How do I "clean install" or otherwise verify an Opencore Mac isn't "rooted?" Can I?

[AppleDrank]

Please excuse:
1. My possible paranoia
2. Likely posting in the wrong forum

I broke the screen on my 2014 MacBook Pro 15". I picked up another one (same model/year) off of Offerup today for a good price. I learned it has Opencore + Sonoma.

The seller seems trustworthy, and it looks to be a clean install but, in the old days, I would do my own clean install before creating my own user account, signing into my wifi network, signing into iCloud, etc.

I don't know how to do this with Opencore, and I am concerned that the implication of Opencore being installed is that the Mac is technically already "rooted." Is this accurate?

What should I do to protect my data (and client data) from possible exposure? A few ideas I had that may or may not work:
1. Screen swap -- just move this screen to my old one.
2. SSD swap -- move my old SSD to this Mac
3. Create a new admin user, reset super user password, delete old administrator profile and risk it (concerning because OpenCore Legacy Patcher 1.4.3 (installed) has the following settings: ALLOW_UNTRUSTED_KEXTS, ALLOW_UNRESTRICTED_FS, ALLOW_UNAUTHENTICATED_ROOT
4. Install and run some sort of "virus scan?"
5. ???

Help!

 

[sfalatko]

Someone with a bit more knowledge will have to chime in but some thoughts....

1. OpenCore is a boot loader - it does not change the OS in any way.
2. You would have to do a bit of research on when OS support stopped for the MacBook Pro you purchased was. For my previous Mac Pro 5,1 support stopped at Mojave and it did not support AVX/AVX2 instructions. This required root patches for the video kexts. Up to Monterey the cMP did not require any root patches. Yours may or may not but since ALLOW_UNTRUSTED_KEXTS is selected my guess is it does require root patches.
3. OCLP is open source so somewhat less problematic.

If you are very concerned you could download OCLP from GitHub and reinstall it then remove and reapply root patches. You would then at least know the source for the modified drivers.

 

[AppleDrank]

Someone with a bit more knowledge will have to chime in but some thoughts....

1. OpenCore is a boot loader - it does not change the OS in any way.
2. You would have to do a bit of research on when OS support stopped for the MacBook Pro you purchased was. For my previous Mac Pro 5,1 support stopped at Mojave and it did not support AVX/AVX2 instructions. This required root patches for the video kexts. Up to Monterey the cMP did not require any root patches. Yours may or may not but since ALLOW_UNTRUSTED_KEXTS is selected my guess is it does require root patches.
3. OCLP is open source so somewhat less problematic.

If you are very concerned you could download OCLP from GitHub and reinstall it then remove and reapply root patches. You would then at least know the source for the modified drivers.

This is helpful, thanks! I'm not sure how to do it but at least I know there is a path.

 

[haralds]

OC does break the macOS security. If you want to be absolutely safe:

• Download the last supported installer for your machine. I think, it's Catalina.​
• Create a USB Installer.​
• Boot from the USB. Use Disk Utility to wipe the disk and do a fresh install.​
• If you want to get back to a newer macOS, download OCLP and install it and use it to install the unsupported version of macOS.​

BTW, this is the Mac Pro thread, not MacBook Pro.

 

[JustAnExpat]

What should I do to protect my data (and client data) from possible exposure?

Honestly, if you're using this for business purposes, I suggest leaving it disconnected from the internet if at all possible. I know if I was one of your clients, and I gave you something confidential to work on, I would be very upset if I discovered your system wasn't up to date.

 

[sfalatko]

OC does break the macOS security. If you want to be absolutely safe:

• Download the last supported installer for your machine. I think, it's Catalina.​
• Create a USB Installer.​
• Boot from the USB. Use Disk Utility to wipe the disk and do a fresh install.​
• If you want to get back to a newer macOS, download OCLP and install it and use it to install the unsupported version of macOS.​

BTW, this is the Mac Pro thread, not MacBook Pro.

