Enable BIOS Secure Boot with OpenCore

UEFI Secure Boot vs. Apple Secure Boot model

As reported on OpenCore Configuration at Chapter 12.2, OpenCore is designed to provide a secure boot chain between firmware and operating system. On most x86 platforms trusted loading is implemented via UEFI Secure Boot model. Not only OpenCore fully supports this model, but it also extends its capabilities to ensure sealed configuration via vaulting and provide trusted loading to the operating systems using custom verification, such as Apple Secure Boot.

What does it mean? Apple Secure Boot is not equivalent to UEFI Secure Boot i.e. the Secure Boot option which could be enabled in BIOS menu.

Apple Secure Boot

Apple Secure Boot is the technology used in Macs to verify the integrity of the operating system at boot: boot loader -> kernel -> snapshot of the system volume.

• If this check fails, macOS won't boot.
• Apple Secure Boot only works during the boot process: once macOS is running it no longer performs any function.

Apple defines 3 Secure Boot modes:

• Full Security:
  • Only allows to boot the installed operating system or another signed version of macOS in which Apple currently trusts.
  • It also checks the integrity of the installed version.
  • If the check fails, the system offers to reinstall macOS or boot from a different disk.
• Medium Security:
  • Checks that the installed version of macOS is legitimate but not the integrity of the system.
  • Lets you boot any signed version of macOS in which Apple has ever trusted.
• No Security:
  • Other systems or versions different from those mentioned in the secure options are allowed.
  • There are no requirements on the boot operating system.

OpenCore has a SecureBootModel key that adjusts the Apple Secure Boot mode to make it similar to Macs.

To achieve Full Security with OpenCore v. 0.7.2+, in config.plist you need to:

1. set Debug -> DisableWatchDog to false
2. set NVRAM -> Add -> csr-active-config to <00000000> and check if SIP is properly enabled launching the command csrutil status in Terminal app
3. set Misc -> Security -> DmgLoading to Signed
4. set Misc -> Security -> SecureBootModel to
   • Default (which is the failsafe value equivalent to x86legacy) or (for example) j132 (which corresponds to MacBookPro15,2 with minimum macOS 10.13.6) for macOS 11 Big Sur
   • Default or x86legacy for macOS 12 Monterey
5. set Misc -> Security -> ApECID to a non-zero random 64-bit integer (which allows using personalised Apple Secure Boot identifiers) generated with a cryptographically secure random number generator
6. set Misc -> Security -> Vault to Secure value and then vaulting OC files using the script in default OC/Utilities/CreateVault folder

In OpenCore Configuration at Chapter 8.5 a list for valid values is reported:

• you can also set SecureBootModel to the value, from the list, that corresponds to the macOS version you want to boot
• you can always put the model that only supports the versions you need of macOS and not the previous ones
• remember that SMBIOS and SecureBootModel do not need to match: Apple Secure Boot model does not depend on the SMBIOS model so there is no point in trying to choose the same

It is up to you to decide whether enabling Full Security or not. Atm I recommend enabling Medium Security because it's easier to make changes to the config.plist and to the contents of the EFI/OC folder without having to reapply vaulting to OC files every time!

For enabling Medium Security, please apply steps 1 -> 4 mentioned above for Full Security.

If you would try now to enable UEFI/BIOS Secure Boot in your BIOS, you could not to boot your machine because you secured OpenCore boot phase but OpenCore is not recognized yet as a trusted OS from your BIOS!

Creating your own Secure Boot Keys

UEFI Secure Boot works by using a set of keys embedded in the computer's firmware. These keys (or more precisely, their private counterparts) are used to sign boot loaders, drivers, option ROMs, and other software that the firmware runs:

• All PCs sold today include keys that Microsoft controls.
• If you would like to enable UEFI Secure Boot for macOS, you need to replace your computer's standard keys with ones that you control.

In order to sign your OpenCore install with your own private keys, you'll need Linux! Why? Because atm (September 2021) there is no way to sign properly with macOS!

1. Download Ubuntu and create a bootable live USB drive using UNetbootin
2. Reboot your computer and boot your USB key (press F12 at boot)
3. Boot into your live Ubuntu distribution
4. Set your Wi-Fi credentials since you need a working Internet connection
5. Click on Show Applications -> Software Updater -> Settings
6. In Ubuntu Software tab, check first 4 repositories i.e. main, universe, restricted and multiverse, and uncheck Installation medium with Ubuntu; then click on Close button
7. Then click on Reload button to update from newly added or changed sources
8. Open a Terminal app and type the following commands

sudo apt-get update -y
sudo apt-get install -y efitools

9. Now you can create your own three Secure Boot key sets (public and private) PK, KEK and db:
   • you need to download Microsoft Certificates:
     • from a trusted repository (Microsoft Windows Production CA 2011 and Microsoft UEFI Driver Signing CA) as reported on OpenCore Configuration.pdf at Chapter 12.2
     • or from my local copy (MicWinProPCA2011_2011-10-19.crt and MicCorUEFCA2011_2011-06-27.crt)
   • you can download a short script for this purpose make_keys.sh
   • or you can copy-and-paste it from the following listing into a file (I call it make_keys.sh)

!/bin/bash
# Copyright (c) 2021 by profzei
# Licensed under the terms of the GPL v3

