overdue-scratch

Author Topic: [Resolved] Firewire security mode problem and IODeviceTree  (Read 35265 times)

0 Members and 1 Guest are viewing this topic.

chris789

  • Guest
[Resolved] Firewire security mode problem and IODeviceTree
« on: April 19, 2009, 06:55:26 PM »
There is a problem with Firewire:
kernel[0]: ERROR: FireWire unable to determine security-mode; defaulting to full-secure.

which is a problem because this disables DMA for Firewire and that means slow transfer and high CPU load.

From the source IOFireWireFamily, IOFireWireController.cpp
Code: [Select]
/
// assume security mode is normal
//

IOFWSecurityMode mode = kIOFWSecurityModeNormal;

//
// check OpenFirmware security mode
//

{
char matchPath[32]; // IODeviceTree:/:options
OSDictionary * optionsMatchDictionary = IOOFPathMatching( "/options", matchPath, 32 ); // need to release

mach_timespec_t t = { 10, 0 }; //wait 10 secs
IOService * options = IOService::waitForService( optionsMatchDictionary, &t ); // consumes dict ref, don't release options

if( options != NULL )
{
OSString * securityModeProperty = OSDynamicCast( OSString, options->getProperty("security-mode") );

if( securityModeProperty != NULL && strncmp( "none", securityModeProperty->getCStringNoCopy(), 5 ) != 0 )
{
// set security mode to secure/permanent
mode = kIOFWSecurityModeSecurePermanent;
}
}
else
{
ErrorLog("FireWire unable to determine security-mode; defaulting to full-secure.\n");
// turn security on because we can't determine security-mode
mode = kIOFWSecurityModeSecurePermanent;
}
}

I think this means that "IODeviceTree:/options" is not available within 10s.
If anybody could enlighten me if this can be resolved from Chameleon or anything else I would be happy about any hints.

Superhai

  • VoodooLabs
  • Posts: 102
Re: Firewire security mode problem and IODeviceTree
« Reply #1 on: April 19, 2009, 10:29:27 PM »
I realized that Chameleon 2.0 will defeat this. You can try this http://www.superhai.com/files/deprecated/SMBIOSResolver.kext.zip but you will need an old version of chameleon, as the new one in its endless wisdom is creating the /options node. The Firewire kext is waiting for it to be created, and as chameleon creates it during boot before kernel (on a real mac the /options node is created after kernel starts up by the efinvram kext) it will time out and use permanent security instead of normal.


savestheday

  • Observer
  • Posts: 11
Re: Firewire security mode problem and IODeviceTree
« Reply #2 on: April 20, 2009, 05:59:57 PM »
This could definitely explain my slow firewire transfers, I get the same message.  SuperHAI, what would prevent me from loading the SMBIOSResolver instead of smbios.plist?  I think I can override using smbios.plist in my boot.plist.  Also, according to this post, Andy V has incorporated your fixes into this own AppleSMBios.kext

http://www.insanelymac.com/forum/index.php?showtopic=129930

Would you recommend that kext now? 

Chameleon team - do you guys plan on changing this to superhai's suggestion?  I *do* have very slow firewire transfer rates but thought it came with the territory of hackintosh.  If this could be fixed, I'd be very, very happy!
« Last Edit: April 20, 2009, 06:05:21 PM by savestheday »

Superhai

  • VoodooLabs
  • Posts: 102
Re: Firewire security mode problem and IODeviceTree
« Reply #3 on: April 20, 2009, 08:57:20 PM »
I don't know what AnV has changed, you must ask him. But the one I posted here was modified to add securtiy-mode to the options node. It has nothing to do with smbios at all. You will have to try and see if it works

lebidou

  • Resident
  • Posts: 133
Re: Firewire security mode problem and IODeviceTree
« Reply #4 on: April 20, 2009, 09:04:58 PM »
I just tried SMBIOSResolver in combination with Chameleon 1.0 with smbios patching, and it gives panic at boot. I haven't a photograph of the panic but it says it is SMBIOSResolver related.

If you need a picture I'll take one.

Any idea about that ?

savestheday

  • Observer
  • Posts: 11
Re: Firewire security mode problem and IODeviceTree
« Reply #5 on: April 20, 2009, 09:30:57 PM »
I don't know what AnV has changed, you must ask him. But the one I posted here was modified to add securtiy-mode to the options node. It has nothing to do with smbios at all. You will have to try and see if it works

So I couldn't bypass smbios.plist (in my boot.plist) and load your kext with Chameleon 2.0?

