Jump to content
Andy Vandijck

Secure boot signing tools for OS X (sbsigntool-0.6-Clover_V3 with updates and Apple based libraries)

30 posts in this topic

Recommended Posts

I ported and updated the secure boot tools from Linux.

This means we have tools to make signature lists, sign the signature lists, sign EFI files, ...

I updated also most tools (for example the signature list signer in order to be able to sign multi-signature databases) to work optimal and properly in OS X.

Recently I updated the sources for libuuid (1.0.3) and openssl (1.0.1i) so that it builds against the latest versions.

I built 32 and 64 bit versions.

Also included is my bioskeydump tool to dump PK, KEK, DB and DBX files and also their signature if they are signed.

Everything is compiled to run very fast (-O3).

Source is included.

Built results and Clovers signing certificate are included under Build.

 

Enjoy :D

 

@Slice: You might want to include these in Clover to sign the EFI files in the CloverPackage dir, I also included a recursive script and this can be slightly adapted to run sbsign from another directory.

This cloversign.sh script can sign any file you feed to it directly (even multiple files).

 

EDIT: New version V3 for Yosemite built with Apple optimisations.

ZLIB 1.2.8 58 with apple extensions, libuuid-1.0.3 with Xcode build project, OpenSSL 1.0.1j 52 with apple extensions and GMP 6.0.0 are used as renewed libraries in the installer.

The uuid library now has an Xcode project and is built with full optimisations on same as the ZLIB and OpenSSL parts.

Package build script is included in the Makefile under src/pkg.

One make installer command in this folder will generate and installer package automatically but you would have to edit the Makefile for changing the installer package signing identity.

Installer package included with Apple dev cert signed binaries and package.

All works optimal and fast, build flags are -g0 -arch x86_64 -Ofast which means no debugging, 64-bit intel and fastest possible code.

Enjoy this enormously fast release. :D

 

EDIT2:

Added a github repo.

https://github.com/andyvand/sbsigntool_osx

sbsigntool-0.6-Clover_R2.zip

sbsigntool-0.6-R3-installer.zip

sbsigntool-0.6-Clover_R3.zip

Share this post


Link to post
Share on other sites
Advertisement

awesome, i have no words :-)


I have PK, KEK, DB and DBX, Dumped from my Laptop, how do i sign Clover? sbsign somehow doesn't work for me, but maybe im doing something wrong, so thats why i ask you for an example...

 

I can update my PK, KEK, DB, and DBX in the laptop too, directly in the bios from a file... if that helps...

Share this post


Link to post
Share on other sites

Awesome, Andy, thanks for this. So what do we gain from using secureboot with a signed Clover? Doesn't Clover's ability to boot multiple operating systems defeat the purpose of secureboot?

Share this post


Link to post
Share on other sites

awesome, i have no words :-)

I have PK, KEK, DB and DBX, Dumped from my Laptop, how do i sign Clover? sbsign somehow doesn't work for me, but maybe im doing something wrong, so thats why i ask you for an example...

 

I can update my PK, KEK, DB, and DBX in the laptop too, directly in the bios from a file... if that helps...

sbsign is used to sign .efi files.

You can sign them using:

sbsign --key /path/to/something.rsa --cert /path/to/something.pem --output new_efi_file.efi old_efi_file.efi.

 

For appending Clover's certificate's to your BIOS keys, look in the package.

I included my custom PK, KEK, DB and DBX files and also the Clover-key.rsa and Clover-cert.pem files you need to sign the binaries.

You can just use my bioskeydump tools to look at the contents.

sbsiglist can make a new entry file (.siglist) containing a certificate.

You can then just append that to your database by concatenating it in the database.

NOTE: The type of certificate needed to make a signature list need to be in .der format.

My KEK contains Clover's exchange certificate, my DB contains Clover's certificate (with what it is signed) and PK is a self-signed Clover platform key.

These you can update thus in the BIOS.

PK: No mods, just use mine

KEK: Append Clover exchange certificate

DB: Append Clover signing certificate

Then use your BIOS menu to install these keys, after signing Clover and boot.efi of Apple you should have secure boot...

NOTE2: In order to be able to edit boot.efi in /System/Library/CoreServices you need to first unlock it using Terminal...

sudo chflags nouchg /System/Library/CoreServices/boot.efi

Should do the trick nicely (if you look then in the Finder, the lock item will be gone...)

