[GUIDE] ScanPolicy: choose device types and operating systems to be scanned by OpenCore

[miliuco]

ScanPolicy key (integer) goes within Misc / Security in config.plist.

It defines device type and operating system detection policy. In accordance with this value, we can define different file systems and devices that OC scans and can boot. It is calculated by adding hexadecimal values of systems and devices, chosen in the list of the OC configuration PDF, and converting the total sum to their decimal value, which must be noted in config.plist.

 

From OC configuration PDF, failsafe value is 0x10F0103 corresponding to:

OC_SCAN_FILE_SYSTEM_LOCK - 1
OC_SCAN_DEVICE_LOCK - 2
OC_SCAN_ALLOW_FS_APFS - 100
OC_SCAN_ALLOW_DEVICE_SATA - 10000
OC_SCAN_ALLOW_DEVICE_SASEX - 20000
OC_SCAN_ALLOW_DEVICE_SCSI - 40000
OC_SCAN_ALLOW_DEVICE_NVME - 80000
OC_SCAN_ALLOW_DEVICE_PCI - 1000000

1 + 2 + 100 + 1000 + 2000 + 4000 + 8000 + 1000000 = 0x10F0103 (17760515 in decimal).

 

Setting to 0 will allow all sources present to be bootable.

 

But we may want to customize this. For example, I want to select this items:

0x00000001 — OC_SCAN_FILE_SYSTEM_LOCK, restricts scanning to only known file systems defined as a part of this policy.
0x00000002 — OC_SCAN_DEVICE_LOCK, restricts scanning to only known device types defined as a part of this policy.
0x00000100 — OC_SCAN_ALLOW_FS_APFS, allows scanning of APFS file system.
0x00000200 — OC_SCAN_ALLOW_FS_HFS, allows scanning of HFS file system.
0x00000800 — OC_SCAN_ALLOW_FS_NTFS, allows scanning of NTFS (Msft Basic Data) file system.
0x00010000 — OC_SCAN_ALLOW_DEVICE_SATA, allow scanning SATA devices.
0x00080000 — OC_SCAN_ALLOW_DEVICE_NVME, allow scanning NVMe devices.
0x00200000 — OC_SCAN_ALLOW_DEVICE_USB, allow scanning USB devices

Corresponding to 0x290B03, that's 2689795 in decimal. This is the value I write in config.plist.

 

Note: if you check 0x00000400 — OC_SCAN_ALLOW_FS_ESP, allows scanning of EFI System Partition file system all EFI partitions will be visible which may not be desirable.

 

As always, in Dortania there is an excellent text about this.

Edited June 2, 2021 by miliuco
Info added.

[FrankPaulThe2nd]

Hi Miliuco,

when I found this post I thought I found the solution. But it's too much for my brain... I can't understand how you calculate these numbers.

 

I'm trying to find the magic number to show just 2 SSD, the one where I have Big Sur and the one with Windows and nothing else.

Right now I have just Big Sur showing up (using 000F0903).

 

Could you help me? (Nice dog by the way).

[Anto65]

20 minutes ago, FrankPaulThe2nd said:

Hi Miliuco,

when I found this post I thought I found the solution. But it's too much for my brain... I can't understand how you calculate these numbers.

 

I'm trying to find the magic number to show just 2 SSD, the one where I have Big Sur and the one with Windows and nothing else.

Right now I have just Big Sur showing up (using 000F0903).

 

Could you help me? (Nice dog by the way).

try with 2687747

[miliuco]

3 hours ago, FrankPaulThe2nd said:

Hi Miliuco,

when I found this post I thought I found the solution. But it's too much for my brain... I can't understand how you calculate these numbers.

 

I'm trying to find the magic number to show just 2 SSD, the one where I have Big Sur and the one with Windows and nothing else.

Right now I have just Big Sur showing up (using 000F0903).

 

Could you help me? (Nice dog by the way).

 

The value 2687747 that @antuneddu proposes selects these items: APFS (macOS Big Sur), HFS (installation USB) and SATA - NVMe - USB devices.

If we look at the list of options and their hexadecimal values:
0x00000001 - OC_SCAN_FILE_SYSTEM_LOCK.
0x00000002 - OC_SCAN_DEVICE_LOCK.
0x00000100 - OC_SCAN_ALLOW_FS_APFS.
0x00000200 - OC_SCAN_ALLOW_FS_HFS.
0x00010000 - OC_SCAN_ALLOW_DEVICE_SATA.
0x00080000 - OC_SCAN_ALLOW_DEVICE_NVME.
0x00200000 - OC_SCAN_ALLOW_DEVICE_USB.

