All it takes is one bad actor to contribute code to OCLP that is accepted by the project.
You're in violent agreement with the whole purpose of this thread - welcome to the discussion. The majority of vulnerabilities exposed by projects like OCLP are those due to unintended design flaws and coding mistakes. And to inject root patches, we know that OCLP defeats macOS security features by partially disabling SIP, disabling Secure Boot Model and breaking the APFS seal, so an OCLP-patched Mac is inherently less secure than a fully supported Mac (one of the primary OCLP Developers admitted to this reduced security in this very thread).

In my opinion, the most alarming aspect of OCLP is the way that it was introduced as "Experience macOS just like before," "Built with Security in Mind" and "You're just as secure as a supported Mac" (the latter messages which have thankfully been abandoned by the OCLP Developers).

Like you, I have entertained the "bad actor" scenarios and for good reason - there are plenty of real-world examples. In this thread, I have chosen to give the OCLP Developers the benefit of the doubt and have made the requests documented here. OCLP Documentation and Messaging is still woefully deficient in warning about the downgraded security of an OCLP-patched Mac. I remain disappointed that the OCLP Developers have still not included crystal clear warnings in the OCLP GUI and Documentation.

EDIT: It is clear to me that the OCLP Developers know about the downgraded macOS security of an OCLP-patched Mac and that they consciously choose not to provide the requested security warnings. Willful negligence is intent.
 
Hi all! What would you say is more secure/dangerous: Staying on Monterey (EOS) and OCLP with full SIP or to upgrade the machine to Sonoma but partially disabled SIP?
 
Hi all! What would you say is more secure/dangerous: Staying on Monterey (EOS) and OCLP with full SIP or to upgrade the machine to Sonoma but partially disabled SIP?

As they say, it depends. When it comes to security you need to share the context of what you are trying to protect, against whom, and how you use your computer.

The most competent security experts I've heard approach it in terms of risk management. There is no absolute security, but we're trading off a number of factors, most commonly cost and risk. The other component of their models is: what are we trying to protect, against whom, and what is it worth to them? Then one can frame the issue in terms of how much effort that adversary would have to expend versus what it is worth to them.

If I had a billion dollar data asset, it might be worth it to someone to spend $500M on computing resources to break my encryption. Though likely there are alternate solutions:

The reason I detoured through the above is to emphasize the "it depends". For my home computer I am absolutely not worried about someone with physical access breaking into my computer. If a malicious person is in my home that is the least of my concerns. On the other hand, those running open computer labs likely have different priorities.

My guess is the biggest risk for most people is getting infected with some sort of spyware/key logger that can then be used to initiate identity theft or similar, and infection is most likely through their browsers. In that context I think the most important precaution is a strong browser with an up-to-date content blocker. For example, I'd say most people are better off with a well-configured Orion or Firefox browser with uBlock Origin, etc. running on Monterey (or even earlier) than Safari running on macOS 14.0.
 
Thanks for your reply! Yes, an up-to-date browser is crucial in both scenarios! My browser of choice is Brave and when it comes to content filtering I use nextDNS. Personally, I decided to upgrade my MBP to Sonoma, when Monterey reached EOS. But my mom's iMac still is on Monterey, but she primarily uses it to work from Home via Citrix. Maybe it isn't a big deal either way.
 
Safari running on macOS 14.0.
Are you saying in your opinion that Safari is not a secure browser? My seat-of-the-pants feeling is that between the big 3 for Mac I trust Safari the most. Again, this is just a gut feeling not backed up by research.
 
Are you saying in your opinion that Safari is not a secure browser? My seat-of-the-pants feeling is that between the big 3 for Mac I trust Safari the most. Again, this is just a gut feeling not backed up by research.

No, I was saying I believe an updated browser with proper protections (e.g. content blockers) on an older macOS is safer than an older version of Safari (e.g. the one that came with Sonoma 14.0) even if on a newer macOS (e.g. Sonoma 14.0) for random browsing of the Internet. Again context matters -- the latter has known vulnerabilities and makes a bigger target. The former almost certainly has vulnerabilities too but they are less known. If the primary threat is bots and random attacks, I would put my money on the former. For targeted journalists, probably neither would be an acceptable risk.
 
Hi all! What would you say is more secure/dangerous: Staying on Monterey (EOS) and OCLP with full SIP or to upgrade the machine to Sonoma but partially disabled SIP?
Is this question for the MBP 11,1 in your signature? Do you use your MBP outside of your home with Wi-Fi? If so and if your MBP does not need Wi-Fi root patches to run Ventura, you may wish to stick with Ventura (and Apple's native Wi-Fi framework) for now until Ventura is EOL.

Note that OCLP Devs extract an older Wi-Fi framework from Ventura to patch Wi-Fi in Sonoma and Sequoia. Also, one of the primary Devs has indicated in this very thread that keeping the Wi-Fi framework updated in Sonoma and beyond with the latest from Ventura is not their priority. When Ventura is EOL, OCLP Devs won't be able to update the Wi-Fi framework in Sonoma and Sequoia (even if they wanted to). Any vulnerabilities discovered in Ventura's Wi-Fi framework after Ventura is EOL are NOT going to be addressed in macOS versions after Ventura by OCLP Devs.

EDIT: Do not ignore the importance of security at OSI Layer 2.

EDIT2: While I have indicated that I am giving the OCLP Devs the benefit of the doubt and I am not questioning their intentions, I am not in any way claiming that OCLP's Wi-Fi patching of Sonoma and Sequoia is secure (even if patched with the latest extracted Wi-Fi framework from Ventura). There is NO WAY to determine Wi-Fi security of OCLP-patched Sonoma and Sequoia without rigorous 3rd-party testing (and even that is not a guarantee, but much, much better than no certification testing). The simple fact is that the OCLP Devs have injected non-native code into the lowest layers of macOS Sonoma and Sequoia to enable unsupported Broadcom Wi-Fi. No matter how talented the Devs and no matter how clever the implementation (very clever indeed), without 3rd-party validation by an accredited organization (not an inexpensive certification), the Wi-Fi security of OCLP-patched Sonoma and Sequoia is not known. "It works, therefore it is secure" is not a sound security assessment.
 
For targeted journalists, probably neither would be an acceptable risk.
For targeted individuals, nothing matters. Fully updated Apple devices have been repeatedly hacked by spyware. And Apple recently dropped the case against NSO Group, so there are no repercussions for the companies that provide that kind of service.
https://therecord.media/apple-seeks-dismissal-of-nso-lawsuit-pegasus-spyware

User ignorance is one of the most important aspects of OCLP security.
https://forums.macrumors.com/thread...-items-rm-alien-software-help-please.2428577/
 
Is this question for the MBP 11,1 in your signature? Do you use your MBP outside of your home with Wi-Fi? If so and if your MBP does not need Wi-Fi root patches to run Ventura, you may wish to stick with Ventura (and Apple's native Wi-Fi framework) for now until Ventura is EOL.

Note that OCLP Devs extract an older Wi-Fi framework from Ventura to patch Wi-Fi in Sonoma and Sequoia. Also, one of the primary Devs has indicated in this very thread that keeping the Wi-Fi framework updated in Sonoma and beyond with the latest from Ventura is not their priority. When Ventura is EOL, OCLP Devs won't be able to update the Wi-Fi framework in Sonoma and Sequoia (even if they wanted to). Any vulnerabilities discovered in Ventura's Wi-Fi framework after Ventura is EOL are NOT going to be addressed in macOS versions after Ventura by OCLP Devs.

EDIT: Do not ignore the importance of security at OSI Layer 2.
Nope, I am asking for an old iMac that my mom uses to work from home. It's only connected to our private WiFi in a suburban area. And she hardly stores anything else on that thing…

I recently updated my MBP (the one in my signature) from Monterey to Sonoma. It's also almost always connected to my private WiFi with WPA3. I know that there is no such thing as 100% security and, as you guys mentioned, it's a matter of what you're willing to trade off. But yes, that also included a custom SIP config. I'm planning to replace that book when there's a good deal for an M4 model ;)

But when it comes to security-related software that I'm using, it's Brave for browsing, NextDNS, Bitwarden as PW manager, 2FA where possible, FileVault, iCloud with full encryption, and all my sensitive data goes into an encrypted Disk Image that is only mounted when I need it.
 
Already posted this question yesterday at https://forums.macrumors.com/thread...unsupported-macs-thread.2346881/post-33486251

Thinking now that this forum might be more appropriate, so re-posting:

Can someone please tell me, re. Library Validation (not talking about Patcher Settings with option to disable): what should be the default, disabled or enabled? (Long story: ran sudo nvram boot-args=amfi_get_out_of_my_way=0x1, which appears to have disabled Library Validation, and which I have tried reversing so far with no luck).

Wondering if Library Validation disabled is needed to run OCLP? If not, then not happy running Library Validation wide open, and if possible would like the proper command to reverse* (Note, checked a CCC Clone from before I ran that command and com.apple.security.libraryvalidation.plist can not be found at all - doesn't exist there. So clearly, running that command created that .plist).

*Already tried: sudo nvram boot-args=""; sudo defaults write /Library/Preferences/com.apple.security.libraryvalidation.plist DisableLibraryValidation -bool true


Seeing com.apple.security.libraryvalidation.plist set to disabled in /Library/Preferences:
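As an added example, not code from the thread or from the OCLP project, here is a small offline audit that decodes the three settings discussed above (the csr-active-config SIP bits mentioned early in the thread, the amfi_get_out_of_my_way boot-arg run in this post, and the DisableLibraryValidation key in com.apple.security.libraryvalidation.plist) from constructed sample values. It assumes the nvram -p text layout (name, tab, %XX-escaped bytes), takes the flag names from XNU's csr.h, and treats a missing plist as the default, validation enabled, which matches the "did not exist on the earlier clone" observation above.

```python
import plistlib
import re

# SIP (csr-active-config) flag bits as named in XNU's csr.h
CSR_FLAGS = {
    0x001: "ALLOW_UNTRUSTED_KEXTS",
    0x002: "ALLOW_UNRESTRICTED_FS",
    0x004: "ALLOW_TASK_FOR_PID",
    0x008: "ALLOW_KERNEL_DEBUGGER",
    0x010: "ALLOW_APPLE_INTERNAL",
    0x020: "ALLOW_UNRESTRICTED_DTRACE",
    0x040: "ALLOW_UNRESTRICTED_NVRAM",
    0x080: "ALLOW_DEVICE_CONFIGURATION",
    0x100: "ALLOW_ANY_RECOVERY_OS",
    0x200: "ALLOW_UNAPPROVED_KEXTS",
    0x400: "ALLOW_EXECUTABLE_POLICY_OVERRIDE",
    0x800: "ALLOW_UNAUTHENTICATED_ROOT",
}

def parse_nvram_line(line):
    """Split an 'nvram -p' style line ('name<TAB>%XX-escaped value') into (name, bytes)."""
    name, _, raw = line.partition("\t")
    text = re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return name, text.encode("latin-1")

def decode_csr(value_bytes):
    """Names of the SIP protections switched OFF by a little-endian u32 csr value."""
    cfg = int.from_bytes(value_bytes[:4].ljust(4, b"\0"), "little")
    return [name for bit, name in CSR_FLAGS.items() if cfg & bit]

def library_validation_disabled(plist_bytes):
    """True when the LV plist disables validation; None (plist absent) is the default: enabled."""
    if plist_bytes is None:
        return False
    return bool(plistlib.loads(plist_bytes).get("DisableLibraryValidation", False))

def amfi_relaxed(boot_args):
    """True if boot-args carries a non-zero amfi_get_out_of_my_way (the arg from the post)."""
    for token in boot_args.split():
        key, _, val = token.partition("=")
        if key == "amfi_get_out_of_my_way":
            return int(val or "1", 0) != 0
    return False

def assess(nvram_lines, lv_plist_bytes):
    """Summarise the posture from nvram -p style lines plus the LV plist bytes (or None)."""
    nv = dict(parse_nvram_line(line) for line in nvram_lines)
    return {
        "sip_disabled_flags": decode_csr(nv.get("csr-active-config", b"")),
        "amfi_relaxed": amfi_relaxed(nv.get("boot-args", b"").decode("latin-1")),
        "library_validation_disabled": library_validation_disabled(lv_plist_bytes),
    }

# Constructed sample input (not captured from a real Mac): csr value 0x803 = 0x1|0x2|0x800
SAMPLE_NVRAM = [
    "csr-active-config\t%03%08%00%00",
    "boot-args\tamfi_get_out_of_my_way=0x1",
]
SAMPLE_LV_PLIST = plistlib.dumps({"DisableLibraryValidation": True})
```

Against a live machine you would feed it the lines of `nvram -p` and the bytes of the plist (or None when the file does not exist), which is the comparison the "clone from before" check in the post amounts to.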
 
Hi 👋 There's clearly a knowledgeable community here and I hope you can educate me. My 2015 iMac now runs the latest OS with OCLP beautifully, it's like a new Mac! I'm concerned with exposing my data through doing this; I'm technical enough to install OCLP but I can't code. A lot of knowledgeable individuals seem to be dismissive of people like me using OCLP or say doing so leaves me with no security whatsoever. I'd appreciate people who know more than I sharing their views and, crucially, rationale - am I wide open using OCLP or do I simply need to be aware of specific vulnerabilities? I gather that I am gaining the latest OS-level/browser security responses but also opening my system up to malware accessing the deepest parts of my system. I worry specifically about my Mac being used as a gateway to my iCloud Drive where I store confidential work files or my Mac being hijacked remotely. Not concerned about physical access attacks. My 2015 iMac is not my work machine but shares an Apple ID and I use it for non-sensitive tasks. I'd like your help deciding whether to throw away my perfectly functional 5k iMac and spend money on what I see as a less good modern offering from Apple, or whether the risk level is tolerable (e.g. by taking particular precautions). Thanks for any help - Dan
 
Hi 👋 There's clearly a knowledgeable community here and I hope you can educate me. My 2015 iMac now runs the latest OS with OCLP beautifully, it's like a new Mac! I'm concerned with exposing my data through doing this; I'm technical enough to install OCLP but I can't code. A lot of knowledgeable individuals seem to be dismissive of people like me using OCLP or say doing so leaves me with no security whatsoever. I'd appreciate people who know more than I sharing their views and, crucially, rationale - am I wide open using OCLP or do I simply need to be aware of specific vulnerabilities? I gather that I am gaining the latest OS-level/browser security responses but also opening my system up to malware accessing the deepest parts of my system. I worry specifically about my Mac being used as a gateway to my iCloud Drive where I store confidential work files or my Mac being hijacked remotely. Not concerned about physical access attacks. My 2015 iMac is not my work machine but shares an Apple ID and I use it for non-sensitive tasks. I'd like your help deciding whether to throw away my perfectly functional 5k iMac and spend money on what I see as a less good modern offering from Apple, or whether the risk level is tolerable (e.g. by taking particular precautions). Thanks for any help - Dan
I'm not a security expert but I do use OCLP on one of my machines, but not my primary one. For me I feel safe watching YouTube and such. I don't use it for banking or email. If you're worried about your iCloud Drive, may I suggest a second iCloud account, or just log out of iCloud.
 
Hi 👋 There's clearly a knowledgeable community here and I hope you can educate me. My 2015 iMac now runs the latest OS with OCLP beautifully, it's like a new Mac! I'm concerned with exposing my data through doing this; I'm technical enough to install OCLP but I can't code. A lot of knowledgeable individuals seem to be dismissive of people like me using OCLP or say doing so leaves me with no security whatsoever. I'd appreciate people who know more than I sharing their views and, crucially, rationale - am I wide open using OCLP or do I simply need to be aware of specific vulnerabilities? I gather that I am gaining the latest OS-level/browser security responses but also opening my system up to malware accessing the deepest parts of my system. I worry specifically about my Mac being used as a gateway to my iCloud Drive where I store confidential work files or my Mac being hijacked remotely. Not concerned about physical access attacks. My 2015 iMac is not my work machine but shares an Apple ID and I use it for non-sensitive tasks. I'd like your help deciding whether to throw away my perfectly functional 5k iMac and spend money on what I see as a less good modern offering from Apple, or whether the risk level is tolerable (e.g. by taking particular precautions). Thanks for any help - Dan

"Money isn't as valuable to our organization as knowing who to trust." -Casino Royale (granted that also came from a bad guy).

In the end there isn't really absolute security, and not only that, you're always trusting someone else (unless you build everything from the sand up yourself, which is also not humanly possible as far as modern computers go).

With a new computer running a new OS, you're trusting Apple (and to a lesser extent various intermediaries). In the OCLP setup, you are trusting Apple + the OCLP people. If you trust them as much as any other non-sandboxed software running on your computer then it's fine.

As far as access to your work cloud, I would defer to your work's security policies. If they let unmanaged computers connect to their cloud then this should be no worse. If this effectively violates their security policies then I would not do it. Not judging their policies one way or the other and just assuming they are appropriate to the situation. One can always add more restrictions and controls but unless it's considered in its totality, it's like locking a convertible with the windows down.
 
Hi, thanks to deeveedee the security issue seems to be quite clear now. However, what if I use an old Mac + OCLP, have nothing important on it, but want to install some official third party software? Probably I would have to send some personal data, use password etc. in order to download it (I am not talking about payment as this can be done on another, safer computer). Does a software owner use his own encryption protocol so that my data can not be intercepted by a hacker?
 
Hi, thanks to deeveedee the security issue seems to be quite clear now. However, what if I use an old Mac + OCLP, have nothing important on it, but want to install some official third party software? Probably I would have to send some personal data, use password etc. in order to download it (I am not talking about payment as this can be done on another, safer computer). Does a software owner use his own encryption protocol so that my data can not be intercepted by a hacker?
Unfortunately this is a question that cannot be answered, as it would be down to the software company in question and many other variables as to how they look after their data security. I would say that you should be absolutely fine for most use cases. If you are concerned then avoid using it for banking/payments. There have been no publicly documented breaches of OCLP, so these are all potential risks.
 
There have been no publicly documented breaches of OCLP, so these are all potential risks.
Fortunately for us, those who exploit vulnerabilities always publicize the exploit ;)

EDIT: Kidding aside, JonaM's answer is good. In my opinion, if it absolutely cannot be compromised, don't do it on an OCLP-patched Mac. Many of the servers that I maintain must remain compliant with one security standard or another (e.g., PCI compliance). I apply many required security patches with "no known exploits" or "no known compromises" simply because of the potential vulnerability.

Only you can decide when it is worth the risk.

EDIT2: With the increased use of single sign-on (multiple applications and websites that are accessible with a single set of credentials), the risk assessment may not be simple. For example, you may decide that accessing Facebook from your OCLP-patched Mac is safe, because you don't post private info on Facebook. However, if you have granted permission to other sites or applications with your Facebook account ...
 
It is interesting that it is technically possible for many "outdated" Macs to run Sequoia using OpenCore and OCLP – even if one has to give up WiFi for Ethernet. It would seem that it would also be possible to run full SIP, if only Apple would allow it.
 
“Mykola Grymalyuk – Project lead of OpenCore Legacy Patcher”
"Apple's Not So Rapid Security Response"
After watching this very interesting video, I feel a bit better about using OCLP on my older Mac. I still won't use it for banking or online shopping, but I would not do that on Windows either.
 
@dimme For me, the security of an OCLP-patched Mac has never been about whether I like the Devs (although the video does make me like and respect Mykola Grymalyuk even more than I did before). For me, it's always been about what OCLP has to do to an unsupported Mac to make it run the latest versions of macOS. The video didn't change that.
 