Have fun :D

Share this post


Link to post
Share on other sites

Where is the DBX File? :-)

Not included.

I have no modules to block...

DBX = Unauthorized Database and is used for preventing certain drivers (signed with the certs included in the DBX) from loading.

Share this post


Link to post
Share on other sites

New hyper optimized version for Yosemite (V3).

Majorly updated with latest Apple based updates and other optimisations... ;)

Share this post


Link to post
Share on other sites

Hi,

 

Thanks for these great tools, I have a few questions. I have my files dumped and can look at them with your bioskeydump tool. I have keytool image on a usb drive and can add certs to the various keys etc. I Just need to know how to proceed. Do I use my current dumped files as the base then add the clover-exchange cert to KEK(the canonical-isle of man cert from your KEK?) and clover-signing cert(from src?) to db, then at the end put the PK you provided in place to secure it? Do I have to do anything else to the keys like sign one with another etc? I then just sign all of the .efi binary files from my boot loader and the boot.efi from apple, as described above? You also mentioned that the boot.efi wouldn't verify and might need stripped? IF so how to do that? Or, should boot.efi still run as is once signed?

 

thanks.

 

 

Q

Share this post


Link to post
Share on other sites

I was able to use the sbsign tool provided here to get secure boot enabled on my Surface Pro 2. No More Red Screen!

 

First I had to download the software provided above as I have Mavericks installed I chose version 3, should also work for Yosemite. I just used the pre-built executables by moving them into my /usr/bin I made sure to have newer versions of openssl, etc. installed. Any how once I signed all my Binaries in my Clover folder and Boot Folder. And added Policy <string>Deny</string> and Secure <true/> to by boot section of config.plist, I still couldn't figure out how to make it work.

 

So I installed the latest version of shim-signed from my ubuntu VM.

 

sudo apt-get install shim-signed

 

I copied over shim-signd.efi to my EFI/Microsoft/Boot folder

and named it bootmgfw.efi

 

I already had a copy of Cloverx64.efi there so I re-named that first to grubx64.efi which is what shim looks for.

 

The original microsoft bootmgfw.efi I renamed to bootmgfw-orig.efi, I created a custom entry in my config.plist that points to it.

 

Surface Pro 2 is tricky as it doesn't come with the UEFI 3rdParty CA installed so I had to find this tool online and download it. It is a series of scripts and files that you can use in windows to upgrade and add the 3rd party DBs so that you can use the signed shim to chain-load Clover.

 

It usually needs mokmanager to install its certificates. But I found it easier to use a keytool.efi USB key that I was able to create from an easy to find image that is out there.(Google)

 

I converted the clover signing certificate to a format that shim could use using openssl

 

openssl -x509 -in /path-to-clover-sign.pem -inform PEM -out /path-to-converted-clover-cert.cer -outform DER

 

or something like that.

 

Keytool needs the file to be named .cer in order to use it even though it is DER format.

 

So the procedure to lock down the surface pro 2 once all the binaries are signed is:

 

-Clear all of the secure boot section by disableing secure boot.

 

-Open the long named UEFI script that installs the microsoft dbs with right-click>edit,

 then in powershell eliminate the final line that talks about the PK. save as OnlyDBs.ps1

 

-Close and open the same long ass file as above, this time eliminate everything except the final line about the PK, save as OnlyPK.ps1

 

-Then run the OnlyDBs script with a comand prompt as admin. It should run without any errors.

 

-Copy over all of the .cer files you can find in the sbsigntool package. to the usb keytool stick including the new one that you created above.

 There should be one called cannonical that is used to sign the KEK and DB, another one under /src called Clover-signed.der(Re-name it to .cer)

 

-shutdown and boot up into the usb keytool. Use the Edit keys>Add to find the .cer files you copied over. The main cert that you used to sign the binaries then converted is the one to add to Mok db. Add all of them, one at a time, to DB, adding is the same as appending. Then the Kek is only getting the Canonical one added.

 

-Then reboot up into windows and run the OnlyPK.ps1 script. using the Admin Cmd prompt.

 

-Reboot into UEFI bios and enable secure boot. Save>Re-boot.

 

Should see black screen. then Clover.

