FileVault 2

[Slice]

 

I see this :

->LocateHandleBuffer(ByProtocol, gEfiFirmwareVolumeProtocolGuid, 0, 1, BE872018) = Success

->HandleProtocol(BD8EBA18, 7AA35A69-506C-444F-A7AF-694BF56F71C8, 0) = Unsupported

->LocateHandleBuffer(ByProtocol, gEfiFirmwareVolumeProtocolGuid, 0, 1, BE872018) = Success

->HandleProtocol(BD8EBA18, 7AA35A69-506C-444F-A7AF-694BF56F71C8, 0) = Unsupported

 

full log : https://pastebin.com/DZZ64rBs

 

I never encounter this before

/*
Abstract:

  Firmware Volume Dispatch protocol as defined in the Tiano Firmware Volume
  specification.

  Presence of this protocol tells the dispatch to dispatch from this Firmware 
  Volume
*/

#define EFI_FIRMWARE_VOLUME_DISPATCH_PROTOCOL_GUID \
  { 0x7aa35a69, 0x506c, 0x444f, {0xa7, 0xaf, 0x69, 0x4b, 0xf5, 0x6f, 0x71, 0xc8} }

Additional investigation needed.

[Jief_Machak]

I'm wondering : can this be because Clover is on a usb stick, so not the same volume as the root encrypted one ?

[Slice]

I'm wondering : can this be because Clover is on a usb stick, so not the same volume as the root encrypted one ?

No. Clover should be in EFI System Partition which is not encrypted.

The problem is rather because of Yosemite. I have no experience with it.

[Jief_Machak]

I never put Clover on EFI partition. I create a FAT32 partition for Clover.

 

Currently, my config is Clover on USB stick and Yosemite on SATA HDD. My hard drive has a Clover 1GB Fat32 partition prepared, but empty for now. Do you think it should work, or it can be a mixup in volumes/partitions. Just asking because I see "Firmware Volume".

 

If the setup is ok, should I try el capitan ?

[Slice]

I never put Clover on EFI partition. I create a FAT32 partition for Clover.

 

Currently, my config is Clover on USB stick and Yosemite on SATA HDD. My hard drive has a Clover 1GB Fat32 partition prepared, but empty for now. Do you think it should work, or it can be a mixup in volumes/partitions. Just asking because I see "Firmware Volume".

 

If the setup is ok, should I try el capitan ?

Yes, ElCapitan will be better. It is my favorite system.

But FileFault2 will not work with bad formatted HDD.

It must be pure GPT with EFI partition having signature EF00 and with Recovery partition where FileVault will place additional info.

About FirmwareVolume I think it was Yosemite only problem.

[Jief_Machak]

My hdd is well formatted. Pure GPT with EFI partition (empty I guess). There's also a recovery partition, because Clover proposed "Mac OS from recovery HD" and "Recovery from Recovery HD". The only thing is just that currently Clover is on a USB stick. USB stick also pure gpt formatted.

 

If you confirm that Clover on a USB stick should work, I'll try el capitan.

[smolderas]

My hdd is well formatted. Pure GPT with EFI partition (empty I guess). There's also a recovery partition, because Clover proposed "Mac OS from recovery HD" and "Recovery from Recovery HD". The only thing is just that currently Clover is on a USB stick. USB stick also pure gpt formatted.

 

If you confirm that Clover on a USB stick should work, I'll try el capitan.

I can confirm the second part.

I'm using the FileVault 2 since 10.11 (I guess), so on 10.12 with jHFS+ and on 10.13 with apfs. I installed clover on the EFI partition of my boot disk and can also boot from USB-Stick, if I need to revert to a previously clover revisions.

[Jief_Machak]

El capitan 10.11.6 seems to works. I have the login screen when I select "Boot Mac OS From Recovery HD".

 

But my internal keyboard is PS/2 and I don't find any driver. It's a dell m4300, same as d630. It's a BIOS (non-UEFI).

The strange thing is : even with no driver (no AptiInputFix or UsbKbDxe) I can still plug a USB keyboard and enter a password.

[Slice]

El capitan 10.11.6 seems to works. I have the login screen when I select "Boot Mac OS From Recovery HD".

 

But my internal keyboard is PS/2 and I don't find any driver. It's a dell m4300, same as d630. It's a BIOS (non-UEFI).

The strange thing is : even with no driver (no AptiInputFix or UsbKbDxe) I can still plug a USB keyboard and enter a password.

USB keyboard driver with FileVault2 support is already included in legacy Clover.

No developer to modify PS2 keyboard driver for the same purpose.

[Jief_Machak]

I'm a developer (I found the png bug a while ago). I have a Clover folder that compiles. So maybe I can do it. Could you point me in the direction ? What should I modify ?

 

Other question : is it possible to completely bypass the graphic page that ask the password ? I mean : let's imagine that Clover ask for the password in it's own GUI and then load the right efi providing the password ?

[smolderas]

I'm a developer (I found the png bug a while ago). I have a Clover folder that compiles. So maybe I can do it. Could you point me in the direction ? What should I modify ?

 

Other question : is it possible to completely bypass the graphic page that ask the password ? I mean : let's imagine that Clover ask for the password in it's own GUI and then load the right efi providing the password ?

Why would you use FileVault 2 then, if you giveaway your passwords happily?

[mhaeuser]

Other question : is it possible to completely bypass the graphic page that ask the password ? I mean : let's imagine that Clover ask for the password in it's own GUI and then load the right efi providing the password ?

