No OTA updates available for some SMBIOS, T2 related, server side, also for all SMBIOS with VMM flag

[82ghost82]

Hello,
I'm testing monterey and I noticed no ota update available from beta 5 to beta 6.
I thought about an error on my end, even if I verified multiple times, then I upgraded from a full installer.
Today I noticed this, opened by @khronokernel and well explained:
dortania/OpenCore-Legacy-Patcher#471

I know you don't support betas, but my feeling is that this won't change with next versions.

[vit9696]

We heard about this issue, but do not have the resources to investigate it in the nearest future. Help is wanted to provide us with the solution.

[82ghost82]

I was sure you were informed about this, I opened this just to keep track of the issue.
It's not a stopper, workarounds exist, so this has not to be fixed anytime soon.
Hopefully someone else too will join the development.

[Lorys89]

have you tried setting securebootmodel to default?
in my hacks with recent smbios I solved so

[82ghost82]

No, but default now falls back to x86legacy instead of that of imacpro, so there shouldn't be any difference.
Which oc version are you referring?

Edit/update: sorry, it was always set to Default

[Lorys89]

No, but default now falls back to x86legacy instead of that of imacpro, so there shouldn't be any difference.
Which oc version are you referring?

oc 0.7.2 ota update from beta 5 to beta 6, found by setting securebootmodel to default in my hacks with smbios macmini 8.1 and imac 20.1 and macbook pro 16.2

[vit9696]

I think there are two separate issues here:

1. Updating with x86legacy as a secure boot model on non-T2 mac model (e.g. iMac19,1) and having an update failure.
2. Requesting an update with x86legacy on a T2 mac model (e.g. iMacPro1,1) and not getting anything.

I explored boot.efi from macOS 12 and provided an update in acidanthera/OpenCorePkg@239c1a5. Please check the following scenarios with AppleSecureBootModel = Default and ApECID = 0:

1. Whether issue (1) is present. I hope to have addressed it.
2. Whether issue (2) is present. There is a chance it got fixed, though I doubt it.
3. Whether macOS 11 boots fine. There should be no change here.
4. Whether macOS 12 boots fine. There should be no change here.

[82ghost82]

Thank you very much, I need some time to download the install assistant of beta 5 (I have only b4 and b6 full installers); I will clean install b4, upgrade to b5 with the install assistant and try the ota to b6 (or make a full installer from the b5 install assistant and try the ota to b6).

In the meantime:
3. Whether macOS 11 boots fine. There should be no change here.
No issues here (11.5.2), SMBIOS: imacpro1,1, SecureBootModel=Default, ApECID=0

Will be back in a few hours.

[82ghost82]

Tested this (2):
Requesting an update with x86legacy on a T2 mac model (e.g. iMacPro1,1) and not getting anything.

SecureBootModel=Default
ApECID=0
SMBIOS: iMacPro1,1

2. Whether issue (2) is present. There is a chance it got fixed, though I doubt it.
Issue not solved

3. Whether macOS 11 boots fine. There should be no change here.
As written above no issue with 11.5.2

4. Whether macOS 12 boots fine. There should be no change here.
Monterey beta 5 installs and boots fine with latest commit

[vit9696]

Need to test 1. This is important as a first step.

[1alessandro1]

I'd like to also address the fact that with configurations such as:

• SMBIOS: iMac19,1 (non-T2)
• macOS version: 11.x
• SecureBootModel: Default (now equal to x86legacy since OC 0.7.2, otherwise there's no possibility to install updates on monterey and newer)
• ApECID different from 0 (64 bit integer)

There's no way to bless the disk or install from webrecovery (hence boot macOS) as described in the past (April), in this post on AppleLife where the error "Unable to verify macOS" appears when finishing a download from webrecovery (note: these tests were made on Big Sur, not on Catalina, which requires a hack from the terminal - and it's something which should not happen on > 10.15, since the configuration.pdf says only on 10.15 and below)

This means that since the only way to update from Softwareupdate on macOS 12 and newer is to use x86legacy, for now ApECID cannot be nonzero on any configuration.

