Changelog.md

 OpenCore Changelog
 ==================
+#### v0.9.7
+- Updated recovery_urls.txt
+- Changed OpenDuet to enforce `W^X` settings rather than fixing them in loaded images
+- Updated `FixupAppleEfiImages` quirk to fix `W^X` errors in all pre-Secure Boot Apple signed binaries
+
 #### v0.9.6
 - Updated builtin firmware versions for SMBIOS and the rest
 - Fixed hang while generating boot entries on some systems
 - Added `efidebug.tool` support for 32-bit on 32-bit using GDB or LLDB
 - Fixed potential incorrect values in kernel image capabilities calculation
+- Added `FixupAppleEfiImages` quirk to allow booting Mac OS X 10.4 and 10.5 boot.efi images on modern secure image loaders
 
 #### v0.9.5
 - Fixed GUID formatting for legacy NVRAM saving

Dockerfiles/oc-dev/Dockerfile

@@ -8,7 +8,7 @@ ARG DEBIAN_FRONTEND=noninteractive
 SHELL [ "/bin/bash", "-c" ]
 
 RUN apt-get update && \
-    apt-get install -y lsb-release wget software-properties-common gnupg build-essential nasm uuid-dev libssl-dev libx11-dev libxext-dev iasl curl git zip && \
+    apt-get install -y lsb-release wget software-properties-common gnupg build-essential nasm uuid-dev libssl-dev libx11-dev libxext-dev iasl curl git zip file && \
     { { [ "$(dpkg --print-architecture)" != "i386" ] && [ "$(dpkg --print-architecture)" != "amd64" ] ; } || apt-get install -y gcc-multilib ; } && \
     { [ "$(dpkg --print-architecture)" == "amd64" ] || { apt-get install -y gcc-x86-64-linux-gnu && export GCC_BIN=x86_64-linux-gnu- ; } ; } && echo "export GCC_BIN=$GCC_BIN" > ~/.edk2_rc.sh && echo ". ~/.edk2_rc.sh" > /etc/profile.d/edk2-gcc5.sh && \
     wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && ./llvm.sh ${OC_DEV_EDK2_LLVM_VER} && rm -f llvm.sh && \

Docs/Configuration.md5

-df3af82157ce89c1990dff6eb26cb6d0
+9c1d9e52a55d0dfa1923f22aa158db81

Docs/Configuration.tex

@@ -94,7 +94,7 @@
 
        \vspace{0.2in}
 
-       Reference Manual (0.9.6)
+       Reference Manual (0.9.7)
 
        \vspace{0.2in}
 
@@ -1610,6 +1610,40 @@ To view their current state, use the \texttt{pmset -g} command in Terminal.
   \texttt{RebuildAppleMemoryMap} if the firmware supports memory attributes table (MAT).
   Refer to the \texttt{OCABC: MAT support is 1/0} log entry to determine whether MAT is supported.
 
+\item
+  \texttt{FixupAppleEfiImages}\\
+  \textbf{Type}: \texttt{plist\ boolean}\\
+  \textbf{Failsafe}: \texttt{false}\\
+  \textbf{Description}: Fix errors in early Mac OS X boot.efi images.
+
+  Modern secure PE loaders will refuse to load \texttt{boot.efi} images from
+  macOS 10.4 to 10.12 due to these files containing \texttt{W\^{}X} errors
+  (in all versions) and illegal overlapping sections (in 10.4 and 10.5 32-bit
+  versions only).
+
+  This quirk detects these issues and pre-processes such images in memory,
+  so that a modern loader will accept them.
+
+  Pre-processing in memory is incompatible with secure boot, as the image loaded
+  is not the image on disk, so you cannot sign files which are loaded in this way
+  based on their original disk image contents.
+  Certain firmware will offer to register the hash of new, unknown images - this would
+  still work. On the other hand, it is not particularly realistic to want to
+  start these early, insecure images with secure boot anyway.
+
+  \emph{Note 1}: When enabled, this quirk is applied to all Apple-specific Fat
+  binaries (32-bit and 64-bit versions in one image), and to any other
+  Apple-signed boot images that are not being processed for Apple secure boot.
+
+  \emph{Note 2}: The quirk is never applied during the Apple secure boot path for
+  newer macOS. The Apple secure boot path includes its own separate mitigations
+  for \texttt{boot.efi} \texttt{W\^{}X} issues.
+
+  \emph{Note 3}: This quirk is needed for macOS 10.4 to 10.12 (and
+  higher, if Apple secure boot is not enabled), but only when the firmware
+  itself includes a modern, more secure PE COFF image loader. This applies to
+  current builds of OpenDuet, and to OVMF if built from audk source code.
+
 \item
   \texttt{ForceBooterSignature}\\
   \textbf{Type}: \texttt{plist\ boolean}\\

Docs/Differences/Differences.tex

 \documentclass[]{article}
 %DIF LATEXDIFF DIFFERENCE FILE
-%DIF DEL PreviousConfiguration.tex   Mon Oct  9 15:13:53 2023
-%DIF ADD ../Configuration.tex        Mon Oct  9 15:31:36 2023
+%DIF DEL PreviousConfiguration.tex   Mon Nov  6 21:35:43 2023
+%DIF ADD ../Configuration.tex        Tue Nov  7 22:04:03 2023
 
 \usepackage{lmodern}
 \usepackage{amssymb,amsmath}
@@ -154,7 +154,7 @@
 
        \vspace{0.2in}
 
-       Reference Manual (0.9\DIFdelbegin \DIFdel{.5}\DIFdelend \DIFaddbegin \DIFadd{.6}\DIFaddend )
+       Reference Manual (0.9\DIFdelbegin \DIFdel{.6}\DIFdelend \DIFaddbegin \DIFadd{.7}\DIFaddend )
 
        \vspace{0.2in}
 
@@ -1670,6 +1670,45 @@ To view their current state, use the \texttt{pmset -g} command in Terminal.
   \texttt{RebuildAppleMemoryMap} if the firmware supports memory attributes table (MAT).
   Refer to the \texttt{OCABC: MAT support is 1/0} log entry to determine whether MAT is supported.
 
