Add OpenCore utilities

OpenCore-0.7.8/Utilities/CreateVault/create_vault.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+
+#  create_vault.sh
+#
+#
+#  Created by Rodion Shingarev on 13.04.19.
+#
+OCPath="$1"
+
+if [ "${OCPath}" = "" ]; then
+  echo "Usage ./create_vault.sh path/to/EFI/OC"
+  exit 1
+fi
+
+if [ ! -d "${OCPath}" ]; then
+  echo "Path $OCPath is missing!"
+  exit 1
+fi
+
+if [ ! -x /usr/bin/find ] || [ ! -x /bin/rm ] || [ ! -x /usr/bin/sed ] || [ ! -x /usr/bin/xxd ]; then
+  echo "Unix environment is broken!"
+  exit 1
+fi
+
+if [ ! -x /usr/libexec/PlistBuddy ]; then
+  echo "PlistBuddy is missing!"
+  exit 1
+fi
+
+if [ ! -x /usr/bin/shasum ]; then
+  echo "shasum is missing!"
+  exit 1
+fi
+
+abort() {
+  /bin/rm -rf vault.plist vault.sig /tmp/vault_hash
+  echo "Fatal error: ${1}!"
+  exit 1
+}
+
+echo "Chose ${OCPath} for hashing..."
+
+cd "${OCPath}" || abort "Failed to reach ${OCPath}"
+/bin/rm -rf vault.plist vault.sig || abort "Failed to cleanup"
+/usr/libexec/PlistBuddy -c "Add Version integer 1" vault.plist || abort "Failed to set vault.plist version"
+
+echo "Hashing files in ${OCPath}..."
+
+/usr/bin/find . -not -path '*/\.*' -type f \
+  \( ! -iname ".*" \) \
+  \( ! -iname "vault.*" \) \
+  \( ! -iname "OpenCore.efi" \) | while read -r fname; do
+  fname="${fname#"./"}"
+  wname="${fname//\//\\\\}"
+  shasum=$(/usr/bin/shasum -a 256 "${fname}") || abort "Failed to hash ${fname}"
+  sha=$(echo "$shasum" | /usr/bin/sed 's/^\([a-f0-9]\{64\}\).*/\1/') || abort "Illegit hashsum"
+  if [ "${#sha}" != 64 ] || [ "$(echo "$sha"| /usr/bin/sed 's/^[a-f0-9]*$//')" ]; then
+    abort "Got invalid hash: ${sha}!"
+  fi
+
+  echo "${wname}: ${sha}"
+
+  echo "${sha}" | /usr/bin/xxd -r -p > /tmp/vault_hash || abort "Hashing failure"
+  /usr/libexec/PlistBuddy -c "Import Files:'${wname}' /tmp/vault_hash" vault.plist || abort "Failed to append vault.plist!"
+done
+
+/bin/rm -rf /tmp/vault_hash
+
+echo "All done!"
+exit 0

