Jump to content
About Just Joined group Read more... ×
Andy Vandijck

Secure boot signing tools for OS X (sbsigntool-0.6-Clover_V3 with updates and Apple based libraries)

30 posts in this topic

Recommended Posts

I ported and updated the secure boot tools from Linux.

This means we have tools to make signature lists, sign the signature lists, sign EFI files, ...

I updated also most tools (for example the signature list signer in order to be able to sign multi-signature databases) to work optimal and properly in OS X.

Recently I updated the sources for libuuid (1.0.3) and openssl (1.0.1i) so that it builds against the latest versions.

I built 32 and 64 bit versions.

Also included is my bioskeydump tool to dump PK, KEK, DB and DBX files and also their signature if they are signed.

Everything is compiled to run very fast (-O3).

Source is included.

Built results and Clovers signing certificate are included under Build.

 

Enjoy :D

 

@Slice: You might want to include these in Clover to sign the EFI files in the CloverPackage dir, I also included a recursive script and this can be slightly adapted to run sbsign from another directory.

This cloversign.sh script can sign any file you feed to it directly (even multiple files).

 

EDIT: New version V3 for Yosemite built with Apple optimisations.

ZLIB 1.2.8 58 with apple extensions, libuuid-1.0.3 with Xcode build project, OpenSSL 1.0.1j 52 with apple extensions and GMP 6.0.0 are used as renewed libraries in the installer.

The uuid library now has an Xcode project and is built with full optimisations on same as the ZLIB and OpenSSL parts.

Package build script is included in the Makefile under src/pkg.

One make installer command in this folder will generate and installer package automatically but you would have to edit the Makefile for changing the installer package signing identity.

Installer package included with Apple dev cert signed binaries and package.

All works optimal and fast, build flags are -g0 -arch x86_64 -Ofast which means no debugging, 64-bit intel and fastest possible code.

Enjoy this enormously fast release. :D

 

EDIT2:

Added a github repo.

https://github.com/andyvand/sbsigntool_osx

sbsigntool-0.6-Clover_R2.zip

sbsigntool-0.6-R3-installer.zip

sbsigntool-0.6-Clover_R3.zip

Share this post


Link to post
Share on other sites
Advertisement

awesome, i have no words :-)


I have PK, KEK, DB and DBX, Dumped from my Laptop, how do i sign Clover? sbsign somehow doesn't work for me, but maybe im doing something wrong, so thats why i ask you for an example...

 

I can update my PK, KEK, DB, and DBX in the laptop too, directly in the bios from a file... if that helps...

Share this post


Link to post
Share on other sites

Awesome, Andy, thanks for this. So what do we gain from using secureboot with a signed Clover? Doesn't Clover's ability to boot multiple operating systems defeat the purpose of secureboot?

Share this post


Link to post
Share on other sites

awesome, i have no words :-)

I have PK, KEK, DB and DBX, Dumped from my Laptop, how do i sign Clover? sbsign somehow doesn't work for me, but maybe im doing something wrong, so thats why i ask you for an example...

 

I can update my PK, KEK, DB, and DBX in the laptop too, directly in the bios from a file... if that helps...

sbsign is used to sign .efi files.

You can sign them using:

sbsign --key /path/to/something.rsa --cert /path/to/something.pem --output new_efi_file.efi old_efi_file.efi.

 

For appending Clover's certificate's to your BIOS keys, look in the package.

I included my custom PK, KEK, DB and DBX files and also the Clover-key.rsa and Clover-cert.pem files you need to sign the binaries.

You can just use my bioskeydump tools to look at the contents.

sbsiglist can make a new entry file (.siglist) containing a certificate.

You can then just append that to your database by concatenating it in the database.

NOTE: The type of certificate needed to make a signature list need to be in .der format.

My KEK contains Clover's exchange certificate, my DB contains Clover's certificate (with what it is signed) and PK is a self-signed Clover platform key.

These you can update thus in the BIOS.

PK: No mods, just use mine

KEK: Append Clover exchange certificate

DB: Append Clover signing certificate

Then use your BIOS menu to install these keys, after signing Clover and boot.efi of Apple you should have secure boot...

NOTE2: In order to be able to edit boot.efi in /System/Library/CoreServices you need to first unlock it using Terminal...

sudo chflags nouchg /System/Library/CoreServices/boot.efi

Should do the trick nicely (if you look then in the Finder, the lock item will be gone...)