+\item
+  \texttt{FixupAppleEfiImages}\\
+  \textbf{Type}: \texttt{plist\ boolean}\\
+  \textbf{Failsafe}: \texttt{false}\\
+  \textbf{Description}: Fix errors in early Mac OS X boot.efi images.
+
+  Modern secure PE loaders will refuse to load \texttt{boot.efi} images from
+  \DIFdelbegin \DIFdel{Mac OS X }\DIFdelend \DIFaddbegin \DIFadd{macOS }\DIFaddend 10.4 \DIFdelbegin \DIFdel{and 10.5 }\DIFdelend \DIFaddbegin \DIFadd{to 10.12 }\DIFaddend due to these files containing \texttt{W\^{}X} errors
+  \DIFaddbegin \DIFadd{(in all versions) }\DIFaddend and illegal overlapping sections \DIFaddbegin \DIFadd{(in 10.4 and 10.5 32-bit
+  versions only)}\DIFaddend .
+
+  This quirk detects these issues and pre-processes such images in memory,
+  so that a modern loader \DIFdelbegin \DIFdel{can }\DIFdelend \DIFaddbegin \DIFadd{will }\DIFaddend accept them.
+
+  Pre-processing in memory is incompatible with secure boot, as the image loaded
+  is not the image on disk, so you cannot sign files which are loaded in this way
+  based on their original disk image contents.
+  Certain firmware will offer to register the hash of new, unknown images - this would
+  still work. On the other hand, it is not particularly realistic to want to
+  start \DIFdelbegin \DIFdel{such }\DIFdelend \DIFaddbegin \DIFadd{these }\DIFaddend early, insecure images with secure boot anyway.
+
+  \emph{Note 1}: \DIFdelbegin \DIFdel{The quirk is only applied to }\DIFdelend \DIFaddbegin \DIFadd{When enabled, this quirk is applied to all }\DIFaddend Apple-specific \DIFdelbegin \DIFdel{`fat' (both }\DIFdelend \DIFaddbegin \DIFadd{Fat
+  binaries (}\DIFaddend 32-bit and 64-bit versions in one image)\DIFdelbegin \texttt{\DIFdel{.efi}} %DIFAUXCMD
+\DIFdel{files, and }\DIFdelend \DIFaddbegin \DIFadd{, and to any other
+  Apple-signed boot images that are not being processed for Apple secure boot.
+}
+
+  \emph{\DIFadd{Note 2}}\DIFadd{: The quirk }\DIFaddend is never applied during the Apple secure boot path for
+  newer macOS. \DIFaddbegin \DIFadd{The Apple secure boot path includes its own separate mitigations
+  for }\texttt{\DIFadd{boot.efi}} \texttt{\DIFadd{W\^{}X}} \DIFadd{issues.
+}\DIFaddend 
+
+  \emph{Note \DIFdelbegin \DIFdel{2}\DIFdelend \DIFaddbegin \DIFadd{3}\DIFaddend }: \DIFdelbegin \DIFdel{The quirk is only needed for loading Mac OS X }\DIFdelend \DIFaddbegin \DIFadd{This quirk is needed for macOS }\DIFaddend 10.4 \DIFdelbegin \DIFdel{and 10.5, and even then
+  only if }\DIFdelend \DIFaddbegin \DIFadd{to 10.12 (and
+  higher, if Apple secure boot is not enabled), but only when }\DIFaddend the firmware
+  itself includes a modern, more secure PE COFF image loader. This \DIFdelbegin \DIFdel{includes
+  }\DIFdelend \DIFaddbegin \DIFadd{applies to
+  }\DIFaddend current builds of OpenDuet\DIFaddbegin \DIFadd{, and to OVMF if built from audk source code}\DIFaddend .
+
 \item
   \texttt{ForceBooterSignature}\\
   \textbf{Type}: \texttt{plist\ boolean}\\
@@ -3072,18 +3111,17 @@ to install and troubleshoot such macOS installations.
       \texttt{x86\_64}, \texttt{i386}, \texttt{i386-user32}.
   \end{enumerate}
 
-  Unlike macOS~10.7 (where certain board identifiers are treated as \DIFdelbegin \DIFdel{the }\DIFdelend \texttt{i386}
+  Unlike macOS~10.7 (where certain board identifiers are treated as \texttt{i386}
   only machines), and macOS~10.5 or earlier (where \texttt{x86\_64} is not supported
   by the macOS kernel), macOS~10.6 is very special. The architecture choice on macOS~10.6
   depends on many factors including not only the board identifier, but also the macOS
   product type (client vs server), macOS point release, and amount of RAM. The detection
   of all these is complicated and impractical, as several point releases had implementation
   flaws resulting in a failure to properly execute the server detection in the first place.
-  For this reason \DIFaddbegin \DIFadd{when }\texttt{\DIFadd{Auto}} \DIFadd{is set}\DIFaddend , OpenCore on macOS~10.6 falls back
-  \DIFdelbegin \DIFdel{on }\DIFdelend \DIFaddbegin \DIFadd{to }\DIFaddend the \texttt{x86\_64} architecture \DIFdelbegin \DIFdel{whenever }\DIFdelend \DIFaddbegin \DIFadd{when }\DIFaddend it is supported by the board, as
-  \DIFdelbegin \DIFdel{it is }\DIFdelend on macOS~10.7. \DIFaddbegin \DIFadd{The 32-bit }\texttt{\DIFadd{KernelArch}} \DIFadd{options can still be configured
+  For this reason when \texttt{Auto} is set, OpenCore on macOS~10.6 falls back
+  to the \texttt{x86\_64} architecture when it is supported by the board, as
+  on macOS~10.7. The 32-bit \texttt{KernelArch} options can still be configured
   explicitly however.
-}\DIFaddend 
 
   A 64-bit Mac model compatibility matrix corresponding to actual
   EfiBoot behaviour on macOS 10.6.8 and 10.7.5 is outlined below.
@@ -6777,8 +6815,8 @@ functioning. Feature highlights:
 
 \subsection{OpenLegacyBoot}\label{legacyboot}
 OpenLegacyBoot is an OpenCore plugin implementing \texttt{OC\_BOOT\_ENTRY\_PROTOCOL}.
-It aims to detect and boot legacy installed operating systems \DIFaddbegin \DIFadd{on supported systems, such as
-OpenDuet and Mac models capable of legacy booting}\DIFaddend .
+It aims to detect and boot legacy installed operating systems on supported systems, such as
+OpenDuet and Mac models capable of legacy booting.
 
 Usage:
 
@@ -9362,7 +9400,7 @@ requires several steps and careful configuration of certain settings as explaine
 
   \begin{itemize}
   \item MBR (Master Boot Record) installations are legacy and are only supported
-  with the OpenLegacyBoot driver \DIFaddbegin \DIFadd{on legacy systems}\DIFaddend .
+  with the OpenLegacyBoot driver on legacy systems.
   \item All the modifications applied (to ACPI, NVRAM, SMBIOS, etc.) are supposed
   to be operating system agnostic, i.e. apply equally regardless of the OS booted.
   This enables Boot Camp software experience on Windows.

Docs/Differences/PreviousConfiguration.tex

@@ -94,7 +94,7 @@
 
        \vspace{0.2in}
 
-       Reference Manual (0.9.5)
+       Reference Manual (0.9.6)
 
        \vspace{0.2in}
 
@@ -1610,6 +1610,34 @@ To view their current state, use the \texttt{pmset -g} command in Terminal.
   \texttt{RebuildAppleMemoryMap} if the firmware supports memory attributes table (MAT).
   Refer to the \texttt{OCABC: MAT support is 1/0} log entry to determine whether MAT is supported.
 
+\item
+  \texttt{FixupAppleEfiImages}\\
+  \textbf{Type}: \texttt{plist\ boolean}\\
+  \textbf{Failsafe}: \texttt{false}\\
+  \textbf{Description}: Fix errors in early Mac OS X boot.efi images.
+
+  Modern secure PE loaders will refuse to load \texttt{boot.efi} images from
+  Mac OS X 10.4 and 10.5 due to these files containing \texttt{W\^{}X} errors
+  and illegal overlapping sections.
+
+  This quirk detects these issues and pre-processes such images in memory,
+  so that a modern loader can accept them.
+
+  Pre-processing in memory is incompatible with secure boot, as the image loaded
+  is not the image on disk, so you cannot sign files which are loaded in this way
+  based on their original disk image contents.
+  Certain firmware will offer to register the hash of new, unknown images - this would
+  still work. On the other hand, it is not particularly realistic to want to
+  start such early, insecure images with secure boot anyway.
+
+  \emph{Note 1}: The quirk is only applied to Apple-specific `fat' (both 32-bit and 64-bit
+  versions in one image) \texttt{.efi} files, and is never applied during the Apple secure
+  boot path for newer macOS.
+
+  \emph{Note 2}: The quirk is only needed for loading Mac OS X 10.4 and 10.5, and even then
+  only if the firmware itself includes a modern, more secure PE COFF image loader. This includes
+  current builds of OpenDuet.
+
 \item
   \texttt{ForceBooterSignature}\\
   \textbf{Type}: \texttt{plist\ boolean}\\
@@ -3012,15 +3040,17 @@ to install and troubleshoot such macOS installations.
       \texttt{x86\_64}, \texttt{i386}, \texttt{i386-user32}.
   \end{enumerate}
 
