miliuco Posted July 11 Share Posted July 11 (edited) There are users who are not looking for an increase in security when booting OpenCore and macOS but only a way to have UEFI Secure Boot enabled and boot OpenCore without disabling it. This may be because they want to boot Windows with UEFI Secure Boot or because the machine they are using has it enabled and they cannot disable it (business computers especially). Although the level of security provided by this method is probably lower than the one already mentioned (creating our own keys on a Linux system, digitally signing the OpenCore files and including our secure keys in the firmware), it is a much simpler way and consumes much less time so, if you are one of those who only want to be able to boot OpenCore with UEFI Secure Boot enabled, this can be very useful. What is proposed is to enroll the OpenCore .efi files to the db secure variable, which is a list of allowed signatures, so that UEFI Secure Boot accepts these .efi files as safe. We do not modify .efi files, we just tell the firmware to consider them safe to boot even if UEFI Secure Boot is enabled. 1. BIOS: Disable UEFI Secure Boot 2. macOS Create a USB stick and put OpenCore on the EFI partition in the usual way Get the file /usr/standalone/i386/boot.efi and put it in the EFI folder of the USB stick Restart 3.BIOS: Secure Boot >> Key management >> Reset to Default Keys Secure Boot >> Key management >> Enroll EFI image Add the .efi files one by one from the EFI folder of the USB stick EFI/BOOT/bootx64.efi EFI/OC/OpenCore.efi EFI/OC/Driver/*.efi EFI/OC/Tools/*.efi EFI/boot.efi Restart 4. BIOS: Enable UEFI Secure Boot and reboot to select boot device 6. Select partition 1 of the USB stick and check if OpenCore and macOS boot as expected. If everything works well, you can boot with this same version of OpenCore from any internal or external drive with UEFI Secure Boot enabled. Whenever you update OpenCore, you need to replace OpenCore .efi files. And every time you update macOS you must get the new boot.efi file of the i386 folder and do Enroll EfI Image again. Maybe it's better to do Secure Boot >> Key management >> Reset to Default Keys before enrolling the new .efi files. Users who boot several versions of macOS on the same PC machine (e.g. I have 3 disks, Sonoma, Ventura and Sequoia beta) should know that the boot.efi file is different from one to another so you have to enroll in the firmware the boot.efi file for each system. If this is not done, you may get OCB StartImage Failed errors when selecting a disk in the OpenCore picker. Windows still boots fine with UEFI Secure Boot enabled as OEM secure variables and Microsoft certificates registered in the firmware have not been changed. This method seems to have a much lower risk of ending up with a locked or even bricked BIOS. Source slose1 (link not accessible anymore). This user proposes enrolling 5 macOS files to the db variable in addition to the OpenCore files, these are: /usr/standalone/i386/boot.efi /usr/standalone/i386/apfs_aligned.efi /usr/standalone/i386/apfs.efi /usr/standalone/firmware/FUD/MultiUpdater/MultiUpdater.efi /usr/standalone/firmware/FUD/USBCAccessoryFirmwareUpdater/HPMUtil.efi But I have tested with and without enrolling these macOS files in the firmware and I have seen that the only file required, at least in my case, is boot.efi. I have tried enrolling only boot.efi and OpenCore .efi files and OpenCore boots fine with UEFI Secure Boot enabled. Of course it also does enrolling the other 4 files too but to me they don't seem to be necessary. Edited July 23 by miliuco slose1 link not accessible anymore 8 Link to comment Share on other sites More sharing options...
STLVNUB Posted July 12 Share Posted July 12 Good Job, Should Help A LOT Of People 1 Link to comment Share on other sites More sharing options...
grandosegood Posted Tuesday at 06:44 AM Share Posted Tuesday at 06:44 AM hey there, i wanted to thank you for all your help in the community. can you please confirm if this is the most current/easiest method to dual boot windows 11 and sonoma with secure boot enabled in uefi bios? thanks. Link to comment Share on other sites More sharing options...
miliuco Posted Tuesday at 11:18 AM Author Share Posted Tuesday at 11:18 AM @grandosegood As far as I know, this is the easiest method. Far ahead of the next one. And with very little risk of having BIOS issues. 1 1 Link to comment Share on other sites More sharing options...
grandosegood Posted yesterday at 07:11 AM Share Posted yesterday at 07:11 AM (edited) hi there, thanks for your info. on my gigabyte z490 vision g, i did the following: built an opencore usb with recommended settings and install sonoma on ssd, secure boot off grab the file from ssd, /usr/standalone/i386/boot.efi, along with the other 4 optional files, and copy to usb efi folder boot to bios, select secure boot > reset default keys (did not reboot) enroll efi image, with your above recommendations plus the 4 optional files. once everything enrolled, switch secure boot on, save and exit/reboot out of bios. attempt to boot usb drive with opencore. selecting to boot the installer or the sonoma installation causes this: 00:000 00:000 OCS: Failed to parse data field as value with type mdata and <ESIzAAAAAA==> contents, context <ROM>! 03:098 03:098 OCB: LoadImage failed - Access Denied Edit: i also have securebootmodel to disabled in my OC config Edited yesterday at 09:14 AM by grandosegood Link to comment Share on other sites More sharing options...
grandosegood Posted yesterday at 10:14 AM Share Posted yesterday at 10:14 AM Hey there, it turns out i had applesecureboot to disabled, instead of default. Im guessing i will set applesecureboot and bios secure boot to disabled, perform updates as needed, re-enroll new boot.efi or opencore efi files, then re-enable bios secure boot and applesecureboot. Link to comment Share on other sites More sharing options...
Recommended Posts