
[HOW TO] SecureBootModel changes in OpenCore 0.7.2

Have you tried using Itlwm.kext and the HeliPort application, to see if they work any better than the current kext you are using?
Thanks for your help, Edhawk. Will look more into Itlwm and HeliPort.
 
1. Added Vault in the first post.

2. Added this text at the end of the first post:

Khronokernel has a file, uefisecureboot.md, with instructions on how to add custom Secure Boot keys to your firmware, and I've found some sites on the Internet with instructions to digitally sign boot loader files and to include the signature inside the firmware, but all of them use Linux systems and the process seems very hard and far beyond the knowledge of an average user (like me).

So for now, secure boot mode in BIOS will remain disabled in order to boot OpenCore and macOS.
 
Wow, OpenCore may support UEFI Secure Boot in the future. Really curious about how it is done and how it will impact dual-boot of macOS and Windows 11.
The way to do this is described in the uefisecureboot.md text from khronokernel, based on other texts such as Sakaki's.
But they have to find a way to make it simple for the end user because it is currently a task too complex except for (very) advanced users.
I don't see it as easy to implement but I like the project.
 
@Bustycat
Things are moving: OC build e2819b2 added a tool to extract the vendor secure boot certificate from the GRUB shim file.
 
I agree the methodology used by Sakaki is not for the faint-hearted. It follows a well thought out process, but there are too many variables and steps for a noob to follow and not mess up.
 
Even more so when you add OpenCore Vault into the process, which I believe needs to be enabled for the UefiSecureBoot process Acidanthera wants to incorporate into OpenCore.

Note: Vaulting is not the same as FileVault2. It is explained as follows:

Vault: This can be seen as secure boot for OpenCore, so no one can modify it and get in without your permission.

Link to Vault page in OC guide - https://dortania.github.io/OpenCore-Post-Install/universal/security/vault.html
 
@Edhawk
Actually all the articles that I have found have the same base: a Linux system (Ubuntu, Gentoo, etc.) in which to generate the keys and sign the bootloader's files with them. Of course, it is unthinkable to propose this method to the general public. Hard and tedious.

I think that Acidanthera is in the first step of creating a simple method (if possible) to do the same task from macOS. There is still a long way to go but this team is capable of achieving it.

Basically we need Linux because sbsigntools and efitools only exist for Linux. The other required tools, openssl and keytool, can be used from macOS.

If someone could port sbsigntools and efitools to macOS (I have no knowledge for it, not even close to it), the task that is done in Linux could be done in macOS, but I still think it should be simplified.

Anyway, it is the beginning of the road, we will see where it takes us.
 
Even more so when you add OpenCore Vault into the process, which I believe needs to be enabled for the UefiSecureBoot process Acidanthera wants to incorporate into OpenCore.

Note: Vaulting is not the same as FileVault2. It is explained as follows:

Vault: This can be seen as secure boot for OpenCore, so no one can modify it and get in without your permission.
Yes, Vault and FileVault are different things.
But Vault itself isn't mandatory for UEFI secure boot. I've generated keys and signed OpenCore efi files in an Ubuntu system, put them onto a USB, replacing the BIOS keystore with my own keys (plus Microsoft certificates) and, when enabling UEFI secure boot, OpenCore boots fine with and without Vault.
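
Before enabling UEFI Secure Boot with custom keys as described in the post above, it helps to confirm that every .efi file in the OpenCore folder actually carries a signature. The following is an added example, not code from this thread or from OpenCore: a Python check that reads the PE certificate table of an EFI image. The sample images come from the constructed `build_sample` helper, and the check reports only that a signature is present, not that it verifies against the keys enrolled in firmware.

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 blob

def signature_entries(image: bytes):
    """Return [(revision, cert_type, length)] from the PE certificate table."""
    if image[:2] != b"MZ" or len(image) < 0x40:
        raise ValueError("not a PE/EFI image (no MZ header)")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt = pe + 24                                   # optional header start
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)    # data directory array
    count = struct.unpack_from("<I", image, dirs - 4)[0]
    if count <= 4:
        return []                                   # no certificate table slot
    # Entry 4 holds a FILE offset (not an RVA) and a size.
    off, size = struct.unpack_from("<II", image, dirs + 4 * 8)
    if size == 0:
        return []
    if off + size > len(image):
        raise ValueError("certificate table points past end of file")
    entries, pos, end = [], off, off + size
    while pos + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        entries.append((rev, ctype, length))
        pos += (length + 7) & ~7                    # entries are 8-byte aligned
    return entries

def is_signed(image: bytes) -> bool:
    return any(t == WIN_CERT_TYPE_PKCS_SIGNED_DATA for _, t, _ in signature_entries(image))

def build_sample(signed: bool) -> bytes:
    """Constructed minimal PE32+ header; the 'signature' is placeholder bytes."""
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)
    cert = struct.pack("<IHH", 16, 0x0200, 0x0002) + b"\x30\x82" + bytes(6)
    if signed:
        struct.pack_into("<II", opt, 112 + 4 * 8, 328, len(cert))
    head = b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0"
    head += struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    return head + bytes(opt) + (cert if signed else b"")

if __name__ == "__main__":
    for flag in (True, False):
        print("signed" if is_signed(build_sample(flag)) else "unsigned")
```

To use it on real files, read each .efi file as bytes and pass it to `is_signed`; any file reported unsigned would be refused by firmware once Secure Boot is enabled.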
 