Clover General discussion

[Funky frank]

Yeah I used that installer, bro. And your provided aptiofix2.

[Cyberdevs]

First, no, lol. Second, macs don't have safe boot so you can run any EFI application, either through bootcamp or by making it think it's an installer with boot.efi... Once you are there you can pretty much carry out a ton of attacks on the OS. And I almost wrote it out anyway.... JEEEEEEEEEEEEEEZZZZZZZZZZZZ.

 

EDIT: Trying to trick me into giving you the goods to put porn on your boss' computer.

 

EDIT2: I guess technically any firmware not using safe boot can be attacked like this but only macOS doesn't support using it.

LOL    You got me

 

By "macs don't have safe boot" I assume you mean Secure Boot?! Right?

[apianti]

Yeah I used that installer, bro. And your provided aptiofix2.

 

I meant the AptioFix2 is also in that package. You don't need to use the one I uploaded in fact that one in the package is probably better optimized.

 

LOL    You got me

 

By "macs don't have safe boot" I assume you mean Secure Boot?! Right?

 

Yeah, stupid autocorrect. I was too lazy to walk four feet to my computer so I used my phone...

 

EDIT: I have now gone to my computer because my phone is the worst. Now back to bed since I made this edit and feel terrible.

[Cyberdevs]

My interest in the subject is because I have lots of clients with Mac computers and I would like to keep them as safe as I can.

 

I don't need to run a kernel attack on my bosses computer to put sth on his/her Mac I already have their passwords

 

and you're right about Apple lacking the secure boot feature but there are some rumors that apple is going to implement a security chip in their Macs to improve the security on their products.

[apianti]

My interest in the subject is because I have lots of clients with Mac computers and I would like to keep them as safe as I can.

 

I don't need to run a kernel attack on my bosses computer to put sth on his/her Mac I already have their passwords

 

and you're right about Apple lacking the secure boot feature but there are some rumors that apple is going to implement a security chip in their Macs to improve the security on their products.

 

Don't let people you don't know with USB keys get onto your macs, that's the only way to keep them safe. I think you can still boot from a USB if FV2 is enabled but you won't be able to access the disk without unlocking it. That does not mean that it still can't be defeated but that's definitely the best defense on a mac. And technically they already have a security chip, SMC, but it's defeatable. They used to have a TPM chip in the first models that used Intel, but TPM chips are also defeatable. Secure boot with a TPM is pretty much unbreakable, probably don't really need the TPM but it makes it a hardware solution so it can't be side-channeled, like all these recent exploits that have been coming out. TPMs can also be used to encrypt disks. However, that's irrelevant if you can run whatever code you want in EFI environment. You can reverse engineer any chip, we reverse engineer pretty much everything to get hackintoshs to work. That's probably all I need to say because I don't want to actually describe an exploit.

 

EDIT: I used to have everyone's password too, and an app that allowed me to change or force them to change it. If someone was pissing me off, I would be like, "I swear I will change your password if you make me mad." Always immediately nice.... Totally would get fired for that though.... They're dumb.

 

EDIT2: I have no idea why my mind is all Mojo Jojo all the sudden but I think you can defeat FV2 as well.... Does mac firmware support Driver#### NVRAM variables?

[mhaeuser]

First, no, lol. Second, macs don't have secure boot so you can run any EFI application, either through bootcamp or by making it think it's an installer with boot.efi... Once you are there you can pretty much carry out a ton of attacks on the OS. And I almost wrote it out anyway.... JEEEEEEEEEEEEEEZZZZZZZZZZZZ.

 

EDIT: Trying to trick me into giving you the goods to put porn on your boss' computer.

 

EDIT2: I guess technically any firmware not using secure boot can be attacked like this but only macOS doesn't support using it, and it doesn't exist in macs firmware at all. Making it more vulnerable. I guess hacks are too since we have to boot without secure boot, although we tried to get secure boot working. It might, I haven't tried in years lol. But it involves signing a bunch of EFI modules....

 

EDIT3: Meant secure not safe, added some more info to previous edit.

EDIT4: It autocorrect secure to safe in my addition. Screw my phone.

EDIT5: "It autocorrect" Man it is amazing at just changing words I already typed and moved onto the next into nonsense, and it's not even enabled. My phone is such a POS that it does not allow disabling autocorrect even if you disable it....

UEFI SB works in custom mode and the iMac Pro introduced Apple SB

[apianti]

UEFI SB works in custom mode and the iMac Pro introduced Apple SB

 

Yeah, that is cool too because it's way better than regular UEFI secure boot. It let's you lock down booting externally, and booting only to the currently active OS.

 

EDIT: You mean that secure boot with clover works?

 

EDIT2: Ewwww.... Although I didn't realize it stored your machines identification in the cloud and you need to connect to Apple in order to boot if you select locking to the currently active OS.... Yikes. Hope you don't lose internet.

