OcVariableRuntimeDxe: Minor updates to comment lines and docs
mikebeaton committed Jul 30, 2022
1 parent 2bf83a1 commit c9ba16f
Showing 8 changed files with 20 additions and 15 deletions.
2 changes: 1 addition & 1 deletion Docs/Configuration.md5
@@ -1 +1 @@
099da6a2cb197e5be23a304b2fdb0af5
b69e893d885e6cd6904e007721e87592
Binary file modified Docs/Configuration.pdf
Binary file not shown.
13 changes: 8 additions & 5 deletions Docs/Configuration.tex
Expand Up @@ -7064,11 +7064,14 @@ \subsection{OpenVariableRuntimeDxe}\label{emunvram}
\item 7C436110-AB2A-4BBB-A880-FE41995C9F82
\item 8BE4DF61-93CA-11D2-AA0D-00E098032B8C
\end{itemize}
This enables all variables saved by \texttt{Launchd.command}, and additionally all arbitrary user
test variables (e.g. as set by \texttt{sudo nvram foo="bar"}), to be saved to \texttt{nvram.plist}.
However, once set up, only allowing strictly required variables (as shown in OpenCore's sample
\texttt{.plist} files) is considerably more secure, and please note the following warning about the
overall security of loading nvram variables from a non-vaulted file.
This enables all variables saved by \texttt{Launchd.command} to be saved to \texttt{nvram.plist},
therefore it allows all arbitrary user test variables (e.g. as set by \texttt{sudo nvram foo=bar})
to be saved. Using this permissive policy is also future-proof against any changes in the variables
which need to be passed from macOS update setup to the \texttt{macOS Installer} stage, in order for
it to succeed.
Nevertheless, once emulated NVRAM is set up, only allowing known strictly required variables
(as shown in OpenCore's sample \texttt{.plist} files) is considerably more secure. See also the
following warning about the overall security of loading NVRAM variables from a non-vaulted file.

\textbf{Warning}: The ability to load NVRAM from a file on disk can be dangerous, as it
passes unprotected data to firmware variable services. Only use when no hardware NVRAM
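Review bot: The rewritten paragraph recommends two opposite settings without saying when each applies: it calls the permissive policy "future-proof" for the variables passed from macOS update setup to the macOS Installer stage, then says that allowing only known strictly required variables is "considerably more secure" once emulated NVRAM is set up. Because the warning directly below states that loading NVRAM from a file passes unprotected data to firmware variable services, the text should say explicitly whether the permissive policy is meant only for setup and updates with the strict list restored afterwards, or state that the strict list may stop a future update from succeeding. Separately, "therefore it allows all arbitrary user test variables" is a comma splice and the inference is loose; "and so also allows arbitrary user test variables" reads better.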
Binary file modified Docs/Differences/Differences.pdf
Binary file not shown.
15 changes: 9 additions & 6 deletions Docs/Differences/Differences.tex
@@ -1,7 +1,7 @@
\documentclass[]{article}
%DIF LATEXDIFF DIFFERENCE FILE
%DIF DEL PreviousConfiguration.tex Wed Jul 27 21:20:07 2022
%DIF ADD ../Configuration.tex Thu Jul 28 23:20:08 2022
%DIF ADD ../Configuration.tex Sat Jul 30 08:47:48 2022

\usepackage{lmodern}
\usepackage{amssymb,amsmath}
Expand Down Expand Up @@ -7328,11 +7328,14 @@ \subsubsection{Configuration}
}\item \DIFadd{7C436110-AB2A-4BBB-A880-FE41995C9F82
}\item \DIFadd{8BE4DF61-93CA-11D2-AA0D-00E098032B8C
}\end{itemize}
\DIFadd{This enables all variables saved by }\texttt{\DIFadd{Launchd.command}}\DIFadd{, and additionally all arbitrary user
test variables (e.g. as set by }\texttt{\DIFadd{sudo nvram foo="bar"}}\DIFadd{), to be saved to }\texttt{\DIFadd{nvram.plist}}\DIFadd{.
However, once set up, only allowing strictly required variables (as shown in OpenCore's sample
}\texttt{\DIFadd{.plist}} \DIFadd{files) is considerably more secure, and please note the following warning about the
overall security of loading nvram variables from a non-vaulted file.
\DIFadd{This enables all variables saved by }\texttt{\DIFadd{Launchd.command}} \DIFadd{to be saved to }\texttt{\DIFadd{nvram.plist}}\DIFadd{,
therefore it allows all arbitrary user test variables (e.g. as set by }\texttt{\DIFadd{sudo nvram foo=bar}}\DIFadd{)
to be saved. Using this permissive policy is also future-proof against any changes in the variables
which need to be passed from macOS update setup to the }\texttt{\DIFadd{macOS Installer}} \DIFadd{stage, in order for
it to succeed.
Nevertheless, once emulated NVRAM is set up, only allowing known strictly required variables
(as shown in OpenCore's sample }\texttt{\DIFadd{.plist}} \DIFadd{files) is considerably more secure. See also the
following warning about the overall security of loading NVRAM variables from a non-vaulted file.
}

\textbf{\DIFadd{Warning}}\DIFadd{: The ability to load NVRAM from a file on disk can be dangerous, as it
Binary file modified Docs/Errata/Errata.pdf
Binary file not shown.
3 changes: 1 addition & 2 deletions Include/Acidanthera/Library/OcBootManagementLib.h
@@ -1,6 +1,5 @@
/** @file
Copyright (C) 2019, vit9696. All rights reserved.<BR>
Copyright (C) 2021, Mike Beaton. All rights reserved.<BR>
Copyright (C) 2019-2022, vit9696, mikebeaton. All rights reserved.<BR>
SPDX-License-Identifier: BSD-3-Clause
**/

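Review bot: The merged copyright line in this header uses the handle "mikebeaton", while the Sip.c change in this same commit moves from "mikebeaton" to "Mike Beaton"; pick one form for both files. Collapsing the two notices into "2019-2022, vit9696, mikebeaton" also drops the per-holder years that the replaced lines recorded (2019 for vit9696, 2021 for Mike Beaton); keeping one line per holder with its own year range, as Sip.c does, would preserve that.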
2 changes: 1 addition & 1 deletion Library/OcVariableLib/Sip.c
@@ -1,7 +1,7 @@
/** @file
Manage Apple SIP variable csr-active-config.
Copyright (C) 2022, mikebeaton. All rights reserved.<BR>
Copyright (C) 2021-2022, Mike Beaton. All rights reserved.<BR>
SPDX-License-Identifier: BSD-3-Clause
**/