 

The reason we have to use Shim is cuz it's one of the few trusted loaders that Microsoft decided to sign. So by chain loading Clover with it we can eliminate the red screen. Which we wouldn't be able to do using a self signed key of our own.

Share this post


Link to post
Share on other sites

I was able to use the sbsign tool provided here to get secure boot enabled on my Surface Pro 2. No More Red Screen!

 

...

Awesome job, man! by chain loading Clover with Shim, it works in non secure boot at the moment for me. I signed Cloverx64.efi with sbsign and rename to grubx64.efi under the same folder of shim.efi, then enrolled the clover certificates using mokmanager. With secure boot on, it shows "binary is whitelisted" and does not load the secondary bootloader(clover in my case). You have any ideas?

 

Could you help me to about the long named UEFI script (OnlyDBs.ps1) you mention in the instruction please. I did not find it in any resources. I am also interested about what it does in windows's cmd.

Secondly, is it necessary to sign the boot.efi in /System/Library/CoreServices ?

Last, I am on a surface pro 3, it seems to come with the UEFI 3rdParty CA installed, does it mean I will only have to register the clover certificates using mokmanager (or keytool)?

Share this post


Link to post
Share on other sites

Richard,

 

Hello, the script I edited with powershell to install only the DBs is originally named InstallSecureBootWithMsftUefiCertAuthToDB.ps1, so a long name for sure. Yes it is a part of the special tool MS came up with for the Surface Pros 1 & 2. Since you use a Pro 3 you may not need to find the special Tool for UEFI CA, but I like the control it gives us for customization. Keytool only lets you update .cer files to the DB while in setup mode. If your built in UEFI bios lets you add in the DBs separate from the PK, then no problem, otherwise do as I did above and find the tool to add CA to the early Surface Pros. Edit it similar to me then you can use keytool, which I find easier to use. Keytool will only allow adding certs in setup mode which means the system will be in un-secure mode. Once PK is added it will not allow you to add in the .cers to the Db and KEK.

 

Mokmanager may let you add the .cers to MOK and try that as an alternative, you never know it may work for the DBs to have then there instead of in the MS DBs? Then you can lock down everything and see if you have Clover and Black screen.

 

Yes you need to sign the boot.efi with sbsign as the example towards the top of this thread. Also any boot.efi you might have in a recovery partition.

 

Also, sbsign everything .efi under /EFI/Clover and /EFI/Boot

 

as far as shim-signed, make sure it's from a recent version of Ubuntu or equiv. 64 bit version. I used the one from 14.04, I had trouble with an earlier shim I originally found on the internet.

 

The UEFI CA tool from MS also has a savepk.ps1 script which can be edited to save all current DBs and the PK. That is usefull once you have all the cool new certs added and you want to save everything in the combined .bins it creates from the new combined dbs. The original script only saves the current dbx and PK.

 

You can then create a new lockdown.ps1 script that is based on the newly created combined db.bins. When you download the UEFI tool look at the documentation that comes with it and the scripts themselves to determine how to edit them for this type of customization. The new lockdown.ps1 could then have the PK line added back into it once all the newly combined DBs and Kek are created. Greatly simplifying application in the future.

 

I have since updated my machine to Windows 10 and both the upgrade, and a further update overwrote my shim-signed(re-named to bootmgfw.efi) in /EFI/Microsoft/boot. So keep a copy of it handy to move back over to SYSTEM each time.

Share this post


Link to post
Share on other sites

I finally managed to secure boot CLOVER on surface pro 3, no more red screen. Thanks Andy for the amazing signing tool and Quattro for the detail instruction&help !!!

 

I boot directly from CLOVER, no shim.efi is required. (Specifically, chain loading with shim.efi dosen't work for me somehow, dunno why). And since sp3 already have the UEFI 3rdParty CA installed, one have to first delete all the platform key in order to start from scratch.

 

There are the steps I followed:

1. Use sbsigntool to sign all the necessary binary (*.efi) under /EFI/Clover (also /EFI/Boot/ if on a usb key), /System/Library/CoreServices/boot.efi, Recovery HD/com.apple.xx/boot.efi

2. Use Microsoft's OEM_PK_Surface to backup current dbs and PK.

3. go into bios and delete all the platform key.

4. back into window use modified Onlydbs.ps1 script to first append OEM db, KEK , dbx.