# Common Name : Huawei MBXP 2018
echo -n "Enter a Common Name to embed in the keys: "
read NAME

openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes -subj "/CN=$NAME Platform Key" -keyout PK.key -out PK.pem
openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes -subj "/CN=$NAME Key Exchange Key" -keyout KEK.key -out KEK.pem
openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes -subj "/CN=$NAME Image Signing Key" -keyout ISK.key -out ISK.pem

GUID=`python3 -c 'import uuid; print(str(uuid.uuid1()))'`
echo $GUID > myGUID.txt

cert-to-efi-sig-list -g "$GUID" PK.pem PK.esl
cert-to-efi-sig-list -g "$GUID" KEK.pem KEK.esl
cert-to-efi-sig-list -g "$GUID" ISK.pem ISK.esl

openssl x509 -in MicWinProPCA2011_2011-10-19.crt -inform DER -out MsWin.pem -outform PEM
openssl x509 -in MicCorUEFCA2011_2011-06-27.crt -inform DER -out UEFI.pem -outform PEM
cert-to-efi-sig-list -g "$GUID" MsWin.pem MsWin.esl
cert-to-efi-sig-list -g "$GUID" UEFI.pem UEFI.esl
cat ISK.esl MsWin.esl UEFI.esl > db.esl

sign-efi-sig-list -k PK.key -c PK.pem PK PK.esl PK.auth
sign-efi-sig-list -k PK.key -c PK.pem KEK KEK.esl KEK.auth
sign-efi-sig-list -k KEK.key -c KEK.pem db db.esl db.auth

chmod 0600 *.key

echo ""
echo ""
echo "For use with KeyTool, copy the *.auth files to a FAT32 USB"
echo "flash drive or to your EFI System Partition (ESP)."
echo ""

10. Run make_keys.sh:

• Be sure to set the executable bit: chmod a+x make_keys.sh
• This script prompts you for a common name (which will help you identify your keys and differentiate them from other keys) to embed in your keys: I suggest, for example, Huawei MBXP 2018.
• please, check myGUID.txt is not empty (more myGUID.txt), otherwise you could have some issues with Python interpreter!

11. Save all the generated keys on a safe USB flash drive.

Signing OpenCore EFI Binaries

In order to sign OpenCore Efi binaries with your own keys (which have also embedded standard Microsoft Certificates for dual boot purpouses):

12. Create a new folder: mkdir Signing_OpenCore and

• download into this folder sign_opencore.sh script and set its executable bit: chmod a+x sign_opencore.sh
• copy into this folder ISK.key and ISK.pem files you generated before

13. The script sign_opencore.sh needs 2 arguments:

• URL for downloading OpenCore Release package
• OpenCore Release version

14. Run the following command in Terminal app:

./sign_opencore.sh https://github.com/acidanthera/OpenCorePkg/releases/download/0.7.3/OpenCore-0.7.3-RELEASE.zip 0.7.3

15. Note: you should see some warnings: do not worry about them since they do not harm! All Efi binaries signed (that have produced those warnings) will work fine!
16. Inside Signing_OpenCore/Signed folder you should find all needed OpenCore efi binaries signed with your own keys!
17. Save Signing_OpenCore/Signed folder content into a safe USB flash drive.
18. Now you don't need anymore your Ubuntu live distribution so you can reboot your machine!

Replacing UEFI keys

Some UEFIs provide the means to install your own keys using their own built-in user interfaces: for more details and explicative screenshots, please, refer to:

• http://www.rodsbooks.com/efi-bootloaders/controlling-sb.html
• https://habr.com/en/post/273497/ (Russian article)

Huawei Matebook X Pro Insyde Bios does not provide any Secure Boot key management interface, so we need a more general approach to perform such tasks using KeyTool.efi!

1. Download from my local repository KeyTool.zip file from here and unzip it into a FAT32 formatted USB flash drive: please, check to get a file structure similar to the following

2. Copy your own generated keys db.auth, KEK.auth and PK.auth into EFI folder on the same FAT32 formatted USB flash drive as shown in the previous figure
3. Reboot your computer and boot your FAT32 formatted USB flash drive (press F12 at boot); the result should resemble the following:

4. Select Edit Keys option

5. Start by replacing The Allowed Signature Database (db):
   • Select Replace Key(s) option
   • Navigate into your FAT32 formatted USB flash drive (for Matebook X Pro you should see a path like PciRoot(0)/Pci(0x14,0x0)/Usb ... which indicates your USB flash drive while the other path shown is your SSD)
6. Select the associated .auth file

7. Do the same for The Key Exchange Key Database (KEK) and The Platform Key (PK) in this order
8. Summarizing, you need to replace (repeating steps #5 + #6) first db.auth, then KEK.auth and finally PK.auth
9. Exit and shutdown your machine
10. Boot into the BIOS/UEFI settings and check if Secure Boot option is reported as Enabled: if all went right, you should not to enable Secure Boot option, but it should be already set as Enabled!
11. Now you could boot macOS using OpenCore Efi binaries previously signed with your own keys with UEFI Secure Boot enabled (since standard Microsoft Certificates have been included, you could also boot Windows 10 or Windows 11 from OpenCanopy Boot picker without any issues)

References

• https://github.com/acidanthera/OpenCorePkg/blob/master/Docs/Configuration.pdf @ Chapter 12.2
• https://habr.com/en/post/273497/ (Russian article)
• http://www.rodsbooks.com/efi-bootloaders/controlling-sb.html
• https://blog.hansenpartnership.com/uefi-secure-boot/