Have fun :D

Share this post


Link to post
Share on other sites

Where is the DBX File? :-)

Not included.

I have no modules to block...

DBX = Unauthorized Database and is used for preventing certain drivers (signed with the certs included in the DBX) from loading.

Share this post


Link to post
Share on other sites

New hyper optimized version for Yosemite (V3).

Majorly updated with latest Apple based updates and other optimisations... ;)

Share this post


Link to post
Share on other sites

Hi,

 

Thanks for these great tools, I have a few questions. I have my files dumped and can look at them with your bioskeydump tool. I have keytool image on a usb drive and can add certs to the various keys etc. I Just need to know how to proceed. Do I use my current dumped files as the base then add the clover-exchange cert to KEK(the canonical-isle of man cert from your KEK?) and clover-signing cert(from src?) to db, then at the end put the PK you provided in place to secure it? Do I have to do anything else to the keys like sign one with another etc? I then just sign all of the .efi binary files from my boot loader and the boot.efi from apple, as described above? You also mentioned that the boot.efi wouldn't verify and might need stripped? IF so how to do that? Or, should boot.efi still run as is once signed?

 

thanks.

 

 

Q

Share this post


Link to post
Share on other sites

I was able to use the sbsign tool provided here to get secure boot enabled on my Surface Pro 2. No More Red Screen!

 

First I had to download the software provided above as I have Mavericks installed I chose version 3, should also work for Yosemite. I just used the pre-built executables by moving them into my /usr/bin I made sure to have newer versions of openssl, etc. installed. Any how once I signed all my Binaries in my Clover folder and Boot Folder. And added Policy <string>Deny</string> and Secure <true/> to by boot section of config.plist, I still couldn't figure out how to make it work.

 

So I installed the latest version of shim-signed from my ubuntu VM.

 

sudo apt-get install shim-signed

 

I copied over shim-signd.efi to my EFI/Microsoft/Boot folder

and named it bootmgfw.efi

 

I already had a copy of Cloverx64.efi there so I re-named that first to grubx64.efi which is what shim looks for.

 

The original microsoft bootmgfw.efi I renamed to bootmgfw-orig.efi, I created a custom entry in my config.plist that points to it.

 

Surface Pro 2 is tricky as it doesn't come with the UEFI 3rdParty CA installed so I had to find this tool online and download it. It is a series of scripts and files that you can use in windows to upgrade and add the 3rd party DBs so that you can use the signed shim to chain-load Clover.

 

It usually needs mokmanager to install its certificates. But I found it easier to use a keytool.efi USB key that I was able to create from an easy to find image that is out there.(Google)

 

I converted the clover signing certificate to a format that shim could use using openssl

 

openssl -x509 -in /path-to-clover-sign.pem -inform PEM -out /path-to-converted-clover-cert.cer -outform DER

 

or something like that.

 

Keytool needs the file to be named .cer in order to use it even though it is DER format.

 

So the procedure to lock down the surface pro 2 once all the binaries are signed is:

 

-Clear all of the secure boot section by disableing secure boot.

 

-Open the long named UEFI script that installs the microsoft dbs with right-click>edit,

 then in powershell eliminate the final line that talks about the PK. save as OnlyDBs.ps1

 

-Close and open the same long ass file as above, this time eliminate everything except the final line about the PK, save as OnlyPK.ps1

 

-Then run the OnlyDBs script with a comand prompt as admin. It should run without any errors.

 

-Copy over all of the .cer files you can find in the sbsigntool package. to the usb keytool stick including the new one that you created above.

 There should be one called cannonical that is used to sign the KEK and DB, another one under /src called Clover-signed.der(Re-name it to .cer)

 

-shutdown and boot up into the usb keytool. Use the Edit keys>Add to find the .cer files you copied over. The main cert that you used to sign the binaries then converted is the one to add to Mok db. Add all of them, one at a time, to DB, adding is the same as appending. Then the Kek is only getting the Canonical one added.

 

-Then reboot up into windows and run the OnlyPK.ps1 script. using the Admin Cmd prompt.

 

-Reboot into UEFI bios and enable secure boot. Save>Re-boot.

 

Should see black screen. then Clover.

 

The reason we have to use Shim is cuz it's one of the few trusted loaders that Microsoft decided to sign. So by chain loading Clover with it we can eliminate the red screen. Which we wouldn't be able to do using a self signed key of our own.

