Docs: Update FixupAppleEfiImages wording

acidanthera · Sep 29, 2024 · 9273be6 · 9273be6
1 parent 94ec1dc
commit 9273be6
Showing 1 changed file with 17 additions and 17 deletions.
diff --git a/Docs/Configuration.tex b/Docs/Configuration.tex
@@ -1620,22 +1620,20 @@ \subsection{Quirks Properties}\label{booterpropsquirks}
  \texttt{FixupAppleEfiImages}\\
  \textbf{Type}: \texttt{plist\ boolean}\\
  \textbf{Failsafe}: \texttt{false}\\
- \textbf{Description}: Fix errors in early Mac OS X boot.efi images.
+ \textbf{Description}: Fix permissions and section errors in macOS \texttt{boot.efi} images.
 
- Modern secure PE loaders will refuse to load \texttt{boot.efi} images from
- Mac OS X 10.4 to macOS 10.12 due to these files containing \texttt{W\^{}X} errors
- (in all versions) and illegal overlapping sections (in 10.4 and 10.5 32-bit
- versions only).
+ Mac OS X \texttt{boot.efi} images contain \texttt{W\^{}X} permissions errors
+ (in all versions) and in very old versions additionally contain illegal overlapping sections
+ (affects 10.4 and 10.5 32-bit versions only). Modern secure PE loaders (including the OpenCore
+ loader in current releases of OpenDuet) will refuse to load these images
+ unless additional mitigations are applied.
 
- This quirk detects these issues and pre-processes such images in memory,
+ This quirk detects these issues and pre-processes such images in memory
  so that a modern loader will accept them.
 
- Pre-processing in memory is incompatible with secure boot, as the image loaded
- is not the image on disk, so you cannot sign files which are loaded in this way
- based on their original disk image contents.
- Certain firmware will offer to register the hash of new, unknown images - this would
- still work. On the other hand, it is not particularly realistic to want to
- start these early, insecure images with secure boot anyway.
+ If on a system with such a secure loader, this quirk is required to load
+ Mac OS X 10.4 to macOS 10.12, and is required for all newer
+ macOS when \texttt{SecureBootModel} is set to \texttt{Disabled}.
 
  \emph{Note 1}: The quirk is never applied during the Apple secure boot path for
  newer macOS. The Apple secure boot path includes its own separate mitigations
@@ -1652,11 +1650,13 @@ \subsection{Quirks Properties}\label{booterpropsquirks}
  within their filesystem.
  \end{itemize}
 
- \emph{Note 3}: This quirk is needed for Mac OS X 10.4 to macOS 10.12 (and
- higher, if Apple secure boot is not enabled), but only when the firmware
- itself includes a modern, more secure PE COFF image loader. This applies to
- current builds of OpenDuet, and to OVMF if built from audk source code.
-
+ \emph{Note 3}: Pre-processing in memory is incompatible with secure boot, as the image loaded
+ is not the image on disk, so you cannot sign files which are loaded in this way
+ based on their original disk image contents.
+ Certain firmware will offer to register the hash of new, unknown images - this would
+ still work. On the other hand, it is not particularly realistic to want to
+ start these early, insecure images with secure boot anyway.
+
 \item
  \texttt{ForceBooterSignature}\\
  \textbf{Type}: \texttt{plist\ boolean}\\