Jump to content

[HOW TO] SecureBootModel changes in OpenCore 0.7.2


miliuco
 Share

7 posts in this topic

Recommended Posts

Note: it is highly recommended to read the Dortania guide where this process is explained in detail. This post is based on this guide next to my personal experience. I'm also interested in the relationship between BIOS secure boot and OpenCore secure boot.

 

OpenCore SecureBootModel

 

Apple Secure Boot is the technology used in Macs to verify the integrity of the operating system at boot: boot loader > kernel > snapshot of the system volume. If this check fails, macOS won't boot.
Apple Secure Boot only works during the boot process, once macOS is running it no longer performs any function.
 

Apple defines 3 Secure Boot modes:

  • Full Security: Only allows to boot the installed operating system or another signed version of macOS in which Apple currently trusts. It also checks the integrity of the installed version. If the check fails, the system offers to reinstall macOS or boot from a different disk.
  • Medium Security: Checks that the installed version of macOS is legitimate but not the integrity of the system. Lets you boot any signed version of macOS in which Apple has ever trusted.
  • No Security: other systems or versions different from those mentioned in the secure options are allowed. There are no requirements on the boot operating system.


OpenCore has a SecureBootModel key that adjusts the Apple Secure Boot mode to make it similar to Macs. This key has been changed in OpenCore version 0.7.2.

  • In OpenCore 0.7.1, failsafe value for SecureBootModel is Default, this value sets Apple Secure Boot hardware model as j137 (iMacPro1,1 December 2017 macOS 10.13.2). This means that macOS versions older than 10.13.2 cannot be installed with this SecureBootModel value.
  • In OpenCore 0.7.2, failsafe value for SecureBootModel remains Default, but this value sets Apple Secure Boot hardware model as x86legacy, new value (not existing in previous versions) that corresponds to macOS 11 Big Sur and 12 Monterey on hardware without T2 chips.

 

Notice that with OpenCore 0.7.2:

  • x86legacy (Default now) is designed for machines without T2 chip* with Big Sur and especially Monterey if we want to have Apple Secure Boot (minimum macOS 11)
  • j137 doesn't work with Monterey
  • j137 is the recommended value for macOS 10.13.2 through 10.15.x
  • systems older than macOS 10.13.2 must set SecureBootModel=Disabled
  • users who don't want to have Apple Secure Boot for any reason can set SecureBootModel=Disabled, even in Big Sur and Monterey.

 

*According to Apple, these Mac computers have Apple T2 security chip:

  • iMac (2020)
  • Mac Pro (2019)
  • Mac Pro (Rack, 2019)
  • Mac mini (2018)
  • MacBook Air (2020)
  • MacBook Air (2019)
  • MacBook Air (2018)
  • MacBook Pro (2020)
  • MacBook Pro (2019)
  • MacBook Pro (2018)
  • iMac Pro (2017).


Valid values in OpenCore 0.7.2 (all are models with T2 but x86legacy and disabled):

  • Default — Recent available model, currently set to x86legacy
  • Disabled — No model, Secure Boot will be disabled
  • j137 — iMacPro1,1 (December 2017) Minimum macOS 10.13.2
  • j680 — MacBookPro15,1 (July 2018) Minimum macOS 10.13.6
  • j132 — MacBookPro15,2 (July 2018) Minimum macOS 10.13.6
  • j174 — Macmini8,1 (October 2018) Minimum macOS 10.14
  • j140k — MacBookAir8,1 (October 2018) Minimum macOS 10.14.1
  • j780 — MacBookPro15,3 (May 2019) Minimum macOS 10.14.5
  • j213 — MacBookPro15,4 (July 2019) Minimum macOS 10.14.5
  • j140a — MacBookAir8,2 (July 2019) Minimum macOS 10.14.5
  • j152f — MacBookPro16,1 (November 2019) Minimum macOS 10.15.1
  • j160 — MacPro7,1 (December 2019) Minimum macOS 10.15.1
  • j230k — MacBookAir9,1 (March 2020) Minimum macOS 10.15.3
  • j214k — MacBookPro16,2 (May 2020) Minimum macOS 10.15.4
  • j223 — MacBookPro16,3 (May 2020) Minimum macOS 10.15.4
  • j215 — MacBookPro16,4 (June 2020) Minimum macOS 10.15.5
  • j185 — iMac20,1 (August 2020). Minimum macOS 10.15.6
  • j185f — iMac20,2 (August 2020). Minimum macOS 10.15.6
  • x86legacy — Macs without T2 chip and VMs. Minimum macOS 11.0.1.