Share this post


Link to post
Share on other sites

I was able to use the sbsign tool provided here to get secure boot enabled on my Surface Pro 2. No More Red Screen!

 

...

Awesome job, man! by chain loading Clover with Shim, it works in non secure boot at the moment for me. I signed Cloverx64.efi with sbsign and rename to grubx64.efi under the same folder of shim.efi, then enrolled the clover certificates using mokmanager. With secure boot on, it shows "binary is whitelisted" and does not load the secondary bootloader(clover in my case). You have any ideas?

 

Could you help me to about the long named UEFI script (OnlyDBs.ps1) you mention in the instruction please. I did not find it in any resources. I am also interested about what it does in windows's cmd.

Secondly, is it necessary to sign the boot.efi in /System/Library/CoreServices ?

Last, I am on a surface pro 3, it seems to come with the UEFI 3rdParty CA installed, does it mean I will only have to register the clover certificates using mokmanager (or keytool)?

Share this post


Link to post
Share on other sites

Richard,

 

Hello, the script I edited with powershell to install only the DBs is originally named InstallSecureBootWithMsftUefiCertAuthToDB.ps1, so a long name for sure. Yes it is a part of the special tool MS came up with for the Surface Pros 1 & 2. Since you use a Pro 3 you may not need to find the special Tool for UEFI CA, but I like the control it gives us for customization. Keytool only lets you update .cer files to the DB while in setup mode. If your built in UEFI bios lets you add in the DBs separate from the PK, then no problem, otherwise do as I did above and find the tool to add CA to the early Surface Pros. Edit it similar to me then you can use keytool, which I find easier to use. Keytool will only allow adding certs in setup mode which means the system will be in un-secure mode. Once PK is added it will not allow you to add in the .cers to the Db and KEK.

 

Mokmanager may let you add the .cers to MOK and try that as an alternative, you never know it may work for the DBs to have then there instead of in the MS DBs? Then you can lock down everything and see if you have Clover and Black screen.

 

Yes you need to sign the boot.efi with sbsign as the example towards the top of this thread. Also any boot.efi you might have in a recovery partition.

 

Also, sbsign everything .efi under /EFI/Clover and /EFI/Boot

 

as far as shim-signed, make sure it's from a recent version of Ubuntu or equiv. 64 bit version. I used the one from 14.04, I had trouble with an earlier shim I originally found on the internet.

 

The UEFI CA tool from MS also has a savepk.ps1 script which can be edited to save all current DBs and the PK. That is usefull once you have all the cool new certs added and you want to save everything in the combined .bins it creates from the new combined dbs. The original script only saves the current dbx and PK.

 

You can then create a new lockdown.ps1 script that is based on the newly created combined db.bins. When you download the UEFI tool look at the documentation that comes with it and the scripts themselves to determine how to edit them for this type of customization. The new lockdown.ps1 could then have the PK line added back into it once all the newly combined DBs and Kek are created. Greatly simplifying application in the future.

 

I have since updated my machine to Windows 10 and both the upgrade, and a further update overwrote my shim-signed(re-named to bootmgfw.efi) in /EFI/Microsoft/boot. So keep a copy of it handy to move back over to SYSTEM each time.

Share this post


Link to post
Share on other sites

I finally managed to secure boot CLOVER on surface pro 3, no more red screen. Thanks Andy for the amazing signing tool and Quattro for the detail instruction&help !!!

 

I boot directly from CLOVER, no shim.efi is required. (Specifically, chain loading with shim.efi dosen't work for me somehow, dunno why). And since sp3 already have the UEFI 3rdParty CA installed, one have to first delete all the platform key in order to start from scratch.

 

There are the steps I followed:

1. Use sbsigntool to sign all the necessary binary (*.efi) under /EFI/Clover (also /EFI/Boot/ if on a usb key), /System/Library/CoreServices/boot.efi, Recovery HD/com.apple.xx/boot.efi

2. Use Microsoft's OEM_PK_Surface to backup current dbs and PK.

3. go into bios and delete all the platform key.

4. back into window use modified Onlydbs.ps1 script to first append OEM db, KEK , dbx.

5. boot from keytool USB key and append all the cert files from sbsigntool into db and KEK. (one clover signing certificate convert from pem using openssl,  two *.der files under /src, and all the rest *.der is under /src/EFI_SECDB. change extension name from der to cer)

6. back into window use modified OnlyPK.ps1 script to add the finishing PK key.

