
[GUIDE] OpenCore and UEFI Secure Boot using Windows Subsystem for Linux

@Gobias
I think UEFI Secure Boot can be run without vaulting OpenCore, but there is no sense in doing this since it's an incompletely secure way. In the case of vaulting, yes, you're right, it must go after signing OpenCore.
 
Thanks again for this guide! I got UEFI Secure Boot working, but I ran into a few hiccups:
  • Installing WSL from PowerShell only installed it for my admin account, but I wanted to use WSL in my regular user account. To do that, I had to install Ubuntu from the Microsoft Store.
  • Your instructions said to create a working directory called efykeys, but later commands refer to an efikeys directory, which I assume was what you meant.
  • The commands for creating the keys included a space between rsa: and 2048, which prevented the commands from working. I had to delete the space to create the keys.
  • I don't know why, but I couldn't get your version of sign_opencore.sh to work. It kept messing up the naming of the Signed directory for some reason, which led to errors for subsequent commands. I had to download profzei's original sign_opencore.sh file and modify it to include my drivers.
  • You didn't include the command to copy the keys back to Windows, but I figured it out:
    • Bash:
      cp -r /home/me/efikeys/ /mnt/c/Users/yo/Downloads/

I'll try OpenCore vault next.

I also wanted to turn on device encryption in Windows, but it's not available in Settings for me. System Information is also showing a bunch of "Reasons for failed automatic device encryption", so I need to figure out what's going on.
 
@Gobias
  • Installing WSL from PowerShell only installed it for my admin account, but I wanted to use WSL in my regular user account. To do that, I had to install Ubuntu from the Microsoft Store >> I didn't know that, thanks for the info.

  • Your instructions said to create a working directory called efykeys, but later commands refer to an efikeys directory >> my mistake, corrected in the first post, thanks.

  • The commands for creating the keys included a space between rsa: and 2048, which prevented the commands from working. I had to delete the space to create the keys >> my mistake again, corrected in the first post, thanks.

  • I don't know why, but I couldn't get your version of sign_opencore.sh to work. It kept messing up the naming of the Signed directory for some reason, which led to errors for subsequent commands. I had to download profzei's original sign_opencore.sh file and modify it to include my drivers >> I have to check my script, it should not be different, but surely I have some mistake here.

  • You didn't include the command to copy the keys back to Windows >> yes, I didn't see it as necessary, but now reading your post I think it's useful; added to the first post.
Well, the guide is better now with your help. Thanks!
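Since the Signed directory naming is where the signing script went wrong in the exchange above, here is an added example of a sign_opencore-style script (not profzei's script nor the guide author's version) that keeps the destination-path mapping in its own function so it can be checked before anything is signed. It assumes db.key and db.pem were already created with openssl as in the guide, that sbsign and sbverify from the sbsigntool package are installed in the WSL Ubuntu, and that the unsigned EFI tree sits in ~/efikeys; all paths are illustrative.

```shell
#!/bin/sh
# Added example, not profzei's or the guide author's sign_opencore.sh.
# Signs every .efi under an unsigned OpenCore EFI tree with the db key and
# mirrors the layout into a separate Signed directory, so the originals are
# never overwritten and EFI/OC/Drivers/... keeps its relative structure.
#
# Assumptions: db.key and db.pem exist (created with openssl as in the guide),
# and sbsign/sbverify from the sbsigntool package are on PATH. Both tool names
# can be overridden through the environment, e.g. SBSIGN=/opt/bin/sbsign.
SBSIGN=${SBSIGN:-sbsign}
SBVERIFY=${SBVERIFY:-sbverify}

# signed_path SRC_ROOT DST_ROOT FILE
# Print the path that FILE (which must live under SRC_ROOT) gets under DST_ROOT.
# A pure function: the mapping can be checked before anything is signed, and a
# wrong mapping here is what later breaks the copy of Signed/ onto the EFI
# partition.
signed_path() {
    local src_root dst_root file
    src_root=${1%/}
    dst_root=${2%/}
    file=$3
    case "$file" in
        "$src_root"/*)
            printf '%s\n' "$dst_root/${file#"$src_root"/}" ;;
        *)
            printf 'signed_path: %s is not under %s\n' "$file" "$src_root" >&2
            return 1 ;;
    esac
}

# sign_one KEY CERT SRC DST
# Sign SRC into DST, then verify DST against the certificate so a signing
# failure cannot leave an unsigned binary in the Signed tree.
sign_one() {
    local key cert src dst
    key=$1; cert=$2; src=$3; dst=$4
    mkdir -p "$(dirname "$dst")" || return 1
    "$SBSIGN" --key "$key" --cert "$cert" --output "$dst" "$src" || return 1
    "$SBVERIFY" --cert "$cert" "$dst" || return 1
}

# sign_tree KEY CERT SRC_ROOT DST_ROOT
# Sign every .efi below SRC_ROOT (OpenCore.efi, BOOTx64.efi, drivers, tools)
# into DST_ROOT and print the signed paths, one per line. Non-.efi files such
# as config.plist are left alone; copy them over unsigned if the EFI needs them.
sign_tree() {
    local key cert src_root dst_root
    key=$1; cert=$2; src_root=${3%/}; dst_root=${4%/}
    [ -d "$src_root" ] || { echo "sign_tree: no such directory $src_root" >&2; return 1; }
    # The while loop runs in a subshell, so "exit 1" aborts only the loop and
    # becomes the pipeline's (and therefore the function's) return status.
    find "$src_root" -type f -name '*.efi' | sort | while IFS= read -r f; do
        dst=$(signed_path "$src_root" "$dst_root" "$f") || exit 1
        sign_one "$key" "$cert" "$f" "$dst" || exit 1
        printf '%s\n' "$dst"
    done
}

# Typical use from WSL, with the unsigned EFI and the keys in ~/efikeys
# (paths are illustrative):
#   sign_tree ~/efikeys/db.key ~/efikeys/db.pem ~/efikeys/EFI ~/efikeys/Signed/EFI
```

Because sign_tree only ever writes under the destination root and verifies each output with sbverify, a typo in the source path fails loudly instead of producing a half-signed EFI folder; the Signed/EFI tree can then be copied to the EFI partition (or back to Windows via /mnt/c) as a unit.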
 
@Gobias
I see. Let me check it on my PC. I'm not at home. No idea about it. But maybe it has to do with the signing order, vault first or after UEFI?
 
@Gobias
I see. Let me check it on my PC. I'm not at home. No idea about it. But maybe it has to do with the signing order, vault first or after UEFI?
Did you get a chance to look into this?
 
Sorry @Gobias I have been out. Tomorrow I'll try and comment.
 
Deleted.
 
@Gobias
I have created the signing keys. I have embedded the keys in the UEFI firmware (I have done it with Keytool but the process is equally valid with the BIOS menu built-in tools). I have digitally signed the OpenCore files (all with .efi extension). So far so good because macOS boots and runs fine with UEFI Secure Boot enabled.

Now comes the second part: securing macOS with Full Security. I have had an issue because, after generating the ApECID, macOS does not start.

In my opinion, this may be the bug and the fix:
  • I add ApECID to OpenCore
  • boot fails if I don't personalize the boot volume after adding ApECID
  • to personalize the boot volume I have to go to Recovery
  • but the personalization fails if SecureBootModel has a value other than a Mac with a T2 chip: Default or x86legacy do not work, and of course Disabled does not work either. I have configured it to j185 (iMac20, August 1, 2020, macOS 10.15.6 or back), which has a T2 chip
  • with this value of SecureBootModel I was able to personalize the boot volume (note: the output after the command in Recovery Terminal should be Personalization Succeeded)
  • after this, macOS boots fine with UEFI Secure Boot enabled and with Full Security.
Remember that the current status of Apple Secure Boot on Intel-based Macs can be obtained from NVRAM:
Code:
nvram 94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy

If the variable exists, it can be:
  • %02 – Full Security
  • %01 – Medium Security
  • %00 – NoSecurity.
Next step (for today) is vaulting OC. I’ll comment to you after doing it.
 