OcAppleImg4Lib: Changed `Default` Apple Secure Boot model to `x86legacy`

dc209775 · vit9696 · 001e7b28 · dc209775 · dc209775 · dc209775
7 changed file
--- a/Changelog.md
+++ b/Changelog.md
@@ -5,6 +5,7 @@ OpenCore Changelog
 - Added `GraphicsInputMirroring` to fix lost keystrokes in some non-Apple graphical UEFI apps
 - Added support for stack canaries (security cookies / stack guards)
 - Fixed unintialised memory access in AudioDxe causing audio playback failure
+- Changed `Default` Apple Secure Boot model to `x86legacy` for better security and compatibility

 #### v0.7.1
 - Added `SyncTableIds` quirk to sync modified table OEM identifiers

--- a/Docs/Configuration.pdf
+++ b/Docs/Configuration.pdf
--- a/Docs/Configuration.tex
+++ b/Docs/Configuration.tex
@@ -4160,7 +4160,7 @@ rm vault.pub

  \begin{itemize}
  \tightlist
-  \item \texttt{Default} --- Recent available model, currently set to \texttt{j137}.
+  \item \texttt{Default} --- Recent available model, currently set to \texttt{x86legacy}.
  \item \texttt{Disabled} --- No model, Secure Boot will be disabled.
  \item \texttt{j137} --- \texttt{iMacPro1,1 (December 2017). Minimum macOS 10.13.2 (17C2111)}
  \item \texttt{j680} --- \texttt{MacBookPro15,1 (July 2018). Minimum macOS 10.13.6 (17G2112)}
@@ -4181,6 +4181,10 @@ rm vault.pub
  \item \texttt{x86legacy} --- \texttt{Macs without T2 chip and VMs. Minimum macOS 11.0.1 (20B29)}
  \end{itemize}

+  \emph{Warning}: Not all Apple Secure Boot models are supported on all hardware configurations.
+  Starting with macOS 12 \texttt{x86legacy} is the only Apple Secure Boot model compatible
+  with software update on hardware without T2 chips.
+
  Apple Secure Boot appeared in macOS 10.13 on models with T2 chips.
  Since \texttt{PlatformInfo} and \texttt{SecureBootModel} are independent,
  Apple Secure Boot can be used with any SMBIOS with and without T2.

--- a/Docs/Differences/Differences.pdf
+++ b/Docs/Differences/Differences.pdf
--- a/Docs/Differences/Differences.tex
+++ b/Docs/Differences/Differences.tex
 \documentclass[]{article}
 %DIF LATEXDIFF DIFFERENCE FILE
-%DIF DEL PreviousConfiguration.tex   Mon Jul  5 23:47:05 2021
-%DIF ADD ../Configuration.tex        Mon Jul  5 23:50:39 2021
+%DIF DEL PreviousConfiguration.tex   Tue Jul 13 10:00:32 2021
+%DIF ADD ../Configuration.tex        Sat Jul 17 23:16:11 2021

 \usepackage{lmodern}
 \usepackage{amssymb,amsmath}
@@ -3899,10 +3899,13 @@ nvram 4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102:boot-log |
  after loading to macOS DMG recovery. Mount the system volume partition,
  unless it has already been mounted, and execute the following command:

-\begin{lstlisting}[label=blesspersona, style=ocbash]
-bless bless --folder "/Volumes/Macintosh HD/System/Library/CoreServices" \
+\DIFmodbegin
+\begin{lstlisting}[label=blesspersona, style=ocbash,alsolanguage=DIFcode]
+%DIF < bless bless --folder "/Volumes/Macintosh HD/System/Library/CoreServices" \
+%DIF > bless --folder "/Volumes/Macintosh HD/System/Library/CoreServices" \
  --bootefi --personalize
 \end{lstlisting}
+\DIFmodend

  On macOS versions before macOS 11, which introduced a dedicated \texttt{x86legacy}
  model for models without the T2 chip, personalised Apple Secure Boot
@@ -4220,7 +4223,7 @@ rm vault.pub

  \begin{itemize}
  \tightlist
-  \item \texttt{Default} --- Recent available model, currently set to \texttt{j137}.
+  \item \texttt{Default} --- Recent available model, currently set to \texttt{\DIFdelbegin \DIFdel{j137}\DIFdelend \DIFaddbegin \DIFadd{x86legacy}\DIFaddend }.
  \item \texttt{Disabled} --- No model, Secure Boot will be disabled.
  \item \texttt{j137} --- \texttt{iMacPro1,1 (December 2017). Minimum macOS 10.13.2 (17C2111)}
  \item \texttt{j680} --- \texttt{MacBookPro15,1 (July 2018). Minimum macOS 10.13.6 (17G2112)}
@@ -4241,7 +4244,12 @@ rm vault.pub
  \item \texttt{x86legacy} --- \texttt{Macs without T2 chip and VMs. Minimum macOS 11.0.1 (20B29)}
  \end{itemize}