7. use EasyUEFI to create a new entry pointing to /EFI/CLOVER/CLOVERX64.efi on SYSTEM partiotion, move it above Microsoft's boot entry. (This is a work around than renaming CLOVERX64.efi to bootmgfw.efi, so that future windows update will not break it)

8. reboot, voila! secure boot enabled and Clover is up.

9.(optional) as suggested by Quattro, in Windows backup the new KEK, db, dbx and PK using a modified SavePlatformKey.ps1 script.

Share this post


Link to post
Share on other sites

Hello. I have a surface pro 3 that i purchased from ebay. They never gave me the uefi password But I can install windows just fine. Should I be able to sign the clover bootloader and efi files to install osx and then boot off of the usb every time if I want to run osx? Many thanks.

Share this post


Link to post
Share on other sites

WM,

 

Your best bet is to follow the instructions on Surface Pro OSX, android and Windows triple boot thread to get OSX installed and working correctly, which means dis-ableing secure boot for now. When all of those other things are working to your satisfaction then come back here to lock it down.

 

EDIT: or in your case one of the Surface Pro 3 OSX threads ; )

Share this post


Link to post
Share on other sites

Thank you for your reply! But since i do not have the uefi password as stated in my first post.. I cannot disable secure boot :/ I can boot off usb.. (only in secure mode). I do not want a selectable system at boot.. only when i plug in the usb and boot from clover usb. so basically my osx partition will stay hidden or unused unless i plug in the propper usb. I have 7 100% running hackintosh systems so i will not have a problem installing once I get a clover usb to boot.. All i want to know is can i get an osx usb with the clover bootloader in the /efi partition to boot in secure mode. Thank you so much for your input.

Share this post


Link to post
Share on other sites

Hi again WM,

 

If you can boot now off of USB in secure mode it is a secure USB key right? Then maybe all you need is a way to get a secured clover on a USB stick? Sounds to me like you'd have to do this anyway just to create the proper OS X insall USB key. So yeah once that is created installing OS X is the easy part. You may need another computer to help troubleshoot the USB key creation.

Share this post


Link to post
Share on other sites

Correct. All I need is a secured clover on a usb stick. Since I have never created a "secure" version of clover for usb booting I gues that is where my problem lies. This secure business is where I am running into some confusion. I see where you daisy chained a few bootloaders to work on your surface pro.. but that was only to boot your system without any external drive right? I shouldn't have the same issues with a usb clover should I? Forgive my ignorance.. but I think all I have to do is run this tool on the clover efi files and I should be golden right? Or am I missing a big step(s)? Many thanks for your help and sorry for my lack of understanding in this. 

Share this post


Link to post
Share on other sites

Hi WM,

My experience is that even on a usb drive if a bootloader is not properly signed (or signed but uncertificates in the uefi), my surface pro 3 won't be able to boot it. it will show binary unauthorized error and boot the second entry which is Windows. While getting Clover to boot in secure mode not only require a signed .efi, but also adding the certificates you use into UEFI databases. The latter step absolutely requires an access to uefi. I don't think there is much you can do if you can not go into bios to disable the secure boot or remove all the platform key.

Installing OSX will not be any issue after you fix the bios, i.e either by getting the uefi password, or maybe there is a hidden OEM way to do a hard reset.

Share this post


Link to post
Share on other sites

I am actually able to boot ubuntu with a live usb (latest). I wonder if I daisy chain shim to clover if It will work Kinda like how quattro74 got his to work but just on the usb level. Does that make sense? Anyone else think I should go for it? I think I will try this weekend. Messy messy hack lol

Share this post


Link to post
Share on other sites

Wm,

 

You still have no way to access the uefi and install the certificates to your db? If not you won't be able to get to clover regardless where it is installed. That is your main issue. Get the certificates into the db and you can do what you want. Having a working Ubuntu means you can get a working shim-signed and get that to boot OK from where-ever but you can't get past it w/o the clover certs being added.

Share this post


Link to post
Share on other sites

Hi, can someone please post an example of how to sign and a list of certs in the sbsigntools as the V3 installer only works in 10.10 and the ubuntu way keeps saying file not found ..

   thanks!

