diff --git a/Docs/Configuration.tex b/Docs/Configuration.tex index 5f4d0fb4ea1..978c2c130c9 100755 --- a/Docs/Configuration.tex +++ b/Docs/Configuration.tex @@ -1620,22 +1620,20 @@ \subsection{Quirks Properties}\label{booterpropsquirks} \texttt{FixupAppleEfiImages}\\ \textbf{Type}: \texttt{plist\ boolean}\\ \textbf{Failsafe}: \texttt{false}\\ - \textbf{Description}: Fix errors in early Mac OS X boot.efi images. + \textbf{Description}: Fix permissions and section errors in macOS \texttt{boot.efi} images. - Modern secure PE loaders will refuse to load \texttt{boot.efi} images from - Mac OS X 10.4 to macOS 10.12 due to these files containing \texttt{W\^{}X} errors - (in all versions) and illegal overlapping sections (in 10.4 and 10.5 32-bit - versions only). + Mac OS X \texttt{boot.efi} images contain \texttt{W\^{}X} permissions errors + (in all versions) and in very old versions additionally contain illegal overlapping sections + (affects 10.4 and 10.5 32-bit versions only). Modern secure PE loaders (including the OpenCore + loader in current releases of OpenDuet) will refuse to load these images + unless additional mitigations are applied. - This quirk detects these issues and pre-processes such images in memory, + This quirk detects these issues and pre-processes such images in memory so that a modern loader will accept them. - Pre-processing in memory is incompatible with secure boot, as the image loaded - is not the image on disk, so you cannot sign files which are loaded in this way - based on their original disk image contents. - Certain firmware will offer to register the hash of new, unknown images - this would - still work. On the other hand, it is not particularly realistic to want to - start these early, insecure images with secure boot anyway. + If on a system with such a secure loader, this quirk is required to load + Mac OS X 10.4 to macOS 10.12, and is required for all newer + macOS when \texttt{SecureBootModel} is set to \texttt{Disabled}. \emph{Note 1}: The quirk is never applied during the Apple secure boot path for newer macOS. The Apple secure boot path includes its own separate mitigations @@ -1652,11 +1650,13 @@ \subsection{Quirks Properties}\label{booterpropsquirks} within their filesystem. \end{itemize} - \emph{Note 3}: This quirk is needed for Mac OS X 10.4 to macOS 10.12 (and - higher, if Apple secure boot is not enabled), but only when the firmware - itself includes a modern, more secure PE COFF image loader. This applies to - current builds of OpenDuet, and to OVMF if built from audk source code. - + \emph{Note 3}: Pre-processing in memory is incompatible with secure boot, as the image loaded + is not the image on disk, so you cannot sign files which are loaded in this way + based on their original disk image contents. + Certain firmware will offer to register the hash of new, unknown images - this would + still work. On the other hand, it is not particularly realistic to want to + start these early, insecure images with secure boot anyway. + \item \texttt{ForceBooterSignature}\\ \textbf{Type}: \texttt{plist\ boolean}\\