-  Apple Secure Boot appeared in macOS 10.13 on models with T2 chips.
+  \DIFaddbegin \emph{\DIFadd{Warning}}\DIFadd{: Not all }\DIFaddend Apple Secure Boot \DIFaddbegin \DIFadd{models are supported on all hardware configurations.
+  Starting with macOS 12 }\texttt{\DIFadd{x86legacy}} \DIFadd{is the only Apple Secure Boot model compatible
+  with software update on hardware without T2 chips.
+}
+
+  \DIFadd{Apple Secure Boot }\DIFaddend appeared in macOS 10.13 on models with T2 chips.
  Since \texttt{PlatformInfo} and \texttt{SecureBootModel} are independent,
  Apple Secure Boot can be used with any SMBIOS with and without T2.
  Setting \texttt{SecureBootModel} to any valid value but \texttt{Disabled}
@@ -6545,7 +6553,36 @@ functioning. Feature highlights:
  \end{itemize}

  \item
-  \texttt{PointerSpeedDiv}\\
+  \DIFaddbegin \texttt{\DIFadd{GraphicsInputMirroring}}\\
+  \textbf{\DIFadd{Type}}\DIFadd{: }\texttt{\DIFadd{plist\ boolean}}\\
+  \textbf{\DIFadd{Failsafe}}\DIFadd{: }\texttt{\DIFadd{false}}\\
+  \textbf{\DIFadd{Description}}\DIFadd{:
+  Apple’s own implementation of AppleEvent prevents keyboard input during graphics applications from appearing
+  on the basic console input stream.
+}
+
+  \DIFadd{With the default setting of }\texttt{\DIFadd{false}}\DIFadd{, OC's builtin implementation of AppleEvent replicates this behaviour.
+  }
+
+  \DIFadd{On non-Apple hardware this can stop keyboard input working in graphics-based applications such as Windows BitLocker
+  which use non-Apple key input methods.
+  }
+
+  \DIFadd{The recommended setting on all hardware is }\texttt{\DIFadd{true}}\DIFadd{.
+}
+
+  \emph{\DIFadd{Note}}\DIFadd{: AppleEvent's default behaviour is intended to prevent unwanted queued keystrokes from appearing
+  after exiting graphics-based UEFI applications; this issue is already handled separately within OpenCore.
+  }
+
+  \begin{itemize}
+  \tightlist
+  \item \texttt{\DIFadd{true}} \DIFadd{--- Allow keyboard input to reach graphics mode apps which are not using Apple input protocols.
+  }\item \texttt{\DIFadd{false}} \DIFadd{--- Prevent key input mirroring to non-Apple protocols when in graphics mode.
+  }\end{itemize}
+
+  \item
+  \DIFaddend \texttt{PointerSpeedDiv}\\
  \textbf{Type}: \texttt{plist\ integer}\\
  \textbf{Failsafe}: \texttt{1}\\
  \textbf{Description}: Configure pointer speed divisor in OpenCore implementation
@@ -7153,7 +7190,7 @@ functioning. Feature highlights:

  \emph{Note 2}: On systems without native
  support for \texttt{ForceDisplayRotationInEFI}, \texttt{DirectGopRendering=true}
-  is also required for this setting to have a visible effect.
+  is also required for this setting to have \DIFdelbegin \DIFdel{a visible }\DIFdelend \DIFaddbegin \DIFadd{an }\DIFaddend effect.

 \item
  \texttt{AppleFramebufferInfo}\\

--- a/Docs/Errata/Errata.pdf
+++ b/Docs/Errata/Errata.pdf
--- a/Library/OcAppleImg4Lib/OcAppleImg4Lib.c
+++ b/Library/OcAppleImg4Lib/OcAppleImg4Lib.c
@@ -42,7 +42,7 @@ typedef struct OC_SB_MODEL_DESC_ {

 STATIC CHAR8 mCryptoDigestMethod[16] = "sha2-384";
 STATIC DERImg4Environment mEnvInfo;
-STATIC CONST CHAR8 *mModelDefault = "j137";
+STATIC CONST CHAR8 *mModelDefault = "x86legacy";
 ///
 /// List of model mapping to board identifiers.
 /// Alphabetically sorted (!), for release order refer to the documentation.