[GUIDE] OpenCore and UEFI Secure Boot using Windows Subsystem for Linux

Joined
Dec 10, 2010
Messages
1,030
Motherboard
Gigabyte Z390 Aorus Elite
CPU
i9-9900K
Graphics
RX 6600 XT
Mobile Phone
  1. iOS
I tried again; the only step I skipped was that of adding the Microsoft CA keys, opting rather to just combine the original db as well as KEK with the created ones (like in this guide). Still to no avail.
Sakaki's guide is for Linux; my guide and the guides of khronokernel and profzei are specifically for OpenCore. This makes a difference. Sakaki's guide is very good but I recommend you follow one of the guides written for macOS.
 
Joined
Jan 12, 2022
Messages
7
Motherboard
HP ProBook 450 G6
CPU
Intel i5-8265U
Graphics
Intel WhiskeyLake-U GT2 [UHD Graphics 620]
Mobile Phone
  1. Android
Sakaki's guide is for Linux; my guide and the guides of khronokernel and profzei are specifically for OpenCore. This makes a difference. Sakaki's guide is very good but I recommend you follow one of the guides written for macOS.
From what I can gather, the steps to actually generate and register the keys in the BIOS are almost the same, the only real difference being that with Sakaki's guide (side note, I do also use Linux, but not through OpenCore. I chainload OpenCore through rEFInd specifically only for Mac booting), the original keys are preserved, and they use .crt for the cert files instead of .pem. Is that what could be causing the issue?
 
Joined
Dec 10, 2010
Messages
1,030
Motherboard
Gigabyte Z390 Aorus Elite
CPU
i9-9900K
Graphics
RX 6600 XT
Mobile Phone
  1. iOS
@UnequalBiscuit
Yes, steps to generate the keys and shove them into the firmware are almost the same.
If you follow profzei's guide, for example, do you have the macOS entry displayed to be booted after digitally signing?
 
Joined
Jan 12, 2022
Messages
7
Motherboard
HP ProBook 450 G6
CPU
Intel i5-8265U
Graphics
Intel WhiskeyLake-U GT2 [UHD Graphics 620]
Mobile Phone
  1. Android
@miliuco
So as it turns out, the signature method doesn't really matter, and the issue was just a stupid oversight on my part.
I started reading through profzei's guide and saw the line:
set Misc -> Security -> SecureBootModel to Default
Then I remembered I had it set to Disabled from my Catalina install, as having it at Default would cause it to bootloop.
I decided I'd try that before I went ahead and redid just over two hours' worth of work, and to my surprise it did, Mac boots fine as well now.
I genuinely have no idea why I didn't think of that at first..
My apologies :<
 
Joined
Mar 27, 2022
Messages
1
Motherboard
Lenovo T450S
CPU
Intel Core i5-5200U
Graphics
Intel HD Graphics 5500
Hi, I tried to complete the guide (using a "normal" Ubuntu, not WSL), signed all .efi files and imported them into my UEFI.

But at boot it stops with:
Code:
OC: Driver OpenRuntime.efi at 1 cannot be loaded - Invalid Parameter!
Halting on critical error
as soon as I enabled SecureBoot in UEFI.
I can still boot my Win10 with SecureBoot enabled or disabled.
OpenCore will only show the picker with disabled.

I signed OpenRuntime.efi same way I signed "BOOTx64.efi" and that seemed to work - else it would not have passed to this fault message. Any advice?
Using OpenCore 0.7.9
 
Joined
Apr 1, 2017
Messages
316
Motherboard
Asus Z370-G WiFi AC
CPU
i7-8700K
Graphics
RX 5700
Mac
  1. MacBook Air
  2. MacBook Pro
Mobile Phone
  1. iOS
I'm on WSL and I'm a no-go at this point:

PS C:\Users\x> ubuntu
x@i5-9400:~$ sudo apt-get install sbsigntool
[sudo] password for x:
Reading package lists... Done
Building dependency tree
Reading state information... Done
sbsigntool is already the newest version (0.9.2-2ubuntu1.1).
0 upgraded, 0 newly installed, 0 to remove and 11 not upgraded.
x@i5-9400:~$ sudo apt-get install efitools
Reading package lists... Done
Building dependency tree
Reading state information... Done
efitools is already the newest version (1.8.1-0ubuntu2).
0 upgraded, 0 newly installed, 0 to remove and 11 not upgraded.
x@i5-9400:~$ cd efykeys/
x@i5-9400:~/efykeys$ ls
x@i5-9400:~/efykeys$ openssl req -new -x509 -newkey rsa: 2048 -sha256 -days 3650 -nodes -subj "/CN=NAME PK Platform Key/" -keyout PK.key -out PK.pem
req: Use -help for summary.
x@i5-9400:~/efykeys$

Can anyone tell me what I might be doing wrong?
 
Joined
Dec 10, 2010
Messages
1,030
Motherboard
Gigabyte Z390 Aorus Elite
CPU
i9-9900K
Graphics
RX 6600 XT
Mobile Phone
  1. iOS
@dclive
Yes, re-sign needed at every OC update.

XML:
openssl req -new -x509 -newkey rsa: 2048 -sha256 -days 3650 -nodes -subj "/CN=NAME PK Platform Key/" -keyout PK.key -out PK.pem

This code has a typo, rsa:2048 (remove the space between rsa: and 2048). The same for the other 3 lines. Sorry. Fixed now.
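
The corrected key generation, as an added example that is not part of any post in this thread or of the guide: it runs the command with `rsa:2048`, keeps the spaced form beside it to show that it fails, and checks what openssl actually produced. Only the PK command appears on the page; the KEK and ISK names and the CN strings are assumptions.

```shell
#!/bin/sh
# Added example, not from the guide. Only the PK command appears on the page;
# the KEK/ISK names and the CN strings below are assumptions.

# Generate a self-signed cert and key with the corrected "-newkey rsa:2048".
gen_key() {  # usage: gen_key <basename> <common name>
    openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
        -subj "/CN=$2/" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# The form posted in the thread: the space turns "2048" into a stray
# argument, so openssl prints a usage hint and exits non-zero.
gen_key_with_typo() {
    openssl req -new -x509 -newkey rsa: 2048 -sha256 -days 3650 -nodes \
        -subj "/CN=$2/" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Return 0 only if <basename>.pem is a 2048-bit RSA cert signed with SHA-256
# and <basename>.key is the private key that belongs to it.
check_key() {
    [ -s "$1.pem" ] && [ -s "$1.key" ] || return 1
    text=$(openssl x509 -in "$1.pem" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'Public-Key: (2048 bit)' || return 1
    printf '%s\n' "$text" | grep -q 'sha256WithRSAEncryption' || return 1
    # Compare digests of the public key taken from the cert and from the key.
    cert_pub=$(openssl x509 -in "$1.pem" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$1.key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Run in a scratch directory so existing key material is never overwritten.
workdir=$(mktemp -d) && cd "$workdir" || exit 1
for name in PK KEK ISK; do
    if gen_key "$name" "NAME $name" && check_key "$name"; then
        echo "$name: ok"
    else
        echo "$name: FAILED" >&2
    fi
done
```

Running `check_key` before enrolling anything in firmware catches a failed or partial generation while it is still cheap to redo.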
 