-  Unlike macOS~10.7 (where certain board identifiers are treated as the \texttt{i386}
+  Unlike macOS~10.7 (where certain board identifiers are treated as \texttt{i386}
   only machines), and macOS~10.5 or earlier (where \texttt{x86\_64} is not supported
   by the macOS kernel), macOS~10.6 is very special. The architecture choice on macOS~10.6
   depends on many factors including not only the board identifier, but also the macOS
   product type (client vs server), macOS point release, and amount of RAM. The detection
   of all these is complicated and impractical, as several point releases had implementation
   flaws resulting in a failure to properly execute the server detection in the first place.
-  For this reason, OpenCore on macOS~10.6 falls back on the \texttt{x86\_64}
-  architecture whenever it is supported by the board, as it is on macOS~10.7.
+  For this reason when \texttt{Auto} is set, OpenCore on macOS~10.6 falls back
+  to the \texttt{x86\_64} architecture when it is supported by the board, as
+  on macOS~10.7. The 32-bit \texttt{KernelArch} options can still be configured
+  explicitly however.
 
   A 64-bit Mac model compatibility matrix corresponding to actual
   EfiBoot behaviour on macOS 10.6.8 and 10.7.5 is outlined below.
@@ -5170,7 +5200,7 @@ troubleshooting:
 
   \begin{itemize}
   \item \texttt{boot-save-log=VALUE} --- debug log save mode for normal boot.
-  	\begin{itemize}
+    \begin{itemize}
     \item \texttt{0}
     \item \texttt{1}
     \item \texttt{2} --- (default).
@@ -5178,7 +5208,7 @@ troubleshooting:
     \item \texttt{4} --- (save to file).
     \end{itemize}
   \item \texttt{wake-save-log=VALUE} --- debug log save mode for hibernation wake.
-  	\begin{itemize}
+    \begin{itemize}
     \item \texttt{0} --- disabled.
     \item \texttt{1}
     \item \texttt{2} --- (default).
@@ -6714,7 +6744,8 @@ functioning. Feature highlights:
 
 \subsection{OpenLegacyBoot}\label{legacyboot}
 OpenLegacyBoot is an OpenCore plugin implementing \texttt{OC\_BOOT\_ENTRY\_PROTOCOL}.
-It aims to detect and boot legacy installed operating systems.
+It aims to detect and boot legacy installed operating systems on supported systems, such as
+OpenDuet and Mac models capable of legacy booting.
 
 Usage:
 
@@ -6739,10 +6770,10 @@ options for the driver may be specified in \texttt{UEFI/Drivers/Arguments}:
 
 \begin{itemize}
   \tightlist
-	\item \texttt{-{}-hide-devices} - String value, no default. \medskip
+  \item \texttt{-{}-hide-devices} - String value, no default. \medskip
 
   When this option is present and has one or more values separated by semicolons \\
-  (e.g. -{}-hide-devices=PciRoot(0x0)/Pci(0x1F,0x2)/Sata(0x0,0xFFFF,0x0)/HD(2,GPT,...)), 
+  (e.g. -{}-hide-devices=PciRoot(0x0)/Pci(0x1F,0x2)/Sata(0x0,0xFFFF,0x0)/HD(2,GPT,...)),
   it disables scanning the specified disks for legacy operating system boot sectors.\medskip
 \end{itemize}
 
@@ -6825,7 +6856,7 @@ options for the driver may be specified in \texttt{UEFI/Drivers/Arguments}:
 
 \begin{itemize}
 \tightlist
-	\item \texttt{flags} - Default: all flags are set except the following:
+  \item \texttt{flags} - Default: all flags are set except the following:
   \begin{itemize}
   \tightlist
     \item \texttt{LINUX\_BOOT\_ADD\_RW},
@@ -6834,7 +6865,7 @@ options for the driver may be specified in \texttt{UEFI/Drivers/Arguments}:
   \end{itemize}
   \medskip
 
-	Available flags are: \medskip
+  Available flags are: \medskip
 
   \begin{itemize}
   \tightlist
@@ -6842,43 +6873,43 @@ options for the driver may be specified in \texttt{UEFI/Drivers/Arguments}:
     Allows scanning for entries on EFI System Partition.
     \item \texttt{0x00000002} (bit \texttt{1}) --- \texttt{LINUX\_BOOT\_SCAN\_XBOOTLDR},
     Allows scanning for entries on Extended Boot Loader Partition.
-	  \item \texttt{0x00000004} (bit \texttt{2}) --- \texttt{LINUX\_BOOT\_SCAN\_LINUX\_ROOT},
-	  Allows scanning for entries on Linux Root filesystems.
-	  \item \texttt{0x00000008} (bit \texttt{3}) --- \texttt{LINUX\_BOOT\_SCAN\_LINUX\_DATA},
-	  Allows scanning for entries on Linux Data filesystems.
-	  \item \texttt{0x00000080} (bit \texttt{7}) --- \texttt{LINUX\_BOOT\_SCAN\_OTHER},
-	  Allows scanning for entries on file systems not matched by any of the above. \medskip
+    \item \texttt{0x00000004} (bit \texttt{2}) --- \texttt{LINUX\_BOOT\_SCAN\_LINUX\_ROOT},
+    Allows scanning for entries on Linux Root filesystems.
+    \item \texttt{0x00000008} (bit \texttt{3}) --- \texttt{LINUX\_BOOT\_SCAN\_LINUX\_DATA},
+    Allows scanning for entries on Linux Data filesystems.
+    \item \texttt{0x00000080} (bit \texttt{7}) --- \texttt{LINUX\_BOOT\_SCAN\_OTHER},
+    Allows scanning for entries on file systems not matched by any of the above. \medskip
 
-	  The following notes apply to all of the above options: \medskip
+    The following notes apply to all of the above options: \medskip
 
-	  \emph{Note 1}: Apple filesystems APFS and HFS are never scanned.
+    \emph{Note 1}: Apple filesystems APFS and HFS are never scanned.
     \medskip
 
-	  \emph{Note 2}: Regardless of the above flags, a file system must first be
-	  allowed by \texttt{Misc/Security/ScanPolicy} before it can be seen by
+    \emph{Note 2}: Regardless of the above flags, a file system must first be
+    allowed by \texttt{Misc/Security/ScanPolicy} before it can be seen by
     OpenLinuxBoot or any other \texttt{OC\_BOOT\_ENTRY\_PROTOCOL} driver.
     \medskip
 
-	  \emph{Note 3}: It is recommended to enable scanning \texttt{LINUX\_ROOT} and \texttt{LINUX\_DATA}
+    \emph{Note 3}: It is recommended to enable scanning \texttt{LINUX\_ROOT} and \texttt{LINUX\_DATA}
     in both OpenLinuxBoot flags and \texttt{Misc/Security/ScanPolicy} in order to be sure to detect
     all valid Linux installs, since Linux boot filesystems are very often marked as \texttt{LINUX\_DATA}.
     \medskip
 
