
[GUIDE] OpenCore and UEFI Secure Boot using Windows Subsystem for Linux

@Gobias
Tried and got the same result as you.
Vaulting OC allows booting macOS with Full Security.
Signing OC allows booting macOS with UEFI Secure Boot enabled.
But doing both things, OC doesn't run. I've tried signing first and vaulting afterwards and also vaulting first and signing afterwards. Nah, same result. Fail.
Both tasks change OpenCore.efi in a way that breaks the previous change and OC is detected as corrupted.
I don't have any idea how to fix this. Probably it can't be done currently. We have to select only one of them, vault or UEFI.

secure.png
 
Thank you for trying to troubleshoot this for me! I'm sorry you did all those tests only for it not to work for you either.

I think I figured out the problem. I just re-read a post I had found of someone claiming to get both UEFI Secure Boot and vault working and also the UEFI Secure Boot Troubleshooting section of the OpenCore Configuration manual. I thought they had different and contradicting orders of steps for UEFI Secure Boot and vaulting, but they don't. I had just misread them. This should be the correct order of steps from the Configuration manual (bold parts added by me for clarification):
  1. (In Linux or WSL) Sign ONLY the installed drivers and tools (but not the OpenCore binaries yet) with the private key. Do not sign tools that provide administrative access to the computer, such as UEFI Shell.
  2. (In macOS) Vault the configuration as explained in the Vaulting section.
  3. (Back in Linux or WSL) Sign all OpenCore binaries (BOOTX64.efi, BOOTIa32.efi, OpenCore.efi, custom launchers) used on this system with the same private key.
That's an even more tedious and annoying process than I thought it was, but I'll try it when I get a chance. If I get it to work and continue doing this process in the future, I may start using a Linux virtual machine inside macOS instead of WSL so that I don't have to reboot so many times to switch my OS.

I wish there was a single OpenCore tool that did all of this in one step in macOS, but as you said in your guide, implementing UEFI Secure Boot within OpenCore isn't a high priority. I guess we'll have to keep hoping it comes in a future update.
 
@Gobias
Thanks for the info. I haven't read it. Of course it is an annoying process. I'll try also and comment. But I'm afraid that signing OpenCore.efi and BOOTX64.efi after vaulting changes the files' signatures and, at boot, vault will display the corruption warning.
 
But I'm afraid that signing OpenCore.efi and BOOTX64.efi after vaulting changes the files' signatures and, at boot, vault will display the corruption warning.
I would think so, too, but I'll try and see what happens.
 
But I'm afraid that signing OpenCore.efi and BOOTX64.efi after vaulting changes the files' signatures and, at boot, vault will display the corruption warning.
I tried and got this OpenCore error:

Code:
OC: Configuration requires signed vault but no public key provided!
 
@Gobias

This is what I've done:
  • In order not to have to switch from mac to windows so many times, I have installed an Ubuntu 14.04 virtual machine with UTM
  • On Ubuntu I have digitally signed all OC 0.8.5 .efi files except OpenCore.efi
  • On macOS I have vaulted the EFI folder with the signed files, including the not-yet-signed OpenCore.efi
  • On Ubuntu I have signed the OpenCore.efi file which already has Vault applied
  • Back in macOS I have copied the EFI folder to the EFI partition
  • I have rebooted activating UEFI Secure Boot and... it worked!
So it's just like you said, I hadn't read the OC setup text carefully either.

It is a tedious task. The most boring part is copying files between macOS and Ubuntu. UTM in theory has the option to define a shared folder to exchange files but I have not been able to get it to work. I have used WeTransfer in both mac and linux browsers to send files between both systems. Pretty heavy but at least I've learned how to have Vault and UEFI Secure Boot at the same time.
 
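The two-pass order used in the post above works because of what each step touches. OpenCorePkg's create_vault.sh writes into vault.plist the SHA-256 of every file under EFI/OC except OpenCore.efi, vault.plist and vault.sig; sign.command then signs that list into vault.sig and embeds the RSA public key into OpenCore.efi itself. sbsign appends an Authenticode signature to a PE file, so it changes the file's bytes. Anything the vault hashes must therefore already carry its Secure Boot signature when the vault is created, while OpenCore.efi and the BOOT launchers, which the vault does not hash, can be signed afterwards. One caveat: the OpenCore.efi signed in the second pass must be the very binary that sign.command wrote the key into; a fresh copy from the release zip has no embedded key, which is the likely cause of a "no public key provided" message with Vault set to Secure. The script below is an added example for this thread, not code from either poster or from OpenCorePkg. It drives the two passes and reproduces the vault's file selection so you can check which files a given change would affect. It assumes sbsign and sbverify from sbsigntools are on the PATH, that the key/certificate pair is the one whose certificate you enrolled in the firmware's db, and that the EFI folder has been copied to the Linux side as the last argument.

```shell
#!/bin/sh
# Two-pass UEFI Secure Boot signing around OpenCore vaulting (added example).
#   Pass 1 (Linux/WSL): sign drivers and tools, not OpenCore.efi / BOOT*.efi,
#                       and never OpenShell.efi (an admin tool).
#   Vault (macOS):      create_vault.sh + sign.command on EFI/OC.
#   Pass 2 (Linux/WSL): sign OpenCore.efi and the BOOT* launchers only.
# Assumed tools: sbsign/sbverify (sbsigntools), sha256sum or shasum, find.

# Pass 1 targets: every .efi below the EFI dir except the OpenCore binaries
# (signed later) and the UEFI shell (never signed: it would let anyone run
# arbitrary code under your Secure Boot signature).
pass1_targets() { # efidir
    find "$1" -type f -iname '*.efi' \
        ! -iname 'OpenCore.efi' ! -iname 'BOOTx64.efi' ! -iname 'BOOTIa32.efi' \
        ! -iname 'OpenShell.efi' | sort
}

# Pass 2 targets: the binaries the vault does not hash, signed after vaulting.
pass2_targets() { # efidir
    find "$1" -type f \( -iname 'OpenCore.efi' -o -iname 'BOOTx64.efi' \
        -o -iname 'BOOTIa32.efi' \) | sort
}

sha256_of() { # file -> "hash  file"
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

# Same file selection create_vault.sh uses for vault.plist: everything under
# EFI/OC except hidden files, vault.* and OpenCore.efi. Prints one
# "sha256  relative/path" line per file, so two runs can be diffed.
vault_manifest() { # efidir
    ( cd "$1/OC" || exit 1
      find . -type f ! -iname '.*' ! -iname 'vault.*' ! -iname 'OpenCore.efi' \
        | sed 's|^\./||' | sort | while IFS= read -r f; do sha256_of "$f"; done )
}

# Sign one PE image in place and verify it against the certificate.
# DRY_RUN=1 only lists what would be signed.
sign_one() { # key cert file
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "would sign: $3"; return 0; fi
    sbsign --key "$1" --cert "$2" --output "$3.tmp" "$3" \
        && mv "$3.tmp" "$3" \
        && sbverify --cert "$2" "$3"
}

# sign_pass 1|2 key cert efidir
sign_pass() {
    case "$1" in
        1) list=$(pass1_targets "$4") ;;
        2) list=$(pass2_targets "$4") ;;
        *) echo "usage: sign_pass 1|2 key cert efidir" >&2; return 2 ;;
    esac
    printf '%s\n' "$list" | while IFS= read -r f; do
        [ -z "$f" ] && continue
        sign_one "$2" "$3" "$f" || exit 1
    done
}

# Typical sequence (paths are placeholders for your own key and certificate):
#   DRY_RUN=1 sh sign_two_pass.sh 1 db.key db.crt ./EFI   # preview pass 1
#   sh sign_two_pass.sh 1 db.key db.crt ./EFI              # pass 1
#   vault_manifest ./EFI > before.txt                      # snapshot
#   ... copy ./EFI to macOS, run create_vault.sh and sign.command, copy back ...
#   sh sign_two_pass.sh 2 db.key db.crt ./EFI              # pass 2
#   vault_manifest ./EFI | diff before.txt -               # must be identical
if [ $# -eq 4 ]; then sign_pass "$@"; fi
```

The final diff is the check worth keeping: after pass 2 the manifest must be byte-for-byte the same as before vaulting, which is exactly the property the vault verifies at boot. If it differs, a hashed file was modified after the vault was created and OpenCore will report the configuration as corrupted.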
I tried and got this OpenCore error:

Code:
OC: Configuration requires signed vault but no public key provided!
I haven't got any error after doing what I posted before.
Did you do the steps as me?
 
I haven't got any error after doing what I posted before.
Did you do the steps as me?
Not exactly. I'm still using OC 0.8.4 and WSL, and I followed the steps I outlined above:
  1. (In Linux or WSL) Sign ONLY the installed drivers and tools (but not the OpenCore binaries yet) with the private key. Do not sign tools that provide administrative access to the computer, such as UEFI Shell.
  2. (In macOS) Vault the configuration as explained in the Vaulting section.
  3. (Back in Linux or WSL) Sign all OpenCore binaries (BOOTX64.efi, BOOTIa32.efi, OpenCore.efi, custom launchers) used on this system with the same private key.


  • On Ubuntu I have digitally signed all OC 0.8.5.efi files except OpenCore.efi
  • On macOS I have vaulted the EFI folder with the signed files, including OpenCore.efi not signed yet
  • On Ubuntu I have signed the OpenCore.efi file which already has Vault applied
So you signed BOOTx64.efi and OpenShell.efi before vaulting and then only signed OpenCore.efi after vaulting? Does OpenShell still work? The Configuration guide said not to "sign tools that provide administrative access to the computer, such as UEFI Shell."

I might start over with an Ubuntu virtual machine and OC 0.8.5 and follow your steps.
 
@Gobias
OC 0.8.4 or 0.8.5 are the same for this task. Version doesn't matter.
OpenCore.efi is the only file I have signed in a second pass after vaulting, all other files have been signed before vaulting. I see that the OC configuration talks about UEFI Shell but at least in my case all has worked fine delaying the signing of only OpenCore.efi.
OpenShell runs fine, I've tried it, no problem. Also OpenCanopy, ResetNvram and ToggleSIP work and they have also been signed before vaulting.
 
@Gobias
Maybe you have a preferred app for virtual machines on macOS. I didn't have one and UTM (QEMU based) has been quite easy to install.
The Ubuntu 14.04 VM available to download and use as-is has also made my job a lot easier because I didn't have to install the system onto the VM from an ISO image.
UTM is free software and costs nothing.
In a short time you have Ubuntu on the macOS Desktop so you don't have to restart your PC several times.
The drawback that I have already mentioned is that of the file exchange between VM and macOS.
The clipboard is shared, at least you can copy text from one to another.

utm-ubuntu.png
 