Docs: Update FixupAppleEfiImages wording

Docs/Configuration.md5

@@ -1 +1 @@
-b793988590c9e9ddd71ce9318abe5369
+476c1deb24db35e352f1a9fcf36b8374

Docs/Configuration.tex

@@ -1620,22 +1620,20 @@ \subsection{Quirks Properties}\label{booterpropsquirks}
   \texttt{FixupAppleEfiImages}\\
   \textbf{Type}: \texttt{plist\ boolean}\\
   \textbf{Failsafe}: \texttt{false}\\
-  \textbf{Description}: Fix errors in early Mac OS X boot.efi images.
+  \textbf{Description}: Fix permissions and section errors in macOS \texttt{boot.efi} images.
 
-  Modern secure PE loaders will refuse to load \texttt{boot.efi} images from
-  Mac OS X 10.4 to macOS 10.12 due to these files containing \texttt{W\^{}X} errors
-  (in all versions) and illegal overlapping sections (in 10.4 and 10.5 32-bit
-  versions only).
+  Mac OS X \texttt{boot.efi} images contain \texttt{W\^{}X} permissions errors
+  (in all versions) and in very old versions additionally contain illegal overlapping sections
+  (affects 10.4 and 10.5 32-bit versions only). Modern secure PE loaders (including the OpenCore
+  loader in current releases of OpenDuet) will refuse to load these images
+  unless additional mitigations are applied.
 
-  This quirk detects these issues and pre-processes such images in memory,
+  This quirk detects these issues and pre-processes such images in memory
   so that a modern loader will accept them.
 
-  Pre-processing in memory is incompatible with secure boot, as the image loaded
-  is not the image on disk, so you cannot sign files which are loaded in this way
-  based on their original disk image contents.
-  Certain firmware will offer to register the hash of new, unknown images - this would
-  still work. On the other hand, it is not particularly realistic to want to
-  start these early, insecure images with secure boot anyway.
+  If on a system with such a secure loader, this quirk is required to load
+  Mac OS X 10.4 to macOS 10.12, and is required for all newer
+  macOS when \texttt{SecureBootModel} is set to \texttt{Disabled}.
 
   \emph{Note 1}: The quirk is never applied during the Apple secure boot path for
   newer macOS. The Apple secure boot path includes its own separate mitigations
@@ -1652,11 +1650,13 @@ \subsection{Quirks Properties}\label{booterpropsquirks}
       within their filesystem.
     \end{itemize}
 
-  \emph{Note 3}: This quirk is needed for Mac OS X 10.4 to macOS 10.12 (and
-  higher, if Apple secure boot is not enabled), but only when the firmware
-  itself includes a modern, more secure PE COFF image loader. This applies to
-  current builds of OpenDuet, and to OVMF if built from audk source code.
-
+  \emph{Note 3}: Pre-processing in memory is incompatible with secure boot, as the image loaded
+  is not the image on disk, so you cannot sign files which are loaded in this way
+  based on their original disk image contents.
+  Certain firmware will offer to register the hash of new, unknown images - this would
+  still work. On the other hand, it is not particularly realistic to want to
+  start these early, insecure images with secure boot anyway.
+
 \item
   \texttt{ForceBooterSignature}\\
   \textbf{Type}: \texttt{plist\ boolean}\\

Docs/Differences/Differences.tex

@@ -1,7 +1,7 @@
 \documentclass[]{article}
 %DIF LATEXDIFF DIFFERENCE FILE
-%DIF DEL PreviousConfiguration.tex   Fri Aug 16 15:32:06 2024
-%DIF ADD ../Configuration.tex        Fri Aug 16 15:32:06 2024
+%DIF DEL PreviousConfiguration.tex   Tue Sep  3 09:18:54 2024
+%DIF ADD ../Configuration.tex        Sun Sep 29 21:16:14 2024
 
 \usepackage{lmodern}
 \usepackage{amssymb,amsmath}
@@ -118,7 +118,7 @@
 %DIF HYPERREF PREAMBLE %DIF PREAMBLE
 \providecommand{\DIFadd}[1]{\texorpdfstring{\DIFaddtex{#1}}{#1}} %DIF PREAMBLE
 \providecommand{\DIFdel}[1]{\texorpdfstring{\DIFdeltex{#1}}{}} %DIF PREAMBLE
-%DIF LISTINGS PREAMBLE %DIF PREAMBLE
+%DIF COLORLISTINGS PREAMBLE %DIF PREAMBLE
 \RequirePackage{listings} %DIF PREAMBLE
 \RequirePackage{color} %DIF PREAMBLE
 \lstdefinelanguage{DIFcode}{ %DIF PREAMBLE
@@ -1680,22 +1680,28 @@ \subsection{Quirks Properties}\label{booterpropsquirks}
   \texttt{FixupAppleEfiImages}\\
   \textbf{Type}: \texttt{plist\ boolean}\\
   \textbf{Failsafe}: \texttt{false}\\
-  \textbf{Description}: Fix errors in early Mac OS X boot.efi images.
+  \textbf{Description}: Fix \DIFdelbegin \DIFdel{errors in early Mac OS X boot.efi }\DIFdelend \DIFaddbegin \DIFadd{permissions and section errors in macOS }\texttt{\DIFadd{boot.efi}} \DIFaddend images.
 