-	  \item \texttt{0x00000100} (bit \texttt{8}) --- \texttt{LINUX\_BOOT\_ALLOW\_AUTODETECT},
-	  If set allows autodetecting and linking \texttt{vmlinuz*} and \texttt{init*} ramdisk files
-	  when \texttt{loader/entries} files are not found.
-	  \item \texttt{0x00000200} (bit \texttt{9}) --- \texttt{LINUX\_BOOT\_USE\_LATEST},
-	  When a Linux entry generated by OpenLinuxBoot is selected as the default boot entry
+    \item \texttt{0x00000100} (bit \texttt{8}) --- \texttt{LINUX\_BOOT\_ALLOW\_AUTODETECT},
+    If set allows autodetecting and linking \texttt{vmlinuz*} and \texttt{init*} ramdisk files
+    when \texttt{loader/entries} files are not found.
+    \item \texttt{0x00000200} (bit \texttt{9}) --- \texttt{LINUX\_BOOT\_USE\_LATEST},
+    When a Linux entry generated by OpenLinuxBoot is selected as the default boot entry
     in OpenCore, automatically switch to the latest kernel when a new version is installed. \medskip
 
-	  When this option is set, an internal menu entry id is shared between kernel versions from the same install
+    When this option is set, an internal menu entry id is shared between kernel versions from the same install
     of Linux. Linux boot options are always sorted highest kernel version first, so this means that
     the latest kernel version of the same install always shows as the default, with this option set. \medskip
 
-	  \emph{Note}: This option is recommended on all systems. \medskip
+    \emph{Note}: This option is recommended on all systems. \medskip
 
-	  \item \texttt{0x00000400} (bit \texttt{10}) --- \texttt{LINUX\_BOOT\_ADD\_RO},
-	  This option applies to autodetected Linux only (i.e. not to BLSpec or
+    \item \texttt{0x00000400} (bit \texttt{10}) --- \texttt{LINUX\_BOOT\_ADD\_RO},
+    This option applies to autodetected Linux only (i.e. not to BLSpec or
     Fedora-style distributions which have \texttt{/loader/entries/*.conf} files).
     Some distributions run a filesystem check on loading which requires the root
     filesystem to initially be mounted read-only via the \texttt{ro} kernel option, which requires this
@@ -6888,8 +6919,8 @@ options for the driver may be specified in \texttt{UEFI/Drivers/Arguments}:
     When there are multiple distros and it is required to specify this option for specific distros only, use
     \texttt{autoopts:\{PARTUUID\}+=ro} to manually add the option where required, instead of using this flag.
 
-	  \item \texttt{0x00000800} (bit \texttt{11}) --- \texttt{LINUX\_BOOT\_ADD\_RW},
-	  Like \texttt{LINUX\_BOOT\_ADD\_RO}, this option applies to autodetected Linux only. It is not
+    \item \texttt{0x00000800} (bit \texttt{11}) --- \texttt{LINUX\_BOOT\_ADD\_RW},
+    Like \texttt{LINUX\_BOOT\_ADD\_RO}, this option applies to autodetected Linux only. It is not
     required for most distros (which usually require either \texttt{ro} or nothing to be added to
     detected boot options), but is required on some Arch-derived distros, e.g. EndeavourOS.
     When there are multiple distros and it is required to specify this option for specific distros only, use
@@ -6897,27 +6928,27 @@ options for the driver may be specified in \texttt{UEFI/Drivers/Arguments}:
     If this option and \texttt{LINUX\_BOOT\_ADD\_RO} are both specified, only this option is applied
     and \texttt{LINUX\_BOOT\_ADD\_RO} is ignored.
 
-	  \item \texttt{0x00002000} (bit \texttt{13}) --- \texttt{LINUX\_BOOT\_ALLOW\_CONF\_AUTO\_ROOT},
-	  In some instances of \texttt{BootLoaderSpecByDefault} in combination with \texttt{ostree}, the
+    \item \texttt{0x00002000} (bit \texttt{13}) --- \texttt{LINUX\_BOOT\_ALLOW\_CONF\_AUTO\_ROOT},
+    In some instances of \texttt{BootLoaderSpecByDefault} in combination with \texttt{ostree}, the
     \texttt{/loader/entries/*.conf} files do not specify a required \texttt{root=...} kernel
     option -- it is added by GRUB. If this bit is set and this situation is detected, then
     automatically add this option. (Required for example by Endless OS.)
-	  \item \texttt{0x00004000} (bit \texttt{14}) --- \texttt{LINUX\_BOOT\_LOG\_VERBOSE},
-	  Add additional debug log info about files encountered and autodetect options added while scanning for
+    \item \texttt{0x00004000} (bit \texttt{14}) --- \texttt{LINUX\_BOOT\_LOG\_VERBOSE},
+    Add additional debug log info about files encountered and autodetect options added while scanning for
     Linux boot entries.
-	  \item \texttt{0x00008000} (bit \texttt{15}) --- \texttt{LINUX\_BOOT\_ADD\_DEBUG\_INFO},
-	  Adds a human readable file system type, followed by the first eight characters of the
-	  partition's unique partition uuid, to each generated entry name. Can help with debugging
-	  the origin of entries generated by the driver when there are multiple Linux installs on
-	  one system.
+    \item \texttt{0x00008000} (bit \texttt{15}) --- \texttt{LINUX\_BOOT\_ADD\_DEBUG\_INFO},
+    Adds a human readable file system type, followed by the first eight characters of the
+    partition's unique partition uuid, to each generated entry name. Can help with debugging
+    the origin of entries generated by the driver when there are multiple Linux installs on
+    one system.
   \end{itemize} \medskip
 
-	Flag values can be specified in hexadecimal beginning with \texttt{0x} or in decimal,
+  Flag values can be specified in hexadecimal beginning with \texttt{0x} or in decimal,
   e.g. \texttt{flags=0x80} or \texttt{flags=128}. It is also possible to specify flags to
   add or remove, using syntax such as \texttt{flags+=0xC000} to add all debugging
   options or \texttt{flags-=0x400} to remove the \texttt{LINUX\_BOOT\_ADD\_RO} option. \medskip
 
-	\item \texttt{autoopts:\{PARTUUID\}[+]="\{options\}"} - Default: not set. \medskip
+  \item \texttt{autoopts:\{PARTUUID\}[+]="\{options\}"} - Default: not set. \medskip
 
   Allows manually specifying kernel options to use in autodetect mode for a given partition only.
   Replace the text \texttt{\{PARTUUID\}} with the specific partition UUID on which the kernels are stored
@@ -6935,7 +6966,7 @@ options for the driver may be specified in \texttt{UEFI/Drivers/Arguments}:
   Linux \texttt{mount} command, and then find out the partuuid of relevant mounted partitions by examining the
   output of \texttt{ls -l /dev/disk/by-partuuid}. \medskip
 
-	\item \texttt{autoopts[+]="\{options\}"} - Default: None specified. \medskip
+  \item \texttt{autoopts[+]="\{options\}"} - Default: None specified. \medskip
 
   Allows manually specifying kernel options to use in autodetect mode. The alternative format \texttt{autoopts:\{PARTUUID\}}
   is more suitable where there are multiple distros, but \texttt{autoopts} with no PARTUUID required may be more
@@ -7108,7 +7139,7 @@ the driver within the \texttt{UEFI/Drivers} section:
 
 \begin{itemize}
   \tightlist
-	\item \texttt{-{}-codec-setup-delay} - Integer value, default \texttt{0}. \medskip
+  \item \texttt{-{}-codec-setup-delay} - Integer value, default \texttt{0}. \medskip
 