[mhaeuser]

"Custom" mode works, i.e. it's the MSFT CA + file hash of Clover and boot.efi, I always had SB enabled

[apianti]

"Custom" mode works, i.e. it's the MSFT CA + file hash of Clover and boot.efi, I always had SB enabled

 

You mean your firmware's mode to add hashes of modules it will allow to load? I was referring to the actual secure boot mechanism in clover to enable it for firmware that don't have custom mode, only enabled/disabled and setup modes.

[mhaeuser]

You mean your firmware's mode to add hashes of modules it will allow to load? I was referring to the actual secure boot mechanism in clover to enable it for firmware that don't have custom mode, only enabled/disabled and setup modes.

Ahh, sorry, no, never tested

[Cyberdevs]

EDIT2: I have no idea why my mind is all Mojo Jojo all the sudden but I think you can defeat FV2 as well.... Does mac firmware support Driver#### NVRAM variables?

Honestly I don't know about that but I can run some tests to determine if it's supported or not and only if you point me in the right direction.

[apianti]

Ahh, sorry, no, never tested

 

Yeah it's cool I gave up on it a long time ago.... lol

 

Honestly I don't know about that but I can run some tests to determine if it's supported or not and only if you point me in the right direction.

 

I'm fairly positive that it does. It's not a big deal, I'm just having way too much time to think and on this medicine. I'm like seriously in evil super villain mode over here.....

[Cyberdevs]

I'm fairly positive that it does. It's not a big deal, I'm just having way too much time to think and on this medicine. I'm like seriously in evil super villain mode over here.....

I believe so either...

 

I'm also happy to hear that your are doing better on your new meds. I wish you get better and better.

[apianti]

I believe so either...

 

I'm also happy to hear that your are doing better on your new meds. I wish you get better and better.

 

Thanks. Yeah, I'm doing better, but I'm sick now so I'm on cold/flu medicine too. The combination is let's say strange, I have not slept much in the past few days..... Ideas, can't stop 'em.

 

EDIT: Actually I should go to sleep. I haven't slept in more than a day and only like two hours.

 

EDIT2: I'm gonna go but I'm gonna actually watch the Iron Man trilogy. HAHA. WTF

[Funky frank]

Question: How do I block AppleGraphicsPowerManagement.kext from loading, only using clover?  Do I have to add a plist patch, so the device-id is not matching anymore, or is there a more sophisticated way to do that?

[apianti]

Question: How do I block AppleGraphicsPowerManagement.kext from loading, only using clover?  Do I have to add a plist patch, so the device-id is not matching anymore, or is there a more sophisticated way to do that?

 

Yep, plist patch the id to something else. Why wouldn't you want AGPM though?

 

EDIT: Interrupting my Iron Man marathon.... How dare you! 

[Slice]

I was just curious to see if we can fully enable the SIP with the new AptioFixDrv or not.

Fully enable? On hackintosh??? Paranoia.

How did you propose to load unsigned kexts?

Question: How do I block AppleGraphicsPowerManagement.kext from loading, only using clover?  Do I have to add a plist patch, so the device-id is not matching anymore, or is there a more sophisticated way to do that?

Disabler.kext or NullCPUPM.

Or just Clover config.plist settings to not disable the kext but make it working as is.

[Cyberdevs]

Thanks. Yeah, I'm doing better, but I'm sick now so I'm on cold/flu medicine too. The combination is let's say strange, I have not slept much in the past few days..... Ideas, can't stop 'em.

 

EDIT: Actually I should go to sleep. I haven't slept in more than a day and only like two hours.

 

EDIT2: I'm gonna go but I'm gonna actually watch the Iron Man trilogy. HAHA. WTF

Sleep tight

 

Fully enable? On hackintosh??? Paranoia.

How did you propose to load unsigned kexts?

Sorry it was a wrong assumption on my part. None of the unassigned kexts were loaded by fully enabling the SIP.

 

@apianti @Slice

 

Here's what I did.

I installed macOS High Sierra 10.3.2 with SIP enabled using CsrConfig=0x0. I didn't install nVidia WebDrives yet but I have Audio, USB 3.0 are working and the only thing that it's not working is the GPU (because I haven't install the Web Drivers yet)

 

Here's the bootlog and the kextstat and csrutil status:

So I can see that with fully enabling the SIP the unsigned kexts are still getting loaded.

Bootlog.rtf

Kextstat.rtf

[Cyberdevs]

Important Update:

 

I just installed the web drivers and everything is working as it supposed to.

 

SIP is fully enabled and everything is back to normal.

The most important thing that I've learned is that in my previous attempt to enable the SIP, it was blocking the nVidia WebDriver to load so I got the black screen upon boot.

 

If anyone tries to enable the SIP after installing the web drivers I guess they will end up with the same problem unless the SIP is already enabled and it will prompt the user to allow access to the web driver to load.

[Funky frank]

Yep, plist patch the id to something else. Why wouldn't you want AGPM though?

 

EDIT: Interrupting my Iron Man marathon.... How dare you! 

 

It is for my old VAIO F11. Found out that the whole gt330m power management seems to work directly within the bios, and APGM just will cause problems. It is working better without AGPM.