Note: iMac19,1 (March 2019 -  Minimum macOS 10.14.4) isn't in the list because it has no T2 chip.

 

Of course, you can also set Secure Boot Model to the value, from the list above, that corresponds to the macOS version you want to boot (example j160 for macOS Catalina 10.15.1).

If you are suspicious of old operating systems, you can always put the model that only supports the versions you need of macOS and not the previous ones. For example, j140k will filter 10.13 and lower, j152f will filter 10.14 and lower, x86legacy will filter 10.15 and lower.

Remember that SMBIOS and SecureBootModel do not need to match, Apple Secure Boot model does not depend on the SMBIOS model so there is no point in trying to choose the same. But x86legacy is a must for Monterey and Big Sur if you want to have Apple Secure Boot.

 

Apple Secure Boot in the hackintosh

 

How to get Apple Secure Boot in the Hackintosh? OpenCore provides 3 keys to enable Secure Boot:

  • Misc >> Security >> DmgLoading: to set load policy with DMGs in OpenCore; it can be Any (boot fails if Secure Boot is enabled), Signed and Disabled (both support Secure Boot)
  • Misc >> Security >> SecureBootModel: to set the Apple Secure Boot hardware model and policy; SecureBootModel equate to Medium Security, for Full Security you must use ApECID
  • Misc >> ApECID: Apple Enclave Identifier, to use personalized Apple Secure Boot identifiers and to have Full Security when paired with SecureBootModel.

 

For ApECID value, you must get a 64 bit integer randomly generated in a cryptographically secure way. If you have Python 3 installed, you can use this command in Terminal:

python3 -c 'import secrets; print(secrets.randbits(64))'

If you don't have Python 3, you can use the urandom bash command in Terminal. This tool can generate a random 32 bit integer, if we run the tool twice and combine the 2 32-bit integers we get a 64-bit value. Copy this text into a file, save it with sh extension and run it with double click:

#!/bin/sh
# first 32 bit integer
low32=$(od -An -N4 -tu4 < /dev/urandom)
# second 32 bit integer
high32=$(od -An -N4 -tu4 < /dev/urandom)
# joining the 2 numbers
long=$(($low32 + ($high32 << 32)))
# removing leading minus sign if exists
echo $long | sed 's/-//'

Now you can enter it under Misc -> ApECID in your config.plist.

Note: don't use random instead of uramdom, it isn't cryptographically secure.

 

When using ApECID, SecureBootModel must have a defined value instead of default (default can change in following versions of OpenCore).

 

It's advisable to personalize the boot volume the first time that macOS boots with an ApECID value. To do this:

  • boot into Recovery
  • be sure you have an Internet connection
  • open Terminal
  • bless --folder "/Volumes/HD/System/Library/CoreServices" --bootefi --personalize
    (replace HD with the name of your system volume)
  • reboot into macOS.

 

SecureBootModel and ApECID:

  • with SecureBootModel=Disabled I have no security (%00)
  • with SecureBootModel=x86legacy or any of the valid values I have medium security (%01)
  • with SecureBootModel=x86legacy or any of the valid values plus ApECID non zero value I have full security (%02).