On Big Sur, one could boot with SecureBootModel = j185 and a custom ApECID, installing from webrecovery. But this won't work on macOS 12 currently

But for now, yes, it's better to test x86legacy and ApECID = 0 configs, since those are the most likely to boot

[82ghost82]

Tested this (1):
Updating with x86legacy as a secure boot model on non-T2 mac model (e.g. iMac19,1) and having an update failure.

SecureBootModel=Default
ApECID=0
SMBIOS: iMac19,1

1. Whether issue (1) is present. I hope to have addressed it.
Sorry, no update available from beta 5

[vit9696]

Are you sure? This has never been an issue. Maybe needs pressing CMD+R.

[82ghost82]

Yes, quite sure, I checked SIP and authenticated root were enabled (no apple internal), I resetted nvram, I checked the system is iMac19,1, I checked my internet connection worked, I rebooted several times after each try, I refreshed the system preference panel, but no update is showing.

Can share config with smbios data, it's only for testing
config.txt

[vit9696]

Does the update show with AppleSecureBoot set to Disabled? (no need to update). Also please provide the DEBUG log from OC. @khronokernel this does not line with your comments, what can you say on that?

[telepati]

Issue 1 is not correct. I have never got an update failure with 19,1 which I always used this SMBIOS.

SIP: Default
SecureBootModel: Default
ApECID: Default

[vit9696]

With Default AppleSecureBootModel?

[mbarbierato]

@vit9696 i have some friend with z390 with smbios imac19,1 and SecureBootModel set to Disabled and the update is show with Default isn't show

[vit9696]

Are you sure these people updated to acidanthera/OpenCorePkg@239c1a5 however?

[telepati]

@vit9696 i have some friend with z390 with smbios imac19,1 and SecureBootModel set to Disabled and the update is show with Default isn't show

This is weird. I am using TUF Z390, 9900K, UHD 630 with 19,1, and SecureBootModel Disabled or Default always worked for me. And I didn't early update my OC this month. I am still using the Release version of OC 0.7.2.

My last update of macOS, yesterday night was with public beta 5 SecureBootModel: Default.

[82ghost82]

Disabled or Default doesn't make any difference for me on iMac19,1 smbios, no update is shown.
This log is for:
SecureBootModel=Default
ApECID=0
SMBIOS: iMac19,1

opencore-2021-09-03-150403.txt

[telepati]

@82ghost82 could you please share your "diskutil apfs list" Maybe your seal is broken?

Also try this;
#1769 (comment)

[82ghost82]

disk-list.txt

Volume is sealed, and unfortunately I already tried what you wrote, except downgrading opencore, which I'm running with this commit (d2ba13b).

[vit9696]

Retest with build from https://github.com/acidanthera/OpenCorePkg/runs/3511625931

[82ghost82]

Thanks
Test on monterey b5, imac 19,1 smbios:

SecureBootModel=Default
No update available :(
Monterey-b5-iMac191-SecBootMod-Default.txt

SecureBootModel=Disabled
Assert [OpenCore] String.c (630) : String != ((void *) 0)
Halting on critical error
Monterey-b5-iMac191-SecBootMod-Disabled-Assert.txt

[Core-i99]

I must say that I had beta 6 not showing. So I used SWUSwitcher. I switched to the "Regular Updates" and then back to the "Developer Program Members". And then the update was showing for me. Some friends of me got it working this way too.

But this can probably not really help you...

Edit:
my smbios is imac19,1
And specs are i5 9400, asrock b365 pro4, gt710

According to apple's website this smbios doesn't have a t2 chip. I heard from a friend that has some i9 9900k and uses imac20,1 that he was needed to do a clean install from an usb disk. SWUSwitcher didn't work for him. So I can confirm this issue

[82ghost82]

Thank you for your contribution.
I don't know about SWUSwitcher, but from your description I think it simply unenroll/enroll in the DeveloperSeed program with the seedutil utility , which I tried (unenroll and enroll again) from the terminal without any luck.

