[GUIDE] OpenCore and UEFI Secure Boot using Windows Subsystem for Linux

I tried again, the only step I skipped was that of adding the Microsoft CA keys, opting to rather just combine the original db as well as KEK with the created ones (like in this guide). Still to no avail.
Sakaki's guide is for Linux, my guide and the guides of khronokernel and profzei are specifically for Opencore. This makes a difference. Sakaki's guide is very good but I recommend you to follow one of the guides written for macOS.
 
From what I can gather, the steps to actually generate and register the keys in the BIOS are almost the same, the only real difference being that with Sakaki's guide (side note, I do also use Linux, but not through OpenCore; I chainload OpenCore through rEFInd specifically only for Mac booting) the original keys are preserved, and they use .crt for the cert files instead of .pem. Is that what could be causing the issue?
 
@UnequalBiscuit
Yes, steps to generate the keys and shove them into the firmware are almost the same.
If you follow profzei's guide, for example, do you get the macOS entry displayed and bootable after it is digitally signed?
 
@miliuco
So as it turns out the signature method doesn't really matter, and the issue was just a stupid oversight on my part.
I started reading through profzei's guide, and saw the line:
set Misc -> Security -> SecureBootModel to Default
Then I remembered I had it set to Disabled from my Catalina install, as having it at default would cause it to bootloop.
I decided I'd try that before I went ahead and redid just over two hours' worth of work, and to my surprise it worked; the Mac boots fine as well now.
I genuinely have no idea why I didn't think of that at first.
My apologies :<
 
Hi, I tried to complete the guide (using a "normal" Ubuntu, not WSL), signed all .efis and imported it in my UEFI.

But at boot it stops with:
Code:
OC: Driver OpenRuntime.efi at 1 cannot be loaded - Invalid Parameter!
Halting on critical error
as soon as I enabled SecureBoot in UEFI.
I can still boot my Win10 with SecureBoot enabled or disabled.
OpenCore will only show the picker with disabled.

I signed OpenRuntime.efi the same way I signed "BOOTx64.efi" and that seemed to work, else it would not have gotten as far as this fault message. Any advice?
Using OpenCore 0.7.9
 
I'm on WSL and I'm a no-go at this point:

PS C:\Users\x> ubuntu
x@i5-9400:~$ sudo apt-get install sbsigntool
[sudo] password for x:
Reading package lists... Done
Building dependency tree
Reading state information... Done
sbsigntool is already the newest version (0.9.2-2ubuntu1.1).
0 upgraded, 0 newly installed, 0 to remove and 11 not upgraded.
x@i5-9400:~$ sudo apt-get install efitools
Reading package lists... Done
Building dependency tree
Reading state information... Done
efitools is already the newest version (1.8.1-0ubuntu2).
0 upgraded, 0 newly installed, 0 to remove and 11 not upgraded.
x@i5-9400:~$ cd efykeys/
x@i5-9400:~/efykeys$ ls
x@i5-9400:~/efykeys$ openssl req -new -x509 -newkey rsa: 2048 -sha256 -days 3650 -nodes -subj "/CN=NAME PK Platform Key/" -keyout PK.key -out PK.pem
req: Use -help for summary.
x@i5-9400:~/efykeys$

Can anyone tell me what I might be doing wrong?
 
@dclive
Yes, re-sign needed at every OC update.

Code:
openssl req -new -x509 -newkey rsa: 2048 -sha256 -days 3650 -nodes -subj "/CN=NAME PK Platform Key/" -keyout PK.key -out PK.pem

This code has a typo, rsa:2048 (remove the space between rsa: and 2048). The same for the other 3 lines. Sorry. Fixed now.
 
@miliuco, thank you for the guide. I'm facing an issue with my laptop's BIOS—it's not as detailed and is different from others. I attempted the last process using KeyTool, but I couldn't find an "efi" folder within my efitools folder, which means I couldn't locate KeyTool.efi. Later, I tried the BIOS-related method. Under "Administer Secure Boot," I found sections for PK, KEK, and DB. Clicking on them revealed an "enroll" option. When I clicked "enroll," I encountered two disks with complex names. Unfortunately, I lack sufficient knowledge about BIOS and Linux systems. Your assistance would be greatly appreciated. Here are my system's features:

 
@eysnmre
To apply your own keys into the firmware using KeyTool.efi you must create this directory tree in the EFI partition of a FAT32 USB stick:
Code:
EFI > tree
.
├── BOOT
│   └── Bootx64.efi
├── KEK.auth
├── PK.auth
└── db.auth

1 directory, 4 files
Note that Bootx64.efi really is KeyTool.efi, renamed to be selected as boot loader, so the KeyTool app runs when you boot from this USB.

Steps in summary:
  • get KeyTool.efi (attached)
  • rename it to Bootx64.efi
  • create the USB (GUID partition scheme, FAT32 format)
  • create in the EFI partition of the USB stick a folder named EFI
  • put KeyTool.efi renamed to Bootx64.efi into the EFI folder
  • copy your own keys (KEK.auth, PK.auth and db.auth) into the EFI partition of the USB, next to the EFI folder.
 

Attachments
  • KeyTool.zip (57 KB)
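The following script is an added example, not part of the thread or of any of the guides it mentions. It ties together the two procedures discussed above: the key generation from the corrected openssl line (note `rsa:2048` with no space, the cause of the "req: Use -help for summary." error in the WSL transcript), the conversion of those certificates into .auth files and the signing/verification of an OpenCore binary with the db key, and finally the KeyTool USB tree from the last post. It assumes openssl is installed; efitools (`cert-to-efi-sig-list`, `sign-efi-sig-list`) and sbsigntool (`sbsign`, `sbverify`) are used only when present, and the subject names, the output directory and the "Example ..." labels are placeholders of my own. The .auth files are placed at the partition root next to the EFI folder, as the post's summary says; `sbverify --cert db.pem` is the offline check for whether a given .efi will be accepted once that db is enrolled.

```shell
#!/bin/sh
# Added example (not the guide's own script). Assumes openssl; efitools and
# sbsigntool are optional. Output goes under the directory given as $1.

# Generate one self-signed X.509 key pair. The argument must be `rsa:2048`:
# with `rsa: 2048` openssl sees "2048" as a stray extra argument and stops
# with "req: Use -help for summary." (the error in the WSL transcript).
make_cert() {
    dir="$1"; name="$2"; label="$3"
    openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
        -subj "/CN=$label/" -keyout "$dir/$name.key" -out "$dir/$name.pem" 2>/dev/null
}

# Reproduce the transcript's failure: returns 0 when openssl rejects the typo form.
typo_form_is_rejected() {
    ! openssl req -new -x509 -newkey rsa: 2048 -sha256 -days 3650 -nodes \
        -subj "/CN=typo/" -keyout /dev/null -out /dev/null 2>/dev/null
}

# Produce PK, KEK and db certificates in $dir (labels are placeholders).
generate_secure_boot_keys() {
    dir="$1"
    mkdir -p "$dir"
    make_cert "$dir" PK  "Example PK Platform Key"        || return 1
    make_cert "$dir" KEK "Example KEK Exchange Key"       || return 1
    make_cert "$dir" db  "Example db Signature Database"  || return 1
    for n in PK KEK db; do                       # echo the subjects back
        openssl x509 -in "$dir/$n.pem" -noout -subject
    done
}

# Number of the three certificates in $dir that parse as valid PEM (expect 3).
count_valid_certs() {
    dir="$1"; n=0
    for f in PK KEK db; do
        openssl x509 -in "$dir/$f.pem" -noout >/dev/null 2>&1 && n=$((n + 1))
    done
    echo "$n"
}

# Turn the certificates into EFI signature lists and sign them into .auth files
# in the Secure Boot trust order: PK signs PK and KEK, KEK signs db.
# Returns 2 (skipped) when efitools is not installed.
make_auth_files() {
    dir="$1"
    command -v cert-to-efi-sig-list >/dev/null 2>&1 || return 2
    guid=$(cat /proc/sys/kernel/random/uuid 2>/dev/null || echo 11111111-2222-3333-4444-555555555555)
    for n in PK KEK db; do
        cert-to-efi-sig-list -g "$guid" "$dir/$n.pem" "$dir/$n.esl" || return 1
    done
    sign-efi-sig-list -k "$dir/PK.key"  -c "$dir/PK.pem"  PK  "$dir/PK.esl"  "$dir/PK.auth"  || return 1
    sign-efi-sig-list -k "$dir/PK.key"  -c "$dir/PK.pem"  KEK "$dir/KEK.esl" "$dir/KEK.auth" || return 1
    sign-efi-sig-list -k "$dir/KEK.key" -c "$dir/KEK.pem" db  "$dir/db.esl"  "$dir/db.auth"  || return 1
}

# Sign one OpenCore binary (e.g. OpenRuntime.efi) with the db key, then verify
# it against db.pem, which is what the firmware will do once db is enrolled.
# Returns 2 (skipped) when sbsigntool is not installed.
sign_and_verify_efi() {
    dir="$1"; efi="$2"
    command -v sbsign >/dev/null 2>&1 || return 2
    sbsign --key "$dir/db.key" --cert "$dir/db.pem" --output "$efi.signed" "$efi" || return 1
    sbverify --cert "$dir/db.pem" "$efi.signed"
}

# Build the KeyTool USB tree: $keytool (the KeyTool.efi from the attachment)
# becomes EFI/BOOT/Bootx64.efi; PK.auth, KEK.auth and db.auth sit at the
# partition root next to the EFI folder. $usb is the mounted FAT32 partition.
layout_keytool_usb() {
    dir="$1"; usb="$2"; keytool="$3"
    mkdir -p "$usb/EFI/BOOT" || return 1
    cp "$keytool" "$usb/EFI/BOOT/Bootx64.efi" || return 1
    for n in PK KEK db; do
        cp "$dir/$n.auth" "$usb/" || return 1
    done
}

# Stand-alone run: keys in ./efikeys, .auth files if efitools is available.
if [ "${EFIKEYS_DEMO:-0}" = 1 ]; then
    generate_secure_boot_keys ./efikeys && make_auth_files ./efikeys
fi
```

Run it with `EFIKEYS_DEMO=1 sh script.sh` to populate ./efikeys, then call `layout_keytool_usb ./efikeys /path/to/mounted/usb /path/to/KeyTool.efi` once the USB stick from the post is formatted and mounted. Keep the .key files off the USB stick: only the .auth files need to travel to the firmware, and the db.key is what signs every future OpenCore update.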