To be clear - OpenCore DOES NOT break macOS security. It is only a boot loader.

OCLP - to run unsupported versions of macOS - in some cases needs to root patch macOS to install drivers/kexts from earlier versions of macOS to run. This is part of its creating a package to install OpenCore and patch the system to run the target macOS version on the unsupported hardware.

As an example on a cMP5,1 - because the processor does not support AVX/AVX2 instructions that are required in video drivers for Ventura and Sonoma - patches/installs Monterey versions of the drivers so that the OS will run. One of the "requirements" to make this work is lowered security to allow macOS to boot with the modified drivers.

If you want to reinstall OCLP then take a look here -

OpenCore Legacy Patcher

Experience macOS just like before

dortania.github.io

If you want to be even more careful you could reformat the drive and reinstall everything. Personally, I don't think that's worth the effort.

Regards,
sfalatko

 

[Bigwaff]

To be clear - OpenCore DOES NOT break macOS security. It is only a boot loader.

OC does require lower or disabled SIP (depending on target hardware) and OCLP docs recommend just leave SIP lower or disabled for post install patching.

Post-Installation | OpenCore Legacy Patcher

 

[sfalatko]

OC does require lower or disabled SIP (depending on target hardware) and OCLP docs recommend just leave SIP lower or disabled for post install patching.

Post-Installation | OpenCore Legacy Patcher

Again - OpenCore DOES NOT require SIP to be lowered. Running macOS on unsupported hardware may require lowering SIP. I ran Monterey on a 2010 Mac Pro 5,1 with full SIP enabled because no patching of macOS was required - the system was essentially spoofing a 2019 Mac Pro to run Monterey. I also did not use OCLP - I did a manual install of OpenCore to run Monterey. There is also Martin Lo's method in addition to OCLP

If you want to run macOS on unsupported hardware you MAY need to use OCLP with patched macOS and that definitely REQUIRES reducing SIP - and yes the OCLP developers are right to advise keeping as it as tight as possible. This all depends on the hardware you have.

I chimed in because there is a lot of misunderstanding or loose terminology around OpenCore and Open Core Legacy Patcher (OCLP). OCLP is built on OpenCore but goes well beyond to simplify configuration (even when patching is totally unnecessary) to enable running macOS on unsupported systems. The developers have truly done amazing work and are enabling old systems to continue to limp into the future.

Security is important and clearly understanding risks and deciding what level of risk you are personally willing to tolerate is critical. You need to understand the underlying technology or you won't be able to accurately asses the risk.

Regards,
tfalatko

 

[Bigwaff]

I broke the screen on my 2014 MacBook Pro 15". I picked up another one (same model/year) off of Offerup today for a good price. I learned it has Opencore + Sonoma.

Again - OpenCore DOES NOT require SIP to be lowered. Running macOS on unsupported hardware may require lowering SIP.

Which is what original post is about (2014 MBP + Sonoma) . Perhaps we are talking past each other. I understand OCLP is configuration/installer for OC. In the context of the original post, OCLP would lower/disable SIP. User have to explicitly enable SIP, which is not recommended in OCLP docs. But user can do what user want. This is important information for OP to understand.

 

[cdf]

OpenCore | ˈōp(ə)n kôr | noun Computing a boot loader rootkit (mostly attributed to computer science researchers vit9696 and mhaeuser) that injects data into memory to expand the hardware compatibility of macOS.​ OpenCore Legacy Patcher | ˈōp(ə)n kôr ˈleɡəsē ˈpaCHər | noun Computing a macOS application (mostly attributed to khronokernel and dhinakg) that installs and configures OpenCore for legacy Macs and provides post-installation root-patching for the most resistant cases of unsupported hardware.​ ​

@sfalatko is right. It is the root-patching done by OCLP that requires lowering security. On the other hand, OC can be used with full macOS security from Catalina to Monterey on MacPro5,1.