But which version of oc?Tomorrow I will try to downgrade opencore (I will try 0.7.2 release, as it seems some are reporting to get the ota delta update?) to see if I can find the culprit..may be also related to virtualization environment, not paid access to developer program or other..

As reported by others, the fact that the update doesn't show for imac 20,1 is not a surprise, strange thing is that it's not showing with imac 19,1, which doesn't have T2.
My starting point was super clean, clean installation of beta 5 on empty disk.

[Core-i99]

I use oc 0.7.2 but I downloaded that before the release. So I have an older commit of 0.7.2
I think my friend has 0.7.3 so can be that that is the problem.

[82ghost82]

Tried also 0.7.2 release with iMac19,1 smbios, SecureBootModel Default/Disabled/x86legacy, clear nvram at each change, unenroll/enroll DeveloperSeed, tried the public beta utility once logged in with apple id, tried the developer seed utility downloaded elsewhere, deleted/not deleted csr-active-config entry in config.plist (in both cases sip enabled - not apple internal): nothing, no luck, that damn update is not showing...and since I trust you all there should be something new introduced, or can be my error (possible, yes, but trust me I checked and rechecked a lot of times, and since now I always updated with delta ota, so I know what to check, it's not the first time).
Tried with logged in/not logged in into my apple id, I'm running qemu with ovmf code/vars (stable 202108), a virtual hd (raw image file 160 GB), a virtio ethernet bridged to the host, a usb wifi, and my cpus are passed through (2x 2687w v1, with 14 cores + hyperthreading, so not all cores are active).
This hardware/configuration was never an issue, but I don't know what changed, so everything matters.

Can I ask you if it's normal the red dot in the following picture? You can access that window from system preference panel --> software update --> advanced; I cannot select neither Train/profile and show preliminary updates.

[antoniomcr96]

A possible workaround that allowed me to update my laptop with a T2 SMBIOS (MacBookPro15,2) consists of:

• using a T2 SecureBootModel string ("j132" in my case);
• in this way the update should be shown in system preferences;
• download&install the update and reset SecureBootModel to "Default" in config.plist before the reboot.

I know that this isn't a solution, but I'm writing for who's interested in updating and doesn't find a way to do it without changing the SMBIOS or using the full installer.

Can I ask you if it's normal the red dot in the following picture? You can access that window from system preference panel --> software update --> advanced; I cannot select neither Train/profile and show preliminary updates.

I can't see that window, maybe because I'm enrolled only in public betas program

[82ghost82]

I can't see that window, maybe because I'm enrolled only in public betas program

Yes, that's because it's public beta and not developer seed.

Here also the system softwareupdated log when trigging the software update with cmd+r

softwareupdated-log.txt

[82ghost82]

是你的问题，我的正常收到B6

useless comment, if the team thought it was a user error they had already closed the issue.
And please, write in a universal language.

[82ghost82]

Even worse, I reinstalled beta 4, from which in the past I updated via delta ota and the update doesn't show even there..oc release 0.7.2, iMac19,1, SecureBootModel Disabled or Default.

[khronokernel]

For those with T2 based SMBIOS, can you please test the below PR with OpenCorePkg 0.7.3:

• Implement patch to trick Pallas FeatureUnlock#2

Follow the directions closely, and verify whether Beta 6 in Software Update installs correctly on your machine in the following scenarios:

• SecureBootModel set to Disabled
• SecureBootModel set to x86legacy

I have confirmed myself that the update shows on an iMacPro1,1 SMBIOS in Beta 5, however installation needs to be verified.

Please note, this is not a permanent fix, instead a temporary one to give Dhinak, myself and other developers a bit more time to research a proper fix. Ideally we'd like to have T2 model IDs work in Monterey so none of this userspace patching is required.

[82ghost82]

Thank you very much @khronokernel and to all who contributed and are contributing.

