
There are users who are not looking for an increase in security when booting OpenCore and macOS but only a way to have UEFI Secure Boot enabled and boot OpenCore without disabling it. This may be because they want to boot Windows with UEFI Secure Boot or because the machine they are using has it enabled and they cannot disable it (business computers especially).

 

Although the level of security provided by this method is probably lower than the one already mentioned (creating our own keys on a Linux system, digitally signing the OpenCore files and including our secure keys in the firmware), it is a much simpler way and consumes much less time so, if you are one of those who only want to be able to boot OpenCore with UEFI Secure Boot enabled, this can be very useful.

 

What is proposed is to enroll the OpenCore .efi files to the db secure variable, which is a list of allowed signatures, so that UEFI Secure Boot accepts these .efi files as safe. We do not modify .efi files, we just tell the firmware to consider them safe to boot even if UEFI Secure Boot is enabled.

 

1. BIOS: Disable UEFI Secure Boot
 

2. macOS

  • Create a USB stick and put OpenCore on the EFI partition in the usual way
  • Get the file /usr/standalone/i386/boot.efi and put it in the EFI folder of the USB stick
  • Restart

3. BIOS:

  • Secure Boot >> Key management >> Reset to Default Keys
  • Secure Boot >> Key management >> Enroll EFI image
  • Add the .efi files one by one from the EFI folder of the USB stick
    • EFI/BOOT/bootx64.efi
    • EFI/OC/OpenCore.efi
    • EFI/OC/Driver/*.efi
    • EFI/OC/Tools/*.efi
    • EFI/boot.efi
  • Restart

4. BIOS: Enable UEFI Secure Boot and reboot to select boot device
 

6. Select partition 1 of the USB stick and check if OpenCore and macOS boot as expected.

 

If everything works well, you can boot with this same version of OpenCore from any internal or external drive with UEFI Secure Boot enabled.

 

Whenever you update OpenCore, you need to replace OpenCore .efi files. And every time you update macOS you must get the new boot.efi file from the i386 folder and do Enroll EFI image again. Maybe it's better to do Secure Boot >> Key management >> Reset to Default Keys before enrolling the new .efi files.

 

Users who boot several versions of macOS on the same PC machine (e.g. I have 3 disks, Sonoma, Ventura and Sequoia beta) should know that the boot.efi file is different from one to another so you have to enroll in the firmware the boot.efi file for each system. If this is not done, you may get OCB StartImage Failed errors when selecting a disk in the OpenCore picker.

 

Windows still boots fine with UEFI Secure Boot enabled as OEM secure variables and Microsoft certificates registered in the firmware have not been changed.

 

This method seems to have a much lower risk of ending up with a locked or even bricked BIOS.

 

Source

 

slose1 (link not accessible anymore).
 

This user proposes enrolling 5 macOS files to the db variable in addition to the OpenCore files, these are:

  • /usr/standalone/i386/boot.efi
  • /usr/standalone/i386/apfs_aligned.efi
  • /usr/standalone/i386/apfs.efi
  • /usr/standalone/firmware/FUD/MultiUpdater/MultiUpdater.efi
  • /usr/standalone/firmware/FUD/USBCAccessoryFirmwareUpdater/HPMUtil.efi

But I have tested with and without enrolling these macOS files in the firmware and I have seen that the only file required, at least in my case, is boot.efi. I have tried enrolling only boot.efi and OpenCore .efi files and OpenCore boots fine with UEFI Secure Boot enabled. Of course it also boots when the other 4 files are enrolled too, but to me they don't seem to be necessary.
 

Edited by miliuco
slose1 link not accessible anymore
  • Like 8
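
Added example (not part of the original post): a Python sketch of the PE image digest that Secure Boot compares against hash entries in db, which shows why every new boot.efi or OpenCore build has to be enrolled again. It assumes the firmware's "Enroll EFI image" stores a SHA-256 image hash computed in the EDK II order (headers, then sections, then trailing data); `pe_image_sha256` and `sample_pe` are hypothetical names, and `sample_pe` builds a constructed test image, not a real driver.

```python
import hashlib, struct, sys

def pe_image_sha256(data: bytes) -> str:
    """SHA-256 of a PE image, skipping CheckSum, the cert-table entry and the cert table."""
    pe, = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE/COFF image")
    nsec, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    opt = pe + 24                                    # optional header start
    dirs = opt + (112 if struct.unpack_from("<H", data, opt)[0] == 0x20B else 96)
    n_dirs, = struct.unpack_from("<I", data, dirs - 4)
    hdr_size, = struct.unpack_from("<I", data, opt + 60)
    csum_off, cert_off = opt + 64, dirs + 4 * 8      # directory entry 4 = certificate table
    cert_size = struct.unpack_from("<I", data, cert_off + 4)[0] if n_dirs > 4 else 0
    h = hashlib.sha256(data[:csum_off])
    h.update(data[csum_off + 4:cert_off] + data[cert_off + 8:hdr_size]
             if n_dirs > 4 else data[csum_off + 4:hdr_size])
    hashed, sections = hdr_size, []
    for i in range(nsec):                            # SizeOfRawData, PointerToRawData
        size, ptr = struct.unpack_from("<II", data, opt + opt_size + 40 * i + 16)
        if size:
            sections.append((ptr, size))
    for ptr, size in sorted(sections):               # sections in file order
        h.update(data[ptr:ptr + size])
        hashed += size
    h.update(data[hashed:len(data) - cert_size])     # trailing data, minus signatures
    return h.hexdigest()

def sample_pe(body=b"\x90" * 512, checksum=0, cert=b""):
    """Constructed minimal PE32+ with one section (sample input only)."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<II", opt, 60, 0x200, checksum)
    struct.pack_into("<I", opt, 108, 16)             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 144, 0x200 + len(body) if cert else 0, len(cert))
    sec = b".text\0\0\0" + struct.pack("<IIII", len(body), 0x1000, len(body), 0x200) + bytes(16)
    return (dos + coff + bytes(opt) + sec).ljust(0x200, b"\0") + body + cert

if __name__ == "__main__":
    paths = sys.argv[1:]                             # e.g. the .efi files on the USB stick
    for path in paths:
        with open(path, "rb") as f:
            print(pe_image_sha256(f.read()), path)
    if not paths:
        print(pe_image_sha256(sample_pe()), "(constructed sample)")
```

Saving the printed digests for the files you enrolled gives a record of exactly which builds the firmware was told to trust; a changed digest after an update means that file is no longer covered by its db entry.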
  • 4 months later...

hi there, thanks for your info. on my gigabyte z490 vision g, i did the following:

 

built an opencore usb with recommended settings and install sonoma on ssd, secure boot off

grab the file from ssd, /usr/standalone/i386/boot.efi, along with the other 4 optional files, and copy to usb efi folder

boot to bios, select secure boot > reset default keys (did not reboot)

enroll efi image, with your above recommendations plus the 4 optional files.
once everything enrolled, switch secure boot on, save and exit/reboot out of bios.

attempt to boot usb drive with opencore. selecting to boot the installer or the sonoma installation causes this:

 

00:000 00:000 OCS: Failed to parse data field as value with type mdata and <ESIzAAAAAA==> contents, context <ROM>!
03:098 03:098 OCB: LoadImage failed - Access Denied

 

Edit: i also have securebootmodel to disabled in my OC config 
 

Edited by grandosegood

Hey there, it turns out i had applesecureboot to disabled, instead of default. I'm guessing i will set applesecureboot and bios secure boot to disabled, perform updates as needed, re-enroll new boot.efi or opencore efi files, then re-enable bios secure boot and applesecureboot. 

@grandosegood

Not sure why you are getting this error.

/usr/standalone/i386/boot.efi enrolled into the firmware is from the same macOS version that you want to boot, right?

 

I'm pretty sure that SecureBootModel has nothing to do with this.

 

Note: did you also enroll all the OpenCore .efi files present in the EFI folder on the USB?

Remember:

  • Secure Boot >> Key management >> Reset to Default Keys
  • Secure Boot >> Key management >> Enroll EFI image
  • Add the .efi files one by one from the EFI folder of the USB stick
    • EFI/BOOT/bootx64.efi
    • EFI/OC/OpenCore.efi
    • EFI/OC/Driver/*.efi
    • EFI/OC/Tools/*.efi
    • EFI/boot.efi (got from the same macOS version that you are booting).

 

  • Like 1