OC UEFI SecureBoot status


Alex HQuest

Hi all.

 

I understand @miliuco has put out a really helpful guide to sign OC binaries and allow UEFI SecureBoot of osx. However, this requires the Linux subsystem on Windows and cannot be easily done on osx itself.

 

Then there is this year-old feature request from @vit9696 on Acidanthera's bug tracker to implement the same feature, however as part of OC.
 

I understand there are more pressing priorities on what needs to be delivered, but I was wondering if the native OC implementation of UEFI SecureBoot has any sights to leave the wish list at this point.


Thanks.

Edited by Alex HQuest

The linked issue actually requests that OpenCore itself implements secure boot (i.e. so that OpenCore itself would determine what should or should not be loaded according to secure boot rules, rather than passing on these decisions to the firmware image loader as currently, and with the required signature databases configured in the OpenCore config file, not in the firmware settings). The issue does not specifically request adding image signing abilities to macOS, and since that relies on some established tools I believe it is quite possible that these would NOT be added to macOS, even if that task was completed. But no, there's no progress on it currently afaik.

 

It's pretty lightweight to add a Linux install (e.g. Ubuntu or Fedora, perhaps) on an external drive or on a new, separate partition which you make on your main drive (30GB should be more than enough, if you're not planning to use it for much else), which is probably the lightest-weight way to set up a signing environment. (Assuming you don't already have Windows - if you do then adding WSL to it is definitely also a perfectly good option. There are also some native Windows signing tools which you can download, for use in PowerShell/cmd, but they are obscure and less well documented, so I'd steer clear!)

 

And yes, you definitely have to manually re-sign after each OC update; that's in the nature of taking over your own security and not passing it on to others, such as Microsoft, to decide what should and should not be loaded on your machine! 🙂

Edited by Bmju
  • Like 2
  • Thanks 1
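
Since every OC update replaces the signed binaries, a quick check for which EFI images currently carry no signature is useful before rebooting with Secure Boot on. The following is an added example, not part of the thread or of OpenCore: it reads the PE certificate-table entry of each image, using constructed sample headers and placeholder file names.

```python
import struct

SECURITY_DIR = 4  # data-directory index of the PE certificate table

def signature_table(image: bytes):
    """Return (file_offset, size) of the certificate table, or None if absent."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE/EFI image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24  # optional header follows the 4-byte signature + 20-byte COFF header
    try:
        magic = struct.unpack_from("<H", image, opt)[0]
        # Data directories start at 96 (PE32) or 112 (PE32+) bytes into the optional header.
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]
        count = struct.unpack_from("<I", image, dirs - 4)[0]
        if count <= SECURITY_DIR:
            return None
        offset, size = struct.unpack_from("<II", image, dirs + 8 * SECURITY_DIR)
    except (struct.error, KeyError) as exc:
        raise ValueError("truncated or unknown optional header") from exc
    if size == 0:
        return None
    if offset + size > len(image):
        raise ValueError("certificate table extends past end of file")
    return offset, size

def unsigned_images(images: dict) -> list:
    """Names of images that carry no certificate table and so need (re-)signing."""
    return sorted(name for name, data in images.items() if signature_table(data) is None)

def make_sample(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for this demo; not a bootable image."""
    image = bytearray(b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40))  # DOS stub, e_lfanew=0x40
    image += b"PE\0\0" + bytes(20)                                    # signature + COFF header
    opt = bytearray(112 + 16 * 8)                                     # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                              # NumberOfRvaAndSizes
    image += opt
    if signed:
        struct.pack_into("<II", image, 0x40 + 24 + 112 + 8 * SECURITY_DIR, len(image), 8)
        image += bytes(8)  # placeholder bytes standing in for a WIN_CERTIFICATE entry
    return bytes(image)

if __name__ == "__main__":
    samples = {"signed.efi": make_sample(True), "unsigned.efi": make_sample(False)}
    print(unsigned_images(samples))
```

This only reports whether a signature is present; it does not validate the signature against the keys enrolled in the firmware.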

6 hours ago, Bmju said:

The linked issue (…) does not specifically request adding image signing abilities to macOS,

Then I completely misinterpreted the issue. Thanks for clarifying. I was trying to avoid the re-sign at every update; however, considering I don't do frequent updates unless necessary, that should not be too much of a problem (and I always keep a working USB thumb drive as a loader backup).


Thanks again.

  • Like 2