Andy Vandijck

Secure boot signing tools for OS X (sbsigntool-0.6-Clover_V3 with updates and Apple based libraries)

30 posts in this topic


I really think that with this knowledge, Clover installation should give you an option to sign the EFI files or not, for secure boot.

I don't dare to mess up my install with Linux tools running on Mac OS X and modifying my EFI files, which gave me so much work......

Is it a lot to ask, that secure boot is implemented as a standard in CLOVER?


I really think that with this knowledge, Clover installation should give you an option to sign the EFI files or not, for secure boot.

I don't dare to mess up my install with Linux tools running on Mac OS X and modifying my EFI files, which gave me so much work......

Is it a lot to ask, that secure boot is implemented as a standard in CLOVER?

It is an optional feature not included in the official Clover release.

On 10/2/2014 at 6:04 AM, Andy Vandijck said:

I ported and updated the secure boot tools from Linux.

This means we have tools to make signature lists, sign the signature lists, sign EFI files, ...

I also updated most tools (for example the signature list signer in order to be able to sign multi-signature databases) to work optimally and properly in OS X.

Recently I updated the sources for libuuid (1.0.3) and openssl (1.0.1i) so that it builds against the latest versions.

I built 32 and 64 bit versions.

Also included is my bioskeydump tool to dump PK, KEK, DB and DBX files and also their signature if they are signed.

Everything is compiled to run very fast (-O3).

Source is included.

Built results and Clover's signing certificate are included under Build.

 

Enjoy :D

 

@Slice: You might want to include these in Clover to sign the EFI files in the CloverPackage dir, I also included a recursive script and this can be slightly adapted to run sbsign from another directory.

This cloversign.sh script can sign any file you feed to it directly (even multiple files).

 

EDIT: New version V3 for Yosemite built with Apple optimisations.

ZLIB 1.2.8 58 with apple extensions, libuuid-1.0.3 with Xcode build project, OpenSSL 1.0.1j 52 with apple extensions and GMP 6.0.0 are used as renewed libraries in the installer.

The uuid library now has an Xcode project and is built with full optimisations on, same as the ZLIB and OpenSSL parts.

Package build script is included in the Makefile under src/pkg.

One make installer command in this folder will generate an installer package automatically, but you would have to edit the Makefile to change the installer package signing identity.

Installer package included with Apple dev cert signed binaries and package.

All works optimally and fast; build flags are -g0 -arch x86_64 -Ofast, which means no debugging, 64-bit Intel and fastest possible code.

Enjoy this enormously fast release. :D

 

EDIT2:

Added a github repo.

https://github.com/andyvand/sbsigntool_osx

sbsigntool-0.6-Clover_R2.zip

sbsigntool-0.6-R3-installer.zip

sbsigntool-0.6-Clover_R3.zip

Hello Andy Vandijck,

before going through your guide I just would like a clarification: can I use my existing keys (PK, KEK, DB and DBX) stored on the TPM module connected to my motherboard? I can export them from my BIOS with no problem, but I don't really understand if what I want to do is possible (use existing keys stored in TPM module).

Any help would be much appreciated!
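
For checking what an exported PK, KEK, DB or DBX file actually contains before enrolling or signing anything, the sketch below parses the UEFI EFI_SIGNATURE_LIST layout, including databases that hold several lists back to back. It is an added example, not code from sbsigntool or bioskeydump; it assumes a raw signature-list file with no variable-attribute or authentication header, and the sample bytes and owner GUID are constructed.

```python
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
SIG_TYPES = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "X509",
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "SHA256",
}
LIST_HEADER = struct.Struct("<16sIII")  # type GUID, list size, header size, entry size


def parse_signature_lists(blob):
    """Return one dict per EFI_SIGNATURE_LIST found in blob (raw ESL bytes)."""
    lists, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < LIST_HEADER.size:
            raise ValueError("truncated list header at offset %d" % offset)
        raw_type, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(blob, offset)
        body = list_size - LIST_HEADER.size - hdr_size
        # Reject sizes that would read past the buffer or never advance.
        if list_size > len(blob) - offset or body < 0 or sig_size <= 16 or body % sig_size:
            raise ValueError("inconsistent sizes at offset %d" % offset)
        sig_type = uuid.UUID(bytes_le=raw_type)  # GUIDs are stored mixed-endian
        start = offset + LIST_HEADER.size + hdr_size
        # Each entry is a 16-byte owner GUID followed by the certificate or hash.
        entries = [(uuid.UUID(bytes_le=blob[p:p + 16]), blob[p + 16:p + sig_size])
                   for p in range(start, offset + list_size, sig_size)]
        lists.append({"type": SIG_TYPES.get(sig_type, str(sig_type)), "entries": entries})
        offset += list_size
    return lists


def build_list(sig_type, owner, payloads):
    """Build a constructed ESL for the demo; all payloads must share one length."""
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return LIST_HEADER.pack(sig_type.bytes_le, LIST_HEADER.size + len(body), 0, sig_size) + body


# Constructed sample database: one placeholder "certificate" list plus one list
# with two SHA-256 entries. None of these bytes come from a real machine.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
X509, SHA256 = list(SIG_TYPES)
SAMPLE_DB = build_list(X509, OWNER, [b"0\x82" + b"\x00" * 30]) + build_list(
    SHA256, OWNER, [b"\xaa" * 32, b"\xbb" * 32])

if __name__ == "__main__":
    for n, sl in enumerate(parse_signature_lists(SAMPLE_DB)):
        print(n, sl["type"], [(str(o), len(d)) for o, d in sl["entries"]])
```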
