miliuco, Posted January 12, 2021 (edited)

ScanPolicy key (integer) goes within Misc / Security in config.plist. It defines device type and operating system detection policy. In accordance with this value, we can define different file systems and devices that OC scans and can boot. It is calculated by adding the hexadecimal values of the systems and devices chosen from the list in the OC configuration PDF, and converting the total sum to its decimal value, which must be noted in config.plist.

From the OC configuration PDF, the failsafe value is 0x10F0103, corresponding to:

OC_SCAN_FILE_SYSTEM_LOCK - 1
OC_SCAN_DEVICE_LOCK - 2
OC_SCAN_ALLOW_FS_APFS - 100
OC_SCAN_ALLOW_DEVICE_SATA - 10000
OC_SCAN_ALLOW_DEVICE_SASEX - 20000
OC_SCAN_ALLOW_DEVICE_SCSI - 40000
OC_SCAN_ALLOW_DEVICE_NVME - 80000
OC_SCAN_ALLOW_DEVICE_PCI - 1000000

1 + 2 + 100 + 1000 + 2000 + 4000 + 8000 + 1000000 = 0x10F0103 (17760515 in decimal).

Setting to 0 will allow all sources present to be bootable. But we may want to customize this. For example, I want to select these items:

0x00000001 — OC_SCAN_FILE_SYSTEM_LOCK, restricts scanning to only known file systems defined as a part of this policy.
0x00000002 — OC_SCAN_DEVICE_LOCK, restricts scanning to only known device types defined as a part of this policy.
0x00000100 — OC_SCAN_ALLOW_FS_APFS, allows scanning of APFS file system.
0x00000200 — OC_SCAN_ALLOW_FS_HFS, allows scanning of HFS file system.
0x00000800 — OC_SCAN_ALLOW_FS_NTFS, allows scanning of NTFS (Msft Basic Data) file system.
0x00010000 — OC_SCAN_ALLOW_DEVICE_SATA, allow scanning SATA devices.
0x00080000 — OC_SCAN_ALLOW_DEVICE_NVME, allow scanning NVMe devices.
0x00200000 — OC_SCAN_ALLOW_DEVICE_USB, allow scanning USB devices.

Corresponding to 0x290B03, that's 2689795 in decimal. This is the value I write in config.plist.

Note: if you check 0x00000400 — OC_SCAN_ALLOW_FS_ESP (allows scanning of EFI System Partition file system), all EFI partitions will be visible, which may not be desirable.

As always, in Dortania there is an excellent text about this.

Edited June 2, 2021 by miliuco. Info added.

Link to comment: https://www.insanelymac.com/forum/topic/346357-guide-scanpolicy-choose-device-types-and-operating-systems-to-be-scanned-by-opencore/

FrankPaulThe2nd, Posted April 13, 2021

Hi Miliuco, when I found this post I thought I found the solution. But it's too much for my brain... I can't understand how you calculate these numbers. I'm trying to find the magic number to show just 2 SSD, the one where I have Big Sur and the one with Windows and nothing else. Right now I have just Big Sur showing up (using 000F0903). Could you help me? (Nice dog by the way).

Anto65, Posted April 13, 2021

20 minutes ago, FrankPaulThe2nd said:
> Hi Miliuco, when I found this post I thought I found the solution. But it's too much for my brain... I can't understand how you calculate these numbers. I'm trying to find the magic number to show just 2 SSD, the one where I have Big Sur and the one with Windows and nothing else. Right now I have just Big Sur showing up (using 000F0903). Could you help me? (Nice dog by the way).

try with 2687747

miliuco (Author), Posted April 13, 2021

3 hours ago, FrankPaulThe2nd said:
> Hi Miliuco, when I found this post I thought I found the solution. But it's too much for my brain... I can't understand how you calculate these numbers. I'm trying to find the magic number to show just 2 SSD, the one where I have Big Sur and the one with Windows and nothing else. Right now I have just Big Sur showing up (using 000F0903). Could you help me? (Nice dog by the way).

The value 2687747 that @antuneddu proposes selects these items: APFS (macOS Big Sur), HFS (installation USB) and SATA - NVMe - USB devices. If we look at the list of options and their hexadecimal values:

0x00000001 - OC_SCAN_FILE_SYSTEM_LOCK.
0x00000002 - OC_SCAN_DEVICE_LOCK.
0x00000100 - OC_SCAN_ALLOW_FS_APFS.
0x00000200 - OC_SCAN_ALLOW_FS_HFS.
0x00010000 - OC_SCAN_ALLOW_DEVICE_SATA.
0x00080000 - OC_SCAN_ALLOW_DEVICE_NVME.
0x00200000 - OC_SCAN_ALLOW_DEVICE_USB.

The hexadecimal values must be added: 1 + 2 + 100 + 200 + 10000 + 80000 + 200000 = 0x290303 hexadecimal (2687747 in decimal). With this value you get the Big Sur volume, the recovery partition and the installation USB.

But you also want to see the Windows disk or partition that is NTFS, so you have to look at the list again:

0x00000800 - OC_SCAN_ALLOW_FS_NTFS.

0x00000800 must be added to the previous value 0x290303 hexadecimal. The result is 0x290B03, which is equivalent to 2689795 in decimal. 2689795 is the value to write to config.plist.

Try and comment. My dog thanks you for the comment.

Anto65, Posted April 13, 2021

20 minutes ago, miliuco said:
> The value 2687747 that @antuneddu proposes selects these items: APFS (macOS Big Sur), HFS (installation USB) and SATA - NVMe - USB devices. If we look at the list of options and their hexadecimal values:
>
> 0x00000001 - OC_SCAN_FILE_SYSTEM_LOCK.
> 0x00000002 - OC_SCAN_DEVICE_LOCK.
> 0x00000100 - OC_SCAN_ALLOW_FS_APFS.
> 0x00000200 - OC_SCAN_ALLOW_FS_HFS.
> 0x00010000 - OC_SCAN_ALLOW_DEVICE_SATA.
> 0x00080000 - OC_SCAN_ALLOW_DEVICE_NVME.
> 0x00200000 - OC_SCAN_ALLOW_DEVICE_USB.
>
> The hexadecimal values must be added: 1 + 2 + 100 + 200 + 10000 + 80000 + 200000 = 0x290303 hexadecimal (2687747 in decimal). With this value you get the Big Sur volume, the recovery partition and the installation USB.
>
> But you also want to see the Windows disk or partition that is NTFS, so you have to look at the list again:
>
> 0x00000800 - OC_SCAN_ALLOW_FS_NTFS.
>
> 0x00000800 must be added to the previous value 0x290303 hexadecimal. The result is 0x290B03, which is equivalent to 2689795 in decimal. 2689795 is the value to write to config.plist.
>
> Try and comment. My dog thanks you for the comment.

Yes, to me it is fine with NVMe and USB devices. Well, how do you explain so in detail, I would have wanted you as a teacher at school. Bau

Anto65, Posted April 13, 2021

48 minutes ago, eSaF said:
> Surely the simplistic explanation to show both the BS and Windows Volumes would be Zero entered into the config.plist as 0. This is how it is in my config.plist and if I want the recovery volume or any hidden items to show, all I need to do is hit the Spacebar, unless I misunderstood the topic discussed.

You understood perfectly and your evaluation is very valid. It then depends on how everyone intends to customize the items to be displayed at boot. I personally like to have the screen with many icons at boot, then with bootable volumes, Recovery and tools.

miliuco (Author), Posted April 13, 2021 (edited)

57 minutes ago, eSaF said:
> Surely the simplistic explanation to show both the BS and Windows Volumes would be Zero entered into the config.plist as 0. This is how it is in my config.plist and if I want the recovery volume or any hidden items to show, all I need to do is hit the Spacebar, unless I misunderstood the topic discussed...

But 0 shows also EFI folders and I don't want to see them. 0 shows every device that OC can boot, sure you know this, and I don't like to see EFI folders as redundant with boot volumes. Example: to see Big Sur volume and Big Sur EFI volume, to see Windows partition and also Windows EFI partition.

I think Spacebar displays entries and tools marked as auxiliary. I think that this is a different approach than ScanPolicy.

Edited April 13, 2021 by miliuco

miliuco (Author), Posted April 13, 2021

15 minutes ago, eSaF said:
> @miliuco - Hi Bro this is my Boot Menu setup, featuring a combination of Scan Policy and Hidden Auxiliary in the config.plist that gives me the desired effect that works best for me (see attached)
> This is not so on my system, it only shows what I want it to show.

Dear friend, I see. In your case 0 works to your satisfaction. It may be that I am wrong. I always thought that 0 shows all possible devices, all the ones that OpenCore can read. In Dortania you can read:

> ScanPolicy
> What this quirk allows to prevent scanning and booting from untrusted sources. Setting to 0 will allow all sources present to be bootable but calculating a specific ScanPolicy value will allow you a greater range of flexibility and security.

I'm going to try with 0 and comment.

miliuco (Author), Posted April 13, 2021 (edited)

@eSaF There is no way. If ScanPolicy is 0, I see EFI partitions in addition to macOS and Windows volumes. If I press Spacebar, recovery partitions and tools are added.

Edited April 13, 2021 by miliuco

miliuco (Author), Posted April 13, 2021

2 minutes ago, eSaF said:
> @miliuco - Here is my config.plist minus personal data depicting my setup to give the desired Boot Menu...

Thanks, let me study your configuration and I will comment.

miliuco (Author), Posted April 13, 2021

@eSaF These are the differences (we have almost the same settings), none of them seem to have anything to do with the devices shown in the picker but I'm going to do a test with your config.plist:

Anto65, Posted April 13, 2021

1 minute ago, miliuco said:
> @eSaF These are the differences (we have almost the same settings), none of them seem to have anything to do with the devices shown in the picker but I'm going to do a test with your config.plist:

yes confirm ahahahha

miliuco (Author), Posted April 13, 2021

@eSaF @antuneddu With the config.plist file from eSaF I see the EFI partition.

My system boots fine with that config.plist, it seems to work just as well as my usual one.

Anto65, Posted April 13, 2021

16 minutes ago, miliuco said:
> @eSaF @antuneddu With the config.plist file from eSaF I see the EFI partition.
> My system boots fine with that config.plist, it seems to work just as well as my usual one.

SecureBootModel It makes a difference I think

miliuco (Author), Posted April 13, 2021 (edited)

7 minutes ago, eSaF said:
> @miliuco - I still haven't figured out your EFI Partition appearing at the Boot Menu as well although I see you have two BS volumes - different BS versions perhaps, current and previous??!!

No, there are 2 different disks, one with the Big Sur for daily use and other as backup (plugged to have more icons in the picker while doing tests). I am leaving this matter for today because I do not understand. 2 different behaviors and I don't know why.

6 minutes ago, antuneddu said:
> SecureBootModel It makes a difference I think

But when I've tried the eSaF's config.plist it was with the same SecureBootModel as him.

Edited April 13, 2021 by miliuco

Anto65, Posted April 13, 2021

evening of experiments
with @eSaF configuration I get this, but SecureBootModel = Default
with my configuration I get this

miliuco (Author), Posted April 14, 2021 (edited)

@FrankPaulThe2nd @eSaF @antuneddu

A user on the Reddit hackintosh forum has created an online tool to calculate the value of ScanPolicy. I have tried it and it seems to work fine. It is similar to the one included in OpenCore Configurator.

Edited April 14, 2021 by miliuco

Anto65, Posted April 14, 2021

Thanks, but that's okay with me, anyway yesterday I tried again by setting the @eSaF configuration with 0 also to me it showed the EFI partitions like you ... mystery why not to him

miliuco (Author), Posted April 14, 2021 (edited)

25 minutes ago, antuneddu said:
> Thanks, but that's okay with me, anyway yesterday I tried again by setting the @eSaF configuration with 0 also to me it showed the EFI partitions like you ... mystery why not to him

Yes, it's strange, you and me see EFI partition/s when ScanPolicy=0 but @eSaF doesn't see those boot devices when using 0. The only reference I can find about the 0 value is in this Dortania text, but in none of the OpenCore Configuration files I've reviewed is a single word said about that value.

Edited April 14, 2021 by miliuco

odemolay, Posted April 18, 2021 (edited)

question @eSaF your EFI partitions drive, are they empty (except the drive who boot OC)

question @miliuco did you put one EFI fields in each EFI drive partition?

it should be the reason why some of you have some EFI entries visible or not

Edited April 18, 2021 by odemolay

miliuco (Author), Posted April 18, 2021

2 hours ago, odemolay said:
> question @eSaF your EFI partitions drive, are they empty (except the drive who boot OC)
> question @miliuco did you put one EFI fields in each EFI drive partition?
> it should be the reason why some of you have some EFI entries visible or not

Each EFI partition (BS disk, BS backup disk, Windows disk) has its own EFI folder, in macOS each EFI folder has its own OpenCore and in Windows the EFI folder is the one created by Windows at installation. No EFI partition is empty. That is, each EFI partition has one (only one) EFI folder.

odemolay, Posted April 18, 2021

11 minutes ago, miliuco said:
> Each EFI partition (BS disk, BS backup disk, Windows disk) has its own EFI folder, in macOS each EFI folder has its own OpenCore and in Windows the EFI folder is the one created by Windows at installation. No EFI partition is empty. That is, each EFI partition has one (only one) EFI folder.

it's the reason why you see EFI, try to let empty the EFI partition, except the drive which one you boot. You won't have anymore EFI at the boot picker.

miliuco (Author), Posted April 18, 2021

Yes, sure it's true and it's probably what happens to @eSaF but remember there is an option in ScanPolicy that says

OC_SCAN_ALLOW_FS_ESP, allows scanning of EFI System Partition file system

so in OpenCore there is an option to show or not the EFI partitions.

miliuco (Author), Posted April 18, 2021 (edited)

1 hour ago, eSaF said:
> Guys something may be off on my system but then again Download Fritz said that function Show/Hide option was removed from OC some releases ago. I just this option OC_SCAN_ALLOW_FS_ESP and it threw up this error - OC: Invalid ScanPolicy 400 Halting on critical error... and I couldn't reach the Boot Menu. As I said previously, I prefer the cleaner look of my Boot Menu where I don't have to contend with an EFI Partition that won't be used or called upon on a day to day basis. See the attached hopefully explaining what I am saying.

Download Fritz has commented about removing the OC_SCAN_ALLOW_FS_ESP option? I do not know if I understood you correctly. In the Dortania documentation for the current beta version of OpenCore, when talking about ScanPolicy, this option is still there. With the value 1024 as in your example. And I also get ocvalidate error if ScanPolicy=1024.

Here's something that doesn't seem logical to me. The first option on the list is

OC_SCAN_FILE_SYSTEM_LOCK, restricts scanning to only known file systems defined as a part of this policy

For me this means that, if this option is NOT selected, OpenCore does not restrict the scan to file systems defined in ScanPolicy but will scan any file systems present. But, as you have said, when checking OC_SCAN_ALLOW_FS_ESP, leaving OC_SCAN_FILE_SYSTEM_LOCK blank, ocvalidate warns of the error:

Misc-> Security-> ScanPolicy requests scanning filesystem, but OC_SCAN_FILE_SYSTEM_LOCK (bit 0) is not set!

I have selected another file system (APFS, NTFS, HFS ...) leaving blank the first option OC_SCAN_FILE_SYSTEM_LOCK and ocvalidate warns of the same error. The error is not for selecting only EFI partitions but for selecting any file system when the first option is unchecked. The only way that ocvalidate passes ok with the first option unchecked is when ScanPolicy=0, which is equal to not selecting any option.

I can say the same about the second option

OC_SCAN_DEVICE_LOCK, restricts scanning to only known device types defined as a part of this policy

Any device type checked when this second option is unchecked > ocvalidate also gives an error.

It seems that it's mandatory to check options 1 and 2 except when none is checked (ScanPolicy=0).

Edited April 18, 2021 by miliuco
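
Added example, not part of any post in this thread and not OpenCore or ocvalidate code: a small Python helper that builds a ScanPolicy value from flag names, decodes an existing value back into flags, and applies the lock-bit rule that the posts above report from ocvalidate. The bit table holds only the values quoted in this thread, and the function names are hypothetical.

```python
"""Compose, decode and sanity-check an OpenCore ScanPolicy value."""

# Bit values exactly as quoted in this thread; the OpenCore
# Configuration PDF lists further bits that are not included here.
FLAGS = {
    "OC_SCAN_FILE_SYSTEM_LOCK":   0x00000001,
    "OC_SCAN_DEVICE_LOCK":        0x00000002,
    "OC_SCAN_ALLOW_FS_APFS":      0x00000100,
    "OC_SCAN_ALLOW_FS_HFS":       0x00000200,
    "OC_SCAN_ALLOW_FS_ESP":       0x00000400,
    "OC_SCAN_ALLOW_FS_NTFS":      0x00000800,
    "OC_SCAN_ALLOW_DEVICE_SATA":  0x00010000,
    "OC_SCAN_ALLOW_DEVICE_SASEX": 0x00020000,
    "OC_SCAN_ALLOW_DEVICE_SCSI":  0x00040000,
    "OC_SCAN_ALLOW_DEVICE_NVME":  0x00080000,
    "OC_SCAN_ALLOW_DEVICE_USB":   0x00200000,
    "OC_SCAN_ALLOW_DEVICE_PCI":   0x01000000,
}
FS_LOCK = FLAGS["OC_SCAN_FILE_SYSTEM_LOCK"]
DEV_LOCK = FLAGS["OC_SCAN_DEVICE_LOCK"]


def _mask(prefix):
    """OR together every table entry whose name starts with prefix."""
    m = 0
    for name, bit in FLAGS.items():
        if name.startswith(prefix):
            m |= bit
    return m


FS_MASK = _mask("OC_SCAN_ALLOW_FS_")
DEV_MASK = _mask("OC_SCAN_ALLOW_DEVICE_")


def compose(names):
    """OR the named bits; the result is the integer for config.plist."""
    value = 0
    for name in names:
        value |= FLAGS[name]  # KeyError on a misspelled flag name
    return value


def decode(value):
    """Return (flag names set in value, leftover bits not in the table)."""
    names = [n for n, bit in FLAGS.items() if value & bit]
    unknown = value & ~sum(FLAGS.values())
    return names, unknown


def check(value):
    """Mirror the two ocvalidate complaints described in the thread."""
    problems = []
    if value & FS_MASK and not value & FS_LOCK:
        problems.append("file system bits set but OC_SCAN_FILE_SYSTEM_LOCK (bit 0) is not")
    if value & DEV_MASK and not value & DEV_LOCK:
        problems.append("device bits set but OC_SCAN_DEVICE_LOCK (bit 1) is not")
    return problems


if __name__ == "__main__":
    # Values that appear in the thread: failsafe, the guide's custom value,
    # the value FrankPaulThe2nd was using, ESP alone, and 0.
    for v in (0x10F0103, 2689795, 0x000F0903, 1024, 0):
        names, unknown = decode(v)
        print(f"{v} = {v:#x}")
        for n in names:
            print(f"    {FLAGS[n]:#010x}  {n}")
        if unknown:
            print(f"    bits not in table: {unknown:#x}")
        for p in check(v):
            print(f"    WARNING: {p}")
```

Because the flags are single bits, OR-ing them gives the same result as the hexadecimal addition described in the guide, and it cannot double-count a flag that is listed twice.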

miliuco (Author), Posted April 18, 2021

33 minutes ago, eSaF said:
> Bro at this moment I don't know what to think, which is right or wrong so I am going to put the subject to bed for the time being.

27 minutes ago, 5T33Z0 said:
> Fun fact: When using scan policy 0, if you have more than one hdd with a macOS installation, BootPicker will show an extra entry for each additional EFIs on other drives. I for example have 3 macOS versions installed one on 3 separate disks, so I see 2 extra entries for EFI partitions in the Bootpicker.

Yes, it's the same to me with ScanPolicy 0. EFI partitions are shown. But @eSaF doesn't see EFI partitions with that value, except the one in the install USB.