miliuco Posted August 8, 2021 (edited)

Apple Secure Boot is the technology used in Macs to verify the integrity of the operating system at boot: boot loader > kernel > system volume snapshot. If this check fails, macOS won't boot. Apple Secure Boot only works during the boot process; once macOS is running it no longer performs any function. It is highly recommended to read the Dortania guides: applesecureboot.md, uefisecureboot.md and vault.md.

OpenCore SecureBootModel

Apple defines 3 Secure Boot modes:
- Full Security: only allows booting the installed operating system or another signed version of macOS that Apple currently trusts. It also checks the integrity of the installed version. If the check fails, the system offers to reinstall macOS or boot from a different disk.
- Medium Security: checks that the installed version of macOS is legitimate but not the integrity of the system. Lets you boot any signed version of macOS that Apple has ever trusted.
- No Security: other systems or versions different from those mentioned in the secure options are allowed. There are no requirements on the boot operating system.

The Apple Secure Boot state on Intel-based Macs can be obtained from NVRAM:

nvram 94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy

If the variable is found, it can be one of the following:
%02 - Full Security Mode
%01 - Medium Security Mode
%00 - No Security Mode
If the variable is not found, Apple Secure Boot is not supported.

OpenCore has a SecureBootModel key that adjusts the Apple Secure Boot mode to make it similar to Macs. This key has been changed in OpenCore version 0.7.2.

In OpenCore 0.7.1, the failsafe value for SecureBootModel is Default; this value sets the Apple Secure Boot hardware model as j137 (iMacPro1,1, December 2017, macOS 10.13.2). This means that macOS versions older than 10.13.2 cannot be installed with this SecureBootModel value.
In OpenCore 0.7.2, the failsafe value for SecureBootModel remains Default, but this value sets the Apple Secure Boot hardware model as x86legacy, a new value (not existing in previous versions) that corresponds to macOS 11 Big Sur and 12 Monterey on hardware without T2 chips (hackintosh machines) and virtual machines.

Notice that with OpenCore 0.7.2:
- x86legacy is designed for machines without T2 chip* with Big Sur and Monterey
- j137 doesn't work on Monterey
- j137 is the recommended value for macOS 10.13.2 through 10.15.x
- systems older than macOS 10.13.2 must set SecureBootModel=Disabled
- users who don't want to have Apple Secure Boot for any reason can set SecureBootModel=Disabled, even in Big Sur and Monterey.

* According to Apple, these Mac computers have the Apple T2 security chip: iMac (2020), Mac Pro (2019), Mac Pro (Rack, 2019), Mac mini (2018), MacBook Air (2020), MacBook Air (2019), MacBook Air (2018), MacBook Pro (2020), MacBook Pro (2019), MacBook Pro (2018), iMac Pro (2017).

Valid values in OpenCore 0.7.2 (all are models with T2 except x86legacy and Disabled):
- Default — Recent available model, currently set to x86legacy
- Disabled — No model, Secure Boot will be disabled
- j137 — iMacPro1,1 (December 2017). Minimum macOS 10.13.2
- j680 — MacBookPro15,1 (July 2018). Minimum macOS 10.13.6
- j132 — MacBookPro15,2 (July 2018). Minimum macOS 10.13.6
- j174 — Macmini8,1 (October 2018). Minimum macOS 10.14
- j140k — MacBookAir8,1 (October 2018). Minimum macOS 10.14.1
- j780 — MacBookPro15,3 (May 2019). Minimum macOS 10.14.5
- j213 — MacBookPro15,4 (July 2019). Minimum macOS 10.14.5
- j140a — MacBookAir8,2 (July 2019). Minimum macOS 10.14.5
- j152f — MacBookPro16,1 (November 2019). Minimum macOS 10.15.1
- j160 — MacPro7,1 (December 2019). Minimum macOS 10.15.1
- j230k — MacBookAir9,1 (March 2020). Minimum macOS 10.15.3
- j214k — MacBookPro16,2 (May 2020). Minimum macOS 10.15.4
- j223 — MacBookPro16,3 (May 2020). Minimum macOS 10.15.4
- j215 — MacBookPro16,4 (June 2020). Minimum macOS 10.15.5
- j185 — iMac20,1 (August 2020). Minimum macOS 10.15.6
- j185f — iMac20,2 (August 2020). Minimum macOS 10.15.6
- x86legacy — Macs without T2 chip and VMs. Minimum macOS 11.0.1

iMac19,1 (March 2019, minimum macOS 10.14.4) isn't in the list because it has no T2 chip.

Of course, you can also set SecureBootModel to the value, from the list above, that corresponds to the macOS version you want to boot (example: j160 for macOS Catalina 10.15.1). If you are suspicious of old operating systems, you can always put the model that supports only the macOS versions that you need and not the older ones. For example, j140k will filter 10.13 and lower, j152f will filter 10.14 and lower, x86legacy will filter 10.15 and lower.

Apple Secure Boot in the hackintosh

How to get Apple Secure Boot in the hackintosh? OpenCore provides 3 keys to enable Secure Boot:
- Misc >> Security >> DmgLoading: sets the load policy for DMGs in OpenCore; it can be Any (boot fails if Secure Boot is enabled), Signed or Disabled (both support Secure Boot)
- Misc >> Security >> SecureBootModel: sets the Apple Secure Boot hardware model and policy; SecureBootModel (not Disabled) gives Medium Security, for Full Security you must use ApECID
- Misc >> Security >> ApECID: Apple Enclave Identifier, to use personalized Apple Secure Boot identifiers and to have Full Security when paired with SecureBootModel.

For the ApECID value, you must get a 64-bit integer randomly generated in a cryptographically secure way. You can use the urandom bash command in Terminal. This tool can generate a random 32-bit integer; if we run the tool twice and combine the two 32-bit integers we get a 64-bit value.
Copy this text into a file, save it with the sh extension and run it with a double click:

#!/bin/sh
# first 32 bit integer
low32=$(od -An -N4 -tu4 < /dev/urandom)
# second 32 bit integer
high32=$(od -An -N4 -tu4 < /dev/urandom)
# joining the 2 numbers
long=$(($low32 + ($high32 << 32)))
# removing leading minus sign if exists
echo $long | sed 's/-//'

Now you can enter it under Misc -> ApECID in your config.plist. Don't use random instead of urandom, it isn't cryptographically secure.

When using ApECID, SecureBootModel must have a defined value instead of Default. I have found that x86legacy provides Medium Security and only values that correspond to Mac models that have a T2 chip (example: j185, j137) allow you to personalize the boot volume and get Full Security. Remember that SecureBootModel and SMBIOS are different things; it is not mandatory to have the same Mac model in both keys and there are really no advantages or disadvantages if they are the same.

The first time that macOS boots with an ApECID value you must personalize the boot volume. To do this:
- boot into Recovery
- be sure you have an Internet connection
- open Terminal
- bless --folder "/Volumes/HD/System/Library/CoreServices" --bootefi --personalize (replace HD with the name of your system volume)
- reboot into macOS.

SecureBootModel and ApECID:
- with SecureBootModel=Disabled >> no security (%00)
- with SecureBootModel=x86legacy or any of the valid values >> medium security (%01)
- with SecureBootModel=any of the T2 values plus ApECID non-zero >> full security (%02).

Vault

It's a secure boot for OpenCore, digitally signing OpenCore.efi so no one can modify boot loader files except you.
config.plist

As a first task, you must modify config.plist:
- Misc >> Security >> Vault:
  Basic: requires just the vault.plist file to be present, used for filesystem integrity verification
  Secure: requires both vault.plist and vault.sig files, used for best security as vault.plist changes require a new signature
- Booter >> ProtectSecureBoot=Yes >> needed with Insyde firmwares for fixing secure boot keys and reporting violations.

CreateVault

Copy the OpenCorePKG/Utilities/CreateVault folder next to the EFI folder inside the EFI partition. The resultant path must be: EFI partition/Utilities folder/CreateVault folder.

.
├── EFI
│   ├── BOOT
│   └── OC
├── Utilities
│   └── CreateVault
│       ├── RsaTool
│       ├── create_vault.sh
│       └── sign.command
└──

Inside CreateVault there are 3 files: create_vault.sh, RsaTool and sign.command. Run sign.command >> to generate a hash for each file in the EFI folder, write them to the vault.plist file and create a 256-byte signature of vault.plist that will be inserted into the OpenCore.efi file.

How to disable Vault?
- Get a new copy of OpenCore.efi
- Misc >> Security >> Vault >> Optional
- Remove vault.plist and vault.sig.

UEFI Secure Boot option in BIOS

UEFI Secure Boot allows booting only OSes that are signed and trusted. The PC BIOS comes with Microsoft keys as trusted. So, to boot Windows with Secure Boot, you need to enable Secure Boot in BIOS and to have Windows 10/11 keys (usually included in the motherboard firmware). But this is only for Windows. macOS has its own implementation, Apple Secure Boot; this feature can be done with Secure Boot disabled in BIOS. So, these are 2 separate systems: PC BIOS Secure Boot and Apple Secure Boot. Windows boots fine with Secure Boot enabled or disabled in BIOS. But OpenCore only boots with Secure Boot disabled in BIOS (as expected). This is not important for users who only use macOS.
But since Windows 11, nearing its final release, seems to require Secure Boot enabled in BIOS, it's important for users who want to have macOS and Windows together and plan to upgrade to Windows 11. By default our hacks have always worked with BIOS Secure Boot disabled; this is one of the BIOS options required to boot with OpenCore or Clover, but I wanted to find some not very complicated way of running OpenCore with PC BIOS Secure Boot enabled (if possible, probably not for now, at least in a simple way). When booting OpenCore with Secure Boot mode enabled in BIOS, a warning saying "Secure boot violation. Invalid signature detected. Check secure boot policy in setup" is displayed by the firmware before OpenCore, which fails and does not boot.

UEFI Secure Boot with OpenCore has its own post: [GUIDE] OpenCore and UEFI Secure Boot using Windows Subsystem for Linux.

OpenCore Vault + UEFI Secure Boot

At the moment it is not possible to have UEFI Secure Boot + Vault at the same time. Since both systems sign or modify the OpenCore.efi file, the second one applied modifies this file and breaks the integrity kept by the first one applied. It doesn't matter which of the 2 is applied first: after doing digital signature + vault (or in reverse order) OpenCore doesn't boot, with a corruption notice for OpenCore.efi.

There is a way to have UEFI Secure Boot and OpenCore Vault at the same time; it's in the OpenCore Configuration.pdf file, although the instructions are short and confusing in my opinion. It is a heavy task but at least it is possible to carry it out. The key is the order in which the files are signed, both with personal keys for the UEFI firmware and with hashes created from Vault. This requires moving from macOS to Windows and vice versa a few times. In order not to have to switch from Mac to Windows so many times, I have installed an Ubuntu 14.04 virtual machine with UTM on macOS.

The steps are:
- On Ubuntu >> digitally sign all OC 0.8.5 .efi files except OpenCore.efi
- On macOS >> vault the EFI folder with the signed files, including OpenCore.efi, not digitally signed yet
- On Ubuntu >> sign the OpenCore.efi file which already has Vault applied
- Back in macOS >> copy the EFI folder into the EFI partition
- Reboot >> enable UEFI Secure Boot >> OpenCore.

It is a tedious task. The most boring part is copying files between macOS and Ubuntu. UTM in theory has the option to define a shared folder to exchange files but I have not been able to make it work. I have used WeTransfer in the Mac and Linux browsers to exchange files between both systems. The shared clipboard between Mac and Linux does work, so at least text can be exchanged.

Edited October 13, 2022 by miliuco
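Added example, not part of the original post and not code from the OpenCore project: a POSIX sh script that (1) decodes the AppleSecureBootPolicy value as the nvram command prints it, (2) draws and validates an ApECID as a single unsigned 64-bit read from /dev/urandom (od -tu8 prints the full unsigned range, so no sign stripping is needed), and (3) maps a SecureBootModel/ApECID pair to the expected mode from the summary above. All function names and the sample nvram line are my own constructions.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenCore project).
# Helper functions around the Apple Secure Boot settings discussed above;
# the function names are my own choice.

# Sample nvram output, constructed for this example (nvram separates name and
# value with a tab; the value %02 means Full Security).
SAMPLE_NVRAM_LINE=$(printf '94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy\t%%02')

# Map one output line of
#   nvram 94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy
# to the mode name. An empty line or an error message (variable not found)
# is reported as "Unsupported", matching the post.
decode_secure_boot_policy() {
    value=$(printf '%s\n' "$1" | awk '{ print $NF }')
    case "$value" in
        %02) echo "Full Security" ;;
        %01) echo "Medium Security" ;;
        %00) echo "No Security" ;;
        *)   echo "Unsupported" ;;
    esac
}

# Validate an ApECID candidate: decimal digits only, non-zero (0 means
# "no ApECID" to OpenCore) and at most 2^64-1. Returns 0 if valid, 1 if not.
check_apecid() {
    id=$1
    max=18446744073709551615            # 2^64 - 1
    case "$id" in
        '' | *[!0-9]*) return 1 ;;      # empty or not purely numeric
    esac
    id=$(printf '%s' "$id" | sed 's/^0*//')
    [ -n "$id" ] || return 1            # was all zeros
    [ "${#id}" -lt 20 ] && return 0     # fewer digits than max: fits
    [ "${#id}" -gt 20 ] && return 1     # more digits than max: overflow
    i=1                                 # same length: compare digit by digit
    while [ "$i" -le 20 ]; do
        a=$(printf '%s' "$id"  | cut -c"$i")
        b=$(printf '%s' "$max" | cut -c"$i")
        [ "$a" -lt "$b" ] && return 0
        [ "$a" -gt "$b" ] && return 1
        i=$((i + 1))
    done
    return 0                            # equal to max
}

# Draw a fresh ApECID: one unsigned 64-bit read from /dev/urandom (od -tu8
# prints it as an unsigned decimal, so the whole range is used and no sign
# needs stripping). Retries in the astronomically unlikely case of 0.
generate_apecid() {
    while :; do
        candidate=$(od -An -N8 -tu8 < /dev/urandom | tr -d ' \n')
        if check_apecid "$candidate"; then
            echo "$candidate"
            return 0
        fi
    done
}

# Expected Apple Secure Boot outcome for a SecureBootModel / ApECID pair,
# following the summary in the post: Disabled -> none, x86legacy -> medium,
# a T2 model (j...) -> full only with a valid non-zero ApECID.
expected_mode() {
    model=$1
    apecid=$2
    case "$model" in
        Disabled)  echo "No Security" ;;
        x86legacy) echo "Medium Security" ;;
        j*)        if check_apecid "$apecid"; then echo "Full Security"
                   else echo "Medium Security"; fi ;;
        *)         echo "Unknown" ;;
    esac
}

printf 'Sample NVRAM line           -> %s\n' "$(decode_secure_boot_policy "$SAMPLE_NVRAM_LINE")"
printf 'j185 + fresh ApECID         -> %s\n' "$(expected_mode j185 "$(generate_apecid)")"
printf 'New ApECID for config.plist -> %s\n' "$(generate_apecid)"
```

On a real Intel Mac you can feed the live value in with decode_secure_boot_policy "$(nvram 94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy 2>&1)"; the 2>&1 makes the "not found" error land in the Unsupported branch instead of an empty result. The digit-by-digit comparison in check_apecid is there because shell arithmetic is signed 64-bit and cannot compare values near 2^64 directly.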
Guest 5T33Z0 Posted September 11, 2021

"Monterey and Big Sur require x86legacy (Default now)" >> This is a bit misleading. You can still use other values or disable it so it is not a requirement per se. Installing Monterey only does work when SecureBootModel is "Disabled" in a lot of cases otherwise the installer crashes.
miliuco Posted September 11, 2021 (edited)

On 9/11/2021 at 7:46 AM, 5T33Z0 said:
"Monterey and Big Sur require x86legacy (Default now)" >> This is a bit misleading. You can still use other values or disable it so it is not a requirement per se. Installing Monterey only does work when SecureBootModel is "Disabled" in a lot of cases otherwise the installer crashes.

You're right. The text is not clear, although it is inspired by the first comments about x86legacy by people of the OpenCore team. Thanks for the comment. Currently we can say that:
- x86legacy is designed for machines without T2 with Big Sur and especially Monterey if we want to have Apple Secure Boot
- Big Sur, Monterey and other versions of macOS since 10.13.2 can boot with Disabled (as in my post: "users who don't want to have Apple Secure Boot for any reason can set SecureBootModel=Disabled, even in Monterey")
- Systems older than macOS 10.13.2 must set SecureBootModel=Disabled
- Big Sur and Monterey can boot with values other than x86legacy or Disabled, as in my post: "you can also set Secure Boot Model to the value, from the list above, that corresponds to the macOS version you want to boot (example j160 for macOS Catalina 10.15.1)".

Corrected in my first post.

Edited September 16, 2021 by miliuco
Henties Posted September 11, 2021

@miliuco Great stuff, now it sheds some light on this, which for me has been sort of a mystery till now. Greetings Henties
miliuco Posted September 16, 2021 (edited)

@5T33Z0 I have joined the 3 posts into a single one according to your suggestion. I think it's better now. But when deleting the other 2 posts, your comments and those of @antuneddu also disappear, sorry.

Edited September 16, 2021 by miliuco
miliuco Posted September 17, 2021 (edited)

Added Vault in the first post.

Edited October 11, 2022 by miliuco
miliuco Posted September 18, 2021 (edited)

This is moving in Acidanthera: UEFI secure boot. I hope for useful changes, as usual. Thanks! Support UEFI SecureBoot within OpenCore by @vit9696

Edited September 28, 2021 by miliuco
miliuco Posted October 2, 2021

It seems that:
- macOS doesn't support full security on non-T2 Mac models
- Monterey beta can't have full security even with ApECID + boot volume personalized, only medium security. See bug tracker: Full Security install in macOS Monterey

In fact, I can have full security in Big Sur with T2 SecureBootModel + ApECID but in Monterey I only have medium security.
miliuco Posted October 3, 2021

On 10/2/2021 at 2:32 PM, miliuco said:
It seems that: Monterey beta can't have full security even with ApECID + boot volume personalized, only medium security. See bug tracker: Full Security install in macOS Monterey

Fixed in the last OpenCore commits, currently 19aea59, alongside RestrictEvents 466fab9:
- RestrictEvents not required for updates to be displayed even using T2 SecureBootModel and SMBIOS (MacPro7,1...), now it's fixed inside OpenCore
- Monterey can now have full security when using T2 SecureBootModel and SMBIOS
- SecureBootModel=Default in Monterey now picks the SMBIOS model. SMBIOS non-T2 (iMac19,1) + SMB=Default + ApECID non-zero: only medium security. SMBIOS T2 model (MacPro7,1) + SMB=Default + ApECID non-zero: full security. This can be as expected in real Macs; Macs without T2 only achieve medium security.
miliuco Posted October 11, 2022 (edited)

Added comment about OpenCore Vault + UEFI Secure Boot in the first post, not possible at this moment.

Edited October 13, 2022 by miliuco
miliuco Posted October 13, 2022

Edited comment about OpenCore Vault + UEFI Secure Boot in the first post, it's possible to have both at the same time.