Asus Z690 ProArt Creator WiFi (Thunderbolt 4) + i7-12700K + AMD RX 6800 XT

If you visit the photo gallery at the bottom of the post below, you'll see a couple of photos showing how I replaced this module on my Asus ROG Strix Z690-i Gaming WiFi.
Instead of opening up the MB heatsink and replacing the Intel WiFi, can I not utilize one of the M.2 slots for an M.2 A/E Key NGFF WiFi Card to M.2 Key M Adapter Card?
 

Instead of opening up the MB heatsink and replacing the Intel WiFi, can I not utilize one of the M.2 slots for an M.2 A/E Key NGFF WiFi Card to M.2 Key M Adapter Card?
What about having to route the antennas?
 
Maybe something like this.
s-l1600.jpg
 
Instead of opening up the MB heatsink and replacing the Intel WiFi, can I not utilize one of the M.2 slots for an M.2 A/E Key NGFF WiFi Card to M.2 Key M Adapter Card?
Yes this is an option, but it will require:
  • Routing antenna cables to a PCIe slot bracket such as the one in previous post
  • Connecting USB cable from the adapter to an internal USB 2 header for Bluetooth
 
I would be interested to know if anyone has managed to add full secure boot to macOS and Windows 11 on the Asus Z690 Creator Board.
I managed to do it on macOS, but not on Windows 11. Since I have to select "Boot -> OS Type: Other OS" in the BIOS to get OpenCore working, Secure Boot on Windows 11 doesn't work.
Windows 11 expects the "OS Type: Windows UEFI mode" selection setting in the BIOS to run Secure Boot correctly.
Does anyone have any tips on getting both to run?
 

That is wonderful!

It is a bit tricky to get a working eGPU via Thunderbolt without enabling Thunderbolt Bus in macOS. Some eGPU systems work better than others.

Which external Thunderbolt chassis are you using?
Yeah, it is wonderful. My new AMD Radeon RX 6800 16GB has arrived and my new NVMe Gen 4 SSD will arrive tomorrow; I will finish the HackiLaptopTosh.

I am using the Sonnet eGPU Breakaway Box 750. I am sharing a pic showing my new RX 6800 working :D. The iGPU and dGPU are totally disabled so that just the eGPU works; as I said, if the iGPU or the dGPU are working I get a black screen.


Captura de Pantalla 2022-05-16 a la(s) 13.22.49.png
 
I would be interested to know if anyone has managed to add full secure boot to macOS and Windows 11 on the Asus Z690 Creator Board.
I managed to do it on macOS, but not on Windows 11. Since I have to select "Boot -> OS Type: Other OS" in the BIOS to get OpenCore working, Secure Boot on Windows 11 doesn't work.
Windows 11 expects the "OS Type: Windows UEFI mode" selection setting in the BIOS to run Secure Boot correctly.
Does anyone have any tips on getting both to run?
Yes. This requires you to either
a) use the motherboard GUI to add all the .EFI files from OpenCore as "trusted" so the motherboard's firmware will allow loading of your .EFI in secure boot
b) Use Linux UEFI signing tools to sign all the .efi images from the OpenCore EFI folder with your own private key. Then you need to upload your own PK, KEK, DB to your motherboard. You also need to trust sign Microsoft's UEFI key and 3rd party platform keys.

These are the general steps for b) if you want to do it.

1. Generate PK, KEK, and ISK:
openssl req -new -x509 -newkey rsa:2048 -sha256 -days 365 -subj "/CN=Platform Key" -keyout PK.key -out PK.pem

openssl req -new -x509 -newkey rsa:2048 -sha256 -days 365 -subj "/CN=Key Exchange Key" -keyout KEK.key -out KEK.pem

openssl req -new -x509 -newkey rsa:2048 -sha256 -days 365 -subj "/CN=Image Signing Key" -keyout ISK.key -out ISK.pem
openssl rsa -in ISK.key -out ISK2.key
2. Convert pem to ESL
cert-to-efi-sig-list -g "$(uuidgen)" PK.pem PK.esl

cert-to-efi-sig-list -g "$(uuidgen)" KEK.pem KEK.esl

cert-to-efi-sig-list -g "$(uuidgen)" ISK.pem ISK.esl

3. Convert Microsoft’s public key to ESL
https://go.microsoft.com/fwlink/p/?linkid=321192
openssl x509 -in MicWinProPCA2011_2011-10-19.crt -inform DER -out MSWIN.pem -outform PEM
https://go.microsoft.com/fwlink/p/?linkid=321194
openssl x509 -in MicCorUEFCA2011_2011-06-27.crt -inform DER -out MS3P.pem -outform PEM

cert-to-efi-sig-list -g "$(uuidgen)" MSWIN.pem MSWIN.esl

cert-to-efi-sig-list -g "$(uuidgen)" MS3P.pem MS3P.esl

4. Convert Ubuntu’s cert to ESL (Optional if you want to be able to boot Ubuntu)
Ubuntu’s UEFI cert key is located here: /usr/share/grub/canonical-uefi-ca.crt

openssl x509 -in /usr/share/grub/canonical-uefi-ca.crt -out ubuntu.pem -outform PEM
cert-to-efi-sig-list -g "$(uuidgen)" ubuntu.pem ubuntu.esl

5. Combine self-signed ISK, Microsoft and Ubuntu ESL into 1 DB file:
cat ISK.esl MSWIN.esl MS3P.esl ubuntu.esl > db.esl

6. Sign your ESL file into AUTH format
sign-efi-sig-list -k PK.key -c PK.pem PK PK.esl PK.auth
sign-efi-sig-list -k PK.key -c PK.pem KEK KEK.esl KEK.auth
sign-efi-sig-list -k KEK.key -c KEK.pem db db.esl db.auth

7. Sign your EFI bootloader and EFI drivers with your private key:
sbsign --key ISK.key --cert ISK.pem bootx64.efi
(Do this for all other .efi files that are required by OpenCore.)
Tip: you might want to make a sign.sh script to automate signing all *.efi files inside the OpenCore x64 folder. You will probably want to generate an ISK.key that is not password protected in order to run this script without typing your password over and over.

# Sign every .efi under X64 in place; quoting keeps paths with spaces intact
find X64 -name "*.efi" -type f | while IFS= read -r i; do
    sbsign --key ISK.key --cert ISK.pem --output "$i" "$i"
done

8. Load the PK.auth, KEK.auth, db.auth files from step 6 into the BIOS per motherboard instructions
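
Step 5 can use plain `cat` because each .esl file is a self-delimiting EFI_SIGNATURE_LIST, so several of them back to back form a valid db. The Python sketch below is an added example, not part of the original post: it walks a concatenated db.esl so you can confirm which entries it holds before loading db.auth. The function names `parse_esl` and `make_esl`, the owner GUIDs and the placeholder certificate bytes are constructed for illustration.

```python
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPES = {X509: "X509", SHA256: "SHA256"}
# EFI_SIGNATURE_LIST header: type GUID, list size, header size, signature size.
HEADER = struct.Struct("<16sIII")


def parse_esl(blob):
    """Return [(type_name, owner_guid, data)] for every entry in concatenated ESLs."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError(f"truncated list header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, off)
        body = off + HEADER.size + hdr_size
        end = off + list_size
        if list_size < HEADER.size + hdr_size or end > len(blob):
            raise ValueError(f"bad SignatureListSize at offset {off}")
        # Each entry is a 16-byte owner GUID followed by the signature data.
        if sig_size <= 16 or (end - body) % sig_size:
            raise ValueError(f"bad SignatureSize at offset {off}")
        guid = uuid.UUID(bytes_le=raw_type)
        name = SIG_TYPES.get(guid, str(guid))
        for pos in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((name, owner, blob[pos + 16:pos + sig_size]))
        off = end
    return entries


def make_esl(owner, der):
    """Build one X509 signature list holding a single certificate."""
    sig_size = 16 + len(der)
    header = HEADER.pack(X509.bytes_le, HEADER.size + sig_size, 0, sig_size)
    return header + owner.bytes_le + der


# Constructed sample: placeholder bytes stand in for the DER certificates.
OWNER_ISK, OWNER_MS = uuid.UUID(int=1), uuid.UUID(int=2)
SAMPLE_DB = make_esl(OWNER_ISK, b"ISK-DER-PLACEHOLDER") + make_esl(OWNER_MS, b"MSWIN-DER")

if __name__ == "__main__":
    for kind, owner, data in parse_esl(SAMPLE_DB):
        print(kind, owner, len(data), "bytes")
```

On a real file, pass `open("db.esl", "rb").read()` to `parse_esl` and check that the entry count matches the number of .esl files you concatenated.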
 
Thanks for the guide.
I still haven't found a way to make the .efi files from OpenCore known to the BIOS. Method a) is therefore ruled out at the moment.
That leaves only method b), but I can't find the entry for the ISK key, as mentioned in your general version (see attached image).
 

Thanks for the guide.
I still haven't found a way to make the .efi files from OpenCore known to the BIOS. Method a) is therefore ruled out at the moment.
That leaves only method b), but I can't find the entry for the ISK key, as mentioned in your general version (see attached image).
ISK (Image Signing Key) is your private key which is only used for signing. You don't need to upload ISK to your motherboard. You only upload PK, KEK and DB.
 