
[HOW TO] SecureBootModel changes in OpenCore 0.7.2

Have you tried using itlwm.kext and the HeliPort application, to see if they work any better than the current kext you are using?
Thanks for your help, Edhawk. Will look more into itlwm and HeliPort.
 
1. Added Vault in the first post.

2. Added this text at the end of the first post:

Khronokernel has a file, uefisecureboot.md, with instructions about how to add custom Secure Boot keys into your firmware, and I've found some sites on the Internet with instructions to digitally sign boot loader files and to include the signature inside the firmware, but all of them use Linux systems and the process seems very hard and away from the knowledge of an average user (like me).

So for now, secure boot mode in BIOS will remain disabled in order to boot OpenCore and macOS.
 
Wow, OpenCore may support UEFI Secure Boot in the future. Really curious about how it is done and how it will impact dual-boot of macOS and Windows 11.
The way to do this is described in the uefisecureboot.md text from khronokernel, based on other texts such as Sakaki's.
But they have to find a way to make it simple for the end user because it is currently a task too complex except for (very) advanced users.
I don't see it as easy to implement but I like the project.
 

Edhawk

I agree the methodology used by Sakaki is not for the faint-hearted. It follows a well-thought-out process, but there are too many variables and steps for a noob to follow and not mess up.
 

Edhawk

Even more so when you add OpenCore Vault into the process, which I believe needs to be enabled for the UefiSecureBoot process Acidanthera wants to incorporate into OpenCore.

Note: Vaulting is not the same as FileVault2. It is explained as follows:

Vault: This can be seen as secure boot for OpenCore, so no one can modify it and get in without your permission.

Link to Vault page in OC guide - https://dortania.github.io/OpenCore-Post-Install/universal/security/vault.html
 
@Edhawk
Actually all the articles that I have found have the same base: a Linux system (Ubuntu, Gentoo, etc.) in which to generate the keys and sign the bootloader's files with them. Of course, it is unthinkable to propose this method to the general public. Hard and tedious.

I think that Acidanthera is in the first step of creating a simple method (if possible) to do the same task from macOS. There is still a long way to go but this team is capable of achieving it.

Basically we need Linux because sbsigntools and efitools only exist for Linux. The other required tools, openssl and keytool, can be used from macOS.

If someone could port sbsigntools and efitools to macOS (I have no knowledge for it, not even close to it) the task that is done in Linux could be done in macOS, but still I think it should be simplified.

Anyway, it is the beginning of the road, we will see where it takes us.
 
Even more so when you add OpenCore Vault into the process, which I believe needs to be enabled for the UefiSecureBoot process Acidanthera wants to incorporate into OpenCore.

Note: Vaulting is not the same as FileVault2. It is explained as follows:

Vault: This can be seen as secure boot for OpenCore, so no one can modify it and get in without your permission.
Yes, Vault and FileVault are different things.
But Vault itself isn't mandatory for UEFI Secure Boot. I've generated keys and signed OpenCore efi files in an Ubuntu system, put them into a USB, replacing the BIOS keystore with my own keys (plus Microsoft certificates) and, when enabling UEFI Secure Boot, OpenCore boots fine with and without Vault.
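
A defender-side check related to the signing step discussed in this thread, as an added example that is not part of any post: it reports whether an .efi file carries an attached Authenticode signature by reading the PE Certificate Table. The function names and the sample image are constructed for illustration, and the check shows only that a signature is present, not that it verifies against the keys enrolled in firmware.

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode (PKCS#7) blob
CERT_TABLE_INDEX = 4                     # "Certificate Table" data directory

def efi_signature_info(data: bytes):
    """Return (file_offset, size, cert_type) of the attached signature, or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE/COFF image (missing MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]   # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 4 + 20                          # skip COFF file header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x20B:                                 # PE32+ (x64 EFI apps)
        dirs_off = opt_off + 112
    elif magic == 0x10B:                               # PE32
        dirs_off = opt_off + 96
    else:
        raise ValueError("unknown optional header magic")
    num_dirs = struct.unpack_from("<I", data, dirs_off - 4)[0]
    if num_dirs <= CERT_TABLE_INDEX:
        return None
    # This directory entry holds a file offset, not an RVA like the others.
    off, size = struct.unpack_from("<II", data, dirs_off + 8 * CERT_TABLE_INDEX)
    if off == 0 or size == 0:
        return None                                    # unsigned image
    if size < 8 or off + size > len(data):
        raise ValueError("certificate table points outside the file")
    dw_length, _rev, cert_type = struct.unpack_from("<IHH", data, off)
    if dw_length < 8 or dw_length > size:
        raise ValueError("corrupt WIN_CERTIFICATE length")
    return off, size, cert_type

def make_sample(signed: bool) -> bytes:
    """Constructed minimal PE32+ image for the demo, not a real bootloader."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", img, opt, 0x20B)
    struct.pack_into("<I", img, opt + 108, 16)         # NumberOfRvaAndSizes
    if signed:                                         # dummy WIN_CERTIFICATE
        blob = struct.pack("<IHH", 16, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + b"\0" * 8
        struct.pack_into("<II", img, opt + 112 + 8 * CERT_TABLE_INDEX, len(img), len(blob))
        img += blob
    return bytes(img)

if __name__ == "__main__":
    print(efi_signature_info(make_sample(True)), efi_signature_info(make_sample(False)))
```

To check a real file, pass its bytes (for example `open(path, "rb").read()`) to `efi_signature_info`; a `None` result means the image is unsigned.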
 