UEFI Secure Boot compatibility #368
Comments
Is there currently any possibility to run OpenCore from shim?
Hi! I've just switched from Clover to OpenCore 0.5.9 and have got all the parts working apart from secure boot.
Sadly, when I get into OpenCore with secure boot enabled at the BIOS level, I see only the Windows drive, and if I select it, the secure boot environment does not get passed through as far as I can tell, as Windows then asks for a BitLocker key. Is there something else I'm missing here or is there a missing piece to the functionality that is not linked on this ticket? Thanks!
Should be implemented in master for 10.13+ and all signed drivers, requires Apple Secure Boot. Will leave open till the documentation updates.
The comments suggest a solution and/or documentation update. I simply am looking for an example that force loads a kext from the config.plist in the Kernel -> Force part. IO80211Family.kext to be precise, as suggested in the documentation. Can you please supply an example XML snippet for that and preferably for dependencies? Thanks
Force is not compatible with 11+. You cannot inject custom IO80211Family on 11 (at all).
I am on 10.15 currently
On Sat, Dec 26, 2020, 02:30 Vitaly Cheptsov ***@***.***> wrote:
> Force is not compatible with 11+. You cannot inject custom IO80211Family on 11 (at all).
Then Sample.plist may be used as an example.
We should make OpenCore compatible with UEFI secure boot by providing our custom loader for Apple-signed binaries. This comes in par with implementing AppleLoadedImageProtocol, binary whitelist (allowing tools, drivers, and specified hashes), trusted key list (Apple only and maybe custom), enforcing LoadPolicy. A proper threat model also needs to be finalised and documented afterwards.
Here are the legacy tasks, which are already mostly reconsidered.
This is blocking on hibernation and other concepts like immutable kernel loading, so we really need to address this soon, i.e. prior to July release.