Superhai

  • VoodooLabs
  • Posts: 102
Re: Firewire security mode problem and IODeviceTree
« Reply #6 on: April 20, 2009, 10:33:17 PM »
If you need a picture I'll take one. Any idea about that ?

It would help alot with the panic, or I would have nothing...

lebidou

  • Resident
  • Posts: 133
Re: Firewire security mode problem and IODeviceTree
« Reply #7 on: April 20, 2009, 11:23:16 PM »
humm… A very strange thing hapenned, I reinstalled SMBIOSResolver exactly the same way as before (ie. with Kext Helper) and now it boots normally :o

Sorry for the disturbance, I'm a bit confused…

chris789

  • Guest
Re: Firewire security mode problem and IODeviceTree
« Reply #8 on: April 21, 2009, 11:31:10 AM »
I realized that Chameleon 2.0 will defeat this. You can try this http://www.superhai.com/files/deprecated/SMBIOSResolver.kext.zip but you will need an old version of chameleon, as the new one in its endless wisdom is creating the /options node. The Firewire kext is waiting for it to be created, and as chameleon creates it during boot before kernel (on a real mac the /options node is created after kernel starts up by the efinvram kext) it will time out and use permanent security instead of normal.

Sorry, I am not sure I understand the situation. Why would the Firewire kext not find an existing /options node immediate? Does this mean it's a precondition for success  that before the waitForService starts the node does not exist?

From xnu, IOService.cpp:
Code: [Select]
IOService * IOService::waitForService( OSDictionary * matching,
mach_timespec_t * timeout )
{
    IONotifier * notify = 0;
    // priority doesn't help us much since we need a thread wakeup
    SInt32 priority = 0;
    SyncNotifyVars state;
    kern_return_t err = kIOReturnBadArgument;

    if( !matching)
        return( 0 );

    state.waitHere = 0;
    state.result = 0;

    LOCKWRITENOTIFY();

    do {

        state.result = (IOService *) getExistingServices( matching,
                            kIOServiceMatchedState, kIONotifyOnce );
if( state.result)
    continue;

        err = semaphore_create( kernel_task, &state.waitHere,
                                    SYNC_POLICY_FIFO, 0 );
        if( KERN_SUCCESS != err)
            continue;

        notify = IOService::setNotification( gIOMatchedNotification, matching,
                    &IOService::syncNotificationHandler, (void *) 0,
                    (void *) &state, priority );

    } while( false );

    UNLOCKNOTIFY();

     if( notify) {
        if( timeout)
            err = semaphore_timedwait( state.waitHere, *timeout );
        else
            err = semaphore_wait( state.waitHere );
    }

    if( notify)
        notify->remove(); // dequeues
    else
        matching->release();
    if( state.waitHere)
        semaphore_destroy( kernel_task, state.waitHere );

    return( state.result );
}

It looks like the kernel checks existing nodes (getExistingServices) first, or is it the kernel doesn't even know about the already existing /options node?

Superhai

  • VoodooLabs
  • Posts: 102
Re: Firewire security mode problem and IODeviceTree
« Reply #9 on: April 21, 2009, 12:38:37 PM »
Sorry, I am not sure I understand the situation. Why would the Firewire kext not find an existing /options node immediate? Does this mean it's a precondition for success  that before the waitForService starts the node does not exist?
It looks like the kernel checks existing nodes (getExistingServices) first, or is it the kernel doesn't even know about the already existing /options node?

I didn't check the kernel source for getExistingServices, just tried it in the kext, and if it is created immediatelt (before the IOFirewire is run) it will fail, waiting till it is doing the watForService method then it will success.

chris789

  • Guest
Re: Firewire security mode problem and IODeviceTree
« Reply #10 on: April 24, 2009, 07:16:43 PM »
I did a few new tests with your SMBIOSResolver v1.0.8. Thansk for that!

Unfortunately I had an older version (v1.0.7) until now which appears not to include the security-mode fix.

This is what I saw:

1) Chameleon2 with SMBIOSResolver.