 

Apple Secure Boot state on Intel-based Macs can be obtained from NVRAM:
nvram 94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy

 

If the variable is found, it can be one of the following:

  • %02 - Full Security Mode
  • %01 - Medium Security Mode
  • %00 - No Security Mode

If the variable is not found, Apple Secure Boot is not supported.

 

Vault

 

It's a secure boot for OpenCore, digitally signing OpenCore.efi so no one can modify boot loader files except you.

 

config.plist

As first task, you must modify config.plist:

  • Misc >> Security >> Vault:
    - Basic: Requires just vault.plist file to be present, used for filesystem integrity verification
    - Secure: Requires both vault.plist and vault.sig files, used for best security as vault.plist changes require a new signature
  • Booter >> ProtectSecureBoot=Yes >> needed with Insyde firmwares for fixing secure boot keys and reporting violations.

 

CreateVault

Copy OpenCorePKG/Utilities/CreateVault folder next to the EFI folder inside the EFI partition. The resultant path must be: EFI partition/Utilities folder/CreateVault folder.

 

Inside CreateVault there are 3 files: create_vault.sh, RsaTool and sign.command.
Run sign.command to generate a hash for every OpenCore file, write them into vault.plist and a 256 byte signature of vault.plist will be shoved into OpenCore.efi file.

/Volumes/EFI/Utilities/CreateVault > ./sign.command
../../EFI/OC for hashing...
Hashing files in ../../EFI/OC...
ACPI\\SSDT-AWAC-DISABLE.aml: 68de84a90faa6948f7be97a229908460da0aafb90afcf8a49dea9804e1ffc88c
... / ...
Drivers\\OpenRuntime.efi: 84289c9187273e9fe20bf48e1ebee95a98740c9e3320e1f198da467189192457
... / ...
Kexts\\Lilu.kext\\Contents\\MacOS\\Lilu: bbe867b06c523551460decbf5e760662c057fc004fe65bb138d59135729ab167
... / ...
Resources\\Label\\Shell.lbl: ef2b6cd9fc4e11c3ed558555fcfbe9fb3377fd5d87212ceb5e1dc1fa945e0445
... / ...
config.plist: ae9f0b531b1c1aeeb692b67c8cd120eba9d67cf161978f44c1c87b5666708c6b
Tools\\OpenShell.efi: 4c0f9209bb3b0a1ce369848690e0480bb80b3d5880f9cceba5e8af74dcf68cdf
config-ok.plist: 51645ec8117668763bcec3ba826cc9ab0554805c0367a8644f3031cb5a0d5786
All done!
Generating RSA private key, 2048 bit long modulus
... / ...
e is 65537 (0x10001)
Issuing a new private key...
Getting public key based off private key...
Signing ../../EFI/OC/OpenCore.efi...
Bin-patching ../../EFI/OC/OpenCore.efi...
528+0 records in
528+0 records out
528 bytes transferred in 0.000660 secs (799781 bytes/sec)
All done!
Cleaning up keys
/Volumes/EFI/Utilities/CreateVault >

How to disable Vault?

  • Get a new copy of OpenCore.efi
  • Misc >> Security >> Vault >> Optional
  • Remove vault.plist and vault.sig.

 

Secure Boot option in BIOS

 

UEFI Secure Boot only allows to boot OS's that are signed and trusted. PC Bios comes with Microsoft keys as trusted. So, to boot Windows with Secure Boot, you need to enable Secure Boot in BIOS and to have Windows 8/10 keys (usually included in the motherboard firmware). But this is only required for Windows. macOS has its own implementation named Apple Secure Boot, this feature can be done with Secure Boot disabled in BIOS. So, these are 2 separate systems: PC BIOS Secure Boot and Apple Secure Boot.

 

By default our hacks work with BIOS secure boot disabled since always, this is one of the BIOS options required to boot with OpenCore or Clover, but I wanted to find some not very complicated way of running OpenCore with PC BIOS Secure Boot enabled (if possible, probably not for now) but, until now, all the attempts I have made to do so have failed. Every time I enable Secure Boot mode in BIOS, a warning saying "Secure boot violation. Invalid signature detected. Check secure boot policy in setup" is displayed by the firmware before OpenCore that fails and does not boot.


