Commit ca110047
Authored May 15, 2019 by vit9696
OpenCoreMisc: Initial ScanPolicy support and prevent leaking some NVRAM vars to OS
Parent: 6ad8321d
Showing 12 changed files with 156 additions and 6 deletions
Application/Bootstrap/Bootstrap.inf +1 -0
Changelog.md +1 -0
Docs/Configuration.pdf +0 -0
Docs/Configuration.tex +65 -1
Docs/Differences/Differences.pdf +0 -0
Docs/Differences/Differences.tex +70 -3
Docs/Sample.plist +2 -0
Docs/SampleFull.plist +2 -0
Include/OpenCore.h +2 -0
Platform/OpenCore/OpenCore.c +1 -1
Platform/OpenCore/OpenCoreMisc.c +11 -0
Platform/OpenCore/OpenCoreUefi.c +1 -1
Application/Bootstrap/Bootstrap.inf
...
...
@@ -37,6 +37,7 @@
[Packages]
OpenCorePkg/OpenCorePkg.dec
OcSupportPkg/OcSupportPkg.dec
EfiPkg/EfiPkg.dec
MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
...
...
Changelog.md
...
...
@@ -12,6 +12,7 @@ OpenCore Changelog
-
Dropped
`UpdateSMBIOSMode`
`Auto`
mode in favour of
`Create`
-
Fixed SMBIOS CPU detection for Xeon and Core models
-
Moved
`ConsoleControl`
configuration to
`Protocols`
-
Added
`Security`
->
`ScanPolicy`
preference
#### v0.0.1
-
Initial developer preview release
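Review bot: The added `Security` -> `ScanPolicy` entry covers only half of this commit; the part named in the commit title as "prevent leaking some NVRAM vars to OS" has no changelog line. Add a second entry for it, since it changes which OpenCore variables are readable at runtime.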
Docs/Configuration.pdf
This file type cannot be previewed.
Docs/Configuration.tex
...
...
@@ -1275,7 +1275,6 @@ behaviour that does not go to any other sections
\textbf
{
Description
}
: Apply security configuration described in
\hyperref
[miscsecurityprops]
{
Security Properties
}
section below.
\end{enumerate}
\subsection
{
Boot Properties
}
\label
{
miscbootprops
}
...
...
@@ -1605,6 +1604,71 @@ rm vault.pub
can be found in
\href
{
https:
//
habr.com
/
post
/
273497
/
}{
Taming UEFI SecureBoot
}
paper
(
in Russian
)
.
\item
\texttt
{
ScanPolicy
}
\\
\textbf
{
Type
}
:
\texttt
{
plist
\
integer
}
,
32
bit
\\
\textbf
{
Default value
}
:
\texttt
{
0
xF
0103
}
\\
\textbf
{
Description
}
: Define operating system detection policy.
This value allows to prevent scanning
(
and booting
)
from untrusted
source based on a bitmask
(
sum
)
of select flags. As it is not possible
to reliably detect every file system or device type, this feature
cannot be fully relied upon in open environments, and the additional
measures are to be applied.
Third party drivers may introduce additional security
(
and performance
)
measures following the provided scan policy. Scan policy is exposed
in
\texttt
{
scan
-
policy
}
variable of
\texttt
{
4
D
1
FDA
02
-
38
C
7
-
4
A
6
A
-
9
CC
6
-
4
BCCA
8
B
30102
}
GUID for UEFI Boot Services only.
\begin
{
itemize
}
\tightlist
\item
\texttt
{
0
x
00000001
}
---
\texttt
{
OC
\_
SCAN
\_
FILE
\_
SYSTEM
\_
LOCK
}
, restricts
scanning to only known file systems defined as a part of this policy. File system
drivers may not be aware of this policy, and to avoid mounting of undesired file
systems it is best not to load its driver. This bit does not affect dmg mounting,
which may have any file system. Known file systems are prefixed with
\texttt
{
OC
\_
SCAN
\_
ALLOW
\_
FS
\_
}
.
\item
\texttt
{
0
x
00000002
}
---
\texttt
{
OC
\_
SCAN
\_
DEVICE
\_
LOCK
}
, restricts scanning
to only known device types defined as a part of this policy. This is not always possible
to detect protocol tunneling, so be aware that on some systems it may be possible for
e.g. USB HDDs to be recognised as SATA. Cases like this must be reported. Known device
types are prefixed with
\texttt
{
OC
\_
SCAN
\_
ALLOW
\_
DEVICE
\_
}
.
\item
\texttt
{
0
x
00000100
}
---
\texttt
{
OC
\_
SCAN
\_
ALLOW
\_
FS
\_
APFS
}
, allows scanning
of APFS file system.
\item
\texttt
{
0
x
00010000
}
---
\texttt
{
OC
\_
SCAN
\_
ALLOW
\_
DEVICE
\_
SATA
}
, allow
scanning SATA devices.
\item
\texttt
{
0
x
00020000
}
---
\texttt
{
OC
\_
SCAN
\_
ALLOW
\_
DEVICE
\_
SASEX
}
, allow
scanning SAS and Mac NVMe devices.
\item
\texttt
{
0
x
00040000
}
---
\texttt
{
OC
\_
SCAN
\_
ALLOW
\_
DEVICE
\_
SCSI
}
, allow
scanning SCSI devices.
\item
\texttt
{
0
x
00080000
}
---
\texttt
{
OC
\_
SCAN
\_
ALLOW
\_
DEVICE
\_
NVME
}
, allow
scanning NVMe devices.
\item
\texttt
{
0
x
00100000
}
---
\texttt
{
OC
\_
SCAN
\_
ALLOW
\_
DEVICE
\_
ATAPI
}
, allow
scanning CD
/
DVD devices.
\item
\texttt
{
0
x
00200000
}
---
\texttt
{
OC
\_
SCAN
\_
ALLOW
\_
DEVICE
\_
USB
}
, allow
scanning USB devices.
\item
\texttt
{
0
x
00400000
}
---
\texttt
{
OC
\_
SCAN
\_
ALLOW
\_
DEVICE
\_
FIREWIRE
}
, allow
scanning FireWire devices.
\item
\texttt
{
0
x
00800000
}
---
\texttt
{
OC
\_
SCAN
\_
ALLOW
\_
DEVICE
\_
SDCARD
}
, allow
scanning card reader devices.
\end
{
itemize
}
\emph
{
Note
}
: Given the above description,
\texttt
{
0
xF
0103
}
value is expected to allow
scanning of SATA, SAS, SCSI, and NVMe devices with APFS file system, and prevent scanning
of any devices with HFS or FAT
32
file systems in addition to not scanning APFS file systems
on USB, CD, USB, and FireWire drives. The combination reads as:
\begin
{
itemize
}
\tightlist
\item
\texttt
{
OC
\_
SCAN
\_
FILE
\_
SYSTEM
\_
LOCK
}
\item
\texttt
{
OC
\_
SCAN
\_
DEVICE
\_
LOCK
}
\item
\texttt
{
OC
\_
SCAN
\_
ALLOW
\_
FS
\_
APFS
}
\item
\texttt
{
OC
\_
SCAN
\_
ALLOW
\_
DEVICE
\_
SATA
}
\item
\texttt
{
OC
\_
SCAN
\_
ALLOW
\_
DEVICE
\_
SASEX
}
\item
\texttt
{
OC
\_
SCAN
\_
ALLOW
\_
DEVICE
\_
SCSI
}
\item
\texttt
{
OC
\_
SCAN
\_
ALLOW
\_
DEVICE
\_
NVME
}
\end
{
itemize
}
\end
{
enumerate
}
\section
{
NVRAM
}
\label
{
nvram
}
...
...
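Review bot: In the closing Note of the ScanPolicy item, the drive list reads "on USB, CD, USB, and FireWire drives", so USB appears twice; going by the bit list above it, one of them was presumably meant to be card reader (`OC_SCAN_ALLOW_DEVICE_SDCARD`). The same Note says the default prevents scanning of HFS and FAT32, but the only `OC_SCAN_ALLOW_FS_` bit documented in this hunk is `OC_SCAN_ALLOW_FS_APFS`, so a reader cannot tell how any other file system would be allowed; either list the remaining file system bits or state that none exist yet. In the `OC_SCAN_DEVICE_LOCK` item, "This is not always possible to detect protocol tunneling" should read "It is not always possible".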
Docs/Differences/Differences.pdf
This file type cannot be previewed.
Docs/Differences/Differences.tex
\documentclass
[]
{
article
}
%DIF LATEXDIFF DIFFERENCE FILE
%DIF DEL PreviousConfiguration.tex Fri May 3 12:13:06 2019
%DIF ADD ../Configuration.tex
Tue May 14 07:48:46
2019
%DIF ADD ../Configuration.tex
Wed May 15 01:27:22
2019
\usepackage
{
lmodern
}
\usepackage
{
amssymb,amsmath
}
...
...
@@ -1359,7 +1359,6 @@ behaviour that does not go to any other sections
\textbf
{
Description
}
: Apply security configuration described in
\hyperref
[miscsecurityprops]
{
Security Properties
}
section below.
\end{enumerate}
\subsection
{
Boot Properties
}
\label
{
miscbootprops
}
...
...
@@ -1761,7 +1760,75 @@ rm vault.pub
can be found in
\href
{
https:
//
habr.com
/
post
/
273497
/
}{
Taming UEFI SecureBoot
}
paper
(
in Russian
)
.
\end
{
enumerate
}
\DIFaddbegin
\item
\texttt
{
\DIFadd
{
ScanPolicy
}}
\\
\textbf
{
\DIFadd
{
Type
}}
\DIFadd
{
:
}
\texttt
{
\DIFadd
{
plist
\
integer
}}
\DIFadd
{
,
32
bit
}
\\
\textbf
{
\DIFadd
{
Default value
}}
\DIFadd
{
:
}
\texttt
{
\DIFadd
{
0
xF
0103
}}
\\
\textbf
{
\DIFadd
{
Description
}}
\DIFadd
{
: Define operating system detection policy.
}
\DIFadd
{
This value allows to prevent scanning
(
and booting
)
from untrusted
source based on a bitmask
(
sum
)
of select flags. As it is not possible
to reliably detect every file system or device type, this feature
cannot be fully relied upon in open environments, and the additional
measures are to be applied.
}
\DIFadd
{
Third party drivers may introduce additional security
(
and performance
)
measures following the provided scan policy. Scan policy is exposed
in
}
\texttt
{
\DIFadd
{
scan
-
policy
}}
\DIFadd
{
variable of
}
\texttt
{
\DIFadd
{
4
D
1
FDA
02
-
38
C
7
-
4
A
6
A
-
9
CC
6
-
4
BCCA
8
B
30102
}}
\DIFadd
{
GUID for UEFI Boot Services only.
}
\begin
{
itemize
}
\tightlist
\item
\texttt
{
\DIFadd
{
0
x
00000001
}}
\DIFadd
{
---
}
\texttt
{
\DIFadd
{
OC
\_
SCAN
\_
FILE
\_
SYSTEM
\_
LOCK
}}
\DIFadd
{
, restricts
scanning to only known file systems defined as a part of this policy. File system
drivers may not be aware of this policy, and to avoid mounting of undesired file
systems it is best not to load its driver. This bit does not affect dmg mounting,
which may have any file system. Known file systems are prefixed with
}
\texttt
{
\DIFadd
{
OC
\_
SCAN
\_
ALLOW
\_
FS
\_
}}
\DIFadd
{
.
}
\item
\texttt
{
\DIFadd
{
0
x
00000002
}}
\DIFadd
{
---
}
\texttt
{
\DIFadd
{
OC
\_
SCAN
\_
DEVICE
\_
LOCK
}}
\DIFadd
{
, restricts scanning
to only known device types defined as a part of this policy. This is not always possible
to detect protocol tunneling, so be aware that on some systems it may be possible for
e.g. USB HDDs to be recognised as SATA. Cases like this must be reported. Known device
types are prefixed with
}
\texttt
{
\DIFadd
{
OC
\_
SCAN
\_
ALLOW
\_
DEVICE
\_
}}
\DIFadd
{
.
}
\item
\texttt
{
\DIFadd
{
0
x
00000100
}}
\DIFadd
{
---
}
\texttt
{
\DIFadd
{
OC
\_
SCAN
\_
ALLOW
\_
FS
\_
APFS
}}
\DIFadd
{
, allows scanning
of APFS file system.
}
\item
\texttt
{
\DIFadd
{
0
x
00010000
}}
\DIFadd
{
---
}
\texttt
{
\DIFadd
{
OC
\_
SCAN
\_
ALLOW
\_
DEVICE
\_
SATA
}}
\DIFadd
{
, allow
scanning SATA devices.
}
\item
\texttt
{
\DIFadd
{
0
x
00020000
}}
\DIFadd
{
---
}
\texttt
{
\DIFadd
{
OC
\_
SCAN
\_
ALLOW
\_
DEVICE
\_
SASEX
}}
\DIFadd
{
, allow
scanning SAS and Mac NVMe devices.
}
\item
\texttt
{
\DIFadd
{
0
x
00040000
}}
\DIFadd
{
---
}
\texttt
{
\DIFadd
{
OC
\_
SCAN
\_
ALLOW
\_
DEVICE
\_
SCSI
}}
\DIFadd
{
, allow
scanning SCSI devices.
}
\item
\texttt
{
\DIFadd
{
0
x
00080000
}}
\DIFadd
{
---
}
\texttt
{
\DIFadd
{
OC
\_
SCAN
\_
ALLOW
\_
DEVICE
\_
NVME
}}
\DIFadd
{
, allow
scanning NVMe devices.
}
\item
\texttt
{
\DIFadd
{
0
x
00100000
}}
\DIFadd
{
---
}
\texttt
{
\DIFadd
{
OC
\_
SCAN
\_
ALLOW
\_
DEVICE
\_
ATAPI
}}
\DIFadd
{
, allow
scanning CD
/
DVD devices.
}
\item
\texttt
{
\DIFadd
{
0
x
00200000
}}
\DIFadd
{
---
}
\texttt
{
\DIFadd
{
OC
\_
SCAN
\_
ALLOW
\_
DEVICE
\_
USB
}}
\DIFadd
{
, allow
scanning USB devices.
}
\item
\texttt
{
\DIFadd
{
0
x
00400000
}}
\DIFadd
{
---
}
\texttt
{
\DIFadd
{
OC
\_
SCAN
\_
ALLOW
\_
DEVICE
\_
FIREWIRE
}}
\DIFadd
{
, allow
scanning FireWire devices.
}
\item
\texttt
{
\DIFadd
{
0
x
00800000
}}
\DIFadd
{
---
}
\texttt
{
\DIFadd
{
OC
\_
SCAN
\_
ALLOW
\_
DEVICE
\_
SDCARD
}}
\DIFadd
{
, allow
scanning card reader devices.
}
\end
{
itemize
}
\emph
{
\DIFadd
{
Note
}}
\DIFadd
{
: Given the above description,
}
\texttt
{
\DIFadd
{
0
xF
0103
}}
\DIFadd
{
value is expected to allow
scanning of SATA, SAS, SCSI, and NVMe devices with APFS file system, and prevent scanning
of any devices with HFS or FAT
32
file systems in addition to not scanning APFS file systems
on USB, CD, USB, and FireWire drives. The combination reads as:
}
\begin
{
itemize
}
\tightlist
\item
\texttt
{
\DIFadd
{
OC
\_
SCAN
\_
FILE
\_
SYSTEM
\_
LOCK
}}
\item
\texttt
{
\DIFadd
{
OC
\_
SCAN
\_
DEVICE
\_
LOCK
}}
\item
\texttt
{
\DIFadd
{
OC
\_
SCAN
\_
ALLOW
\_
FS
\_
APFS
}}
\item
\texttt
{
\DIFadd
{
OC
\_
SCAN
\_
ALLOW
\_
DEVICE
\_
SATA
}}
\item
\texttt
{
\DIFadd
{
OC
\_
SCAN
\_
ALLOW
\_
DEVICE
\_
SASEX
}}
\item
\texttt
{
\DIFadd
{
OC
\_
SCAN
\_
ALLOW
\_
DEVICE
\_
SCSI
}}
\item
\texttt
{
\DIFadd
{
OC
\_
SCAN
\_
ALLOW
\_
DEVICE
\_
NVME
}}
\end
{
itemize
}
\DIFaddend
\end
{
enumerate
}
\section
{
NVRAM
}
\label
{
nvram
}
...
...
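Review bot: Do not hand-edit the `\DIFadd` text in the ScanPolicy hunk; the header marks this file as latexdiff output (`%DIF LATEXDIFF DIFFERENCE FILE`), so any wording correction to the ScanPolicy description belongs in Configuration.tex, with this file regenerated from it afterwards.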
Docs/Sample.plist
...
...
@@ -417,6 +417,8 @@
<true/>
<key>
RequireVault
</key>
<true/>
<key>
ScanPolicy
</key>
<integer>
983299
</integer>
</dict>
</dict>
<key>
NVRAM
</key>
...
...
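Review bot: The `ScanPolicy` value is written as decimal `983299`, while Configuration.tex gives the default only as `0xF0103`; they are the same number, but nothing on either side says so. Add the decimal form next to the hex default in the documentation so the sample value can be checked against the flag list.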
Docs/SampleFull.plist
...
...
@@ -417,6 +417,8 @@
<true/>
<key>
RequireVault
</key>
<true/>
<key>
ScanPolicy
</key>
<integer>
983299
</integer>
</dict>
</dict>
<key>
NVRAM
</key>
...
...
Include/OpenCore.h
...
...
@@ -70,6 +70,8 @@
#define OPEN_CORE_NVRAM_ATTR (EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS)
#define OPEN_CORE_INT_NVRAM_ATTR EFI_VARIABLE_BOOTSERVICE_ACCESS
/**
Obtain cryptographic key if it was installed.
...
...
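Review bot: The `OPEN_CORE_INT_NVRAM_ATTR` define has no comment explaining when to use it instead of `OPEN_CORE_NVRAM_ATTR`. The only difference between the two is the missing `EFI_VARIABLE_RUNTIME_ACCESS`, which is what keeps a variable from being readable by the OS; say that in a comment above the two defines so future call sites pick the right one.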
Platform/OpenCore/OpenCore.c
...
...
@@ -239,7 +239,7 @@ OcMain (
DEBUG
((
DEBUG_INFO
,
"OC: OpenCore is loaded, showing boot menu...
\n
"
));
Status
=
OcRunSimpleBootPicker
(
OC_SCAN_DEFAULT_POLICY
,
mOpenCoreConfiguration
.
Misc
.
Security
.
ScanPolicy
,
OC_LOAD_DEFAULT_POLICY
,
mOpenCoreConfiguration
.
Misc
.
Boot
.
Timeout
,
OcStartImage
,
...
...
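Review bot: The `OcRunSimpleBootPicker` call takes `mOpenCoreConfiguration.Misc.Security.ScanPolicy` straight from the configuration with no sanity check. Going by the documented flag semantics, a value that sets `OC_SCAN_DEVICE_LOCK` or `OC_SCAN_FILE_SYSTEM_LOCK` without any matching allow bit would leave nothing to scan; consider including the effective policy in the `DEBUG_INFO` message just above the call and warning when a lock bit is set with no allow bits.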
Platform/OpenCore/OpenCoreMisc.c
...
...
@@ -270,6 +270,17 @@ OcMiscUefiQuirksLoaded (
IN
OC_GLOBAL_CONFIG
*
Config
)
{
//
// Inform drivers about our scan policy.
//
gRT
->
SetVariable
(
OC_SCAN_POLICY_VARIABLE_NAME
,
&
gOcVendorVariableGuid
,
OPEN_CORE_INT_NVRAM_ATTR
,
sizeof
(
Config
->
Misc
.
Security
.
ScanPolicy
),
&
Config
->
Misc
.
Security
.
ScanPolicy
);
OcConsoleControlSetBehaviour
(
ParseConsoleControlBehaviour
(
OC_BLOB_GET
(
&
Config
->
Misc
.
Boot
.
ConsoleBehaviourUi
)
...
...
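Review bot: The return value of `gRT->SetVariable` for `OC_SCAN_POLICY_VARIABLE_NAME` is discarded in `OcMiscUefiQuirksLoaded`. If the call fails, drivers that are meant to follow the scan policy get no variable and nothing records why; capture the `EFI_STATUS` and log a failure.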
Platform/OpenCore/OpenCoreUefi.c
...
...
@@ -290,7 +290,7 @@ OcLoadUefiSupport (
gRT
->
SetVariable
(
OC_BOOT_REDIRECT_VARIABLE_NAME
,
&
gOcVendorVariableGuid
,
OPEN_CORE_NVRAM_ATTR
,
OPEN_CORE_
INT_
NVRAM_ATTR
,
sizeof
(
Config
->
Uefi
.
Quirks
.
RequestBootVarRouting
),
&
Config
->
Uefi
.
Quirks
.
RequestBootVarRouting
);
...
...
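Review bot: In the `OcLoadUefiSupport` call, switching `OC_BOOT_REDIRECT_VARIABLE_NAME` to `OPEN_CORE_INT_NVRAM_ATTR` drops runtime access, so confirm that nothing reads this variable after ExitBootServices. A short comment at the call site saying the variable is intentionally boot-services-only would keep a later change from restoring `OPEN_CORE_NVRAM_ATTR`.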