-  Modern secure PE loaders will refuse to load \texttt{boot.efi} images from
-  Mac OS X 10.4 to macOS 10.12 due to these files containing \texttt{W\^{}X} errors
-  (in all versions) and illegal overlapping sections (in 10.4 and 10.5 32-bit
-  versions only).
+  \DIFdelbegin \DIFdel{Modern secure PE loaders will refuse to load }\texttt{\DIFdel{boot.efi}} %DIFAUXCMD
+\DIFdel{images from
+  }\DIFdelend Mac OS X \DIFdelbegin \DIFdel{10.4 to macOS 10.12 due to these files containing }\DIFdelend \DIFaddbegin \texttt{\DIFadd{boot.efi}} \DIFadd{images contain }\DIFaddend \texttt{W\^{}X} \DIFaddbegin \DIFadd{permissions }\DIFaddend errors
+  (in all versions) and \DIFaddbegin \DIFadd{in very old versions additionally contain }\DIFaddend illegal overlapping sections
+  (\DIFdelbegin \DIFdel{in }\DIFdelend \DIFaddbegin \DIFadd{affects }\DIFaddend 10.4 and 10.5 32-bit versions only). \DIFaddbegin \DIFadd{Modern secure PE loaders (including the OpenCore
+  loader in current releases of OpenDuet) will refuse to load these images
+  unless additional mitigations are applied.
+}\DIFaddend 
 
-  This quirk detects these issues and pre-processes such images in memory,
-  so that a modern loader will accept them.
+  This quirk detects these issues and pre-processes such images in memory
+  \DIFdelbegin \DIFdel{,
+  }\DIFdelend so that a modern loader will accept them.
 
-  Pre-processing in memory is incompatible with secure boot, as the image loaded
+  \DIFdelbegin \DIFdel{Pre-processing in memory is incompatible with secure boot, as the image loaded
   is not the image on disk, so you cannot sign files which are loaded in this way
   based on their original disk image contents.
   Certain firmware will offer to register the hash of new, unknown images - this would
-  still work. On the other hand, it is not particularly realistic to want to
-  start these early, insecure images with secure boot anyway.
+  still work. On the other hand, it is not particularly realistic to want to start these early, insecure images with secure boot anyway}\DIFdelend \DIFaddbegin \DIFadd{If on a system with such a secure loader, this quirk is required to load
+  Mac OS X 10.4 to macOS 10.12, and is required for all newer
+  macOS when }\texttt{\DIFadd{SecureBootModel}} \DIFadd{is set to }\texttt{\DIFadd{Disabled}}\DIFaddend .
 
   \emph{Note 1}: The quirk is never applied during the Apple secure boot path for
   newer macOS. The Apple secure boot path includes its own separate mitigations
@@ -1712,10 +1718,15 @@ \subsection{Quirks Properties}\label{booterpropsquirks}
       within their filesystem.
     \end{itemize}
 
-  \emph{Note 3}: This quirk is needed for Mac OS X 10.4 to macOS 10.12 (and
-  higher, if Apple secure boot is not enabled), but only when the firmware
-  itself includes a modern, more secure PE COFF image loader. This applies to
-  current builds of OpenDuet, and to OVMF if built from audk source code.
+  \emph{Note 3}: \DIFdelbegin \DIFdel{This quirk is needed for Mac OS X 10.4 to macOS 10.12 (and
+  higher, if Apple secure bootis not enabled), but only when the firmware
+  itself includes a modern, more secure PE COFF image loader.
+  This applies to current builds of OpenDuet, and to OVMF if built from audk source code}\DIFdelend \DIFaddbegin \DIFadd{Pre-processing in memory is incompatible with secure boot, as the image loaded
+  is not the image on disk, so you cannot sign files which are loaded in this way
+  based on their original disk image contents.
+  Certain firmware will offer to register the hash of new, unknown images - this would
+  still work. On the other hand, it is not particularly realistic to want to
+  start these early, insecure images with secure boot anyway}\DIFaddend .
 
 \item
   \texttt{ForceBooterSignature}\\