-
-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rapid Security Response with legacy Macs #1019
Comments
RSRs with Haswell+ Macs and KDK Installs
As initially suspected, now validated, Apple desyncs the Kernel Collections present in macOS when an RSR is installed. Due to this, machines will no longer boot due to their mismatched kernel caches. Affected MacsCurrently the only affected Macs in OCLP are those with AMD Graphics Patches, as we need to downgrade the AMD Graphics Stack to support the older hardware. Models include:
Prefix: Kernel Collection Understanding and why RSRs break macOSIn macOS there are 3 types of Kernel Collections, each used at a different stage of the boot process that loads the kernel and kernel extensions required by macOS:
The distinction of these 3 caches location is important as it plays to how Apple implemented the RSR system. On Macs with broken APFS Seals, the Software Update framework will request APFS.kext to revert the APFS snapshot to the last sealed variant. However contrary to the logic used by Apple's own When this happens, the UUIDs of the Kernel Collections will become mismatched and result in a kernel panic within XNU's For systems relying on KDK-less usage, macOS is able to easily recover since the 2 essential caches, Boot and System, are still in-sync. However for systems using the KDK approach, we see that the custom BootKC and stock SysKC are in use.
Recovering from an RSR update on a Haswell+ Mac using KDKsTo recover a broken installation, users will need to boot into Single User Mode and repair the Preboot volume manually. To enter Single User Mode, hold Cmd + S before entering macOS Ventura in OpenCore's Picker. Once loaded into Single User Mode, you'll be presented with a basic terminal allowing you to run basic commands. For this you'll need to run the following: # Get the APFS Preboot UUID
ls /System/Volumes/Preboot
# This will list a number of folders, look for those matching this format:
# 00000000-0000-0000-0000-000000000000
# If you only have Ventura installed, 1 UUID will be present
# Check each UUID folder to see which is Ventura
cat ls /System/Volumes/Preboot/4E1B280E-8AB5-48DD-94A1-414505E6D576/System/Library/CoreServices/SystemVersion.plist
# Look for ProductVersion string
# <key>ProductVersion</key>
# <string>13.2</string>
# Once correct UUID found, remove bad KC:
mv /System/Volumes/Preboot/4E1B280E-8AB5-48DD-94A1-414505E6D576/boot/System/Library/KernelCollections/BootKernelExtensions.kc /System/Volumes/Preboot/4E1B280E-8AB5-48DD-94A1-414505E6D576/boot/System/Library/KernelCollections/BootKernelExtensions.kc.BAD
# Install good KC:
cp /System/Library/KernelCollections/BootKernelExtensions.kc /System/Volumes/Preboot/4E1B280E-8AB5-48DD-94A1-414505E6D576/boot/System/Library/KernelCollections/ Potential SolutionsCurrently still being investigated, however most ideal solution would be to implement either a kernel function or boot script to validate KC UUIDs and fix when required. No time frame can be given to if/when this can be properly developed. Additionally this issue has been filed to Apple as this affects genuine macOS developers using Kernel Debug Kits:
However unknown whether Apple will leave this as an edge case and ignore. |
macOS 13.3.1 (a) Installation Issues
Due to a bug in the Haswell graphics stack, OpenCore Legacy Patcher 0.6.5 resolves this. Work-aroundProper Fix: Root patch with OCLP 0.6.5Work-around for pre-0.6.5 systems:One can simply disable the problematic kexts from loading by booting in Safe Mode (Cmd+X in the boot menu). Once booted, repatch macOS with OpenCore Legacy Patcher and the issue will be resolved. |
With the initial beta of macOS 13.2 (22D5027d), Apple has seeded a test update using the new Rapid Security Response System, generally abbreviated as RSR.
RSR relies on the Cryptex system, where core userspace binaries are stored in the Preboot volume, including the DYLD Shared Cache. when macOS performs an RSR-based update, it applies a diff onto the os.dmg and app.dmg. Once applied, a relaunch of the affected application will work however full OS reboot is required for dyld and framework updates.
With legacy Macs running OpenCore Legacy Patcher, the main issues we see are:
Root Patched Macs via KDK approach will result in a crash on updateCause: Rapid Security Response with legacy Macs #1019 (comment)x86_64h
RSRsKDKless installs result in WindowServer crashing after RSR installsAt this time, we'd advise users with either pre-Haswell CPUs to hold off on installing macOS 13.2's Rapid Security Response Update until more information is known.
The text was updated successfully, but these errors were encountered: