Just came across this, looks to have a very short "exclude" list and then a very long list of kexts that are OK to load without a valid signature. The allowed list has some kexts that come from the Install OSX app, 3rd party and every Hackintosh kext I know of, I even see my own name in this list too! My guess would be Apple just added a dump of every kext they could find any reference to without reviewing their function, then from here on they can just remove ones from the list that are a problem, causing much less work down the road and less upset average users. Also if there is a size check on the file, adding new entries to it would cause much more work than simply removing existing entries.
If signed drivers would mean this list doesn't matter, the second Apple blocks kexts with no valid signature like FakeSMC, we could rebuild them and sign them with an Apple developer certificate (like I have, as I'm a paying dev).
Only a theory though...
I think only kexts with no valid dev certificate are passed through this list.
We need further testing on this.
EDIT: Oh yeah? Size check... probably a checksum that verifies the file wasn't modified, which is probably far worse than a size check if it's a custom checksum...
I notice a significant change in the new sources. Understand.
Old call is aes_decrypt_cbc from kernel.
New call is DSMOS_BF_cbc_encrypt from BLOWFISH DECRYPT from OpenSSL.
Are you sure it is the same and more portable?
I'd recommend excluding IOLog from page_transform and from compare_setup.
I also think the check for PPC is not needed. There are no PPC Hackintoshes.
I am interested in using AppleDecrypt together with FakeSMC. Results will come after long testing.
Yes, the encrypt parameter has a value indicating encryption and decryption.
Apple silently switched from a double AES decryption to a single Blowfish decryption (with OSK0 and OSK1 concatenated to a single key) but still disguising it as AES in the Dont steal Mac OS X.kext binary.
It's true the PPC code can be excluded, as there never was any encryption on PPC Macs anyway, and these days there are also no more PPC Macs with 10.6 or better as it is all Intel.
The decryption handler in action was used in verbose mode to check it handled the decryption.
True, this was only used as a debugging check and can be excluded too.