5. boot from keytool USB key and append all the cert files from sbsigntool into db and KEK. (one clover signing certificate convert from pem using openssl,  two *.der files under /src, and all the rest *.der is under /src/EFI_SECDB. change extension name from der to cer)

6. back into window use modified OnlyPK.ps1 script to add the finishing PK key.

7. use EasyUEFI to create a new entry pointing to /EFI/CLOVER/CLOVERX64.efi on SYSTEM partiotion, move it above Microsoft's boot entry. (This is a work around than renaming CLOVERX64.efi to bootmgfw.efi, so that future windows update will not break it)

8. reboot, voila! secure boot enabled and Clover is up.

9.(optional) as suggested by Quattro, in Windows backup the new KEK, db, dbx and PK using a modified SavePlatformKey.ps1 script.

Share this post


Link to post
Share on other sites

Hello. I have a surface pro 3 that i purchased from ebay. They never gave me the uefi password But I can install windows just fine. Should I be able to sign the clover bootloader and efi files to install osx and then boot off of the usb every time if I want to run osx? Many thanks.

Share this post


Link to post
Share on other sites

WM,

 

Your best bet is to follow the instructions on Surface Pro OSX, android and Windows triple boot thread to get OSX installed and working correctly, which means dis-ableing secure boot for now. When all of those other things are working to your satisfaction then come back here to lock it down.

 

EDIT: or in your case one of the Surface Pro 3 OSX threads ; )

Share this post


Link to post
Share on other sites

Thank you for your reply! But since i do not have the uefi password as stated in my first post.. I cannot disable secure boot :/ I can boot off usb.. (only in secure mode). I do not want a selectable system at boot.. only when i plug in the usb and boot from clover usb. so basically my osx partition will stay hidden or unused unless i plug in the propper usb. I have 7 100% running hackintosh systems so i will not have a problem installing once I get a clover usb to boot.. All i want to know is can i get an osx usb with the clover bootloader in the /efi partition to boot in secure mode. Thank you so much for your input.

Share this post


Link to post
Share on other sites

Hi again WM,

 

If you can boot now off of USB in secure mode it is a secure USB key right? Then maybe all you need is a way to get a secured clover on a USB stick? Sounds to me like you'd have to do this anyway just to create the proper OS X insall USB key. So yeah once that is created installing OS X is the easy part. You may need another computer to help troubleshoot the USB key creation.

Share this post


Link to post
Share on other sites

Correct. All I need is a secured clover on a usb stick. Since I have never created a "secure" version of clover for usb booting I gues that is where my problem lies. This secure business is where I am running into some confusion. I see where you daisy chained a few bootloaders to work on your surface pro.. but that was only to boot your system without any external drive right? I shouldn't have the same issues with a usb clover should I? Forgive my ignorance.. but I think all I have to do is run this tool on the clover efi files and I should be golden right? Or am I missing a big step(s)? Many thanks for your help and sorry for my lack of understanding in this. 

Share this post


Link to post
Share on other sites

Hi WM,

My experience is that even on a usb drive if a bootloader is not properly signed (or signed but uncertificates in the uefi), my surface pro 3 won't be able to boot it. it will show binary unauthorized error and boot the second entry which is Windows. While getting Clover to boot in secure mode not only require a signed .efi, but also adding the certificates you use into UEFI databases. The latter step absolutely requires an access to uefi. I don't think there is much you can do if you can not go into bios to disable the secure boot or remove all the platform key.

Installing OSX will not be any issue after you fix the bios, i.e either by getting the uefi password, or maybe there is a hidden OEM way to do a hard reset.

Share this post


Link to post
Share on other sites

I am actually able to boot ubuntu with a live usb (latest). I wonder if I daisy chain shim to clover if It will work Kinda like how quattro74 got his to work but just on the usb level. Does that make sense? Anyone else think I should go for it? I think I will try this weekend. Messy messy hack lol

Share this post


Link to post
Share on other sites

Wm,

 

You still have no way to access the uefi and install the certificates to your db? If not you won't be able to get to clover regardless where it is installed. That is your main issue. Get the certificates into the db and you can do what you want. Having a working Ubuntu means you can get a working shim-signed and get that to boot OK from where-ever but you can't get past it w/o the clover certs being added.

Share this post


Link to post
Share on other sites

Hi, can someone please post an example of how to sign and a list of certs in the sbsigntools as the V3 installer only works in 10.10 and the ubuntu way keeps saying file not found ..

   thanks!

