Security for OCLP (OpenCore Legacy Patcher)

[Omega Mac]

I setup this topic to better handle my own and others side queries instead of adding read and slide overhead to this topic, I wold welcome all contributors to chime in here if and when they can, thank you in advance for your efforts!

Securing unsupported Macs (OCLP) - What is your setup / Best practices?

 

[deeveedee]

One recurring comment by way of caution that I do not fully understand are those who profess to shy away from using banking on a OCLP Mac, how would this be more secure on older browsers on older versions of macOS, since current crop of Bank security measures usually require two factor, thus meaning the need to utilise a second device with Bank app to confirm log in, payment and whatever else, which inevitably will be a phone and most likely an iPhone in OCLP use cases.

When this thread was first created, OCLP Documentation made claims that implied that an OCLP-patched Mac is just as secure as a fully supported Mac. This thread prompted changes to the OCLP documentation, so that this claim is no longer made (in fact, in this very thread, one of the primary OCLP Devs states that an OCLP-patched Mac will never be as secure as a fully-supported Mac). Read the 2nd post in this thread to learn more about initial OCLP claims.

For those who care about security, the comparison to be made is an OCLP-patched Mac running macOS version A to a fully supported Mac running macOS version A. It would be a mistake to assume that an unsupported Mac running macOS Version A with OCLP is just as secure as a fully supported Mac running macOS Version A without OCLP. It would also be a mistake to blindly assume that a Mac that natively runs Ventura (without OCLP) is less secure than the same Mac running Sequoia (later than Ventura) with OCLP. The mistake made by the uninformed will be to assume that a Mac running a later version of macOS is automatically more secure than the same Mac running an older version of macOS. The use case cannot be ignored (e.g., home office Ethernet vs. coffee shop Wi-Fi) for reasons including the following:

• OCLP is software, software has bugs and there is no certification testing of OCLP
• The Wi-Fi framework injected by OCLP into Macs no longer supported after Ventura is "frozen" at Ventura. Combine this with the fact that the patched legacy Wi-Fi Framework in Sonoma, Sequoia and soon Tahoe (which is an old framework extracted from Ventura that is no longer receiving any updates) is a Wi-Fi framework that is not subject to any certification testing. It would be a mistake to believe that one can implement "User Space" protections to remedy Layer-2 vulnerabilities introduced by an out-dated, uncertified Wi-Fi framework.
• The OCLP patches are extracted from older versions of macOS and come with any vulnerabilities that were fixed in later versions of macOS. Thus, the OCLP-patched Mac running Sequoia (for example) may now have old vulnerabilities from Ventura that were fixed in Sequoia. Without certification testing, there's no way to know.
• Many will assume that, because OCLP is open source on GitHub, that it must be secure because everyone is free to view the code. There are numerous vulnerabilities that cannot be tested by inspection. Without certification testing of an OCLP-patched Mac (with disabled SIP and broken APFS seal), there is no way to conduct a proper risk assessment.