
[GUIDE] OpenCore and UEFI Secure Boot using Windows Subsystem for Linux

Motherboard UEFI firmware has a Secure Boot capability: when it is enabled, the firmware only executes boot loaders (and the drivers and tools they ask the firmware to load) whose digital signature chains to a certificate enrolled in the firmware's authorized signature database (db). With UEFI Secure Boot enabled:
- Windows can boot, because the firmware ships with Microsoft's certificates in db (sometimes also certificates from the motherboard manufacturer).
- OpenCore, and with it macOS, cannot boot: the OpenCore .efi files are not signed with any key the firmware trusts. To fix this we must generate our own keys, enroll them in the firmware and sign the OpenCore files with them, and the tools for that exist only on Linux. This is the reason why we currently run OpenCore and macOS with UEFI Secure Boot disabled.

This text is based on the guides by sakaki, Ubuntu, khronokernel and profzei.
sakaki and Ubuntu discuss how to boot Linux with UEFI Secure Boot enabled, while khronokernel and profzei refer specifically to OpenCore and macOS. The 4 guides agree on the need to do it from a Linux system, since the required tools (efitools and sbsigntool) do not exist for macOS. The Linux system required to sign OpenCore files can be a significant inconvenience because of the work involved in installing and configuring it (either on a separate disk or in a virtual machine). Once in Linux, everything is done from Terminal, so most of the installed system is not really necessary.

This task can be simplified thanks to a not widely used feature of Windows 10 (build 18917 or later) and Windows 11: Windows Subsystem for Linux (WSL), which boots a genuine Ubuntu image provided by Canonical. This makes it possible to execute commands natively in a Bash terminal within a Windows environment that behaves like Linux.
This guide proposes enabling UEFI Secure Boot with OpenCore from Windows 11 with WSL installed, so installing and configuring a complete Linux system is not necessary. Some knowledge of basic Linux commands is still required, but less time and effort. In the Microsoft Store there are other Linux distributions available to install within WSL; it is even possible to have more than one, and they can be managed with the WSL Manager app.

Installing WSL from command line (Ubuntu distro by default)

Open PowerShell as Administrator
Run the wsl --install command:
Code:
PS C:\Users\miliuco> wsl --install
Installing: Virtual Machine Platform
Virtual Machine Platform has been installed.
Installing: Windows Subsystem for Linux
Windows Subsystem for Linux has been installed.
Downloading: WSL Kernel
Installing: WSL Kernel
WSL Kernel has been installed.
Downloading: GUI App Technical Support
Installing: GUI application technical support
GUI Application Support has been installed.
Downloading: Ubuntu
The requested operation was successful. The changes will take effect after the system reboots.
After the reboot, Ubuntu finishes installing and asks for a username and password (they are not related to the ones you use in Windows). This will be the default account: it logs in automatically into its home folder and it is a member of the sudo group, so it can run commands with sudo.
WSL boots from the Ubuntu icon in the application menu or by typing ubuntu in a command line window. A Bash Terminal window is shown with the prompt in our user folder.
Windows disks are accessible in the paths /mnt/c, /mnt/d and so on. The Linux file system is accessible from Windows Explorer >> Linux. It is not recommended to modify Ubuntu files from Windows Explorer; it is preferable to do it from within WSL.
If at any time you forget the Linux password >> open PowerShell >> wsl -u root (opens Ubuntu as root, no password asked) >> passwd <user> >> enter the new password twice >> exit. Keep in mind what this implies: any Windows account that can run wsl gets root inside the distro, so the Linux password and file permissions protect the key files we are going to create only from other Linux users, not from the Windows side.

Note: you can install Ubuntu from Microsoft Store to get a fully functional WSL without the need of PowerShell commands.

Installing the tools

In the Ubuntu Terminal window:
sudo apt update && sudo apt upgrade
(to update repositories of installation packages)
sudo apt-get install unzip
(unzip is not installed by default with WSL Ubuntu, zip utility is already installed)
sudo apt-get install sbsigntool
(digital signature utility for UEFI Secure Boot)
sudo apt-get install efitools
(tools to manage UEFI Secure Boot variables)
The openssl tool is also required but it is already installed on Ubuntu.
If we want to see the packages already installed in Ubuntu we can use the command: apt list --installed.

Creating the keys to enroll in the firmware and sign OpenCore

Create a working dir:
mkdir efikeys
cd efikeys


Create PK (Platform Key):
openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes -subj "/CN=NAME PK Platform Key/" -keyout PK.key -out PK.pem
Create KEK (Key Exchange Key):
openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes -subj "/CN=NAME KEK Exchange Key/" -keyout KEK.key -out KEK.pem
Create ISK (Initial Supplier Key):
openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes -subj "/CN=NAME ISK Image Signing Key/" -keyout ISK.key -out ISK.pem
Note: replace NAME with something characteristic that helps you to recognize the keys when you view them in the UEFI menu, for example KEYS2021.
Each key has a different job: PK is the owner of the platform and the only key that can authorize changes to KEK; KEK authorizes changes to db (and dbx); ISK goes into db and is the key that actually signs the .efi files. Each .key file is the private half and each .pem the matching self-signed certificate. The -nodes option writes the private keys unencrypted, so they must be protected.

Restrict the private key files to the owner:
chmod 0600 *.key

Download the Microsoft certificates: Microsoft Corporation UEFI CA 2011 (file MicCorUEFCA2011_2011-06-27.crt) and Microsoft Windows Production PCA 2011 (file MicWinProPCA2011_2011-10-19.crt), available from Microsoft's Secure Boot key documentation. Check their fingerprints against the values Microsoft publishes before using them: whatever goes into db will be trusted to boot the machine.
Copy the certificates from the Windows Downloads folder to the working folder (here yo is the Windows user name and me the Linux user name; replace them with yours):
cp /mnt/c/Users/yo/Downloads/MicCorUEFCA2011_2011-06-27.crt /home/me/efikeys/
cp /mnt/c/Users/yo/Downloads/MicWinProPCA2011_2011-10-19.crt /home/me/efikeys/


Convert the Microsoft certificates from DER to PEM format:
openssl x509 -in MicWinProPCA2011_2011-10-19.crt -inform DER -out MicWinProPCA2011_2011-10-19.pem -outform PEM
openssl x509 -in MicCorUEFCA2011_2011-06-27.crt -inform DER -out MicCorUEFCA2011_2011-06-27.pem -outform PEM


Convert the PEM certificates to ESL (EFI Signature List) format suitable for UEFI Secure Boot. The -g option sets the owner GUID stored with each entry; any UUID works, and using the same one for all your own entries makes them easy to identify later:
cert-to-efi-sig-list -g $(uuidgen) PK.pem PK.esl
cert-to-efi-sig-list -g $(uuidgen) KEK.pem KEK.esl
cert-to-efi-sig-list -g $(uuidgen) ISK.pem ISK.esl
cert-to-efi-sig-list -g $(uuidgen) MicWinProPCA2011_2011-10-19.pem MicWinProPCA2011_2011-10-19.esl
cert-to-efi-sig-list -g $(uuidgen) MicCorUEFCA2011_2011-06-27.pem MicCorUEFCA2011_2011-06-27.esl


Create the database (db) including our ISK and the Microsoft certificates:
cat ISK.esl MicWinProPCA2011_2011-10-19.esl MicCorUEFCA2011_2011-06-27.esl > db.esl

Digitally sign the ESL files. The result is an .auth file (the ESL wrapped in a timestamp and a PKCS#7 signature) that the firmware accepts as an authenticated update of the variable, provided the signer is already trusted: PK signs itself, PK signs KEK and KEK signs db.
1. PK is signed with itself:
sign-efi-sig-list -k PK.key -c PK.pem PK PK.esl PK.auth
Timestamp is 2021-11-2 00:05:40
Authentication Payload size 887
Signature of size 1221
Signature at: 40

2. KEK is signed with PK:
sign-efi-sig-list -k PK.key -c PK.pem KEK KEK.esl KEK.auth
Timestamp is 2021-11-2 00:05:47
Authentication Payload size 891
Signature of size 1221
Signature at: 40

3. The database is signed with KEK:
sign-efi-sig-list -k KEK.key -c KEK.pem db db.esl db.auth
Timestamp is 2021-11-2 00:05:52
Authentication Payload size 4042
Signature of size 1224
Signature at: 40


The .auth files (PK.auth, KEK.auth and db.auth) will be used to enroll our keys in the firmware. Copy only these three files to a folder outside Ubuntu so that they are accessible from Windows.
The ISK.key and ISK.pem files will be used to sign OpenCore files. PK.key and KEK.key are not needed again for signing, but keep them (and a backup) in a safe place: they are what lets you change KEK or db in the future, for example to add another certificate or to rotate ISK, and anyone who obtains them can enroll their own signing key in your firmware. Private keys (.key) should never be copied to the USB stick or to the EFI partition.
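To check what a .esl or .auth file contains before enrolling it (for example, that db.esl really holds exactly the ISK and the two Microsoft certificates and nothing else), here is a small inspector written for this guide in Python, which WSL Ubuntu already ships as python3. It is an added example, not part of efitools or OpenCore: it parses the EFI_SIGNATURE_LIST and EFI_VARIABLE_AUTHENTICATION_2 layouts from the UEFI specification. The certificate bytes and owner GUID used in its built-in demo are constructed placeholders, not real certificates, and the file name esl_inspect.py is an assumption.

```python
"""Inspect UEFI Secure Boot .esl and .auth payloads (added example, not efitools code)."""
import hashlib
import struct
import sys
import uuid

# GUIDs from the UEFI specification
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}


def make_esl(sig_type, owner, payloads):
    """Build one EFI_SIGNATURE_LIST (what cert-to-efi-sig-list -g <owner> does for a cert)."""
    if len({len(p) for p in payloads}) != 1:
        raise ValueError("all entries of one list must have the same size")
    sig_size = 16 + len(payloads[0])                       # owner GUID + SignatureData
    body = b"".join(owner.bytes_le + p for p in payloads)  # EFI_GUID uses the little-endian layout
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


def parse_esl(blob):
    """Return [(type, owner_guid, data), ...] for a blob of concatenated lists (like db.esl)."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=bytes(blob[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        pos, end = off + 28 + hdr_size, off + list_size
        if end > len(blob) or pos > end or sig_size < 16 or (end - pos) % sig_size:
            raise ValueError("inconsistent sizes in list at offset %d" % off)
        while pos < end:
            owner = uuid.UUID(bytes_le=bytes(blob[pos:pos + 16]))
            data = bytes(blob[pos + 16:pos + sig_size])
            entries.append((TYPE_NAMES.get(sig_type, str(sig_type)), owner, data))
            pos += sig_size
        off = end
    return entries


def split_auth(blob):
    """Split an .auth file into (timestamp string, PKCS#7 bytes, ESL payload).
    Layout: EFI_TIME (16 bytes) + WIN_CERTIFICATE_UEFI_GUID (dwLength covers its 24
    header bytes plus the signature) + the EFI_SIGNATURE_LIST(s) being installed."""
    year, month, day, hour, minute, sec = struct.unpack_from("<HBBBBB", blob, 0)
    dw_len, _rev, ctype = struct.unpack_from("<IHH", blob, 16)
    cert_type = uuid.UUID(bytes_le=bytes(blob[24:40]))
    if ctype != WIN_CERT_TYPE_EFI_GUID or cert_type != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("not a PKCS#7 authenticated variable payload")
    stamp = "%04d-%02d-%02d %02d:%02d:%02d" % (year, month, day, hour, minute, sec)
    return stamp, bytes(blob[40:16 + dw_len]), bytes(blob[16 + dw_len:])


def make_auth(timestamp, pkcs7, esl):
    """Inverse of split_auth; used only to build a demo payload (the PKCS#7 blob is not checked)."""
    efi_time = struct.pack("<HBBBBB", *timestamp) + bytes(9)
    hdr = struct.pack("<IHH", 24 + len(pkcs7), 0x0200, WIN_CERT_TYPE_EFI_GUID)
    return efi_time + hdr + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + pkcs7 + esl


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def fingerprints(esl_blob):
    """SHA-256 of every x509 entry; compare with openssl x509 -fingerprint -sha256 (ignore colons/case)."""
    return [sha256_hex(d) for t, _, d in parse_esl(esl_blob) if t == "x509"]


# Constructed demo data: placeholder bytes standing in for ISK.pem and one Microsoft
# certificate (not real DER), plus one SHA-256 hash entry of the kind found in dbx.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")   # what -g $(uuidgen) would supply
SAMPLE_ISK = b"\x30\x82\x01\x00" + b"I" * 60
SAMPLE_MS = b"\x30\x82\x02\x00" + b"M" * 90
SAMPLE_HASH = hashlib.sha256(b"constructed-revoked-binary").digest()


def sample_db_esl():
    """Equivalent of cat ISK.esl MS.esl hash.esl > db.esl with the placeholder entries."""
    return (make_esl(EFI_CERT_X509_GUID, OWNER, [SAMPLE_ISK])
            + make_esl(EFI_CERT_X509_GUID, OWNER, [SAMPLE_MS])
            + make_esl(EFI_CERT_SHA256_GUID, OWNER, [SAMPLE_HASH]))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        if sys.argv[1].endswith(".auth"):
            stamp, p7, data = split_auth(data)
            print("timestamp %s, PKCS#7 signature of %d bytes at offset 40" % (stamp, len(p7)))
    else:  # no argument: inspect the constructed demo payload
        _, _, data = split_auth(make_auth((2021, 11, 2, 0, 5, 52), b"\x30\x80demo", sample_db_esl()))
    for kind, owner, payload in parse_esl(data):
        print("%-6s owner=%s %s" % (kind, owner, sha256_hex(payload) if kind == "x509" else payload.hex()))
```

Run python3 esl_inspect.py db.auth (or db.esl) to list the entries; the SHA-256 printed for each x509 entry should match the output of openssl x509 -in MicWinProPCA2011_2011-10-19.pem -noout -fingerprint -sha256 for the corresponding certificate. The "Signature at: 40" offset that sign-efi-sig-list prints is exactly the 16-byte EFI_TIME plus the 24-byte WIN_CERTIFICATE_UEFI_GUID header the parser skips, and "Authentication Payload size" is the length of the ESL part returned by split_auth.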

Signing OpenCore files

Every file with .efi extension that the firmware is asked to load must be signed: BOOTx64.efi (started by the firmware), OpenCore.efi, and all the Drivers and Tools listed in config.plist (the firmware's LoadImage applies the same Secure Boot check to each of them). One unsigned driver is enough to get an access denied error.

Create working directory:
mkdir oc

Copy ISK.key and ISK.pem to the oc folder:
cp ISK.key ISK.pem oc
cd oc


User profzei has a script, sign_opencore.sh, that automates this process: create the required folders, download and unzip the current OpenCore version (0.8.4 at the time of writing), download HfsPlus.efi, check that the ISK key and certificate are present, digitally sign the files and copy them to the Signed folder. The script must be in the oc folder next to ISK.key and ISK.pem. It is slightly modified by me to suit my needs; you can also modify it to your liking. Check the drivers and tools that you use and add to the signing part of the script those that are not currently included. Copy this text into a text editor and save it with the name sign_opencore.sh (you can do it on Windows):
Bash:
#!/bin/bash
# Copyright (c) 2021 by profzei
# Licensed under the terms of the GPL v3
# Usage: bash ./sign_opencore.sh <OpenCore release zip URL> <version>

set -euo pipefail

LINK=$1
# https://github.com/acidanthera/OpenCorePkg/releases/download/0.8.4/OpenCore-0.8.4-RELEASE.zip
VERSION=$2
# 0.8.4

# The signing key and certificate must be next to this script; stop if they are not
for f in ISK.key ISK.pem; do
    if [ ! -f "./$f" ]; then
        echo "$f not found in $(pwd), aborting" >&2
        exit 1
    fi
done

mkdir -p Signed/Drivers Signed/Tools

# Download and unzip OpenCore (only the X64 build is needed)
wget "$LINK"
unzip "OpenCore-${VERSION}-RELEASE.zip" "X64/*" -d "./Downloaded"
rm "OpenCore-${VERSION}-RELEASE.zip"

# Download HfsPlus
wget https://github.com/acidanthera/OcBinaryData/raw/master/Drivers/HfsPlus.efi -O ./Downloaded/HfsPlus.efi

# Sign one file with ISK and verify the signature against ISK.pem before keeping it
sign() {
    sbsign --key ISK.key --cert ISK.pem --output "$2" "$1"
    sbverify --cert ISK.pem "$2"
}

# Boot loader and OpenCore itself
sign ./Downloaded/X64/EFI/BOOT/BOOTx64.efi ./Signed/BOOTx64.efi
sign ./Downloaded/X64/EFI/OC/OpenCore.efi ./Signed/OpenCore.efi
# Drivers: add here every driver listed in your config.plist
sign ./Downloaded/X64/EFI/OC/Drivers/OpenRuntime.efi ./Signed/Drivers/OpenRuntime.efi
sign ./Downloaded/X64/EFI/OC/Drivers/OpenCanopy.efi ./Signed/Drivers/OpenCanopy.efi
sign ./Downloaded/X64/EFI/OC/Drivers/AudioDxe.efi ./Signed/Drivers/AudioDxe.efi
sign ./Downloaded/HfsPlus.efi ./Signed/Drivers/HfsPlus.efi
# Tools
sign ./Downloaded/X64/EFI/OC/Tools/OpenShell.efi ./Signed/Tools/OpenShell.efi

# Clean
rm -rf Downloaded
echo "Cleaned..."

Copy it into the oc folder:
cp /mnt/c/Users/yo/Downloads/sign_opencore.sh /home/me/efikeys/oc

This script needs 2 parameters to be run: the OpenCore download link and the version number. For example, with version 0.8.4 (current):
bash ./sign_opencore.sh https://github.com/acidanthera/OpenCorePkg/releases/download/0.8.4/OpenCore-0.8.4-RELEASE.zip 0.8.4

At the end we will have in the Signed folder the OpenCore .efi files digitally signed with our own key. Copy only the Signed folder (not the whole efikeys folder, which contains the private keys) to a location outside Ubuntu that is accessible from Windows and/or macOS, and put the signed files in the OpenCore EFI folder replacing the ones with the same name:
cp -r /home/me/efikeys/oc/Signed /mnt/c/Users/yo/Downloads/
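Before enabling Secure Boot it is worth sweeping the whole EFI folder for any .efi file that is still unsigned; a driver or tool added to config.plist but not to the script is the usual cause of an access denied error at boot. The following script is an added example written for this guide, not part of OpenCore or sbsigntool: it reads the PE header of each .efi file and reports those whose certificate table is empty. A present signature is not proof that it chains to a certificate in db (for that use sbverify --cert ISK.pem <file>), but a missing one is a sure failure. The sample EFI tree it builds when run without arguments is constructed placeholder data, not real binaries, and the file name check_unsigned.py is an assumption.

```python
"""Find .efi files without an Authenticode signature (added example, not OpenCore code)."""
import os
import struct
import sys
import tempfile

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # index of the certificate table data directory
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def signatures_in_pe(data):
    """Return [(revision, type, pkcs7_bytes), ...] attached to a PE image.
    An empty list means the firmware will refuse to load the file under Secure Boot."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 24                        # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x20B:                           # PE32+, the format of x64 UEFI binaries
        dd_off = opt_off + 112
    elif magic == 0x10B:                         # PE32 (ia32 binaries)
        dd_off = opt_off + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # For the security directory the "RVA" field is a plain file offset
    cert_off, cert_size = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sigs, end = [], cert_off + cert_size
    while cert_off and cert_off + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", data, cert_off)
        if length < 8 or cert_off + length > len(data):
            raise ValueError("corrupt WIN_CERTIFICATE at 0x%x" % cert_off)
        sigs.append((rev, ctype, bytes(data[cert_off + 8:cert_off + length])))
        cert_off += (length + 7) & ~7            # entries are 8-byte aligned
    return sigs


def unsigned_efi_files(root):
    """Walk an EFI folder; return relative paths (with /) of .efi files carrying no signature."""
    missing = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".efi"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as f:
                    if not signatures_in_pe(f.read()):
                        missing.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(missing)


def build_sample_pe(signed):
    """Constructed minimal PE32+ image (no sections, no code) for offline testing.
    With signed=True a WIN_CERTIFICATE holding a dummy blob (not real PKCS#7) is appended."""
    image = bytearray(64)                        # DOS header
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 64)      # e_lfanew
    image += b"PE\0\0"
    image += struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)   # COFF header, x64
    opt = bytearray(240)                         # PE32+ optional header with 16 data dirs
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)         # NumberOfRvaAndSizes
    image += opt
    if signed:
        blob = b"\x30\x80dummy-pkcs7"
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        struct.pack_into("<II", image, 88 + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, len(image), len(cert))
        image += cert
    return bytes(image)


def demo_tree():
    """Constructed EFI folder: two signed files, one unsigned driver, one non-PE file."""
    root = tempfile.mkdtemp()
    layout = {"BOOT/BOOTx64.efi": True, "OC/OpenCore.efi": True,
              "OC/Drivers/AudioDxe.efi": False, "OC/config.plist": None}
    for rel, signed in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"<plist/>" if signed is None else build_sample_pe(signed))
    return root


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else demo_tree()   # e.g. the mounted EFI folder
    for rel in unsigned_efi_files(root):
        print("UNSIGNED:", rel)
```

Run it as python3 check_unsigned.py /mnt/d/EFI (path assumed) against the mounted EFI folder; it prints UNSIGNED: followed by the relative path of every offending file, and prints nothing when all .efi files carry a signature.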

Include signatures into the firmware

The final step is to enroll the signature files into the firmware, replacing the existing variables:
  • db.auth >> Authorized Signatures (db)
  • KEK.auth >> Key Exchange Keys (KEK)
  • PK.auth >> Platform Key (PK).
This can be done in 2 ways: from the configuration menu of the motherboard or with the specialized tool KeyTool. In both cases the order is db, then KEK, then PK: the PK is the key that anchors the others and the one that puts the firmware into enforcing (user) mode, so it goes last.

BIOS

In the Secure Boot section there are usually options to restore default factory keys or to edit variables separately. On my motherboard (Z390 Aorus Elite) this menu is in Boot >> Secure Boot tab >> Key Management.
If you have modified the key stores before (if it is not the first time it's done) it is highly recommended, to avoid errors, to restore the default factory keys before adding the new ones >> Restore Factory Keys >> Install factory defaults >> Yes.

(screenshot: Restore Factory Keys)

Now you can edit the keys. Select the variable that you are going to modify in this order: Authorized Signatures >> Key Exchange Keys >> Platform Key (PK). In each variable you can see details, export it, update it (replace), add it to the existing ones or delete it. For example, with Authorized Signatures, options menu is Details / Export / Update / Append / Delete.

(screenshot: DB options)

To replace one variable with another: select Update >> search in the USB device >> locate and select db.auth >> this database of allowed signatures replaces the current one. Likewise with Append if you want to add it to the existing one instead of replacing it. You can use Append with db.auth and KEK.auth but PK.auth only allows replacement. Note that Update with db.auth removes the factory entries, so the Microsoft certificates we included in db.esl are what keeps Windows bootable; if you had left them out of db.esl, use Append instead of Update.
To see the details, select Details >> variable's details are displayed.
In the example of Authorized Signatures, after adding db.auth I see 4 authorized signatures: the one I created (ISK Image Signing Key), the two from Microsoft to be able to boot Windows with UEFI Secure Boot enabled and the one from Canonical (extracted from the Ubuntu shimx64.efi file with the shim-to-cert.tool tool included in OpenCore) to also be able to boot Ubuntu (in a separate disk, not in WSL) with UEFI Secure Boot.

(screenshot: DB details)

KeyTool

KeyTool is included in the efitools Linux package; you can find it in /usr/share/efitools/efi/KeyTool.efi. Copy KeyTool.efi with the name bootx64.efi into the EFI\BOOT folder of a USB device (formatted as FAT32 with an MBR partition table), which is the path the firmware looks for on removable media. The USB device must also contain db.auth, KEK.auth and PK.auth (for example next to the EFI folder; KeyTool lets you browse the device for them). Two things to keep in mind: KeyTool.efi itself is not signed with a key in the factory db, so if the firmware refuses to start it, disable Secure Boot temporarily for this step; and KeyTool writes the variables through the normal SetVariable interface, so db.auth and KEK.auth signed with your own keys are only accepted while the firmware is in setup mode (PK cleared, usually via the firmware option to clear or delete the Secure Boot keys). Enrolling PK.auth last is what takes the firmware back to user mode.
When booting from this USB, the graphical interface of the tool is launched. When KeyTool starts we see a menu with the options Save Keys / Edit Keys / Execute Binary / Exit. Click on Edit Keys.

(screenshot: KeyTool main menu)

Select the variable that you are going to modify in this order: The Allowed Signature Database (db) >> The Key Exchange Keys Database (kek) >> The Platform Key (pk).
First select The Allowed Signature Database (db) >> Replace Keys >> USB device >> db.auth >> press Enter >> return to the list of variables (a message is displayed only in case of error).

(screenshots: KeyTool steps for db: Replace Keys, select the USB device, select db.auth)

Repeat the same for The Key Exchange Keys Database (kek) and The Platform Key (pk).

After introducing db.auth, kek.auth and pk.auth in the firmware we can boot OpenCore and macOS with UEFI Secure Boot enabled.
 

(attachment: Export variables.jpg)
Set up OC to boot macOS and Windows with Secure Boot, but still can't fix Linux booting.
When OS type is set to Windows, I get the error "OC: LoadImage failed Access denied".
All drivers and other .efi files are signed. I even signed the files in the Linux boot directory, still no effect.
When I set the mode to Other OS, everything is fine, but I need Windows mode because I need it for Windows 11.
Tried on versions 0.7.5 and 0.7.6.
Any ideas?
 
@ilyanin3127
If I understand correctly, you cannot boot Linux when UEFI Secure Boot is enabled.
I don't know what linux distro you are using.
In Ubuntu, for example, there is no need to sign boot files since shimx64.efi is already digitally signed by Canonical.
What we need is the certificate included in shimx64.efi, it can be obtained thanks to shim-to-cert.tool included in OpenCore.
Once you have this certificate, it has to be shoved into the database (db.esl) in addition to ISK.esl and Microsoft certificates, e.g.
Code:
cat ISK.esl MicWinProPCA2011_2011-10-19.esl MicCorUEFCA2011_2011-06-27.esl CanonicalLtd.MasterCertificateAuthority.esl > db.esl

instead of
Code:
cat ISK.esl MicWinProPCA2011_2011-10-19.esl MicCorUEFCA2011_2011-06-27.esl > db.esl

In this way, it's possible to boot linux with UEFI Secure Boot enabled and OS Type Windows 8/10.
Tell me if my text is understandable (non native English).
 
Your text is understandable.
I use Ubuntu LTS distro and it boots with secure boot through grub, the problem is in opencore.
I signed everything successfully with extra crt from shimx64.efi and now everything works, thank you
 
My macOS install doesn't show up while secure boot is enabled, though I can get into the boot picker and boot to windows just fine?
 
KeyTool is included in the efitools Linux package, you can find the utility in /usr/share/efitools/efi/KeyTool.efi. Copy KeyTool.efi with the name bootx64.efi into the EFI folder of an USB device (formatted as FAT32 and MBR). Along with bootx64.efi (KeyTool.efi), the EFI folder on the USB device must also include db.auth, kek.auth and pk.auth.
When booting from this bootable USB, it launches the graphical interface of the tool. When keytool starts we see a menu with the options Save Keys / Edit Keys / Execute Binary / Exit. Click on Edit Keys.


If you are going to boot from a USB to actually perform the procedure, then all the other steps to get to that point can be done from a boot USB of Ubuntu. It allows the installation of software while booted. As well, on my installs of Ubuntu it uses shimx64.efi to boot; I see the "secure boot not enabled" warning every time I boot an EFI machine with it installed. It is a simple matter of copying everything needed to the EFI partition of a USB drive to be used for the procedure from it.

Code:
root@kde:~# mount /dev/sdd1 /mnt
root@kde:~# ls -l /mnt/EFI/ubuntu/
total 3480
-rwxr-xr-x 1 root root 108 Aug 20 02:51 BOOTX64.CSV
-rwxr-xr-x 1 root root 126 Aug 20 02:51 grub.cfg
-rwxr-xr-x 1 root root 1734528 Aug 20 02:51 grubx64.efi
-rwxr-xr-x 1 root root 856232 Aug 20 02:51 mmx64.efi
-rwxr-xr-x 1 root root 955656 Aug 20 02:51 shimx64.efi
root@kde:~# ls -l /mnt/EFI/Boot/
total 4820
-rwxr-xr-x 1 root root 1341560 Feb 8 2021 bkpbootx64.efi
-rwxr-xr-x 1 root root 955656 Aug 20 02:51 BOOTX64.EFI
-rwxr-xr-x 1 root root 85672 Aug 20 02:51 fbx64.efi
-rwxr-xr-x 1 root root 1685376 Feb 8 2021 grubx64.efi
-rwxr-xr-x 1 root root 856232 Aug 20 02:51 mmx64.efi
 
@SAC12345
You're right, all can be done from a bootable USB Ubuntu. But my post is specifically aimed at users who have Windows 10-11 in addition to macOS. This saves them the task of creating an installation medium or installing a Linux system.
Moreover, users dual-booting Windows 11 and macOS are the most interested in UEFI Secure Boot alongside OpenCore, since Windows 11 requires a machine capable of UEFI Secure Boot (although it can work with it disabled).

About booting Ubuntu with UEFI Secure Boot, shimx64.efi comes digitally signed by Canonical as you already know. Canonical's UEFI certificate is implicitly trusted by being embedded into the shim loader, itself signed by Microsoft. This certificate can be downloaded from the net (only secure sites) or extracted from shimx64.efi with shim-to-cert.tool included in the OpenCore package.

shim-to-cert.tool requires the shim file as argument. If shim-to-cert.tool and shimx64.efi are copied into the same folder, we can run:
Code:
sudo ./shim-to-cert.tool shimx64.efi
This is the output:
Code:
Secure Boot block list found and saved as vendor.dbx.
Certificate extracted as CanonicalLtd.MasterCertificateAuthority.pem

Completing the text of the first post, we need CanonicalLtd.MasterCertificateAuthority.pem file, it's the Ubuntu UEFI certificate. It needs to be converted to esl format by cert-to-efi-sig-list:
Code:
cert-to-efi-sig-list -g $(uuidgen) CanonicalLtd.MasterCertificateAuthority.pem CanonicalLtd.MasterCertificateAuthority.esl

We must include into the database the signed Microsoft certificates plus the Canonical certificate:
Code:
cat ISK.esl MicWinProPCA2011_2011-10-19.esl MicCorUEFCA2011_2011-06-27.esl CanonicalLtd.MasterCertificateAuthority.esl > db.esl

After that, db must be signed with KEK:
Code:
sign-efi-sig-list -k KEK.key -c KEK.pem db db.esl db.auth

db.auth must be shoved into the firmware; in this way we can boot, with UEFI Secure Boot, Ubuntu the same as Windows 11 and macOS (once the OpenCore files are digitally signed).
 
My macOS install doesn't show up while secure boot is enabled, though I can get into the boot picker and boot to windows just fine?
Have you digitally signed all OpenCore .efi files? I mean drivers, tools, BOOTx64.efi and OpenCore.efi.
If OpenCore has not been signed, with UEFI Secure Boot enabled you get a security warning before the picker and OpenCore doesn't boot.
If OpenCore boots fine (the picker) but you don't see the mac volume something else is wrong. Recheck the process.
 
You're right, all can be done from a bootable USB Ubuntu. But my post is specifically aimed at users who have Windows 10-11 in addition to macOS. This saves them the task of creating an installation medium or installing a Linux system.

Yes, I can see the saving of additional steps in the process being a benefit to those who want it. That thought I posted just came to me as I read the booting-with-USB part of the procedure and the no need for Windows to be involved at all. I always have many boot USBs lying around; my first thought on a problem is using the best one of them to solve it. Thanks for this posting and especially your changes to OC you do every month. I look for it before making any edits to my config; it gives me the places to look for changing the file rather quickly.
 
Have you digitally signed all OpenCore .efi files? I mean drivers, tools, BOOTx64.efi and OpenCore.efi.
If OpenCore has not been signed, with UEFI Secure Boot enabled you get a security warning before the picker and OpenCore doesn't boot.
If OpenCore boots fine (the picker) but you don't see the mac volume something else is wrong. Recheck the process.
I tried again; the only step I skipped was that of adding the Microsoft CA keys, opting to rather just combine the original db as well as KEK with the created ones (like in this guide). Still to no avail.
 