Windows 10 boots fine with BIOS secure boot enabled or disabled. But OpenCore only boots with BIOS secure boot disabled (as expected). This is not important for users who only use Macos. But since Windows 11, close to its final release, requires BIOS Secure Boot enabled, it is important for users who use Macos and Windows together and are planning to upgrade to Windows 11.


The problem is caused because PC BIOS comes with Microsoft keys as trusted (often, motherboard manufacturer keys as well). These keys can boot Windows in secure mode but not OpenCore.

 

I've tried all posible OpenCore options related to secure boot:

  • Secure Boot mode enabled in BIOS
    - SecureBootModel disabled >> fail
    - SecureBootModel enabled >> fail
    - SecureBootModel enabled + ApECID enabled >> fail
    - SecureBootModel enabled + ApECID enabled + Vault enabled >> fail
  • Secure Boot mode disabled in BIOS
    - SecureBootModel disabled >> macOS boots with no security
    - SecureBootModel enabled >> macOS boots with medium security
    - SecureBootModel enabled + ApECID enabled >> macOS boots with full security
    - SecureBootModel enabled + ApECID enabled + Vault enabled >> macOS boots with full security and OpenCore files are signed and protected.

 

Khronokernel has a file uefisecureboot.md with instructions about how to add custom Secure Boot keys into your firmware and I've found some sites on Internet with instructions to digitally sign boot loader files and to include the signature inside the firmware but all of them use Linux systems and the process seems very hard and away from the knowledge of an average user (like me).

 

So for now, secure boot mode in BIOS will remain disabled in order to boot OpenCore and macOS.

 

Edited by miliuco
  • Thanks 3

  • 1 month later...

"Monterey and Big Sur require x86legacy (Default now)"

 

>> This is a bit misleading. You can still use other values or disable it so it is not a requirement per se. Installing Monterey only does work when SecureBootModel is "Disabled" in a lot of cases otherwise the installer crashes.


On 9/11/2021 at 7:46 AM, 5T33Z0 said:

"Monterey and Big Sur require x86legacy (Default now)"

>> This is a bit misleading. You can still use other values or disable it so it is not a requirement per se. Installing Monterey only does work when SecureBootModel is "Disabled" in a lot of cases otherwise the installer crashes.

 

You're right. The text is not clear although it is inspired by the first comments about x86legacy by people of the OpenCore team. Thanks for the comment.


Currently we can say that:

  • x86legacy is designed for machines without T2 with Big Sur and especially Monterey if we want to have Apple Secure Boot
  • Big Sur, Monterey and other versions of macOS since 10.13.2 can boot with Disabled (as in my post "users who don't want to have Apple Secure Boot for any reason can set SecureBootModel=Disabled, even in Monterey")
  • Systems older than macOS 10.13.2 must set SecureBootModel=Disabled
  • Big Sur and Monterey can boot with different values to x86legacy or Disabled as in my post "you can also set Secure Boot Model to the value, from the list above, that corresponds to the macOS version you want to boot (example j160 for macOS Catalina 10.15.1)".

Corrected in my first post.

 

Edited by miliuco
  • Like 1
  • Thanks 2

  • miliuco changed the title to [HOW TO] SecureBootModel changes in OpenCore 0.7.2

Added Vault in the first post.

Added this text at the end of the first post:
Khronokernel has a file uefisecureboot.md with instructions about how to add custom Secure Boot keys into your firmware and I've found some sites on Internet with instructions to digitally sign boot loader files and to include the signature inside the firmware but all of them use Linux systems and the process seems very hard and away from the knowledge of an average user (like me).
So for now, secure boot mode in BIOS will remain disabled in order to boot OpenCore and macOS.


 Share

×
×
  • Create New...