   Amount of time in milliseconds to wait for all widgets to come fully on, applied per codec
   during driver connection phase. In most systems this should not be needed and a faster boot
@@ -7120,7 +7151,7 @@ the driver within the \texttt{UEFI/Drivers} section:
   Force use of an audio codec, this value should be equal to \texttt{Audio} section \texttt{AudioCodec}.
   Can result in faster boot especially when used in conjuction with \texttt{-{}-force-device}. \medskip
 
-	\item \texttt{-{}-force-device} - String value, no default. \medskip
+  \item \texttt{-{}-force-device} - String value, no default. \medskip
 
   When this option is present and has a value (e.g. \texttt{-{}-force-device=PciRoot(0x0)/Pci(0x1f,0x3)}), it
   forces AudioDxe to connect to the specified PCI device, even if the device does not report itself as
@@ -7139,7 +7170,7 @@ the driver within the \texttt{UEFI/Drivers} section:
   \item \texttt{-{}-gpio-setup} - Default value is \texttt{0} (GPIO setup disabled) if argument is not provided,
   or \texttt{7} (all GPIO setup stages stages enabled) if the argument is provided with no value. \medskip
 
-	Available values, which may be combined by adding, are: \medskip
+  Available values, which may be combined by adding, are: \medskip
 
   \begin{itemize}
   \tightlist
@@ -7163,9 +7194,9 @@ the driver within the \texttt{UEFI/Drivers} section:
   sound (previous sounds are not allowed to finish before new sounds start) on a small number
   of other systems, hence this option is not enabled by default. \medskip
 
-	\item \texttt{-{}-gpio-pins} - Default: \texttt{0}, auto-detect. \medskip
+  \item \texttt{-{}-gpio-pins} - Default: \texttt{0}, auto-detect. \medskip
 
-	Specifies which GPIO pins should be operated on by \texttt{-{}-gpio-setup}. This is a bit mask,
+  Specifies which GPIO pins should be operated on by \texttt{-{}-gpio-setup}. This is a bit mask,
   with possible values from \texttt{0x0} to \texttt{0xFF}. The usable maximum depends on
   the number if available pins on the audio out function group of the codec in use, e.g. it is
   \texttt{0x3} (lowest two bits) if two GPIO pins are present, \texttt{0x7} if three pins are present,
@@ -7182,7 +7213,7 @@ the driver within the \texttt{UEFI/Drivers} section:
   Values for driver parameters can be specified in hexadecimal beginning with \texttt{0x} or
   in decimal, e.g. \texttt{-{}-gpio-pins=0x12} or \texttt{-{}-gpio-pins=18}. \medskip
 
-	\item \texttt{-{}-restore-nosnoop} - Boolean flag, enabled if present. \medskip
+  \item \texttt{-{}-restore-nosnoop} - Boolean flag, enabled if present. \medskip
 
   AudioDxe clears the Intel HDA No Snoop Enable (NSNPEN) bit. On some systems, this change must
   be reversed on exit in order to avoid breaking sound in Windows or Linux. If so, this flag should
@@ -7190,12 +7221,12 @@ the driver within the \texttt{UEFI/Drivers} section:
   Not enabled by default, since restoring the flag can prevent sound from working in macOS on
   some other systems. \medskip
 
-	\item \texttt{-{}-use-conn-none} - Boolean flag, enabled if present. \medskip
+  \item \texttt{-{}-use-conn-none} - Boolean flag, enabled if present. \medskip
 
   On some sound cards enabling this option will enable additional usable audio channels (e.g.
   the bass or treble speaker of a pair, where only one is found without it).
   \medskip
-  
+
   \emph{Note}: Enabling this option may increase the available channels, in which case any
   custom setting of \texttt{AudioOutMask} may need to be changed to match the new channel list.
   \medskip
@@ -8241,7 +8272,7 @@ for additional options.
   \texttt{Text} and \texttt{Graphics} specify the named mode. \texttt{Auto}
   uses the current mode of the system \texttt{ConsoleControl} protocol when
   one exists, defaulting to \texttt{Text} mode otherwise.
- 
+
   UEFI firmware typically supports \texttt{ConsoleControl} with two
   rendering modes: \texttt{Graphics} and \texttt{Text}. Some types of firmware
   do not provide a native \texttt{ConsoleControl} and rendering modes. OpenCore
@@ -9298,7 +9329,7 @@ requires several steps and careful configuration of certain settings as explaine
 
   \begin{itemize}
   \item MBR (Master Boot Record) installations are legacy and are only supported
-  with the OpenLegacyBoot driver.
+  with the OpenLegacyBoot driver on legacy systems.
   \item All the modifications applied (to ACPI, NVRAM, SMBIOS, etc.) are supposed
   to be operating system agnostic, i.e. apply equally regardless of the OS booted.
   This enables Boot Camp software experience on Windows.

Docs/Sample.plist

@@ -323,6 +323,8 @@
 			<true/>
 			<key>EnableWriteUnprotector</key>
 			<true/>
+			<key>FixupAppleEfiImages</key>
+			<false/>
 			<key>ForceBooterSignature</key>
 			<false/>
 			<key>ForceExitBootServices</key>
@@ -864,7 +866,7 @@
 			</dict>
 			<dict>
 				<key>Arch</key>
-				<string>x86_64</string>
+				<string>Any</string>
 				<key>Base</key>
 				<string>_disable_serial_output</string>
 				<key>Comment</key>
@@ -894,7 +896,7 @@
 			</dict>
 			<dict>
 				<key>Arch</key>
-				<string>x86_64</string>
+				<string>Any</string>
 				<key>Base</key>
 				<string>_vstart</string>
 				<key>Comment</key>
@@ -924,7 +926,7 @@
 			</dict>
 			<dict>
 				<key>Arch</key>
-				<string>x86_64</string>
+				<string>Any</string>
 				<key>Base</key>
 				<string>_vstart</string>
 				<key>Comment</key>

Docs/SampleCustom.plist

@@ -323,6 +323,8 @@
 			<true/>
 			<key>EnableWriteUnprotector</key>
 			<true/>
+			<key>FixupAppleEfiImages</key>
+			<false/>
 			<key>ForceBooterSignature</key>
 			<false/>
 			<key>ForceExitBootServices</key>
@@ -864,7 +866,7 @@
 			</dict>
 			<dict>
 				<key>Arch</key>
-				<string>x86_64</string>
+				<string>Any</string>
 				<key>Base</key>
 				<string>_disable_serial_output</string>
 				<key>Comment</key>
@@ -894,7 +896,7 @@
 			</dict>
 			<dict>
 				<key>Arch</key>
-				<string>x86_64</string>
+				<string>Any</string>
 				<key>Base</key>
 				<string>_vstart</string>
 				<key>Comment</key>
@@ -924,7 +926,7 @@
 			</dict>
 			<dict>
 				<key>Arch</key>
-				<string>x86_64</string>
+				<string>Any</string>
 				<key>Base</key>
 				<string>_vstart</string>
 				<key>Comment</key>

Include/Acidanthera/Library/OcBootManagementLib.h

@@ -1818,7 +1818,8 @@ OcRegisterBootstrapBootOption (
 **/
 VOID
 OcImageLoaderInit (
-  IN     CONST BOOLEAN  ProtectUefiServices
+  IN     CONST BOOLEAN  ProtectUefiServices,
+  IN     CONST BOOLEAN  FixupAppleEfiImages
   );
 
