Building Clover with secure boot

Hi,

I'm looking to make Clover work with secure boot, which means compiling it with the ENABLE_SECURE_BOOT flag and signing all the binaries with a valid key.

Following the fork and instructions here: https://github.com/RehabMan/Clover

What I really want to know at this point is what macros are set for the builds released here:
https://www.tonymacx86.com/resources/clover-uefi-boot-mode-v2-4k-r4586.396/

EDIT: Looks like I can get that with bdmesg:

Build with: [Args: -mc --no-usb -D NO_GRUB_DRIVERS_EMBEDDED -t XCODE8 | -D DISABLE_USB_SUPPORT -D NO_GRUB_DRIVERS_EMBEDDED --conf=/Users/macman/src/edk2/Conf -D USE_BIOS_BLOCKIO -D USE_LOW_EBDA -a X64 -b RELEASE -t XCODE8 -n 9 | OS: 10.13.5 | XCODE: 9.4.1]

I will get the new build signed and try it. Let's see what happens...
 
I've successfully booted Clover under secure boot into macOS.

It was a bit of a hassle, but what I did was follow the instructions here: https://www.rodsbooks.com/efi-bootloaders/secureboot.html for creating my own machine keys, with the Microsoft public key appended to keep Windows happy.
From there, I signed my secure-boot enabled Clover with the key and also signed /System/Library/CoreServices/boot.efi with the same key.

Once that was all done, it works and I'm into macOS with no hassles.

@RehabMan is there a possibility that in future releases of Clover through tonymac, we could have the ENABLE_SECURE_BOOT flag set?
 
I would say if you're not comfortable compiling from source and mucking about with your motherboard certificate chain, then probably not worth the hassle for you.
I did it because I wanted the laptop to dual boot with Windows properly and to keep BitLocker and fingerprint logon - both of which require secure boot.

I didn't know any of it at the start, but I do have a solid understanding of PK auth / encryption
 
It does nothing really in terms of security. For me, it was about allowing Windows secure boot to remain on, which meant I can just boot into macOS without having to go into the BIOS and turn it off.
 
You can use pretty much any Clover build you want. The additional parts of Clover relating to secure boot are to automate the signing system, which I ended up doing manually in Linux.
You basically need to create your own certificate chain for the computer and then sign each of the macOS EFI files with the certificate in order for the UEFI to execute them under secure boot mode.

See post #2 for details on that.
 
Hi MNArnieB,

I tried to access the link https://www.tonymacx86.com/threads/clover-secure-boot.272446/, but it seems that thread has been removed. I tried using the methods you posted in that link before and it worked; however, I forgot the steps for doing that. Could you please provide me some guidance on how to do this?

Thanks.

POGT
 