Share this post


Link to post
Share on other sites

Have you tried copying the pre-built executables? Once I had the right programming env on my 10.9.2 install I was able to just run the sbsign tool after copying it and any .lib files it needs over to the /use/bin and /use/lib directories, respectively. If it is still giving you an error about 10.10 then maybe it won't work on your Mavericks version. Don't try to run the installer and compile your own. Much too hard. It might still fail due to needing some other .libs though. Good luck.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • By kingoffright
      Dear all,
       
      I have a external harddisk about 500GB, I installed the clover into it and the harddisk is GPT format, below is the 3 partitions details:
      FS01: EFI - disk0s1 - fat32
      FS02: install mac  image - disk0s2 -  hfs+
      FS03: install windows 10 - disk0s3 - fat32
       
      I can use this external harddisk to install Mac without issue, I use below steps to install windows 10
      enter the FS03:
      cd to efi/boot/ and excuete bootx64.efi
      after pop up the windows install screen, i click next and it shows error 'A media driver your computer needs is missing...' and the installation can not go any further.
      Firstly I use ultraiso to write the windows 10 image to a flash disk and no issue to start install window 10 so the image is working fine. Since I dont know how to write
      a wiindow installation image into harddisk partition, I used winrar extra all the files into disk0s3, am I missing some steps or actually clover not support to install windows
      by partitions, apprecating any helps.
       
    • By ErmaC
      Slice is glad to present a new EFI bootloader.

      CLOVER
      Now version 2 rEFIt based.


      It is open source based on different projects: Chameleon, rEFIt, XNU, VirtualBox. The main is EDK2 latest revision.
      I also want to thank all who help Slice with the development. Credits and copyrights remain in the sources.
      https://sourceforge.net/projects/cloverefiboot/?source=directory
      There is a WIKI 
      http://clover-wiki.zetam.org/
      Main features:


      If you have a question please provide outputs from DarwinDumper (formed from Trauma tool). Thanks Trauma!
      Continued by blackosx and STLVNUB.
      Post#2 CloverGrower - create Clover by yourself Post#3 Downloads Post#4 Installation of the bootloader Post#5 How to do UEFI boot Post#6 How to use - common words Post#7 Calculator for Automatic DSDT fix Post#8 Instructions for GraphicsInjector Post#9 ATIConnector patching Post#10 Any kexts patching with some Samples Post#11 CustomEDID Post#12 Hiding unnecessary menu entries Post#13 Instruction for DSDT corrections to do DeviceInjection works Post#14 Development Post#15 Themes Post#16 About kexts injection Post#17 Instructions for P- and C-states generator Post#18 Patching DSDT to get Sleep working Post#19 CPU settings and geekbench Post#20 ACPI tables loading Post#21 DSDTmini Post#22 Custom SMBios Post#23 F.A.Q. Post#24 iCloudFix Post#25 Using mouse. Post#26 How to make orange icons to be metallic Post#27 How to make software RAID (by Magnifico) Post#28 How to modify InstallESD.dmg (by shiecldk) Post#29 Config.plist settings Post#30 Using extra kexts and skipping kernelcache Post#31 Choosing EFI drivers Post#32 Configuration files Post#33 Automatic config.plist creating Post#34 Custom DSDT patches Post#35 How to do sleep/wake working with UEFI BOOT Post#36 DeviceID substitution (FakeID) Post#37 Using Custom OS Icons Post#38 Hibernation Post#39 Floating regions Post#41 Property List Editor Post#42 Blocking Bad Kext Post#43 AAPL,slot-name Post#44 FakeCPUID for unsupported CPU Post#45 Multiple Boot Options - to write into UEFI BIOS boot menu Post#46 How to install Windows UEFI Post#47 How to speedup Clover boot Post#48 Info.plist patching Post#49 Arbitrary device injection Post#50 Non-Standard Legacy Boot Files Post#51 Reboot to Windows UEFI from Mac OSX Post#52 Deprecated Features Post#53 Using UDK2018 Post#54 Device Properties Post#55 Scalable themes Post#56 How to search Clover mistakes (bisection) -----------------
       
      Slice:
      I edited all posts in the thread to correspond to actual Clover revision.
      Please install Clover at least 2652 and use new instructions.
×