     }
-    MatchSuffix = BootstrapPath;
+    *MatchSuffix = BootstrapPath;
   }
 
-  //
-  // MatchSuffix allows us to reduce option duplication when switching between
-  // OpenCore versions. Using OpenCore.efi (OPEN_CORE_APP_PATH) will overwrite
-  // any option with this path (e.g. OC\OpenCore.efi and OC2\OpenCore.efi).
-  // For custom paths no deduplication happens.
-  //
-  OcRegisterBootstrapBootOption (
-    L"OpenCore",
-    LoadHandle,
-    BootstrapPath,
-    ShortForm,
-    MatchSuffix,
-    StrLen (MatchSuffix)
-    );
-  FreePool (BootstrapPath);
-
-  return OC_BOOT_PROTECT_VARIABLE_BOOTSTRAP;
+  return BootstrapPath;
 }
 
 VOID
@@ -664,12 +652,22 @@ OcMiscMiddleInit (
   IN  OC_GLOBAL_CONFIG          *Config,
   IN  CONST CHAR16              *RootPath,
   IN  EFI_DEVICE_PATH_PROTOCOL  *LoadPath,
-  IN  EFI_HANDLE                LoadHandle
+  IN  EFI_HANDLE                StorageHandle,
+  OUT UINT8                     *Signature  OPTIONAL
   )
 {
+  EFI_STATUS                       Status;
+  EFI_SIMPLE_FILE_SYSTEM_PROTOCOL  *FileSystem;
   CONST CHAR8                      *LauncherOption;
   CONST CHAR8                      *LauncherPath;
+  CHAR16                           *FullLauncherPath;
+  CONST CHAR16                     *MatchSuffix;
+  VOID                             *LauncherData;
+  UINT32                           LauncherSize;
   UINT32                           BootProtectFlag;
+  BOOLEAN                          HasFullLauncher;
+  BOOLEAN                          HasShortLauncher;
+  BOOLEAN                          HasSystemLauncher;
 
   if ((Config->Misc.Security.ExposeSensitiveData & OCS_EXPOSE_BOOT_PATH) != 0) {
     OcStoreLoadPath (LoadPath);
@@ -680,22 +678,67 @@ OcMiscMiddleInit (
   LauncherPath = OC_BLOB_GET (&Config->Misc.Boot.LauncherPath);
   DEBUG ((
     DEBUG_INFO,
-    "OC: LoadHandle %p with %a LauncherOption pointing to %a\n",
-    LoadHandle,
+    "OC: StorageHandle %p with %a LauncherOption pointing to %a\n",
+    StorageHandle,
     LauncherOption,
     LauncherPath
     ));
+
   //
   // Full-form paths cause entry duplication on e.g. HP 15-ab237ne, InsydeH2O.
   //
-  if (AsciiStrCmp (LauncherOption, "Full") == 0) {
-    BootProtectFlag = RegisterLauncherOption (RootPath, LoadHandle, LauncherPath, FALSE);
-  } else if (AsciiStrCmp (LauncherOption, "Short") == 0) {
-    BootProtectFlag = RegisterLauncherOption (RootPath, LoadHandle, LauncherPath, TRUE);
-  } else {
-    BootProtectFlag = 0;
+  HasFullLauncher   = AsciiStrCmp (LauncherOption, "Full") == 0;
+  HasShortLauncher  = !HasFullLauncher && AsciiStrCmp (LauncherOption, "Short") == 0;
+  HasSystemLauncher = !HasFullLauncher && !HasShortLauncher && AsciiStrCmp (LauncherOption, "System") == 0;
+  if (!HasFullLauncher && !HasShortLauncher && !HasSystemLauncher) {
+    LauncherPath = "Default";
   }
 
+  FullLauncherPath = BuildLauncherPath (RootPath, LauncherPath, &MatchSuffix);
+  if (FullLauncherPath != NULL) {
+    if (HasFullLauncher || HasShortLauncher) {
+      OcRegisterBootstrapBootOption (
+        L"OpenCore",
+        StorageHandle,
+        FullLauncherPath,
+        HasShortLauncher,
+        MatchSuffix,
+        StrLen (MatchSuffix)
+        );
+      BootProtectFlag = OC_BOOT_PROTECT_VARIABLE_BOOTSTRAP;
+    }
+
+    //
+    // Note: This technically is a TOCTOU, but no Macs support Secure Boot with OC anyway.
+    //
+    if (Signature != NULL) {
+      Status = gBS->HandleProtocol (
+        StorageHandle,
+        &gEfiSimpleFileSystemProtocolGuid,
+        (VOID **) &FileSystem
+        );
+      if (!EFI_ERROR (Status)) {
+        LauncherData = ReadFile (FileSystem, FullLauncherPath, &LauncherSize, BASE_32MB);
+        if (LauncherData != NULL) {
+          Sha1 (Signature, LauncherData, LauncherSize);
+          DEBUG ((
+            DEBUG_INFO,
+            "OC: Launcher %s signature is %02X%02X%02X%02X\n",
+            FullLauncherPath,
+            Signature[0],
+            Signature[1],
+            Signature[2],
+            Signature[3]
+            ));
+          FreePool (LauncherData);
+        }
+      }
+    }
+
+    FreePool (FullLauncherPath);
+  }
+
+
   //
   // Inform about boot protection.
   //

Library/OcMainLib/OpenCoreUefi.c

@@ -513,7 +513,8 @@ OcInstallPermissiveSecurityPolicy (
 VOID
 OcLoadBooterUefiSupport (
   IN OC_GLOBAL_CONFIG  *Config,
-  IN OC_CPU_INFO       *CpuInfo
+  IN OC_CPU_INFO       *CpuInfo,
+  IN UINT8             *Signature
   )
 {
   OC_ABC_SETTINGS        AbcSettings;
@@ -534,6 +535,8 @@ OcLoadBooterUefiSupport (
   AbcSettings.EnableSafeModeSlide    = Config->Booter.Quirks.EnableSafeModeSlide;
   AbcSettings.EnableWriteUnprotector = Config->Booter.Quirks.EnableWriteUnprotector;
   AbcSettings.ForceExitBootServices  = Config->Booter.Quirks.ForceExitBootServices;
+  AbcSettings.ForceBooterSignature   = Config->Booter.Quirks.ForceBooterSignature;
+  CopyMem (AbcSettings.BooterSignature, Signature, sizeof (AbcSettings.BooterSignature));
   AbcSettings.ProtectMemoryRegions   = Config->Booter.Quirks.ProtectMemoryRegions;
   AbcSettings.ProvideCustomSlide     = Config->Booter.Quirks.ProvideCustomSlide;
   AbcSettings.ProvideMaxSlide        = Config->Booter.Quirks.ProvideMaxSlide;
@@ -713,7 +716,8 @@ VOID
 OcLoadUefiSupport (
   IN OC_STORAGE_CONTEXT  *Storage,
   IN OC_GLOBAL_CONFIG    *Config,
-  IN OC_CPU_INFO         *CpuInfo
+  IN OC_CPU_INFO         *CpuInfo,
+  IN UINT8               *Signature
   )
 {
   EFI_HANDLE            *DriversToConnect;
@@ -730,7 +734,7 @@ OcLoadUefiSupport (
   //
   // Setup Apple bootloader specific UEFI features.
   //
-  OcLoadBooterUefiSupport (Config, CpuInfo);
+  OcLoadBooterUefiSupport (Config, CpuInfo, Signature);
 
   if (Config->Uefi.Quirks.ActivateHpetSupport) {
     ActivateHpetSupport ();