OC: Option for NVRAM persistence to enable boot-arg modification and SIP disable

[osy]

In the current implementation, we can add UEFI variables using the Add key under NVRAM. The way OcSetNvramVariable works is that it attempts to read the variable. If it's not found, then it will add it with the flags EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS. Block can be used to delete the variable first in order to always force the Add value instead.

I propose a third option. Either a new key Persist that operates like Add but creates the variable with EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS. Or a new option PersistAdd with a boolean value that will mask EFI_VARIABLE_NON_VOLATILE for Add variables.

Why is this useful? Consider the following use case: We need some base set of boot-args to boot up OSX. So we add them with Add. However, in the process of development/testing unrelated stuff, we wish to modify boot-args by appending some new string. Using sudo nvram boot-args="new value" fails because OSX will try to use the attribute EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS and it fails because in the EFI specs:

If a preexisting variable is rewritten with different attributes, SetVariable() shall not modify the variable and shall return EFI_INVALID_PARAMETER.

Okay, so what if we just don't put boot-args into the config.plist. Instead we just set sudo nvram boot-args="some value" initially. That works, except if we require certain boot-args to boot, then forgetting to append them will make the system unbootable (even more painful if the vault is used). So ideally, we can use OC's "erase nvram" option to wipe all the variables and then reset them with a clean default.

A second use case: csr-active-config is used for SIP. OSX does the checks to make sure csr-active-config is only modified in recovery OS. However, setting it in recovery OS still doesn't work if there is already an Add entry. But if we do not include csr-active-config in both Add then using OC's "erase nvram" option will always enable SIP.

An option to allow the NVRAM options in config.plist to act as a signed/verified golden default configuration but still allow modification to NVRAM through normal OSX techniques would be useful.

[vit9696]

Hi,

Firstly, regarding the concept.

• OpenCore NVRAM Add works mostly the way Mac firmwares work. It is meant to set the default variable values when they are missing due to previous NVRAM reset. This way you can get default user interface scaling (UIScale), enabled System Integrity Protection (csr-active-config), or many other variables like host name, backlight level, volume level, and so on.
• OpenCore and kext projects in Acidanthera are built around the way that boot arguments are a temporary way of configuration, allowing you to quickly set a parameter through UEFI Shell. We do not believe any machine should need any boot arguments to work, if it does need our boot arguments, these should have DeviceProperties aliases.
• OpenCore NVRAM Block concept is a hack or rather a security measure against the operating system. In certain cases we believe that the operating system cannot give enough protection for NVRAM variables. For example, Windows can modify csr-active-config at no issue in any mode. Currently FwRuntimeServices does not protect from that, and that is why we do provide an option to force some values.
• OpenCore uses volatile variables to avoid accidentally triggering some driver bug. Many NVRAM drivers in laptops fail to reclaim space after resetting or deleting variables, so we have to workaround. Nothing changes if we use non-volatile variables, however, if there is any sensible reason to, we could consider.

Secondly, about the expected workflow.

• The user has empty Block section (unless he wants that security I explained above part in), csr-active-config <00 00 00 00>, boot-args "-v".
• Before using OpenCore the user resets NVRAM. When using a new computer this is not needed, but there also are no macOS variables, when migrating from e.g. Clover this is essential, as it leaves tons of garbage variables.
• First start gives verbose mode and fully enabled SIP.
• Then the user reboots to recovery and uses csrutil disable. This makes csr-active-config non-volatile, and sets it to non-zero value, effectively disabling SIP.
• OpenCore no longer overrides csr-active-config at boot, but still provides -v for boot-args.
• The user sets new boot-args, "-v batman=0xff". The same thing as with csrutil disable happens. The variable becomes non-volatile, OpenCore no longer sets it at next boot.
• The user runs NVRAM cleaning with OpenCore. This removes all variables and effectively gives the user what he originally had. SIP is now fully on, and boot-args are back to -v. This is natural and matches Mac behaviour.