The hexadecimal values must be added: 1 + 2 + 100 + 200 + 10000 + 80000 + 200000 = 0x290303 hexadecimal (2687747 in decimal). With this value you get the BigSur volume, the recovery partition and the installation USB.

But you also want to see the Windows disk or partition that is NTFS so you have to look at the list again:
0x00000800 - OC_SCAN_ALLOW_FS_NTFS.
0x00000800 must be added to the previous value 0x290303 hexadecimal. The result is 0x290B03 which is equivalent to 2689795 in decimal. 2689795 is the value to write to config.plist.
Try and comment.

 

My dog thanks you the comment 

[Anto65]

20 minutes ago, miliuco said:

 

The value 2687747 that @antuneddu proposes selects these items: APFS (macOS Big Sur), HFS (installation USB) and SATA - NVMe - USB devices.

If we look at the list of options and their hexadecimal values:
0x00000001 - OC_SCAN_FILE_SYSTEM_LOCK.
0x00000002 - OC_SCAN_DEVICE_LOCK.
0x00000100 - OC_SCAN_ALLOW_FS_APFS.
0x00000200 - OC_SCAN_ALLOW_FS_HFS.
0x00010000 - OC_SCAN_ALLOW_DEVICE_SATA.
0x00080000 - OC_SCAN_ALLOW_DEVICE_NVME.
0x00200000 - OC_SCAN_ALLOW_DEVICE_USB.

The hexadecimal values must be added: 1 + 2 + 100 + 200 + 10000 + 80000 + 200000 = 0x290303 hexadecimal (2687747 in decimal). With this value you get the BigSur volume, the recovery partition and the installation USB.

But you also want to see the Windows disk or partition that is NTFS so you have to look at the list again:
0x00000800 - OC_SCAN_ALLOW_FS_NTFS.
0x00000800 must be added to the previous value 0x290303 hexadecimal. The result is 0x290B03 which is equivalent to 2689795 in decimal. 2689795 is the value to write to config.plist.
Try and comment.

 

My dog thanks you the comment 

Yes to me it is fine with NVMe and USB devices. Well how do you explain so in detail I would have wanted you as a teacher at school.  Bau  

[eSaF]

Surely the simplistic explanation to show both the BS and Windows Volumes would be Zero entered into the config.plist as 0. This is how it is in my config.plist and if I want the recovery volume or any hidden items to show, all I need to do is hit the Spacebar, unless I misunderstood the topic discussed.

Spoiler

 

 

[Anto65]

48 minutes ago, eSaF said:

Surely the simplistic explanation to show both the BS and Windows Volumes would be Zero entered into the config.plist as 0. This is how it is in my config.plist and if I want the recovery volume or any hidden items to show, all I need to do is hit the Spacebar, unless I misunderstood the topic discussed.

  Reveal hidden contents

 

 

You understood perfectly and your evaluation is very valid, it then depends on how everyone intends to customize the items to be displayed at boot, I personally like to have the screen with many icons at boot then with bootable volumes, Recovery and tools 

[miliuco]

57 minutes ago, eSaF said:

Surely the simplistic explanation to show both the BS and Windows Volumes would be Zero entered into the config.plist as 0. This is how it is in my config.plist and if I want the recovery volume or any hidden items to show, all I need to do is hit the Spacebar, unless I misunderstood the topic discussed...

 

But 0 shows also EFI folders and I don't want to see them. 0 shows every device that OC can boot, sure you know this, and I don't like to see EFI folders as redundant with boot volumes. Example: to see Big Sur volume and Big Sur EFI volume, to see Windows partition and also Windows EFI partition.

I think Spacebar displays entries and tools marked as auxiliary. I think that this is a different aproach than ScanPolicy.

 

Edited April 13, 2021 by miliuco

[eSaF]

@miliuco - Hi Bro this is my Boot Menu setup, featuring a combination of Scan Policy and Hidden Auxiliary in the config.plist that gives me the desired effect that works best for me (see attached)

Spoiler

. 

38 minutes ago, miliuco said:

0 shows every device that OC can boot

This is not so on my system, it only shows what I want it to show.

[miliuco]

15 minutes ago, eSaF said:

@miliuco - Hi Bro this is my Boot Menu setup, featuring a combination of Scan Policy and Hidden Auxiliary in the config.plist that gives me the desired effect that works best for me (see attached)

This is not so on my system, it only shows what I want it to show.

 

Dear friend, I see. In your case 0 works to your satisfaction.
It may be that I am wrong. I always thought that 0 shows all possible devices, all the ones that OpenCore can read.

 

In Dortania you can read:

ScanPolicy
What this quirk allows to prevent scanning and booting from untrusted sources. Setting to 0 will allow all sources present to be bootable but calculating a specific ScanPolicy value will allow you a greater range of flexibility and security.