Two options nodes exist in the device tree. Very strange, how is this possible? Firewire error eccurs.

ioreg -p IODeviceTree -l says (only relevant info shown):

Code: [Select]
+-o Root  <class IORegistryEntry, retain 17>
  +-o /  <class IOPlatformExpertDevice, registered, matched, active, busy 0, retain 27>
    +-o options  <class IOService, !registered, !matched, active, busy 0, retain 4>
    |   {
    |     "name" = <"options">
    |     "IOPlatformUUID" = <0000000000001000800000508d9f42f0>
    |   }
    +-o options  <class IOService, !registered, !matched, active, busy 0, retain 4>
        {
          "resolver" = ""
          "security-mode" = "none"
        }
2) Installed munky's efi_boot v6.1 with SMBIOSResolver. munky's source is available and I checked that it does not touch the options node.

The node exists as expected but the firewire error is not fixed. I also checked disk transfer to firewire drive and it's slow with high CPU load.

Code: [Select]
+-o Root  <class IORegistryEntry, retain 17>
  +-o /  <class IOPlatformExpertDevice, registered, matched, active, busy 0, retain 26>
    +-o options  <class IOService, !registered, !matched, active, busy 0, retain 4>
        {
          "resolver" = ""
          "security-mode" = "none"
        }
       
I can't really make sense of this.

Superhai

  • VoodooLabs
  • Posts: 102
Re: Firewire security mode problem and IODeviceTree
« Reply #11 on: April 25, 2009, 08:03:44 AM »
Have you disabled or removed the kext for efinvram?

chris789

  • Guest
Re: Firewire security mode problem and IODeviceTree
« Reply #12 on: April 25, 2009, 11:05:22 AM »
Have you disabled or removed the kext for efinvram?
Yes, I use Disabler.kext, which has the following in it's plist.
Code: [Select]
<key>IOKitPersonalities</key>
<dict>
<key>EFINVRAMDisabler</key>
<dict>
<key>CFBundleIdentifier</key>
<string>net.osrom.kext.Disabler</string>
<key>IOClass</key>
<string>Disabler</string>
<key>IOMatchCategory</key>
<string>AppleEFINVRAM</string>
<key>IOProbeScore</key>
<integer>1000</integer>
<key>IOProviderClass</key>
<string>AppleEFIRuntime</string>
<key>IOResourceMatch</key>
<string>efi-runtime</string>
</dict>
<key>EFIRuntimeDisabler</key>
<dict>
<key>CFBundleIdentifier</key>
<string>net.osrom.kext.Disabler</string>
<key>IOClass</key>
<string>Disabler</string>
<key>IOMatchCategory</key>
<string>AppleEFIRuntime</string>
<key>IOProbeScore</key>
<integer>1000</integer>
<key>IOProviderClass</key>
<string>AppleACPIPlatformExpert</string>
<key>IOResourceMatch</key>
<string>ACPI</string>
</dict>
<key>IntelCPUPMDisabler</key>
<dict>
<key>CFBundleIdentifier</key>
<string>net.osrom.kext.Disabler</string>
<key>IOClass</key>
<string>Disabler</string>
<key>IOMatchCategory</key>
<string>AppleIntelCPUPowerManagement</string>
<key>IOProbeScore</key>
<integer>1000</integer>
<key>IOProviderClass</key>
<string>IOResources</string>
<key>IOResourceMatch</key>
<string>IOKit</string>
</dict>
<key>SMCPlatformPluginDisabler</key>
<dict>
<key>CFBundleIdentifier</key>
<string>net.osrom.kext.Disabler</string>
<key>IOClass</key>
<string>Disabler</string>
<key>IOMatchCategory</key>
<string>ACPI_SMC_PlatformPlugin</string>
<key>IOProbeScore</key>
<integer>2000</integer>
<key>IOProviderClass</key>
<string>AppleACPICPU</string>
<key>IOResourceMatch</key>
<string>ACPI</string>
</dict>
</dict>

Superhai

  • VoodooLabs
  • Posts: 102
Re: Firewire security mode problem and IODeviceTree
« Reply #13 on: April 25, 2009, 01:41:05 PM »
I never used it, can you try without disabling applevinvram?

chris789

  • Guest
Re: Firewire security mode problem and IODeviceTree
« Reply #14 on: April 25, 2009, 02:38:53 PM »
I never used it, can you try without disabling applevinvram?

I try. Removed the entry for EFINVRAMDisabler in the Disabler plist.
I see no difference. In both case (before and after) I get:
Code: [Select]
u2c:~ chris$ kextstat -l | grep NVRAM
    8    1 0x0        0x0        0x0        com.apple.iokit.IONVRAMFamily (9.6.0)

Firewire error persists.