Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

UEFI Secure Boot compatibility #368

Closed
4 tasks
vit9696 opened this issue Jun 9, 2019 · 8 comments
Closed
4 tasks

UEFI Secure Boot compatibility #368

vit9696 opened this issue Jun 9, 2019 · 8 comments
Assignees
@savvamitrofanov
Labels
priority:high project:oc

Comments

@vit9696
Copy link
Contributor

vit9696 commented Jun 9, 2019

We should make OpenCore compatible with UEFI secure boot by providing our custom loader for Apple-signed binaries. This comes in par with implementing AppleLoadedImageProtocol, binary whitelist (allowing tools, drivers, and specified hashes), trusted key list (Apple only and maybe custom), enforcing LoadPolicy. A proper threat model also needs to be finalised and documented afterwards.

Here are the legacy tasks, which are already mostly reconsidered.

  • OcBootManagementLib: Old dmg signatures, like mavericks, are not accepted due to untrusted certificate, we want to implement full LoadPolicy support
  • OcAppleImageVerificationLib: review & fix, it should be able to properly truncate the image when it has garbage in the end (consider ExtractVerifiedAppleImage interface with mutable Image/Size interface)
  • OcDirectImageLoadLib: implement based off CoreImage files we already use in AppleImageLoader (see below); export OcDirectLoadImage, OcDirectStartImage, OcDirectUnloadImage as EFI gBS equivalents
  • OcAppleImageSupportLib: implements EFI_BOOT_SERVICES hook to its own functions, which implements Apple signature verification and FAT image loading (still need that for 10.8). Apple images should be loaded directly.

This is blocking on hibernation and other concepts like immutablekernel loading, so we really need to address this soon, i.e. prior to July release.
@vit9696 vit9696 mentioned this issue Jun 9, 2019
Closed
33 tasks
@vit9696 vit9696 mentioned this issue Aug 10, 2019
Closed
22 tasks
@bittantone
Copy link

Is currently any possibility to run OpenCore from shim?

@vit9696 vit9696 mentioned this issue Nov 14, 2019
Closed
@vit9696 vit9696 mentioned this issue Jan 24, 2020
Closed
@emlynmac
Copy link

emlynmac commented Jul 8, 2020

Hi!
First of all, thanks for all the amazing hard work on this project and all the others - it's truly epic what has been done.

I've just switched from Clover to OpenCore 0.5.9 and have got all the parts working apart from secure boot.
I've signed all my .efi files in OpenCore with the custom key (same as I did for Clover) and also the parts of Catalina that I could find:

"$PREBOOT/System/Library/CoreServices/boot.efi"
"$RECOVERY/boot.efi"
"/usr/standalone/i386/boot.efi"
"/usr/standalone/i386/apfs.efi"

Sadly, when I get into OpenCore with secure boot enabled at the BIOS level, I see only the Windows drive and if I select it, the secure boot environment does not get passed through as far as I can tell, as Windows then asks for a bit locker key.

Is there something else I'm missing here or is there a missing piece to the functionality that is not linked on this ticket?

Thanks!

@andrewnicolalde
Copy link

Hi!
First of all, thanks for all the amazing hard work on this project and all the others - it's truly epic what has been done.

I've just switched from Clover to OpenCore 0.5.9 and have got all the parts working apart from secure boot.
I've signed all my .efi files in OpenCore with the custom key (same as I did for Clover) and also the parts of Catalina that I could find:

"$PREBOOT/System/Library/CoreServices/boot.efi"
"$RECOVERY/boot.efi"
"/usr/standalone/i386/boot.efi"
"/usr/standalone/i386/apfs.efi"

Sadly, when I get into OpenCore with secure boot enabled at the BIOS level, I see only the Windows drive and if I select it, the secure boot environment does not get passed through as far as I can tell, as Windows then asks for a bit locker key.

Is there something else I'm missing here or is there a missing piece to the functionality that is not linked on this ticket?

Thanks!

https://www.reddit.com/r/hackintosh/comments/g76o9t/secureboot_using_custom_keys_with_opencore/fofm7uv/

@vit9696
Copy link
Contributor Author

vit9696 commented Aug 24, 2020
edited
Loading

Should be implemented in master for 10.13+ and all signed drivers, requires Apple Secure Boot. Will leave open till the documentation updates.

@vit9696 vit9696 closed this as completed Aug 29, 2020
@VGerris
Copy link

VGerris commented Dec 26, 2020

the comments suggest a solution and or documentation update. I simply am looking for an example that force loads a kext from the config.plist in the kernel -> force part. IO80211Family.kext to be precise, as suggested in documentatio. can you please supply an example XML snippet for that and preferrably for dependencies? thanks

@vit9696
Copy link
Contributor Author

vit9696 commented Dec 26, 2020

Force is not compatible with 11+. You cannot inject custom IO80211Family on 11 (at all).

@VGerris
Copy link

VGerris commented Dec 26, 2020 via email

@vit9696
Copy link
Contributor Author

vit9696 commented Dec 26, 2020

Then Sample.plist may be used as an example.

@acidanthera acidanthera locked and limited conversation to collaborators Dec 26, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@savvamitrofanov savvamitrofanov

Labels
priority:high project:oc
Milestone
No milestone
Development

No branches or pull requests
6 participants
@VGerris @savvamitrofanov @emlynmac @vit9696 @andrewnicolalde @bittantone