sys_patch: Implement RSR handling for root patched Macs

Ref: #1019

CHANGELOG.md

@@ -35,6 +35,10 @@
   - Improved menubar blur
 - Add Nvidia Kepler GOP Driver injection
   - Primarily for GPUs lacking GOPs and can't have a newer VBIOS flashed
+- Resolve Rapid Security Response support for Haswell Macs requiring KDKs
+  - Implemented via:
+    - Userspace: RSRRepair at `/etc/rc.server` (2b1c9e3)
+    - Kernelspace: RSRHelper.kext (cbe1be9)
 - Increment Binaries:
   - OpenCorePkg 0.8.8 - release
   - PatcherSupportPkg 0.8.0 - release

payloads/Config/config.plist

@@ -1545,6 +1545,24 @@
 				<key>PlistPath</key>
 				<string>Contents/Info.plist</string>
 			</dict>
+			<dict>
+				<key>Arch</key>
+				<string>x86_64</string>
+				<key>BundlePath</key>
+				<string>RSRHelper.kext</string>
+				<key>Comment</key>
+				<string>RSRHelper</string>
+				<key>Enabled</key>
+				<false/>
+				<key>ExecutablePath</key>
+				<string>Contents/MacOS/RSRHelper</string>
+				<key>MaxKernel</key>
+				<string></string>
+				<key>MinKernel</key>
+				<string>20.0.0</string>
+				<key>PlistPath</key>
+				<string>Contents/Info.plist</string>
+			</dict>
 		</array>
 		<key>Block</key>
 		<array/>

resources/build/security.py

@@ -41,6 +41,12 @@ def build(self):
             # Lets us check in sys_patch.py if config supports FileVault
             self.config["NVRAM"]["Add"]["4D1FDA02-38C7-4A6A-9CC6-4BCCA8B30102"]["OCLP-Settings"] += " -allow_fv"
 
+            # Patch KC UUID panics due to RSR installation
+            # - Ref: https://github.com/dortania/OpenCore-Legacy-Patcher/issues/1019
+            print("- Enabling KC UUID mismatch patch")
+            self.config["NVRAM"]["Add"]["7C436110-AB2A-4BBB-A880-FE41995C9F82"]["boot-args"] += " -nokcmismatchpanic"
+            support.build_support(self.model, self.constants, self.config).enable_kext("RSRHelper.kext", self.constants.rsrhelper_version, self.constants.rsrhelper_path)
+
         if self.constants.disable_cs_lv is True:
             print("- Disabling Library Validation")
             # In Ventura, LV patch broke. For now, add AMFI arg

resources/constants.py

@@ -79,6 +79,7 @@ def __init__(self):
         self.mce_version = "1.0.0"  #                AppleMCEReporterDisabler
         self.btspoof_version = "1.0.0"  #            Bluetooth-Spoof
         self.aspp_override_version = "1.0.1"  #      ACPI_SMC_PlatformPlugin Override
+        self.rsrhelper_version = "1.0.0"  #          RSRHelper
 
         ## Syncretic
         ## https://forums.macrumors.com/members/syncretic.1173816/
@@ -448,6 +449,10 @@ def autopkg_path(self):
     def cryptexfixup_path(self):
         return self.payload_kexts_path / Path(f"Acidanthera/CryptexFixup-v{self.cryptexfixup_version}-{self.kext_variant}.zip")
 
+    @property
+    def rsrhelper_path(self):
+        return self.payload_kexts_path / Path(f"Acidanthera/RSRHelper-v{self.rsrhelper_version}-{self.kext_variant}.zip")
+
     @property
     def innie_path(self):
         return self.payload_kexts_path / Path(f"Misc/Innie-v{self.innie_version}.zip")
@@ -590,6 +595,10 @@ def ocvalidate_path(self):
     def oclp_helper_path(self):
         return self.payload_path / Path("Tools/OCLP-Helper")
 
+    @property
+    def rsrrepair_userspace_path(self):
+        return self.payload_path / Path("Tools/RSRRepair")
+
     # Icons
     @property
     def app_icon_path(self):

resources/sys_patch/sys_patch.py

@@ -295,6 +295,9 @@ def rebuild_kernel_collection(self):
 
             for file in ["KextPolicy", "KextPolicy-shm", "KextPolicy-wal"]:
                 self.remove_file("/private/var/db/SystemPolicyConfiguration/", file)
+        else:
+            # Install RSRHelper utility to handle desynced KCs
+            sys_patch_helpers.sys_patch_helpers(self.constants).install_rsr_repair_binary()
 
         print("- Successfully built new kernel cache")
         return True

resources/sys_patch/sys_patch_helpers.py

@@ -183,4 +183,24 @@ def remove_news_widgets(self):
         if did_find:
             with open(file_path, "wb") as f:
                 plistlib.dump(data, f, sort_keys=False)
-            subprocess.run(["killall", "NotificationCenter"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+            subprocess.run(["killall", "NotificationCenter"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+
+
+    def install_rsr_repair_binary(self):
+        # With macOS 13.2, Apple implemented the Rapid Security Response System
+        # However Apple added a half baked snapshot reversion system if seal was broken,
+        # which forgets to handle Preboot BootKC syncing
+
+        # Thus this application will try to re-sync the BootKC with SysKC in the event of a panic
+        # Reference: https://github.com/dortania/OpenCore-Legacy-Patcher/issues/1019
+
+        # This is a (hopefully) temporary work-around, however likely to stay.
+        # RSRRepair has the added bonus of fixing desynced KCs from 'bless', so useful in Big Sur+
+
+        if self.constants.detected_os < os_data.os_data.big_sur:
+            return
+
+        print("- Installing RSRRepair userspace utility")
+        result = utilities.elevated([self.constants.rsrrepair_userspace_path, "--install"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+        if result.returncode != 0:
+            print(f"  - Failed to install RSRRepair: {result.stdout.decode()}")