
[GUIDE] ScanPolicy: choose device types and operating systems to be scanned by OpenCore


miliuco

ScanPolicy key (integer) goes within Misc / Security in config.plist.

It defines device type and operating system detection policy. In accordance with this value, we can define different file systems and devices that OC scans and can boot. It is calculated by adding hexadecimal values of systems and devices, chosen in the list of the OC configuration PDF, and converting the total sum to its decimal value, which must be noted in config.plist.

 

From OC configuration PDF, failsafe value is 0x10F0103 corresponding to:

OC_SCAN_FILE_SYSTEM_LOCK - 1
OC_SCAN_DEVICE_LOCK - 2
OC_SCAN_ALLOW_FS_APFS - 100
OC_SCAN_ALLOW_DEVICE_SATA - 10000
OC_SCAN_ALLOW_DEVICE_SASEX - 20000
OC_SCAN_ALLOW_DEVICE_SCSI - 40000
OC_SCAN_ALLOW_DEVICE_NVME - 80000
OC_SCAN_ALLOW_DEVICE_PCI - 1000000

1 + 2 + 100 + 1000 + 2000 + 4000 + 8000 + 1000000 = 0x10F0103 (17760515 in decimal).

 

Setting to 0 will allow all sources present to be bootable.

 

But we may want to customize this. For example, I want to select these items:

0x00000001 — OC_SCAN_FILE_SYSTEM_LOCK, restricts scanning to only known file systems defined as a part of this policy.
0x00000002 — OC_SCAN_DEVICE_LOCK, restricts scanning to only known device types defined as a part of this policy.
0x00000100 — OC_SCAN_ALLOW_FS_APFS, allows scanning of APFS file system.
0x00000200 — OC_SCAN_ALLOW_FS_HFS, allows scanning of HFS file system.
0x00000800 — OC_SCAN_ALLOW_FS_NTFS, allows scanning of NTFS (Msft Basic Data) file system.
0x00010000 — OC_SCAN_ALLOW_DEVICE_SATA, allow scanning SATA devices.
0x00080000 — OC_SCAN_ALLOW_DEVICE_NVME, allow scanning NVMe devices.
0x00200000 — OC_SCAN_ALLOW_DEVICE_USB, allow scanning USB devices

Corresponding to 0x290B03, that's 2689795 in decimal. This is the value I write in config.plist.

 

Note: if you check 0x00000400 — OC_SCAN_ALLOW_FS_ESP (allows scanning of EFI System Partition file system), all EFI partitions will be visible, which may not be desirable.

 

As always, in Dortania there is an excellent text about this.

Edited by miliuco
Info added.

  • 3 months later...

Hi Miliuco,

when I found this post I thought I found the solution. But it's too much for my brain... I can't understand how you calculate these numbers.

 

I'm trying to find the magic number to show just 2 SSD, the one where I have Big Sur and the one with Windows and nothing else.

Right now I have just Big Sur showing up (using 000F0903).

 

Could you help me? (Nice dog by the way).


20 minutes ago, FrankPaulThe2nd said:

Hi Miliuco,

when I found this post I thought I found the solution. But it's too much for my brain... I can't understand how you calculate these numbers.

 

I'm trying to find the magic number to show just 2 SSD, the one where I have Big Sur and the one with Windows and nothing else.

Right now I have just Big Sur showing up (using 000F0903).

 

Could you help me? (Nice dog by the way).

try with 2687747


3 hours ago, FrankPaulThe2nd said:

Hi Miliuco,

when I found this post I thought I found the solution. But it's too much for my brain... I can't understand how you calculate these numbers.

 

I'm trying to find the magic number to show just 2 SSD, the one where I have Big Sur and the one with Windows and nothing else.

Right now I have just Big Sur showing up (using 000F0903).

 

Could you help me? (Nice dog by the way).

 

The value 2687747 that @antuneddu proposes selects these items: APFS (macOS Big Sur), HFS (installation USB) and SATA - NVMe - USB devices.


If we look at the list of options and their hexadecimal values:
0x00000001 - OC_SCAN_FILE_SYSTEM_LOCK.
0x00000002 - OC_SCAN_DEVICE_LOCK.
0x00000100 - OC_SCAN_ALLOW_FS_APFS.
0x00000200 - OC_SCAN_ALLOW_FS_HFS.
0x00010000 - OC_SCAN_ALLOW_DEVICE_SATA.
0x00080000 - OC_SCAN_ALLOW_DEVICE_NVME.
0x00200000 - OC_SCAN_ALLOW_DEVICE_USB.


The hexadecimal values must be added: 1 + 2 + 100 + 200 + 10000 + 80000 + 200000 = 0x290303 hexadecimal (2687747 in decimal). With this value you get the BigSur volume, the recovery partition and the installation USB.


But you also want to see the Windows disk or partition that is NTFS so you have to look at the list again:
0x00000800 - OC_SCAN_ALLOW_FS_NTFS.
0x00000800 must be added to the previous value 0x290303 hexadecimal. The result is 0x290B03 which is equivalent to 2689795 in decimal. 2689795 is the value to write to config.plist.
Try and comment.

 

My dog thanks you for the comment :D

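The calculation described in the guide and in the reply above, as an added example that is not part of the original posts: it composes a ScanPolicy value from flag names, decodes an existing value back into flags, and lists the points raised in this thread. The flag table holds only the values quoted in this thread, and `review` is a hypothetical helper name.

```python
# Added example. Flag values are the ones listed in this thread, not the full OpenCore list.
FLAGS = {
    "OC_SCAN_FILE_SYSTEM_LOCK":   0x00000001,
    "OC_SCAN_DEVICE_LOCK":        0x00000002,
    "OC_SCAN_ALLOW_FS_APFS":      0x00000100,
    "OC_SCAN_ALLOW_FS_HFS":       0x00000200,
    "OC_SCAN_ALLOW_FS_ESP":       0x00000400,
    "OC_SCAN_ALLOW_FS_NTFS":      0x00000800,
    "OC_SCAN_ALLOW_DEVICE_SATA":  0x00010000,
    "OC_SCAN_ALLOW_DEVICE_SASEX": 0x00020000,
    "OC_SCAN_ALLOW_DEVICE_SCSI":  0x00040000,
    "OC_SCAN_ALLOW_DEVICE_NVME":  0x00080000,
    "OC_SCAN_ALLOW_DEVICE_USB":   0x00200000,
    "OC_SCAN_ALLOW_DEVICE_PCI":   0x01000000,
}

def compose(names):
    """OR the chosen flags together; the decimal form of the result goes in config.plist."""
    value = 0
    for name in names:
        value |= FLAGS[name]  # KeyError on a misspelled flag name
    return value

def decode(value):
    """Return (flag names set in value, leftover bits that are not in FLAGS)."""
    names = [n for n, bit in FLAGS.items() if value & bit]
    unknown = value & ~sum(FLAGS.values())
    return names, unknown

def review(value):
    """Hypothetical helper: list the points from this thread that apply to a value."""
    names, unknown = decode(value)
    notes = []
    if value == 0:
        notes.append("0: all sources present are bootable")
    if "OC_SCAN_ALLOW_FS_ESP" in names:
        notes.append("ESP allowed: all EFI partitions will be visible")
    if any("_ALLOW_FS_" in n for n in names) and "OC_SCAN_FILE_SYSTEM_LOCK" not in names:
        notes.append("FS flags without OC_SCAN_FILE_SYSTEM_LOCK: scanning not restricted to them")
    if any("_ALLOW_DEVICE_" in n for n in names) and "OC_SCAN_DEVICE_LOCK" not in names:
        notes.append("device flags without OC_SCAN_DEVICE_LOCK: scanning not restricted to them")
    if unknown:
        notes.append(f"bits not in this table: {unknown:#x}")
    return notes

if __name__ == "__main__":
    for v in (0x10F0103, 2687747, 2689795, 0x000F0903, 0):
        names, _ = decode(v)
        print(f"{v:>9} = {v:#010x}", names, review(v))
```

Decoding a value before writing it to config.plist shows exactly which file systems and device types the picker will be allowed to scan.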

20 minutes ago, miliuco said:

 

The value 2687747 that @antuneddu proposes selects these items: APFS (macOS Big Sur), HFS (installation USB) and SATA - NVMe - USB devices.


If we look at the list of options and their hexadecimal values:
0x00000001 - OC_SCAN_FILE_SYSTEM_LOCK.
0x00000002 - OC_SCAN_DEVICE_LOCK.
0x00000100 - OC_SCAN_ALLOW_FS_APFS.
0x00000200 - OC_SCAN_ALLOW_FS_HFS.
0x00010000 - OC_SCAN_ALLOW_DEVICE_SATA.
0x00080000 - OC_SCAN_ALLOW_DEVICE_NVME.
0x00200000 - OC_SCAN_ALLOW_DEVICE_USB.


The hexadecimal values must be added: 1 + 2 + 100 + 200 + 10000 + 80000 + 200000 = 0x290303 hexadecimal (2687747 in decimal). With this value you get the BigSur volume, the recovery partition and the installation USB.


But you also want to see the Windows disk or partition that is NTFS so you have to look at the list again:
0x00000800 - OC_SCAN_ALLOW_FS_NTFS.
0x00000800 must be added to the previous value 0x290303 hexadecimal. The result is 0x290B03 which is equivalent to 2689795 in decimal. 2689795 is the value to write to config.plist.
Try and comment.

 

My dog thanks you for the comment :D

Yes, for me it is fine with NVMe and USB devices. Well, the way you explain in such detail, I would have wanted you as a teacher at school. Bau :D


Surely the simplistic explanation to show both the BS and Windows Volumes would be Zero entered into the config.plist as 0. This is how it is in my config.plist and if I want the recovery volume or any hidden items to show, all I need to do is hit the Spacebar, unless I misunderstood the topic discussed.


48 minutes ago, eSaF said:

Surely the simplistic explanation to show both the BS and Windows Volumes would be Zero entered into the config.plist as 0. This is how it is in my config.plist and if I want the recovery volume or any hidden items to show, all I need to do is hit the Spacebar, unless I misunderstood the topic discussed.


You understood perfectly and your evaluation is very valid, it then depends on how everyone intends to customize the items to be displayed at boot, I personally like to have the screen with many icons at boot then with bootable volumes, Recovery and tools :)


57 minutes ago, eSaF said:

Surely the simplistic explanation to show both the BS and Windows Volumes would be Zero entered into the config.plist as 0. This is how it is in my config.plist and if I want the recovery volume or any hidden items to show, all I need to do is hit the Spacebar, unless I misunderstood the topic discussed...

 

But 0 shows also EFI folders and I don't want to see them. 0 shows every device that OC can boot, sure you know this, and I don't like to see EFI folders as redundant with boot volumes. Example: to see Big Sur volume and Big Sur EFI volume, to see Windows partition and also Windows EFI partition.

I think Spacebar displays entries and tools marked as auxiliary. I think that this is a different approach than ScanPolicy.

 


@miliuco - Hi Bro this is my Boot Menu setup, featuring a combination of Scan Policy and Hidden Auxiliary in the config.plist that gives me the desired effect that works best for me (see attached)


:thumbsup_anim:

38 minutes ago, miliuco said:

0 shows every device that OC can boot

This is not so on my system, it only shows what I want it to show.


15 minutes ago, eSaF said:

@miliuco - Hi Bro this is my Boot Menu setup, featuring a combination of Scan Policy and Hidden Auxiliary in the config.plist that gives me the desired effect that works best for me (see attached)

This is not so on my system, it only shows what I want it to show.

 

Dear friend, I see. In your case 0 works to your satisfaction.
It may be that I am wrong. I always thought that 0 shows all possible devices, all the ones that OpenCore can read.

 

In Dortania you can read:

ScanPolicy
What this quirk allows to prevent scanning and booting from untrusted sources. Setting to 0 will allow all sources present to be bootable but calculating a specific ScanPolicy value will allow you a greater range of flexibility and security.

 

I'm going to try with 0 and comment.


@eSaF

There is no way. If ScanPolicy is 0, I see EFI partitions in addition to macOS and Windows volumes. If I press Spacebar, recovery partitions and tools are added.

 

 


@miliuco - Here is my config.plist minus personal data depicting my setup to give the desired Boot Menu.


 

As you can see from the post before, I do not see EFI Partitions at the Boot Menu, I don't know if that is a fluke on my part or the way my system is configured.


7 minutes ago, eSaF said:

@miliuco - I still haven't figured out your EFI Partition appearing at the Boot Menu as well although I see you have two BS volumes - different BS versions perhaps, current and previous??!!

No, there are 2 different disks, one with the Big Sur for daily use and other as backup (plugged to have more icons in the picker while doing tests).

I am leaving this matter for today because I do not understand. 2 different behaviors and I don't know why.

6 minutes ago, antuneddu said:

SecureBootModel It makes a difference I think

But when I've tried the eSaF's config.plist it was with the same SecureBootModel as him.

 


1 minute ago, miliuco said:

No, there are 2 different disks, one with the Big Sur for daily use and other as backup.

I am leaving this matter for today because I do not understand. 2 different behaviors and I don't know why.

Ok Bro no sweat I understand, BS can be quite taxing at times.


25 minutes ago, antuneddu said:

Thanks, but that's okay with me, anyway yesterday I tried again by setting the @eSaF configuration with 0 also to me it showed the EFI partitions like you ... mystery why not to him :rolleyes:

 

Yes, it's strange, you and I see EFI partition/s when ScanPolicy=0 but @eSaF doesn't see those boot devices when using 0.

The only reference I can find about the 0 value is in this Dortania text, but in none of the OpenCore Configuration files I've reviewed is a single word said about that value.

 


4 minutes ago, miliuco said:

 

Yes, it's strange, you and I see EFI partition/s when ScanPolicy=0 but @eSaF doesn't see those boot devices when using 0.

The only reference I can find about the 0 value is in this Dortania text, but in none of the OpenCore Configuration files I've reviewed is a single word said about that value.

 

Not to dwell too much on this strange issue but I tried some of the values in that 'Scan Policy Generator' and got various errors i.e OC: Invalid Scan Policy, Halting on Critical error. The strange thing is the EFI Partition only shows up on the installer USB but I suspect that is for the installer not the main Drive (see attached). I have also seen various examples of similar Boot Screens to mine so go figure.