 

I'm going to try with 0 en comment.

[miliuco]

@eSaF

There is no way. If ScanPolicy is 0, I see EFI partitions in addition to macOS and Windows volumes. If I press Spacebar, recovery partitions and tools are added.

 

 

 

 

 

Edited April 13, 2021 by miliuco

[eSaF]

@miliuco - Here is my config.plist minus personal data depicting my setup to give the desired Boot Menu.

Spoiler

config.plist

 

As you can see from the post before, I do not see EFI Partitions at the Boot Menu, I don't know if that is a fluke on my part or the way my system is configured.

[miliuco]

2 minutes ago, eSaF said:

@miliuco - Here is my config.plist minus personal data depicting my setup to give the desired Boot Menu...

 

Thanks, let me study your configuration and I will comment.

[miliuco]

@eSaF

 

These are the differences (we have almost the same settings), none of them seem to have anything to do with the devices shown in the picker but I'm going to do a test with your config.plist:

 

[Anto65]

1 minute ago, miliuco said:

@eSaF

 

These are the differences (we have almost the same settings), none of them seem to have anything to do with the devices shown in the picker but I'm going to do a test with your config.plist:

 

yes confirm ahahahha

[miliuco]

@eSaF @antuneddu

 

With the config.plist file from eSaF I see the EFI partition 

My system boots fine with that config.plist, it seems to work just as well as my usual one.

 

[eSaF]

@miliuco - I still haven't figured out your EFI Partition appearing at the Boot Menu as well although I see you have two BS volumes - different BS versions perhaps, current and previous??!!

[Anto65]

16 minutes ago, miliuco said:

@eSaF @antuneddu

 

With the config.plist file from eSaF I see the EFI partition 

My system boots fine with that config.plist, it seems to work just as well as my usual one.

 

SecureBootModel It makes a difference I think

[miliuco]

7 minutes ago, eSaF said:

@miliuco - I still haven't figured out your EFI Partition appearing at the Boot Menu as well although I see you have two BS volumes - different BS versions perhaps, current and previous??!!

No, there are 2 different disks, one with the Big Sur for daily use and other as backup (plugged to have more icons in the picker while doing tests).

I am leaving this matter for today because I do not understand. 2 different behaviors and I don't know why.

6 minutes ago, antuneddu said:

SecureBootModel It makes a difference I think

But when I've tried the eSaF's config.plist it was with the same SecureBootModel as him.

 

Edited April 13, 2021 by miliuco

[eSaF]

1 minute ago, miliuco said:

No, there are 2 different disks, one with the Big Sur for daily use and other as backup.

I am leaving this matter for today because I do not understand. 2 different behaviors and I don't know why.

Ok Bro no sweat I understand, BS can be quite taxing at times.

[Anto65]

evening of experiments  

with @eSaF configuration I get this, but SecureBootModel = Default

 

with my configuration I get this

[miliuco]

@FrankPaulThe2nd @eSaF @antuneddu

 

An user on the Reddit hackintosh forum has created an online tool to calculate the value of ScanPolicy. I have tried it and it seems to work fine. It is similar to the one included in OpenCore Configurator.

 

Edited April 14, 2021 by miliuco

[Anto65]

Thanks, but that's okay with me, anyway yesterday I tried again by setting the @eSaF configuration with 0 also to me it showed the EFI partitions like you ... mystery why not to him 

[miliuco]

25 minutes ago, antuneddu said:

Thanks, but that's okay with me, anyway yesterday I tried again by setting the @eSaF configuration with 0 also to me it showed the EFI partitions like you ... mystery why not to him 

 

Yes, it's strange, you and me see EFI partition/s when ScanPolicy=0 but @eSaF doesn't see that boot devices when using 0.

The only reference I can found about 0 value is in this Dortania text but in none of the OpenCore Configuration files I've reviewed a single word is said about that value.

 

Edited April 14, 2021 by miliuco

[eSaF]

4 minutes ago, miliuco said:

 

Yes, it's strange, you and me see EFI partition/s when ScanPolicy=0 but @eSaF doesn't see that boot devices when using 0.

The only reference I can found about 0 value is in this Dortania text but in none of the OpenCore Configuration files I've reviewed a single word is said about that value.

 

Not to dwell too much on this strange issue but I tried some of the values in that 'Scan Policy Generator' and got various errors i.e OC: Invalid Scan Policy, Halting on Critical error. The strange thing is the EFI Partition only shows up on the installer USB but I suspect that is for the installer not the main Drive (see attached). I have also seen various examples of similar Boot Screens to mine so go figure.

Spoiler