Hackintosh secure as a real Mac for business use?

[T16]

I am considering using the Hackintosh I just built for everyday business use. But was curious as to whether or not it is secure as a real mac which uses Secure Boot and SIP. Any input would be appreciated. Thanks.

Edited May 24, 2023 by T16

[MICKHAEL]

well, sip could be enabled. but, with secure boot its another story
clover boot loader binary needs to be signed.... and I think also all efi drivers

@Slice could answer this question

[Avery B]

OpenCore has support for Apple's Secure boot enabled by default. For that to be beneficial though, you would need to sign OpenCore's EFI files and enable vaulting. Section 12.2 in the Configuration.pdf for OpenCore has the steps you would need to go through.

[Allan]

For what kind of business you're gonna use? Video/photo editing, accounting...

You need pay attention about the laws of your country, if doing it will or not violate the Apple's EULA

[T16]

Also, I am kinda concerned about the origin of the Kexts. How would I know if one of Kexts has some type of Malware? 
The system will be used for Accounting,

and will have sensitive data that needs to be protected. Maybe I should just use the Hackintosh as a hobby machine,

and use a real mac for business purposes. 

[Avery B]

If your concerned about kexts, you can build them yourself (all the normal kexts people use are open source, so you can view their source code). I havent seen a Kext with malware. I doubt those kexts are going to be an attack source either, there is a very limited number of Hackintoshes out there compared to Macs.

[T16]

Thants for the idea of writing my own Kexts, but I honestly have no idea how to do that.

[Slice]

What kind of attack do you affraid? Virus attack during boot time? Nonsense. Secure Boot is for paranoids.

If you want to protect your computer from unauthorized access then use strong password or you may use FileVault. This technology is supported by Clover on Hackintoshes.

If you afraid kexts then you can made it from sources. They are mostly all to be open source. You should not write kext, you have to compile them. Or just not afraid because Github guaranteed they are safe because they are open source.

Are you OK? Do you know what is open source? I can repeat. All our solutions are malware free because they are open source.

[aben]

OR just use a Mac (if absolutely feasible, that is) given that your line-of-business actually involves having to work with sensitive/confidential data and you want real peace of mind; sometimes it's just better to be safe than sorry especially when it involves work/business. 

 

P.S: Not discrediting the security of hackintoshes whatsoever, I believe they can be as secure as a Mac however cannot deny the fact that hackintoshes are fragile systems that are prone to breakage especially on the firmware/software side of things.

Edited December 1, 2022 by aben

[mnfesq]

I use my hack for business, sort of.  I run parallels and do all my business on a VM of Windows 11 because my line of work requires me to use a type of software that runs only on Windows.  Because I make regular snapshots of my VM, I can always revert to an earlier snapshot if I accidentally click on something I shouldn't have.  I think regular and frequent back ups is the best solution to any security concern, particularly ransomware, which I have been hit with on my desktop computer twice.

[T16]

Have you had any issues with your Hackintosh Security?

[BALDY_MAN]

Rule for all computers. whatever flavour you use. make a good back up plan use it often

[mhaeuser]

@Slice I am glad that you seem to have ascended beyond actual security engineers to give advice like this. It appears from Clover’s source code that software security as a whole is paranoia, isn’t it?

 

If someone here is paranoid however,  a “strong password” will be a strong protection against password bruteforce attacks and nothing else, so basic physical attackers more or less. Software-based attacks will exploit vulnerabilities or socially engineer you into entering the password (be that a prompt or unknowingly enabling a keylogger), not bruteforce it. And any sophisticated physical attacker with access to the disk can just disable the password without knowing it for unencrypted storage. So if physical attackers are a concern (especially with laptops), encrypt your storage (which is ineffective if the decryption process can be messed with).

 

If you’re super paranoid and believe the CosmicStrand hoax, you may actually consider enabling Secure Boot (it is not a full protection without Boot Guard, obviously). Unlike lots of past disinformation, it works just fine with Linux and such.

 

I guess the gist is: Stay in your lane. Security doesn’t appear to be it.

[Slice]

@mhaeuser

I see you tell about FileVault. It will protect your data from external attacks.

But the question is about SecureBoot. WTF? Is it protect from something?

I agree about FileVault, no need to repeat arguments for it.

[Planet X]

The biggest security issue on the Computer is the user. The Operating System is as secure as on a real Mac because of the OS isn't modified to be able to run on a PC. But the user does take decisions for the source of the installed software to work with or the websites visited. I use only legal software on my self build HackMac and never had any issues like malware or virus on mac OS. But why don't you buy a Mac if you can't sleep well with your own build?

[deeveedee]

On 2/24/2023 at 2:16 AM, mhaeuser said:

Stay in your lane.

 

Probably the worst advice that I've seen given in this forum.  We're all here putting ourselves out there for all others to judge, criticize, comment ... Nothing could thwart growth more than "staying in our lanes" and then being ridiculed for attempting to venture out of them.  A polite correction would suffice.  As long as the mistake isn't fatal, it's a learning experience.

 

Your bedside manner leaves much to be desired.  I haven't been this disappointed with a post in a long time.  Please troll elsewhere.

Edited March 4, 2023 by deeveedee

[mhaeuser]

@deeveedee You would be correct if this was an attempt at growth, as you called it. There is an immeasurable difference between a rookie trying to get something right and a reputable senior who many trust dishing out terrible advice with misplaced confidence. When you’re in a position of perceived or displayed seniority, you’re expected to choose your words with caution. Would you want a teacher with no connection to the subject preaching wrong things to your children? I don’t, and certainly not for the N-th time. Picking out individual sentences that are the conclusion of a text with situational context doesn’t make sense.

 

FYI, there are firmware implementations out in the wild that for some reason treat USB devices with a higher priority than inbuilt media. This is legacy behaviour from when autobooting Windows install DVDs was something important to people. If you have a USB flash drive inserted with a user-writable FS and Secure Boot is off, you’re a file copy operation and a reboot away from ring 0 with no software exploit or physical access required (the user running a script or copying the file themselves, maybe due to social engineering, is enough). This is *terrible*, especially as there are only few reasons to not enable it.

 

EDIT

@Planet X No, it is not as secure, for missing hardware assistance like with T2 and M1 (transparent SSD encryption using a hardware key, hardware attestation, firmware authentication, etc.) alone.

Edited March 29, 2023 by mhaeuser