 

Pretty? No. Semi-ugly? Wait till the GUI has init and then simulate key presses. But why do you want that?

[Slice]

I'm a developer (I found the png bug a while ago). I have a Clover folder that compiles. So maybe I can do it. Could you point me in the direction ? What should I modify ?

 

Other question : is it possible to completely bypass the graphic page that ask the password ? I mean : let's imagine that Clover ask for the password in it's own GUI and then load the right efi providing the password ?

It will be nice if you do this. I will help with my knowledge.

Compare folders

Clover/Drivers/UsbKbDxe

edk2/MdeModulePkg/Bus/Usb/UsbKbDxe

Main difference is a presence of new protocol (Clover/Protocols/AppleKeyAggregator) which is used by Apple's boot.efi to catch password input.

But it is hard to do the same with  Clover/LegacyBios/KeyboardDxe.. I partially did this but it is not working.

because Usb driver get a buffer of scan codes while Bios driver get symbol.

May be the better to rewrite  edk2/MdeModulePkg/Bus/Isa/Ps2KeyboardDxe knowing VoodooPS2Keyboard.cpp, I did not try.

Think about this!

 

I think it is possible to override Keyboard buffer to bypass passwork check but thinking required.

[Jief_Machak]

Sorry, I don't understand your answers. I'll try to make myself clearer. 

 

I don't giveaway my password, I just want to avoid launching Apple GUI. That would be another way of solving PS/2 keyboard that doesn't work in Apple GUI.

 

@smolderas : entering my password in Clover or in AppleGUI doesn't mean I'm giving it away. Maybe I sounded that stupid, but, of course, I won't put my password in config.plist. I just want Clover to ask for the password at each boot in it's own GUI instead of booting the AppleGUI.

Another way of asking is : why Clover chose to boot AppleGUI instead of asking the password in its own GUI. I guess it was easier ?

 

@Download-Fritz : "why do you want that?". You're right, I don't.

 

@Slice : what do you mean "bypass passwork check" ? I'll have a look in Dxe you told me. Thanks.

[vit9696]

It is pretty obvious why this code is not put to Clover. Password input is a security criticial code, which requires several actions to be made to take a good care of the entered data and not leaking it somewhere further to the OS (effectively defeating the overall point of the encryption). Leaving this to Apple reduces the attack area and lowers the risk of a mistake. It should be noted that keyboard driver and key map protocols still may leave some entered keys in memory, but from what I can tell even Apple currently does not try to protect from it, unlike boot.efi password input code.

[Slice]

If we enter password in Clover GUI then we can send this password to boot.efi, or not?

[smolderas]

If we enter password in Clover GUI then we can send this password to boot.efi, or not?

You could, but please don't. It is not the task of the bootloader.

One should try to fix the main problem, instead creating ways around it.

[Jief_Machak]

I'm not sure to see that as "not the task of a bootloader". Can be seen as : the partition is password protected, so the bootloader ask for the password to boot it.

But I understand your point. Now almost all the work is done and Apple pre-boot works, it makes sense to continue that way.

Too bad for me, it works except for PS2 keyboard. I take my hackintosh laptop on a long trip in 3 weeks and I wanted to protect it. I probably won't have time to understand the ps2 keyboard driver and improve it because I don't master the efi environment.

Hey, I'm not complaining : I have MacOS, thanks to Colver. So thanks to everyone who made it !

 

PS : if it's simpler to make Clover ask for password and pass it to boot.efi, than fixing the ps2 keyboard, I'm still up for it (better than nothing) ! :-)

[smolderas]

I'm not sure to see that as "not the task of a bootloader". Can be seen as : the partition is password protected, so the bootloader ask for the password to boot it.

But I understand your point. Now almost all the work is done and Apple pre-boot works, it makes sense to continue that way.

Too bad for me, it works except for PS2 keyboard. I take my hackintosh laptop on a long trip in 3 weeks and I wanted to protect it. I probably won't have time to understand the ps2 keyboard driver and improve it because I don't master the efi environment.

Hey, I'm not complaining : I have MacOS, thanks to Colver. So thanks to everyone who made it !

 

PS : if it's simpler to make Clover ask for password and pass it to boot.efi, than fixing the ps2 keyboard, I'm still up for it (better than nothing) ! :-)

If you (really) want to protect your data, you could still enable FileVault 1 (as in encrypt only the home folder). There were posts about it, need to search a bit.

[Slice]

You could, but please don't. It is not the task of the bootloader.

One should try to fix the main problem, instead creating ways around it.

Because you are not using Clover?

[Jief_Machak]

I know. I'm already with FileVault1. I would have preferred FileVault2.

[mhaeuser]

Because you are not using Clover?

 

Or because he actually appreciates good design lol

[Slice]

I prefer bugless solutions.

[mhaeuser]

Yes, converting text to keycodes will be way less buggy when done in Bloatver as opposed to the PS2 kb driver... In reality we just fear we won't get this amazing implementation as non-Clover users rofl

 

Slice, I like competetive teasing in a humorous way, but doing that with a potentially horrible workaround which is a spit away from a somewhat proper solution is humorous on a whole different level.

[Jief_Machak]

Just because you see things in a way, doesn't mean that it's "horrible workaround which is a spit away from a somewhat proper solution". At least, it's worth thinking about it. Even if it's for to conclude that you're right.

Explain your reasons instead of just saying that the others are wrong. I still don't get why Clover asking for a password is such an horrible thing. A bootloader that need a password to boot a partition : why is it bad design ?