 /**

Include/Acidanthera/Library/OcConfigurationLib.h

@@ -144,6 +144,7 @@ OC_DECLARE (OC_BOOTER_PATCH_ARRAY)
   _(BOOLEAN                     , EnableForAll              ,     , FALSE  , ()) \
   _(BOOLEAN                     , EnableSafeModeSlide       ,     , FALSE  , ()) \
   _(BOOLEAN                     , EnableWriteUnprotector    ,     , FALSE  , ()) \
+  _(BOOLEAN                     , FixupAppleEfiImages       ,     , FALSE  , ()) \
   _(BOOLEAN                     , ForceBooterSignature      ,     , FALSE  , ()) \
   _(BOOLEAN                     , ForceExitBootServices     ,     , FALSE  , ()) \
   _(BOOLEAN                     , ProtectMemoryRegions      ,     , FALSE  , ()) \

Include/Acidanthera/Library/OcMainLib.h

@@ -30,7 +30,7 @@
   OpenCore version reported to log and NVRAM.
   OPEN_CORE_VERSION must follow X.Y.Z format, where X.Y.Z are single digits.
 **/
-#define OPEN_CORE_VERSION  "0.9.6"
+#define OPEN_CORE_VERSION  "0.9.7"
 
 /**
   OpenCore build type reported to log and NVRAM.

Include/Acidanthera/Library/OcPeCoffExtLib.h

@@ -43,4 +43,19 @@ PeCoffGetApfsDriverVersion (
   OUT APFS_DRIVER_VERSION  **DriverVersionPtr
   );
 
+/**
+  Detect and patch W^X and section overlap errors in legacy boot.efi.
+  Expected to make changes in 10.4 and 10.5 only.
+
+  @param[in]  DriverBuffer      Image buffer.
+  @param[in]  DriverSize        Size of the image.
+
+  @retval EFI_SUCCESS on success.
+**/
+EFI_STATUS
+OcPatchLegacyEfi (
+  IN  VOID    *DriverBuffer,
+  IN  UINT32  DriverSize
+  );
+
 #endif // OC_PE_COFF_EXT_LIB_H

Library/OcBootManagementLib/ImageLoader.c

@@ -36,6 +36,7 @@
 #include <Library/OcFileLib.h>
 #include <Library/OcMachoLib.h>
 #include <Library/OcMiscLib.h>
+#include <Library/OcPeCoffExtLib.h>
 #include <Library/OcStringLib.h>
 #include <Library/UefiImageLib.h>
 #include <Library/UefiBootServicesTableLib.h>
@@ -82,6 +83,7 @@ STATIC EFI_HANDLE                 mImageLoaderCapsHandle;
 STATIC BOOLEAN                    mImageLoaderEnabled;
 
 STATIC BOOLEAN  mProtectUefiServices;
+STATIC BOOLEAN  mFixupAppleEfiImages;
 
 STATIC EFI_IMAGE_LOAD          mPreservedLoadImage;
 STATIC EFI_IMAGE_START         mPreservedStartImage;
@@ -783,9 +785,12 @@ InternalEfiLoadImage (
   )
 {
   EFI_STATUS  SecureBootStatus;
+  EFI_STATUS  FilterStatus;
   EFI_STATUS  Status;
   VOID        *AllocatedBuffer;
   UINT32      RealSize;
+  UINT32      SignedFileSize;
+  BOOLEAN     IsFat;
 
   mImageLoaderCapsHandle = NULL;
 
@@ -855,17 +860,61 @@ InternalEfiLoadImage (
   if (SourceBuffer != NULL) {
     RealSize = (UINT32)SourceSize;
  #ifdef MDE_CPU_IA32
-    Status = FatFilterArchitecture32 ((UINT8 **)&SourceBuffer, &RealSize);
+    FilterStatus = FatFilterArchitecture32 ((UINT8 **)&SourceBuffer, &RealSize);
  #else
-    Status = FatFilterArchitecture64 ((UINT8 **)&SourceBuffer, &RealSize);
+    FilterStatus = FatFilterArchitecture64 ((UINT8 **)&SourceBuffer, &RealSize);
  #endif
 
+    IsFat = !EFI_ERROR (FilterStatus) && (RealSize != SourceSize) && (RealSize >= EFI_PAGE_SIZE);
+
+    if (IsFat) {
+      mImageLoaderCaps = DetectCapabilities (SourceBuffer, RealSize);
+    }
+
     //
-    // This is FAT image.
-    // Determine its capabilities.
+    // Use mImageLoaderConfigure != NULL as a proxy for loaded kernel support,
+    // and only apply FixupAppleEfiImages while this is set.
     //
-    if (!EFI_ERROR (Status) && (RealSize != SourceSize) && (RealSize >= EFI_PAGE_SIZE)) {
-      mImageLoaderCaps = DetectCapabilities (SourceBuffer, RealSize);
+    if (mFixupAppleEfiImages && (mImageLoaderConfigure != NULL)) {
+      if (SecureBootStatus == EFI_SUCCESS) {
+        DEBUG ((DEBUG_INFO, "OCB: Secure boot, fixup efi ignored\n"));
+        Status = EFI_SUCCESS;
+      } else if (IsFat) {
+        DEBUG ((DEBUG_INFO, "OCB: Fat binary, fixup efi...\n"));
+        Status = OcPatchLegacyEfi (SourceBuffer, RealSize);
+      } else {
+        //
+        // Overlapping sections not expected outside of fat binaries (and even then
+        // only in 32-bit slices), so verify signature allowing for W^X errors only.
+        //
+        SignedFileSize = RealSize;
+        Status         = PeCoffVerifyAppleSignature (SourceBuffer, &SignedFileSize);
+        if (!EFI_ERROR (Status)) {
+          DEBUG ((
+            DEBUG_INFO,
+            "OCB: Apple signed binary %u->%u, fixup efi...\n",
+            RealSize,
+            SignedFileSize
+            ));
+          RealSize = SignedFileSize;
+          Status   = OcPatchLegacyEfi (SourceBuffer, RealSize);
+        } else {
+          DEBUG ((DEBUG_INFO, "OCB: Not Apple signed binary, fixup efi ignored\n"));
+          Status = EFI_SUCCESS;
+        }
+      }
+
+      //
+      // Error can mean incompletely patched image, so we should fail.
+      // Any error not the result of incomplete patching would in general not load anyway.
+      //
+      if (EFI_ERROR (Status)) {
+        if (AllocatedBuffer != NULL) {
+          FreePool (AllocatedBuffer);
+        }
+
+        return Status;
+      }
     }
 
     DEBUG ((
@@ -876,10 +925,10 @@ InternalEfiLoadImage (
       SourceBuffer,
       RealSize,
       mImageLoaderCaps,
-      Status
+      FilterStatus
       ));
 
-    if (!EFI_ERROR (Status)) {
+    if (!EFI_ERROR (FilterStatus)) {
       SourceSize = RealSize;
     } else if (AllocatedBuffer != NULL) {
       SourceBuffer = NULL;
@@ -1087,10 +1136,12 @@ InternalEfiExit (
 