 

 

BTW:  My firefox video stopping issue was caused by a stupid defaults write I did, I set "forceNV = 1" for com.apple.AppleGVA, but my 1050Ti does not support videohardwaredecoding so I deleted that key now and the Intel HD4600 is used successfully (stated by VDADecoderChecker and MacX Video Converter Pro Info). But I have to use a connector-less ig-platform-id sadly. Then the OpenCL device for the HD4600 will disappear. 

 

If I use the connector-full ig-platform for the HD4600, OpenCL will work nicely, Firefox videos plays, but Final Cut Pro X will hard-crash, causing an instant reboot - Very sad!  Because you can see for some seconds how drastically the pre-render speed improves if the HD4600 openCL device is enabled, too. It's  seems to be a speedup like 5x.  

 

Disabler.kext or NullCPUPM.

Or just Clover config.plist settings to not disable the kext but make it working as is.

 

 

Thanks, so I just replace "AppleIntelCPUPowerManagement" with "AGPMEnabler" and "IOResources" with "IOPlatformPluginDevice" over > here < ?

[apianti]

Sleep tight

 

@apianti @Slice

 

Here's what I did.

I installed macOS High Sierra 10.3.2 with SIP enabled using CsrConfig=0x0. I didn't install nVidia WebDrives yet but I have Audio, USB 3.0 are working and the only thing that it's not working is the GPU (because I haven't install the Web Drivers yet)

 

Here's the bootlog and the kextstat and csrutil status:

So I can see that with fully enabling the SIP the unsigned kexts are still getting loaded.

 

Eh, no sleep, I have to sign for a package so I probably shouldn't have stayed up all night watching Iron Man.... And Star Trek Discovery.

 

You mean the unsigned kexts are injected. They won't be loaded with SIP enabled. If you install the web drivers and you get black screen then the problem is web drivers.

Important Update:

 

I just installed the web drivers and everything is working as it supposed to.

 

SIP is fully enabled and everything is back to normal.

The most important thing that I've learned is that in my previous attempt to enable the SIP, it was blocking the nVidia WebDriver to load so I got the black screen upon boot.

 

If anyone tries to enable the SIP after installing the web drivers I guess they will end up with the same problem unless the SIP is already enabled and it will prompt the user to allow access to the web driver to load.

 

Oh yeah this is an known issue. You need to remove the drivers, enable SIP, then reinstall them.

[Cyberdevs]

Eh, no sleep, I have to sign for a package so I probably shouldn't have stayed up all night watching Iron Man.... And Star Trek Discovery.

 

You mean the unsigned kexts are injected. They won't be loaded with SIP enabled. If you install the web drivers and you get black screen then the problem is web drivers.

As you can see in the logs I posted earlier, they are loaded and working. Either the SIP is enabled somehow even by using the CsrConfig=0, or I'm mistaking (which I doubt it) or something weird is happening here.   

[apianti]

It is for my old VAIO F11. Found out that the whole gt330m power management seems to work directly within the bios, and APGM just will cause problems. It is working better without AGPM.

 

Then it is better to just remove the driver altogether. Move it to somewhere else to back it up.

 

BTW:  My firefox video stopping issue was caused by a stupid defaults write I did, I set "forceNV = 1" for com.apple.AppleGVA, but my 1050Ti does not support videohardwaredecoding so I deleted that key now and the Intel HD4600 is used successfully (stated by VDADecoderChecker and MacX Video Converter Pro Info). But I have to use a connector-less ig-platform-id sadly. Then the OpenCL device for the HD4600 will disappear. 

 

If I use the connector-full ig-platform for the HD4600, OpenCL will work nicely, Firefox videos plays, but Final Cut Pro X will hard-crash, causing an instant reboot - Very sad!  Because you can see for some seconds how drastically the pre-render speed improves if the HD4600 openCL device is enabled, too. It's  seems to be a speedup like 5x.  

 

I think this is related to the reserved region. Still haven't fixed it in like the last day.... 

 

EDIT: Did you install the NVIDIA CUDA driver for OpenCL?

 

Thanks, so I just replace "AppleIntelCPUPowerManagement" with "AGPMEnabler" and "IOResources" with "IOPlatformPluginDevice" over > here < ?

 

No, just do what I said above. You are still able to boot with it right? It is just giving you slow graphics?

[Cyberdevs]

Oh yeah this is an known issue. You need to remove the drivers, enable SIP, then reinstall them.

Well I didn't know that, I had to find out the hard way

[apianti]

As you can see in the logs I posted earlier, they are loaded and working. Either the SIP is enabled somehow even by using the CsrConfig=0, or I'm mistaking (which I doubt it) or something weird is happening here.   

 

You are conflating injecting and loading, injecting is done by the bootloader, loading is done by the kernel. They are actually mutually exclusive but clover patches it so they are not. Injection into the kernel happens through the data hub and the device tree memory map, it is not validated because SIP does not apply to booter extensions. When it's loaded that's when it's validated by the kernel (or when the cache is created), this is where SIP would prevent an unsigned kext from loading. CsrActive=0 is SIP fully enabled, meaning you have all security protections.

Well I didn't know that, I had to find out the hard way

 

I should have realized, more my fault... I knew.