
[HOW TO] SecureBootModel changes in OpenCore 0.7.2

I ran the latest PC Health Check app on Windows and my Z370 build fulfilled the requirements of Windows 11, but UEFI Secure Boot was disabled. If Windows 11 can run without problems when UEFI Secure Boot is capable but disabled, I won’t have any motivation to set anything related to UEFI Secure Boot for OpenCore.
[Attached screenshot: 螢幕擷取畫面 2021-10-01 121528.png]
 
Yes, most of us don't need UEFI Secure Boot if we don't have Windows 11 or Windows 11 can run without problems when UEFI Secure Boot is capable but disabled (in your own words).
The reason to study this further is: a person I know has a laptop provided by his company, for professional and personal use. He likes to have macOS in addition to Windows (pre-installed by default), but the BIOS comes with UEFI Secure Boot enabled and has no option to disable it, and this led me to look for a solution to boot OpenCore with UEFI Secure Boot. I wanted to know if this is possible and how. I know it is possible, but at the moment it is a very hard task, although that person at least can't boot OpenCore with UEFI Secure Boot because, as the BIOS is blocked, it's not possible to shove keys into the firmware.
 
Disabling UEFI Secure Boot may be risky too, like bricking Windows. I attempted to try loading OpenCore on a PC in the office, but I gave up after seeing OC getting blocked with UEFI Secure Boot enabled.
 
It seems that:
  • macOS doesn't support full security on non-T2 Mac models
  • Monterey public beta can't have full security even with ApECID + boot volume personalized, only medium security.
In fact, I can have full security in Big Sur with a T2 SecureBootModel + ApECID, but in Monterey I only have medium security.
 
It seems that:
  • Monterey public beta can't have full security even with ApECID + boot volume personalized, only medium security...
Fixed in the latest OpenCore commits (currently 19aea59), alongside RestrictEvents 466fab9:
  • Monterey can now have full security when using a T2 SecureBootModel and SMBIOS
  • SecureBootModel=Default in Monterey now picks the SMBIOS model.
SMBIOS non-T2 (iMac19,1) + SMB=Default + ApECID non-zero: only medium security.
SMBIOS T2 model (MacPro7,1) + SMB=Default + ApECID non-zero: full security.
This is as expected on real Macs: Macs without T2 only achieve medium security.
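The combinations listed in this post can be checked against a config.plist before rebooting. The script below is an added example, not OpenCore's own code: it parses the plist with Python's standard plistlib and applies the rules reported above (Default picks the SMBIOS model; a non-T2 SMBIOS caps at medium; a T2 model needs a non-zero ApECID for full; Disabled turns Apple Secure Boot off). The T2 model table is an assumption: a starting subset of the SecureBootModel identifiers from OpenCore's Configuration.pdf, to be extended for other models. The `make_config` helper builds a constructed, minimal plist for demonstration and is not a real config.

```python
"""Predict the Apple Secure Boot level a config.plist should give macOS.

Added example, not OpenCore code. Rules follow the thread: SMBIOS T2 model +
SecureBootModel=Default + non-zero ApECID -> full; non-T2 SMBIOS -> medium at
most; Disabled -> no Apple Secure Boot; ApECID=0 -> medium at most.
"""
import plistlib

# Assumed starting subset: SMBIOS product name -> T2 SecureBootModel identifier.
# Taken from OpenCore's Configuration.pdf; extend for other T2 models as needed.
T2_MODELS = {
    "iMacPro1,1": "j137",
    "MacBookPro15,1": "j680",
    "Macmini8,1": "j174",
    "MacBookAir8,1": "j140k",
    "MacPro7,1": "j160",
    "iMac20,1": "j185",
}


def expected_security(config: dict) -> str:
    """Return 'none', 'medium' or 'full' for a parsed config.plist dictionary."""
    security = config.get("Misc", {}).get("Security", {})
    model = security.get("SecureBootModel", "Default")
    apecid = int(security.get("ApECID", 0))
    product = (
        config.get("PlatformInfo", {}).get("Generic", {}).get("SystemProductName", "")
    )

    if model == "Disabled":
        return "none"  # Apple Secure Boot is off entirely

    if model == "Default":
        # Current OpenCore: Default resolves to the SMBIOS model (see the post above).
        effective = T2_MODELS.get(product)
        if effective is None:
            return "medium"  # non-T2 SMBIOS such as iMac19,1 caps at medium
    else:
        effective = model  # explicit identifier such as j160

    if effective == "x86legacy":
        return "medium"  # the non-T2 identifier never reaches full

    # Full security needs a T2 model *and* a non-zero ApECID (personalised volume).
    return "full" if apecid != 0 else "medium"


def expected_security_from_bytes(data: bytes) -> str:
    """Convenience wrapper for raw plist bytes (e.g. open('config.plist','rb').read())."""
    return expected_security(plistlib.loads(data))


def make_config(product: str, model: str = "Default", apecid: int = 0) -> bytes:
    """Build a constructed minimal config.plist containing only the keys inspected."""
    config = {
        "Misc": {"Security": {"SecureBootModel": model, "ApECID": apecid}},
        "PlatformInfo": {"Generic": {"SystemProductName": product}},
    }
    return plistlib.dumps(config)


if __name__ == "__main__":
    # Constructed cases mirroring the two combinations reported in the thread.
    for product, model, apecid in [
        ("iMac19,1", "Default", 12345),
        ("MacPro7,1", "Default", 12345),
        ("MacPro7,1", "Default", 0),
        ("iMac19,1", "Disabled", 0),
    ]:
        level = expected_security_from_bytes(make_config(product, model, apecid))
        print(f"{product} SecureBootModel={model} ApECID={apecid} -> {level}")
```

To check a real file, call `expected_security_from_bytes(open("EFI/OC/config.plist", "rb").read())`; a result of "medium" with a T2 SMBIOS means ApECID is still zero.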
 
Therefore, with OpenCore 0.7.4, and:
  • UEFI Secure Boot disabled
  • TPM 2.0 enabled (fTPM)
Windows on my Z370 build has been upgraded to 11 without any tweak, and it can still receive updates.
[Attached screenshot: 螢幕擷取畫面 2021-10-05 214251a.jpg]

macOS 11 on the separate SSD is unaffected and still lets me write this post.
 
@Bustycat
It's as expected.

I've installed Windows 11 today with the same options you have selected: UEFI Secure Boot disabled (Windows 11 looks for a capable UEFI Secure Boot system) + TPM 2 enabled. I also have PTT enabled, but I don't know if it is mandatory to have TPM 2 enabled. And you're right, in this way macOS boots fine.

I've also tried digitally signing the OpenCore files on an Ubuntu system and enabling UEFI Secure Boot, and both Windows and macOS boot and run fine.

Btw, nice Windows wallpaper :)
 
I also have PTT enabled, but I don't know if it is mandatory to have TPM 2 enabled.
Isn’t PTT an Intel technology for TPM?
 
Isn’t PTT an Intel technology for TPM?
Yes, but what confuses me is that on my mobo I have the 2 options, PTT and TPM2.
 
Yes, but what confuses me is that on my mobo I have the 2 options, PTT and TPM2.

With TPM, I think you have to buy a TPM chip and plug it into your mobo. Then you enable it.

With PTT, this is part of the Intel chipset, so no separate purchase is necessary. In other words, if you have a TPM chip, you can use this, but if you don't, the later generations of the Intel Processors can use PTT.

(That's how I understand the story!)
 