Is this specific for beta 5 --> 6?

Yesterday I tested from beta 4, and I just changed the smbios to imacpro1,1, compiled the kext you indicated, injected, booted with nvram reset and tested.

Nothing, in my case the update doesn't show (SecureBootModel=Disabled/x86legacy)..But my system runs on qemu (as described above), so this could be the difference (?)..
Other than the things I listed in the previous replies I don't think I have to check anything else for the update to show:
- SIP/authenticated root
- sealed volume
- unenroll/enroll again in DeveloperSeed
- nvram reset at each change
- check correct smbios information

Update: I noticed you have additional nvram variables which I don't have (with SecureBootModel=x86legacy)..Do I have to add them manually to config.plist?That seems a bit strange they're not in the list?

Update2: sorry, retesting, I just read instructions!!

[82ghost82]

It works for me with imacpro1,1 under qemu with securebootmodel=x86legacy! Starting from beta 4, before nothing was shown.

Trying to install from delta ota.
UPDATE 1: installation went fine from beta 4 to beta 6 (SecureBootModel=Default, which fallback to x86legacy, iMacPro1,1)

UPDATE 3: testing now installation with imacpro1,1 under qemu with securebootmodel=Disabled (khronokernel kext applied), from beta 5; the update is showing also in this case and the installation is fine also in this case.

Need to retest also with imac19,1 because I noticed that I had some issue with imacpro1,1 to apply the modifications, which were solved by replacing ovmf files with fresh ones, will try again by replacing these and report back.

UPDATE 2: I confirm no update is showing for iMac19,1 (with no khronokernel solution applied), from beta 5: most probably related to this comment:
dortania/OpenCore-Legacy-Patcher#471 (comment)

This explains why for some (the majority) the update is showing whilst for others, like me, is not showing, because, yes, I have the VMM flag; until Big Sur (11.4?) it was possible to simply patch with OC, by renaming VMM to XXX or something else, now that simple patch doesn't work anymore (at least to enable cache content on vm). Need to try that patch (next test), not sure it's enough that the VMM flag is not in Cpuid features, will report back.

I tested also imac19,1 with securebootmodel Default, no khronokernel kext, patch (rename) VMM to XXX, and in this case update is not showing (from beta 5).

Moreover, from @parrotgeek1
Amusingly, there is also an explicit check for the opencore-version nvram variable as well, to force the Mac platform to be unknown rather than legacy. It's in ___BIDeviceInfoGetMacPlatform_block_invoke.

They should focus on fixing their bugs instead of thinking at how to block opencore....

[khronokernel]

Unfortunately after further research we've found that Pallas has multiple T2 model checks. The above PR only patches the initial T2 model check to report OS updates, afterwards there's an additional check for the actual installation of the delta update.

Where this additional T2 check is completely unknown, further research needed.

[82ghost82]

@khronokernel
This means that for your Mac Pro smbios you see the update but you're not able to install?
That's different from my case, with iMac Pro 1,1 I was able to get the update to show and installation was fine too both with SecureBootModel Default and Disabled (see above, as I'm constantly edit my message by hand handing with tests); last test I'm doing is patching the VMM flag to XXX for iMac19,1 to see if the update shows, and if it shows if it's able to install.
If you need further testing I'm available to test all you want (if I'm able :)).

[wy414012]

• Seeing this interesting test, I participated and used the default security model without any problems.
• Use SMBIOS: iMac Pro1,1 my EFI
• OpenCore ver:0.7.3

@khronokernel

[vit9696]

I suggest to calm down for the time being. Given that VMM updates are obviously broken, I believe Apple is making heavy changes in the subsystem. I would speculate that if this is true, we should be able to observe these changes in 2-3 seeds from now. Even if the issue does not get fixed by itself, it will be much easier for us to investigate a more polished code.

As a workaround you should be able to update by downloading a complete installer with the Default Apple Secure Boot model and a non-T2 Mac model. This does sound good enough to me for a beta build. We will return to the issue later this autumn.