 

[Bigwaff]

@sfalatko is right. It is the root-patching done by OCLP that requires lowering security. On the other hand, OC can be used with full macOS security from Catalina to Monterey on MacPro5,1.

No doubt the distinction is generally important, but original thread post is about Sonoma installed on 2014 MBP using OCLP.

 

[Dayo]

It is the root-patching done by OCLP that requires lowering security. On the other hand, OC can be used with full macOS security from Catalina to Monterey on MacPro5,1.

Great stuff with the dictionary entries. However, the explanation of the issue (which is otherwise spot on) appears to imply that the OCLP would always apply root-patching, and reduce security, on the MP51 when otherwise not needed.

I was under the impression that the OCLP can, and would, also implement OpenCore on units such as the the MP51 without root-patching under the same conditions where OpenCore is so implemented using alternative means.

Must say I don't use the OCLP myself and do not know for certain.
That is, does it actually apply patches willy nilly as stated below?

even when patching is totally unnecessary

Would be quite bad (and senseless) if it does.

 

[Boyd01]

Please excuse:
2. Likely posting in the wrong forum

Moderator note: thread moved to MacBook Pro forum (was originally posted in Mac Pro forum but user is asking about a MacBook Pro).

 

[Jazzzny]

even when patching is totally unnecessary

No, this is incorrect.

Root patches are only presented and used when required. On Big Sur and Monterey, OCLP will present you with a "No patches required" screen if you try to patch on any system that already has native support for all the hardware you have installed (i.e. Mac Pro with Metal GPU and upgraded WiFi card [Monterey], or stock WiFi card [Big Sur]).

 

[cdf]

The complete quote:

OCLP is built on OpenCore but goes well beyond to simplify configuration (even when patching is totally unnecessary) to enable running macOS on unsupported systems.

I don’t think this says that root-patching is applied even when unnecessary, but rather that OCLP is useful even when root-patching is unnecessary. Indeed, OCLP will not only configure OC but it also installs OC and offers an easy way of obtaining macOS installers…

@Jazzzny any hope of adding the OC vs OCLP distinction to the OCLP documentation? We had discussed this last year here:

Manually Configured OpenCore on the Mac Pro

Great. I appreciate the openness. Here are some suggestions: The OCLP documentation starts off with a very brief subsection “What is OpenCore?”, but it lacks the obvious follow-up section “What is OpenCore Legacy Patcher?”. Consequently, people may not grasp the distinction. To describe OCLP, I...

forums.macrumors.com

 

[Dayo]

I don’t think this says that root-patching is applied even when unnecessary, but rather that OCLP is useful even when root-patching is unnecessary.

Makes sense in context of the explanation of how it works vis-a-vis patching.
I blame "totally unnecessary", which carries connotations, for the (mis)interpretation!

 

[gilby101]

My possible paranoia

You don't need to get Paranoid. But you do have to make compromises with old hardware.

Your choice would seem to be:

1) Do a clean install with Big Sur (the most recent macOS supported on your MBP 2014). That is then as Apple intends for your MBP, but you will not be getting the recent or future security fixes for macOS. It has known vulnerabilities.

2) Do a clean install with OCLP + Sonoma. You will then get security fixes for another three years, but will have to accept that OCLP will require some small compromise regarding booting. If it only has 8GB RAM, you may also be making compromises regarding performance.

3) Buy a newer Mac. The boot process, disk encryption, etc. is significantly more secure than anything you can achieve with an old Mac.

If security is your main concern then those choices are in ascending preference. A Mac with M1, M2 or M3 processor required if you want the best security Apple has to offer.

I would most definitely not use the MBP as is. For a second hand Mac I would always start again by erasing the disk and reinstalling macOS. You just don't know the state of the operating system.

1. Screen swap -- just move this screen to my old one.
2. SSD swap -- move my old SSD to this Mac

Possible - yes. But is doing either in your skill set and risk profile? How to do its are here: https://www.ifixit.com/Device/MacBook_Pro_13"_Retina_Display_Mid_2014 (but double check the right model).