OpenCore-0.7.8/Utilities/CreateVault/sign.command

@@ -0,0 +1,88 @@
+#!/bin/sh
+
+abort() {
+  echo "Fatal error: ${1}!"
+  exit 1
+}
+
+cleanup() {
+  echo "Cleaning up keys"
+  rm -rf "${KeyPath}"
+}
+
+if [ ! -x /usr/bin/dirname ] || [ ! -x /bin/chmod ] || [ ! -x /bin/mkdir ] || [ ! -x /usr/bin/openssl ] || [ ! -x /bin/rm ] || [ ! -x /usr/bin/strings ] || [ ! -x /usr/bin/grep ] || [ ! -x /usr/bin/cut ] || [ ! -x /bin/dd ] || [ ! -x /usr/bin/uuidgen ] ; then
+  abort "Unix environment is broken!"
+fi
+
+cd "$(/usr/bin/dirname "$0")" || abort "Failed to enter working directory!"
+
+OCPath="$1"
+
+if [ "$OCPath" = "" ]; then
+  OCPath=../../EFI/OC
+fi
+
+KeyPath="/tmp/Keys-$(/usr/bin/uuidgen)"
+OCBin="${OCPath}/OpenCore.efi"
+RootCA="${KeyPath}/ca.pem"
+PrivKey="${KeyPath}/privatekey.cer"
+PubKey="${KeyPath}/vault.pub"
+
+if [ ! -d "${OCPath}" ]; then
+  abort "Path ${OCPath} is missing!"
+fi
+
+if [ ! -f "${OCBin}" ]; then
+  abort "OpenCore.efi is missing!"
+fi
+
+if [ ! -x ./RsaTool ] || [ ! -x ./create_vault.sh ]; then
+  if [ -f ./RsaTool ]; then
+    /bin/chmod a+x ./RsaTool || abort "Failed to set permission for RsaTool"
+  else
+    abort "Failed to find RsaTool!"
+  fi
+
+  if [ -f ./create_vault.sh ]; then
+    /bin/chmod a+x ./create_vault.sh || abort "Failed to set permission for create_vault.sh"
+  else
+    abort "Failed to find create_vault.sh!"
+  fi
+fi
+
+trap cleanup EXIT INT TERM
+
+if [ ! -d "${KeyPath}" ]; then
+  /bin/mkdir -p "${KeyPath}" || abort "Failed to create path ${KeyPath}"
+fi
+
+./create_vault.sh "${OCPath}" || abort "create_vault.sh returns errors!"
+
+if [ ! -f "${RootCA}" ]; then
+  /usr/bin/openssl genrsa -out "${RootCA}" 2048 || abort "Failed to generate CA"
+  if [ -f "${PrivKey}" ]; then
+    echo "WARNING: Private key exists without CA"
+  fi
+fi
+
+/bin/rm -fP "${PrivKey}" || abort "Failed to remove ${PrivKey}"
+echo "Issuing a new private key..."
+/usr/bin/openssl req -new -x509 -key "${RootCA}" -out "${PrivKey}" -days 1825 -subj "/C=WO/L=127.0.0.1/O=Acidanthera/OU=Acidanthera OpenCore/CN=Greetings from Acidanthera and WWHC" || abort "Failed to issue private key!"
+
+/bin/rm -fP "${PubKey}" || abort "Failed to remove ${PubKey}"
+echo "Getting public key based off private key..."
+./RsaTool -cert "${PrivKey}" > "${PubKey}" || abort "Failed to get public key"
+
+echo "Signing ${OCBin}..."
+./RsaTool -sign "${OCPath}/vault.plist" "${OCPath}/vault.sig" "${PubKey}" || abort "Failed to patch ${PubKey}"
+
+echo "Bin-patching ${OCBin}..."
+off=$(($(/usr/bin/strings -a -t d "${OCBin}" | /usr/bin/grep "=BEGIN OC VAULT=" | /usr/bin/cut -f1 -d' ') + 16))
+if [ "${off}" -le 16 ]; then
+  abort "${OCBin} is borked"
+fi
+
+/bin/dd of="${OCBin}" if="${PubKey}" bs=1 seek="${off}" count=528 conv=notrunc || abort "Failed to bin-patch ${OCBin}"
+
+echo "All done!"
+exit 0

OpenCore-0.7.8/Utilities/LogoutHook/LogoutHook.command

@@ -0,0 +1,48 @@
+#!/bin/sh
+
+#
+# Copyright © 2020 Rodion Shingarev. All rights reserved.
+# Slight optimizations by PMheart and vit9696.
+#
+
+if [ "$1" = "install" ]; then
+  SELFNAME=$(basename "$0")
+  SELFDIR=$(dirname "$0")
+  cd "$SELFDIR" || exit 1
+  sudo defaults write com.apple.loginwindow LogoutHook "$(pwd)/${SELFNAME}"
+  exit 0
+fi
+
+if [ ! -x /usr/bin/dirname ] || [ ! -x /usr/sbin/nvram ] || [ ! -x /bin/rm ] || [ ! -x /usr/sbin/diskutil ] || [ ! -x /bin/cp ]  ; then
+  abort "Unix environment is broken!"
+fi
+
+thisDir="$(/usr/bin/dirname "${0}")"
+cd "${thisDir}" || abort "Failed to enter working directory!"
+
+if [ ! -x ./nvramdump ]; then
+  abort "nvramdump is not found!"
+fi
+
+abort() {
+  echo "Fatal error: ${1}"
+# echo "Fatal error: ${1}" >> error.log
+  exit 1
+}
+
+rm -f /tmp/nvram.plist
+./nvramdump || abort "failed to save nvram.plist!"
+
+UUID="$(nvram 4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102:boot-path | /usr/bin/sed 's/.*GPT,\([^,]*\),.*/\1/')"
+if [ "$(printf '%s' "${UUID}" | /usr/bin/wc -c)" -eq 36 ] && [ -z "$(echo "${UUID}" | /usr/bin/sed 's/[-0-9A-F]//g')" ]; then
+  /usr/sbin/diskutil mount "${UUID}" || abort "Failed to mount ${UUID}!"
+  p="$(/usr/sbin/diskutil info "${UUID}" | /usr/bin/sed -n 's/.*Mount Point: *//p')"
+if ! cmp -s /tmp/nvram.plist "${p}/nvram.plist"
+then
+  /bin/cp /tmp/nvram.plist "${p}/nvram.plist" || abort "Failed to copy nvram.plist!"
+fi
+  /usr/sbin/diskutil unmount "${UUID}" || abort "Failed to unmount ${UUID}!"
+  exit 0
+else
+  abort "Illegal UUID or unknown loader!"
+fi

OpenCore-0.7.8/Utilities/LogoutHook/README.md

@@ -0,0 +1,9 @@
+LogoutHook
+==========
+
+## Installation
+```sudo defaults write com.apple.loginwindow LogoutHook /path/to/LogoutHook.command```
+
+or
+
+```/path/to/LogoutHook.command install```