 VOID
 OcImageLoaderInit (
-  IN     CONST BOOLEAN  ProtectUefiServices
+  IN     CONST BOOLEAN  ProtectUefiServices,
+  IN     CONST BOOLEAN  FixupAppleEfiImages
   )
 {
   mProtectUefiServices = ProtectUefiServices;
+  mFixupAppleEfiImages = FixupAppleEfiImages;
 
   mOriginalEfiLoadImage   = gBS->LoadImage;
   mOriginalEfiStartImage  = gBS->StartImage;

Library/OcBootManagementLib/OcBootManagementLib.inf

@@ -110,6 +110,7 @@
   OcFlexArrayLib
   OcMachoLib
   OcMiscLib
+  OcPeCoffExtLib
   OcRtcLib
   OcTypingLib
   OcVariableLib

Library/OcConfigurationLib/OcConfigurationLib.c

@@ -191,6 +191,7 @@ OC_SCHEMA
   OC_SCHEMA_BOOLEAN_IN ("EnableForAll",           OC_GLOBAL_CONFIG, Booter.Quirks.EnableForAll),
   OC_SCHEMA_BOOLEAN_IN ("EnableSafeModeSlide",    OC_GLOBAL_CONFIG, Booter.Quirks.EnableSafeModeSlide),
   OC_SCHEMA_BOOLEAN_IN ("EnableWriteUnprotector", OC_GLOBAL_CONFIG, Booter.Quirks.EnableWriteUnprotector),
+  OC_SCHEMA_BOOLEAN_IN ("FixupAppleEfiImages",    OC_GLOBAL_CONFIG, Booter.Quirks.FixupAppleEfiImages),
   OC_SCHEMA_BOOLEAN_IN ("ForceBooterSignature",   OC_GLOBAL_CONFIG, Booter.Quirks.ForceBooterSignature),
   OC_SCHEMA_BOOLEAN_IN ("ForceExitBootServices",  OC_GLOBAL_CONFIG, Booter.Quirks.ForceExitBootServices),
   OC_SCHEMA_BOOLEAN_IN ("ProtectMemoryRegions",   OC_GLOBAL_CONFIG, Booter.Quirks.ProtectMemoryRegions),

Library/OcMainLib/OpenCoreUefi.c

@@ -899,7 +899,7 @@ OcLoadUefiSupport (
 
   OcReinstallProtocols (Config);
 
-  OcImageLoaderInit (Config->Booter.Quirks.ProtectUefiServices);
+  OcImageLoaderInit (Config->Booter.Quirks.ProtectUefiServices, Config->Booter.Quirks.FixupAppleEfiImages);
 
   OcLoadAppleSecureBoot (Config, CpuInfo);
 

Library/OcPeCoffExtLib/BasePeCoffLib2Internals.h

+/** @file
+  Provides shared private definitions across this library.
+
+  Copyright (c) 2020 - 2021, Marvin Häuser. All rights reserved.<BR>
+  Copyright (c) 2020, Vitaly Cheptsov. All rights reserved.<BR>
+  Copyright (c) 2020, ISP RAS. All rights reserved.<BR>
+
+  SPDX-License-Identifier: BSD-3-Clause
+**/
+
+#ifndef BASE_PE_COFF_LIB2_INTERNALS_H_
+#define BASE_PE_COFF_LIB2_INTERNALS_H_
+
+//
+// PcdImageLoaderRelocTypePolicy bits.
+//
+
+///
+/// If set, ARM Thumb Image relocations are supported.
+///
+#define PCD_RELOC_TYPE_POLICY_ARM  BIT0
+
+///
+/// Denotes the alignment requirement for Image certificate sizes.
+///
+#define IMAGE_CERTIFICATE_ALIGN  8U
+
+//
+// The PE/COFF specification guarantees an 8 Byte alignment for certificate
+// sizes. This is larger than the alignment requirement for WIN_CERTIFICATE
+// implied by the UEFI ABI. ASSERT this holds.
+//
+STATIC_ASSERT (
+  ALIGNOF (WIN_CERTIFICATE) <= IMAGE_CERTIFICATE_ALIGN,
+  "The PE/COFF specification guarantee does not suffice."
+  );
+
+//
+// The 4 Byte alignment guaranteed by the PE/COFF specification has been
+// replaced with ALIGNOF (EFI_IMAGE_BASE_RELOCATION_BLOCK) for proof simplicity.
+// This obviously was the original intention of the specification. ASSERT in
+// case the equality is not given.
+//
+STATIC_ASSERT (
+  sizeof (UINT32) == ALIGNOF (EFI_IMAGE_BASE_RELOCATION_BLOCK),
+  "The current model violates the PE/COFF specification"
+  );
+
+// FIXME:
+RETURN_STATUS
+PeCoffLoadImageInplaceNoBase (
+  IN OUT PE_COFF_LOADER_IMAGE_CONTEXT  *Context
+  );
+
+#endif // BASE_PE_COFF_LIB_INTERNALS_H_

Library/OcPeCoffExtLib/OcPeCoffExtInternal.h

@@ -29,4 +29,31 @@ typedef struct APPLE_SIGNATURE_CONTEXT_ {
   UINT8                Signature[256];
 } APPLE_SIGNATURE_CONTEXT;
 
+/**
+  Fix W^X and section overlap issues in loaded TE, PE32, or PE32+ Image in
+  memory while initialising Context.
+
+  Closely based on PeCoffInitializeContext from PeCoffLib2.
+
+  The approach of modifying the image in memory is basically incompatible
+  with secure boot, athough:
+    a) Certain firmware may allow optionally registering the hash of any
+       image which does not load, which would still work.
+    b) It is fairly crazy anyway to want to apply secure boot to the old,
+       insecure .efi files which need these fixups.
+
+  @param[out] Context     The context describing the Image.
+  @param[in]  FileBuffer  The file data to parse as PE Image.
+  @param[in]  FileSize    The size, in Bytes, of FileBuffer.
+
+  @retval RETURN_SUCCESS  The Image context has been initialised successfully.
+  @retval other           The file data is malformed.
+**/
+RETURN_STATUS
+InternalPeCoffFixup (
+  OUT PE_COFF_LOADER_IMAGE_CONTEXT  *Context,
+  IN  CONST VOID                    *FileBuffer,
+  IN  UINT32                        FileSize
+  );
+
 #endif // OC_PE_COFF_EXT_INTERNAL_H

Library/OcPeCoffExtLib/OcPeCoffExtLib.c

@@ -33,6 +33,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 #include <Library/UefiLib.h>
 #include <Library/OcCryptoLib.h>
 #include <Library/OcAppleKeysLib.h>
+#include <Library/OcStringLib.h>
 #include <Guid/AppleCertificate.h>
 
 #include "OcPeCoffExtInternal.h"
@@ -493,7 +494,7 @@ PeCoffGetApfsDriverVersion (
      || (ImageContext.ImageType != PeCoffLoaderTypePe32Plus)
      || (ImageContext.Subsystem != EFI_IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER))
   {
-    DEBUG ((DEBUG_INFO, "OCPE: PeCoff unsupported image\n"));
+    DEBUG ((DEBUG_INFO, "OCPE: PeCoff apfs unsupported image\n"));
     return EFI_UNSUPPORTED;
   }
 