Share this post


Link to post
Share on other sites

Have you tried copying the pre-built executables? Once I had the right programming env on my 10.9.2 install I was able to just run the sbsign tool after copying it and any .lib files it needs over to the /use/bin and /use/lib directories, respectively. If it is still giving you an error about 10.10 then maybe it won't work on your Mavericks version. Don't try to run the installer and compile your own. Much too hard. It might still fail due to needing some other .libs though. Good luck.

Share this post


Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.

Announcements

  • Similar Content

    • By BALDY_MAN
      Hi All.
      Im Happy to share my new EFI file that I put together  18/10/2020. which got me up and running 11.0  Beta(20A5395g) on my hack
      a thanks you to everyone who's work I have use to assemble this EFI File. and the help I have received from this site
      I have used openCore 0.6.3, sound work for me (HDMI) and onboard Ethernet. map the usb ports as you wish.
      the definition to iMac20,2
      hope it helps all who need it
      PS. Please leave a comment if the EFI File is helpful to you
      (No Kexts were Harmed in the making of this EFI)
                                                                                                                     regards
                                                                                                                                         Baldy_man
      GigabyteZ40Master.EFI.(20A539g) .zip
    • By qmgoqwe
      I have installed MacOS and Windows on the following hardware:
       
      AMD Ryzen 7 3700X MSI B450M Mortar Max Sapphire Radeon Pulse RX 5600 XT 6G Samsung 860 QVO, 1 TB SSD (PciRoot(0x0)/Pci(0x1,0x3)/Pci(0x0,0x1)/Sata(0x5,0xFFFF,0x0)) - MacOS on this disk Kingston A2000 SSD 1TB M.2 2280 NVMe (PciRoot(0x0)/Pci(0x1,0x1)/Pci(0x0,0x0)/NVMe(0x1,15-AD-CD-26-28-B7-26-00)) - Windows on this disk  
      OpenCore 0.6.1 MacOS 10.15.7 both disks GPT UEFI  
      Both OSs boot nicely and work as a charm when selecting either of the disks as boot disks in the BIOS.
       
      However, trying to boot Windows 10 from the Opencore Bootmanager (no matter whether PickerMode=internal or OpenCanopy) causes a Windows Blue Screen ("SYSTEM THREAD EXCEPTION NOT HANDLED").
      To be on the safe side, I have added an appropriate entry to Misc->Entries:
      <key>Arguments</key> <string></string> <key>Auxiliary</key> <false/> <key>Comment</key> <string>Not signed for security reasons</string> <key>Enabled</key> <true/> <key>Name</key> <string>Windows 10</string> <key>Path</key> <string>PciRoot(0x0)/Pci(0x1,0x1)/Pci(0x0,0x0)/NVMe(0x1,15-AD-CD-26-28-B7-26-00)/HD(1,GPT,2E9695CB-0F9A-4005-AADB-2FF9C96AD02C,0x800,0x32000)/\EFI\Microsoft\Boot\bootmgfw.efi</string> It points to the Windows 10 bootmanager on the Windows disk's EFI partition.
       
      What's wrong with that? Why does this cause a BSOD? It is not clear to me why it works when booting from BIOS but not here.
       
      config.plist attached (but maybe it has no relevance for the problem).
      config.plist
    • By le332313
      Can someone share the dell 5593/5493 EFI ? I try to fit the graphics driver, but it not working please help me thanks
       
    • By jrbros1
      Hi there,
       
      So I have my Windows computer, used a USB with Clover setup to boot into Mojave OS that I installed on the SD card in the computer. The world was a great place and all was well!

      Then I did the steps to partition the pc system to now include the additional drive that I would put Clover on. Here's where I messed up: Instead of directly copying over the full Clover folder into the EFI folder of the new drive (which just had the Boot & Microsoft folders in it), I replaced the EFI's boot folder with Clover's boot folder. So the EFI folder now contains a Microsoft folder, a Clover folder, and Clover's Boot folder only.

      Now, I only can access the Clover boot up menu, the macOS, but no Windows at all. Even if I go into BIOS and pick Windows Boot Manager or Partition 1 for the start up, I get a black screen for both. I can still access the macOS as well as Shell, but I don't know what that does other than displaying all of the yellow text fly by..

      Is there a kind soul out there that can help me get Windows back to boot? Keep in mind I'm a bit of a newbie here so laying out the common-sense steps would be helpful!

      Thank you in advance!
×