Given the above, I do not see an issue or the need to change anything. The logic looks perfectly natural to me.

[osy]

Let me do some more tests and I will get back to you on the override behaviour I observed.

Regarding "We do not believe any machine should need any boot arguments to work", is there a device injection option for shikigva=32 shiki-id=Mac-BE088AF8C5EB4FA2?

[vit9696]

Regarding "We do not believe any machine should need any boot arguments to work", is there a device injection option for shikigva=32 shiki-id=Mac-BE088AF8C5EB4FA2?

That's a good point, should really implement them as IGPU properties. Could you submit a bugreport please?

If a preexisting variable is rewritten with different attributes, SetVariable() shall not modify the variable and shall return EFI_INVALID_PARAMETER.

I believe macOS firstly deletes variables. Or my firmware is non-conformant, as we tested the behaviour above and it worked. We could consider some routes to fix this in case it causes problems. One of them is to make FwRuntimeServices.efi delete volatile variables on set failure. @Download-Fritz, what do you think about it?

[mhaeuser]

@vit9696 This is a tough question because in the end it's a bug in Apple's nvram utility if it really does not delete the variables first. If you "fix" it in FwRuntimeServices, it will explicitly violate the spec. On the other hand, I don't see a good point for the specified behaviour either except as some sort of request sanitizing, imo wait for what @osy86 has to report later.

[osy]

This is what I've tested

First boot:

$ sudo nvram boot-args
boot-args	alcid=11 shikigva=32 shiki-id=Mac-BE088AF8C5EB4FA2 -disablegfxfirmware
$ sudo nvram boot-args="alcid=11 shikigva=32 shiki-id=Mac-BE088AF8C5EB4FA2 -disablegfxfirmware test=test"
$ sudo nvram boot-args
boot-args	alcid=11 shikigva=32 shiki-id=Mac-BE088AF8C5EB4FA2 -disablegfxfirmware test=test

After rebooting:

$ sudo nvram boot-args
boot-args	alcid=11 shikigva=32 shiki-id=Mac-BE088AF8C5EB4FA2 -disablegfxfirmware

I've also reversed /System/Library/Extensions/AppleEFIRuntime.kext/Contents/PlugIns/AppleEFINVRAM.kext/Contents/MacOS/AppleEFINVRAM and looked into AppleEFINVRAM::setVariable (called by AppleEFINVRAM::setProperty) and could not find a delete before set. SetVariable is always called with EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS

[vit9696]

Thanks. In this case I do not mind ignoring the spec and incorporating the following change in SetVariable wrapper of FwRuntimeServices.efi.

1. If SetVariable returned EFI_INVALID_PARAMETER and passed Attributes are EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS
2. Call GetVariable with NULL buffer, zero size, and obtain current Attributes.
3. If GetVariable returned EFI_BUFFER_TOO_SMALL and current Attributes are EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS
4. Call SetVariable with NULL buffer, zero size, and current Attributes.
5. Call SetVariable with passed buffer, size, and Attributes (forward return).

[vit9696]

Implemented in

[master 269e18a] FwRuntimeServices: Added workaround for V to NV variable upgrade
 3 files changed, 43 insertions(+), 1 deletion(-)

[vit9696]

@osy86 can we close this now?

[osy]

Sorry, will test tomorrow. Just got back tonight.

[osy]

On latest release of OC and AppleSupport:

$ sudo nvram boot-args
boot-args	alcid=11 shikigva=32 shiki-id=Mac-BE088AF8C5EB4FA2 -disablegfxfirmware brcmfx-country=#a
$ sudo nvram boot-args="alcid=11 shikigva=32 shiki-id=Mac-BE088AF8C5EB4FA2 -disablegfxfirmware test=test"
nvram: Error setting variable - 'boot-args': (iokit/common) not permitted

[vit9696]

Are you positive this is not caused by System Integrity Protection or alike?