OpenCore-0.7.8/Utilities/ShimToCert/shim-to-cert.tool

@@ -0,0 +1,110 @@
+#!/bin/sh
+
+# shim-to-cert.tool - Extract OEM signing certificate public key (and full db, dbx if present) from GRUB shim file.
+#
+# Copyright (c) 2021, Michael Beaton. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-3-Clause
+#
+
+if [ -z "$1" ]; then
+    echo "Usage: $0 {shimfile}"
+    exit 1
+fi
+
+# require binutils and openssl
+command -v objcopy >/dev/null 2>&1 || { echo >&2 "objcopy not found - please install binutils package."; exit 1; }
+command -v openssl >/dev/null 2>&1 || { echo >&2 "openssl not found - please install openssl package."; exit 1; }
+
+sectfile=$(mktemp) || exit 1
+
+# make certain we have output file name, as objcopy will trash input file without it
+if [ "x$sectfile" = "x" ]; then
+    echo >&2 "Error creating tempfile!"
+    exit 1
+fi
+
+# extract .vendor_cert section
+objcopy -O binary -j .vendor_cert "$1" "$sectfile" || exit 1
+
+if [ ! -s "$sectfile" ] ; then
+    echo >&2 "No .vendor_cert section in $1."
+    rm "$sectfile"
+    exit 1
+fi
+
+# xargs trims white space
+vendor_authorized_size=$(dd if="$sectfile" ibs=1 skip=0 count=4 2>/dev/null | od -t u4 -An | xargs) || { rm "$sectfile"; exit 1; }
+vendor_deauthorized_size=$(dd if="$sectfile" ibs=1 skip=4 count=4 2>/dev/null | od -t u4 -An | xargs) || { rm "$sectfile"; exit 1; }
+vendor_authorized_offset=$(dd if="$sectfile" ibs=1 skip=8 count=4 2>/dev/null | od -t u4 -An | xargs) || { rm "$sectfile"; exit 1; }
+vendor_deauthorized_offset=$(dd if="$sectfile" ibs=1 skip=12 count=4 2>/dev/null | od -t u4 -An | xargs) || { rm "$sectfile"; exit 1; }
+
+# extract cert or db
+certfile=$(mktemp) || { rm "$sectfile"; exit 1; }
+
+dd if="$sectfile" ibs=1 skip="$vendor_authorized_offset" count="$vendor_authorized_size" 2>/dev/null > "$certfile" || { rm "$sectfile"; rm "$certfile"; exit 1; }
+
+# extract dbx
+if [ "$vendor_deauthorized_size" -ne "0" ]; then
+    dd if="$sectfile" ibs=1 skip="$vendor_deauthorized_offset" count="$vendor_deauthorized_size" 2>/dev/null > "vendor.dbx" || { rm "$sectfile"; rm "$certfile"; exit 1; }
+    echo "Secure Boot block list found and saved as vendor.dbx."
+fi
+
+rm "$sectfile"
+
+# valid as single cert?
+openssl x509 -noout -inform der -in "$certfile" 2>/dev/null
+
+if [ $? -ne 0 ]; then
+    # require efitools
+    command -v sig-list-to-certs >/dev/null 2>&1 || { echo >&2 "sig-list-to-certs not found - please install efitools package."; rm "$certfile"; exit 1; }
+
+    certsdir=$(mktemp -d) || { rm "$certfile"; exit 1; }
+
+    sig-list-to-certs "$certfile" "${certsdir}/vendor" 1>/dev/null
+
+    if [ $? -ne 0 ]; then
+        echo >&2 "ERROR: vendor_authorized contents cannot be processed as cert file or sig list."
+
+        rm -rf "$certsdir"
+        rm "$certfile"
+
+        exit 1
+    fi
+
+    cp "$certfile" vendor.db
+    echo "Secure Boot allow list found and saved as vendor.db - single cert may not be sufficient to start distro."
+
+    # fails when count .der files != 1
+    cp "$certsdir"/*.der "$certfile" 2>/dev/null
+
+    if [ $? -ne 0 ]; then
+        certcount=$(find "$certsdir" -maxdepth 1 -name "*.der" | wc -l)
+
+        if [ "$certcount" -ne "0" ]; then
+            cp "$certsdir"/*.der .
+
+            echo "Extracted multiple signing keys:"
+            pwd=$(pwd)
+            cd "$certsdir" || { rm -rf "$certsdir"; rm "$certfile"; exit 1; }
+            ls -1 ./*.der
+            cd "$pwd" || { rm -rf "$certsdir"; rm "$certfile"; exit 1; }
+        fi
+
+        rm -rf "$certsdir"
+        rm "$certfile"
+
+        exit 0
+    fi
+
+    rm -rf "$certsdir"
+fi
+
+# outfile name from cert CN
+certname=$(openssl x509 -noout -subject -inform der -in "$certfile" | sed 's/^subject=.*CN *=[ \"]*//' | sed 's/[,\/].*//' | sed 's/ *//g') || { rm "$certfile"; exit 1; }
+outfile="${certname}.pem"
+
+openssl x509 -inform der -in "$certfile" -out "$outfile" || { rm "$certfile"; exit 1; }
+
+rm "$certfile"
+
+echo "Certificate extracted as ${outfile}."