mhaeuser Posted January 8, 2018

"Custom" mode works, i.e. it's the MSFT CA + file hash of Clover and boot.efi, I always had SB enabled
apianti Posted January 8, 2018

> "Custom" mode works, i.e. it's the MSFT CA + file hash of Clover and boot.efi, I always had SB enabled

You mean your firmware's mode to add hashes of modules it will allow to load? I was referring to the actual secure boot mechanism in clover to enable it for firmware that don't have custom mode, only enabled/disabled and setup modes.
mhaeuser Posted January 8, 2018

> You mean your firmware's mode to add hashes of modules it will allow to load? I was referring to the actual secure boot mechanism in clover to enable it for firmware that don't have custom mode, only enabled/disabled and setup modes.

Ahh, sorry, no, never tested
Cyberdevs Posted January 8, 2018

> EDIT2: I have no idea why my mind is all Mojo Jojo all of a sudden but I think you can defeat FV2 as well.... Does mac firmware support Driver#### NVRAM variables?

Honestly I don't know about that but I can run some tests to determine if it's supported or not and only if you point me in the right direction.
apianti Posted January 8, 2018

> Ahh, sorry, no, never tested

Yeah it's cool I gave up on it a long time ago.... lol

> Honestly I don't know about that but I can run some tests to determine if it's supported or not and only if you point me in the right direction.

I'm fairly positive that it does. It's not a big deal, I'm just having way too much time to think and on this medicine. I'm like seriously in evil super villain mode over here.....
Cyberdevs Posted January 8, 2018

> I'm fairly positive that it does. It's not a big deal, I'm just having way too much time to think and on this medicine. I'm like seriously in evil super villain mode over here.....

I believe so either... I'm also happy to hear that you are doing better on your new meds. I wish you get better and better.
apianti Posted January 8, 2018

> I believe so either... I'm also happy to hear that you are doing better on your new meds. I wish you get better and better.

Thanks. Yeah, I'm doing better, but I'm sick now so I'm on cold/flu medicine too. The combination is let's say strange, I have not slept much in the past few days..... Ideas, can't stop 'em.

EDIT: Actually I should go to sleep. I haven't slept in more than a day and only like two hours.

EDIT2: I'm gonna go but I'm gonna actually watch the Iron Man trilogy. HAHA. WTF
Funky frank Posted January 8, 2018

Question: How do I block AppleGraphicsPowerManagement.kext from loading, only using clover? Do I have to add a plist patch, so the device-id is not matching anymore, or is there a more sophisticated way to do that?
apianti Posted January 8, 2018

> Question: How do I block AppleGraphicsPowerManagement.kext from loading, only using clover? Do I have to add a plist patch, so the device-id is not matching anymore, or is there a more sophisticated way to do that?

Yep, plist patch the id to something else. Why wouldn't you want AGPM though?

EDIT: Interrupting my Iron Man marathon.... How dare you!
Slice Posted January 8, 2018

> I was just curious to see if we can fully enable the SIP with the new AptioFixDrv or not.

Fully enable? On hackintosh??? Paranoia. How did you propose to load unsigned kexts?

> Question: How do I block AppleGraphicsPowerManagement.kext from loading, only using clover? Do I have to add a plist patch, so the device-id is not matching anymore, or is there a more sophisticated way to do that?

Disabler.kext or NullCPUPM. Or just Clover config.plist settings to not disable the kext but make it working as is.
Cyberdevs Posted January 8, 2018

> Thanks. Yeah, I'm doing better, but I'm sick now so I'm on cold/flu medicine too. The combination is let's say strange, I have not slept much in the past few days..... Ideas, can't stop 'em. EDIT: Actually I should go to sleep. I haven't slept in more than a day and only like two hours. EDIT2: I'm gonna go but I'm gonna actually watch the Iron Man trilogy. HAHA. WTF

Sleep tight

> Fully enable? On hackintosh??? Paranoia. How did you propose to load unsigned kexts?

Sorry it was a wrong assumption on my part. None of the unassigned kexts were loaded by fully enabling the SIP.

@apianti @Slice Here's what I did. I installed macOS High Sierra 10.3.2 with SIP enabled using CsrConfig=0x0. I didn't install nVidia WebDrivers yet but I have Audio, USB 3.0 are working and the only thing that it's not working is the GPU (because I haven't installed the Web Drivers yet)

Here's the bootlog and the kextstat and csrutil status:

So I can see that with fully enabling the SIP the unsigned kexts are still getting loaded.

Attachments: Bootlog.rtf, Kextstat.rtf
Cyberdevs Posted January 8, 2018

Important Update: I just installed the web drivers and everything is working as it's supposed to. SIP is fully enabled and everything is back to normal.

The most important thing that I've learned is that in my previous attempt to enable the SIP, it was blocking the nVidia WebDriver to load so I got the black screen upon boot. If anyone tries to enable the SIP after installing the web drivers I guess they will end up with the same problem unless the SIP is already enabled and it will prompt the user to allow access to the web driver to load.
Funky frank Posted January 8, 2018

> Yep, plist patch the id to something else. Why wouldn't you want AGPM though? EDIT: Interrupting my Iron Man marathon.... How dare you!

It is for my old VAIO F11. Found out that the whole gt330m power management seems to work directly within the bios, and AGPM just will cause problems. It is working better without AGPM.

BTW: My firefox video stopping issue was caused by a stupid defaults write I did, I set "forceNV = 1" for com.apple.AppleGVA, but my 1050Ti does not support video hardware decoding so I deleted that key now and the Intel HD4600 is used successfully (stated by VDADecoderChecker and MacX Video Converter Pro Info). But I have to use a connector-less ig-platform-id sadly. Then the OpenCL device for the HD4600 will disappear. If I use the connector-full ig-platform for the HD4600, OpenCL will work nicely, Firefox videos plays, but Final Cut Pro X will hard-crash, causing an instant reboot - Very sad! Because you can see for some seconds how drastically the pre-render speed improves if the HD4600 openCL device is enabled, too. It seems to be a speedup like 5x.

> Disabler.kext or NullCPUPM. Or just Clover config.plist settings to not disable the kext but make it working as is.

Thanks, so I just replace "AppleIntelCPUPowerManagement" with "AGPMEnabler" and "IOResources" with "IOPlatformPluginDevice" over > here < ?
apianti Posted January 8, 2018

> Sleep tight @apianti @Slice Here's what I did. I installed macOS High Sierra 10.3.2 with SIP enabled using CsrConfig=0x0. I didn't install nVidia WebDrivers yet but I have Audio, USB 3.0 are working and the only thing that it's not working is the GPU (because I haven't installed the Web Drivers yet) Here's the bootlog and the kextstat and csrutil status: So I can see that with fully enabling the SIP the unsigned kexts are still getting loaded.

Eh, no sleep, I have to sign for a package so I probably shouldn't have stayed up all night watching Iron Man.... And Star Trek Discovery. You mean the unsigned kexts are injected. They won't be loaded with SIP enabled. If you install the web drivers and you get black screen then the problem is web drivers.

> Important Update: I just installed the web drivers and everything is working as it's supposed to. SIP is fully enabled and everything is back to normal. The most important thing that I've learned is that in my previous attempt to enable the SIP, it was blocking the nVidia WebDriver to load so I got the black screen upon boot. If anyone tries to enable the SIP after installing the web drivers I guess they will end up with the same problem unless the SIP is already enabled and it will prompt the user to allow access to the web driver to load.

Oh yeah this is a known issue. You need to remove the drivers, enable SIP, then reinstall them.
Cyberdevs Posted January 8, 2018

> Eh, no sleep, I have to sign for a package so I probably shouldn't have stayed up all night watching Iron Man.... And Star Trek Discovery. You mean the unsigned kexts are injected. They won't be loaded with SIP enabled. If you install the web drivers and you get black screen then the problem is web drivers.

As you can see in the logs I posted earlier, they are loaded and working. Either the SIP is enabled somehow even by using the CsrConfig=0, or I'm mistaken (which I doubt it) or something weird is happening here.
apianti Posted January 8, 2018

> It is for my old VAIO F11. Found out that the whole gt330m power management seems to work directly within the bios, and AGPM just will cause problems. It is working better without AGPM.

Then it is better to just remove the driver altogether. Move it to somewhere else to back it up.

> BTW: My firefox video stopping issue was caused by a stupid defaults write I did, I set "forceNV = 1" for com.apple.AppleGVA, but my 1050Ti does not support video hardware decoding so I deleted that key now and the Intel HD4600 is used successfully (stated by VDADecoderChecker and MacX Video Converter Pro Info). But I have to use a connector-less ig-platform-id sadly. Then the OpenCL device for the HD4600 will disappear. If I use the connector-full ig-platform for the HD4600, OpenCL will work nicely, Firefox videos plays, but Final Cut Pro X will hard-crash, causing an instant reboot - Very sad! Because you can see for some seconds how drastically the pre-render speed improves if the HD4600 openCL device is enabled, too. It seems to be a speedup like 5x.

I think this is related to the reserved region. Still haven't fixed it in like the last day....

EDIT: Did you install the NVIDIA CUDA driver for OpenCL?

> Thanks, so I just replace "AppleIntelCPUPowerManagement" with "AGPMEnabler" and "IOResources" with "IOPlatformPluginDevice" over > here < ?

No, just do what I said above. You are still able to boot with it right? It is just giving you slow graphics?
Cyberdevs Posted January 8, 2018

> Oh yeah this is a known issue. You need to remove the drivers, enable SIP, then reinstall them.

Well I didn't know that, I had to find out the hard way
apianti Posted January 8, 2018

> As you can see in the logs I posted earlier, they are loaded and working. Either the SIP is enabled somehow even by using the CsrConfig=0, or I'm mistaken (which I doubt it) or something weird is happening here.

You are conflating injecting and loading, injecting is done by the bootloader, loading is done by the kernel. They are actually mutually exclusive but clover patches it so they are not. Injection into the kernel happens through the data hub and the device tree memory map, it is not validated because SIP does not apply to booter extensions. When it's loaded that's when it's validated by the kernel (or when the cache is created), this is where SIP would prevent an unsigned kext from loading. CsrActive=0 is SIP fully enabled, meaning you have all security protections.

> Well I didn't know that, I had to find out the hard way

I should have realized, more my fault... I knew.
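An added example, not part of any post in this thread and not Clover's code: a decoder for the `csr-active-config` NVRAM value that the posts call CsrConfig/CsrActive, so the SIP state discussed above can be read from `nvram csr-active-config` output. The flag values follow XNU's `bsd/sys/csr.h` as of macOS 10.13, the sample lines are constructed, and, as the post above explains, a value of 0 says nothing about kexts injected by the bootloader.

```python
# Added example: decode csr-active-config as printed by `nvram` on macOS.
# Flag names and values follow XNU's bsd/sys/csr.h as of macOS 10.13.
CSR_FLAGS = {
    0x001: "CSR_ALLOW_UNTRUSTED_KEXTS",
    0x002: "CSR_ALLOW_UNRESTRICTED_FS",
    0x004: "CSR_ALLOW_TASK_FOR_PID",
    0x008: "CSR_ALLOW_KERNEL_DEBUGGER",
    0x010: "CSR_ALLOW_APPLE_INTERNAL",
    0x020: "CSR_ALLOW_UNRESTRICTED_DTRACE",
    0x040: "CSR_ALLOW_UNRESTRICTED_NVRAM",
    0x080: "CSR_ALLOW_DEVICE_CONFIGURATION",
    0x100: "CSR_ALLOW_ANY_RECOVERY_OS",
    0x200: "CSR_ALLOW_UNAPPROVED_KEXTS",
}


def parse_nvram_line(line):
    """Return the 32-bit value from one `nvram csr-active-config` output line.

    nvram separates name and value with a tab, prints printable bytes
    literally and every other byte as %xx; the four bytes are little-endian.
    """
    name, sep, value = line.rstrip("\r\n").partition("\t")
    if name != "csr-active-config" or not sep:
        raise ValueError("not a csr-active-config line")
    raw = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "%":
            pair = value[i + 1:i + 3]
            if len(pair) != 2:
                raise ValueError("truncated %xx escape")
            raw.append(int(pair, 16))
            i += 3
        else:
            raw.append(ord(value[i]))
            i += 1
    if len(raw) != 4:
        raise ValueError("expected 4 bytes, got %d" % len(raw))
    return int.from_bytes(raw, "little")


def describe(value):
    """Summarise which SIP protections a csr-active-config value relaxes."""
    names = [n for bit, n in sorted(CSR_FLAGS.items()) if value & bit]
    unknown = value & ~sum(CSR_FLAGS)  # bits this table does not know about
    if unknown:
        names.append("UNKNOWN_0x%x" % unknown)
    return {
        "fully_enabled": value == 0,
        "unsigned_kext_loading_allowed": bool(value & 0x001),
        "relaxed": names,
    }


# Constructed sample lines, not taken from the thread's attachments.
SAMPLES = ["csr-active-config\t%00%00%00%00", "csr-active-config\tg%00%00%00"]

if __name__ == "__main__":
    for line in SAMPLES:
        v = parse_nvram_line(line)
        print("0x%x" % v, describe(v))
```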
PMheart Posted January 8, 2018

I think here it's very clear: https://sourceforge.net/p/cloverefiboot/code/4370/tree/rEFIt_UEFI/Platform/kext_inject.c#l599
Cyberdevs Posted January 8, 2018

> You are conflating injecting and loading, injecting is done by the bootloader, loading is done by the kernel. They are actually mutually exclusive but clover patches it so they are not. Injection into the kernel happens through the data hub and the device tree memory map, it is not validated because SIP does not apply to booter extensions. When it's loaded that's when it's validated by the kernel (or when the cache is created), this is where SIP would prevent an unsigned kext from loading. CsrActive=0 is SIP fully enabled, meaning you have all security protections. I should have realized, more my fault... I knew.

Thanks for the explanation.

> I think here it's very clear: https://sourceforge.net/p/cloverefiboot/code/4370/tree/rEFIt_UEFI/Platform/kext_inject.c#l599

Thanks for the link.
apianti Posted January 8, 2018

> I think here it's very clear: https://sourceforge.net/p/cloverefiboot/code/4370/tree/rEFIt_UEFI/Platform/kext_inject.c#l599

It's actually not that clear... Even I'm not sure exactly what that's doing. Where is it patching SIP? For the booter extensions or for loading?

EDIT: If for loading then why? Shouldn't just set CsrActive=0x1? If for booter extensions that makes sense.

EDIT2: Damn there need to be some more comments and they should be more descriptive when something is not completely obvious.
PMheart Posted January 8, 2018

> It's actually not that clear... Even I'm not sure exactly what that's doing. Where is it patching SIP? For the booter extensions or for loading? EDIT: If for loading then why? Shouldn't just set CsrActive=0x1? If for booter extensions that makes sense.

Well, we've started patching com.apple.rootless.kext-management since 10.11 as it should be. Yes. KBE*SIP is the patch for loading. Csr=0x1 will have something to do with kextd/kextcache/etc that deal with kexts, yet IOUserClient::copyClientEntitlement check is bypassed by KBE*SIP.

> EDIT2: Damn there need to be some more comments and they should be more descriptive when something is not completely obvious.

Of course you could check the disasm by yourself and add more info for further convenience
apianti Posted January 8, 2018

> Well, we've started patching com.apple.rootless.kext-management since 10.11 as it should be. Yes. KBE*SIP is the patch for loading. Csr=0x1 will have something to do with kextd/kextcache/etc that deal with kexts, yet IOUserClient::copyClientEntitlement check is bypassed by KBE*SIP. Of course you could check the disasm by yourself and add more info for further convenience

I mean something more like that, like what is actually happening. That's a much more useful comment than what's in the code. I certainly don't want to check the disassembly to figure out what's going on. It is 100% the responsibility of the writer of the code to comment well enough that others can understand without having to completely redo the entire process. There's a reason there's so much dead and unnecessary code..... Because some of it we don't know if it's safe to remove and some of it just lingers because it works but no one wants to change it for fear that it won't work.

EDIT: Seriously, I would fire anyone who wrote code that wasn't sufficiently commented before someone who just wasn't as good at coding but commented well.
PMheart Posted January 8, 2018

> I mean something more like that, like what is actually happening. That's a much more useful comment than what's in the code. I certainly don't want to check the disassembly to figure out what's going on. It is 100% the responsibility of the writer of the code to comment well enough that others can understand without having to completely redo the entire process. There's a reason there's so much dead and unnecessary code..... Because some of it we don't know if it's safe to remove and some of it just lingers because it works but no one wants to change it for fear that it won't work.

Actually I'm also not the original author of these patches, and sure it took me some time to figure out how they were done. I could share some docs written by myself, on how to find these patches out. (Sorry for my bad English though)

Attachments: kernel_patch_EN.txt, kernel_patch_zh_TW.txt (also in zh-TW, which is the original one)
apianti Posted January 8, 2018

> Actually I'm also not the original author of these patches, and sure it took me some time to figure out how they were done. I could share some docs written by myself, on how to find these patches out.

That wasn't directed at you, it was just a general statement. The code base for clover is becoming massive, can't remember every tiny detail of everything done years ago. It needs comments, that's why they exist. And that is slightly more detail than needed, lol. But a summarized version of that without all the actual data (because we are looking for more abstract stuff) would be the correct way to comment. Something like "patching this method for this reason at this place with any relevant notes," like you said above.

EDIT: Also it's very important to write when you are unsure of some code or that it might have a side effect. Oh god is that important.