@@ -541,3 +542,25 @@ PeCoffGetApfsDriverVersion (
   *DriverVersionPtr = DriverVersion;
   return EFI_SUCCESS;
 }
+
+EFI_STATUS
+OcPatchLegacyEfi (
+  IN  VOID    *DriverBuffer,
+  IN  UINT32  DriverSize
+  )
+{
+  EFI_STATUS                    ImageStatus;
+  PE_COFF_LOADER_IMAGE_CONTEXT  ImageContext;
+
+  ImageStatus = InternalPeCoffFixup (
+                  &ImageContext,
+                  DriverBuffer,
+                  DriverSize
+                  );
+  if (EFI_ERROR (ImageStatus)) {
+    DEBUG ((DEBUG_WARN, "OCPE: PeCoff legacy patch failure - %r\n", ImageStatus));
+    return EFI_UNSUPPORTED;
+  }
+
+  return EFI_SUCCESS;
+}

Library/OcPeCoffExtLib/OcPeCoffExtLib.inf

@@ -25,12 +25,13 @@
 
 
 #
-#  VALID_ARCHITECTURES           = X64
+#  VALID_ARCHITECTURES           = IA32 X64
 #
 
 [Sources]
   OcPeCoffExtInternal.h
   OcPeCoffExtLib.c
+  OcPeCoffFixup.c
 
 [Packages]
   MdePkg/MdePkg.dec
@@ -48,7 +49,13 @@
   DebugLib
   OcAppleKeysLib
   OcCryptoLib
+  OcStringLib
 
 [Guids]
   gAppleEfiCertificateGuid
   gEfiCertTypeRsa2048Sha256Guid
+
+[FixedPcd]
+  gEfiMdePkgTokenSpaceGuid.PcdImageLoaderAlignmentPolicy
+  gEfiMdePkgTokenSpaceGuid.PcdImageLoaderAllowMisalignedOffset
+  gEfiMdePkgTokenSpaceGuid.PcdDebugRaisePropertyMask

OpenDuetPkg.dsc

@@ -259,7 +259,6 @@
   gEfiMdePkgTokenSpaceGuid.PcdFixedDebugPrintErrorLevel|0x0
   gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x0
   gOpenCorePkgTokenSpaceGuid.PcdCanaryAllowRdtscFallback|TRUE
-  gEfiMdePkgTokenSpaceGuid.PcdImageLoaderRemoveXForWX|TRUE
 
 [BuildOptions]
   MSFT:NOOPT_*_*_CC_FLAGS    = -D OC_TARGET_RELEASE=1 /FAcs -Dinline=__inline  /GS /kernel

README.md

 <img src="/Docs/Logos/OpenCore_with_text_Small.png" width="200" height="48"/>
 
-[![Build Status](https://github.com/acidanthera/OpenCorePkg/workflows/CI/badge.svg?branch=master)](https://github.com/acidanthera/OpenCorePkg/actions) [![Scan Status](https://scan.coverity.com/projects/18169/badge.svg?flat=1)](https://scan.coverity.com/projects/18169)
+[![Build Status](https://github.com/acidanthera/OpenCorePkg/actions/workflows/build.yml/badge.svg?branch=master)](https://github.com/acidanthera/OpenCorePkg/actions) [![Scan Status](https://scan.coverity.com/projects/18169/badge.svg?flat=1)](https://scan.coverity.com/projects/18169)
 -----
 
 OpenCore bootloader with development SDK.

User/Library/UserPcd.c

@@ -12,7 +12,7 @@
   DEBUG_PROPERTY_DEBUG_ASSERT_ENABLED \
   | DEBUG_PROPERTY_DEBUG_PRINT_ENABLED \
   | DEBUG_PROPERTY_ASSERT_BREAKPOINT_ENABLED )
-#define _PCD_VALUE_PcdDebugRaisePropertyMask            DEBUG_PROPERTY_DEBUG_ASSERT_ENABLED
+#define _PCD_VALUE_PcdDebugRaisePropertyMask            0U ///< Can use e.g. DEBUG_PROPERTY_DEBUG_ASSERT_ENABLED
 #define _PCD_VALUE_PcdDebugClearMemoryValue             0xAFU
 #define _PCD_VALUE_PcdFixedDebugPrintErrorLevel         0x80000002U
 #define _PCD_VALUE_PcdDebugPrintErrorLevel              0x80000002U
@@ -42,7 +42,7 @@ BOOLEAN  _gPcd_FixedAtBuild_PcdImageLoaderHashProhibitOverlap        = TRUE;
 BOOLEAN  _gPcd_FixedAtBuild_PcdImageLoaderLoadHeader                 = TRUE;
 BOOLEAN  _gPcd_FixedAtBuild_PcdImageLoaderDebugSupport               = TRUE;
 BOOLEAN  _gPcd_FixedAtBuild_PcdImageLoaderAllowMisalignedOffset      = FALSE;
-BOOLEAN  _gPcd_FixedAtBuild_PcdImageLoaderRemoveXForWX               = FALSE;
+BOOLEAN  _gPcd_FixedAtBuild_PcdImageLoaderRemoveXForWX               = TRUE;
 BOOLEAN  _gPcd_FixedAtBuild_PcdImageLoaderWXorX                      = TRUE;
 UINT32   _gPcd_FixedAtBuild_PcdImageLoaderAlignmentPolicy            = 0xFFFFFFFF;
 UINT32   _gPcd_FixedAtBuild_PcdImageLoaderRelocTypePolicy            = 0x00;

Utilities/AppleEfiSignTool/Makefile

@@ -13,7 +13,8 @@ OBJS    = $(PROJECT).o \
 	PeCoffInit.o \
 	PeCoffLoad.o \
 	PeCoffRelocate.o \
-	OcPeCoffExtLib.o
+	OcPeCoffExtLib.o \
+	OcPeCoffFixup.o
 VPATH   = $(UDK_PATH)/MdePkg/Library/BasePeCoffLib2:$\
           ../../Library/OcPeCoffExtLib:$\
 

Utilities/macrecovery/recovery_urls.txt

@@ -34,15 +34,18 @@ Big Sur
 Monterey
 ./macrecovery.py -b Mac-E43C1C25D4880AD6 -m 00000000000000000
 
+Ventura
+./macrecovery.py -b Mac-B4831CEBD52A0C4C -m 00000000000000000
+
 Diagnostics
-./macrecovery.py -b Mac-E43C1C25D4880AD6 -m 00000000000000000 -diag
-./macrecovery.py -b Mac-E43C1C25D4880AD6 -m 00000000000GDVQ00 -diag
-./macrecovery.py -b Mac-E43C1C25D4880AD6 <real MLB> -diag
+./macrecovery.py -b Mac-7BA5B2D9E42DDD94 -m 00000000000000000 -diag
+./macrecovery.py -b Mac-7BA5B2D9E42DDD94 -m 00000000000JG3600 -diag
+./macrecovery.py -b Mac-7BA5B2D9E42DDD94 <real MLB> -diag
 
 Default version
-./macrecovery.py -b Mac-E43C1C25D4880AD6 -m 00000000000GDVQ00       (oldest)
-./macrecovery.py -b Mac-E43C1C25D4880AD6 -m <real MLB> -os default  (newer)
+./macrecovery.py -b Mac-7BA5B2D9E42DDD94 -m 00000000000JG3600       (oldest)
+./macrecovery.py -b Mac-7BA5B2D9E42DDD94 -m <real MLB> -os default  (newer)
 
 Latest version
-./macrecovery.py -b Mac-B4831CEBD52A0C4C -m 00000000000000000 -os latest
-./macrecovery.py -b Mac-B4831CEBD52A0C4C -m <real MLB> -os latest
+./macrecovery.py -b Mac-7BA5B2D9E42DDD94 -m 00000000000000000 -os latest
+./macrecovery.py -b Mac-7BA5B2D9E42DDD94 -m <real MLB> -os latest