Note: it is highly recommended to read the Dortania guide, where this process is explained in detail. This post is based on that guide together with my own experience implementing it, and it clarifies the relationship between BIOS Secure Boot and OpenCore Secure Boot.
UEFI Secure Boot only allows booting operating systems that are signed with a trusted key. PC firmware ships with Microsoft's keys as trusted, so to boot Windows with Secure Boot you enable Secure Boot in the BIOS and need the Windows 8/10 keys (usually included in the motherboard firmware). But this is only required for Windows. macOS has its own implementation, named Apple Secure Boot, which works with Secure Boot disabled in the BIOS. So these are two separate systems: PC BIOS Secure Boot and Apple Secure Boot.
How do you get Apple Secure Boot on a Hackintosh? OpenCore is able to provide it regardless of the BIOS setting. OpenCore has three config.plist keys that control Secure Boot:
- Misc >> Security >> DmgLoading: sets the policy for loading DMGs in OpenCore; it can be Any (boot fails if Secure Boot is enabled), Signed or Disabled (the latter two both support Secure Boot)
- Misc >> Security >> SecureBootModel: sets the Apple Secure Boot hardware model and policy; SecureBootModel on its own equates to Medium Security, for Full Security you must also set ApECID
- Misc >> ApECID: Apple Enclave Identifier, used to personalize the Apple Secure Boot identifiers and to get Full Security when paired with SecureBootModel.
For the ApECID value you need a 64-bit integer generated randomly in a cryptographically secure way.
If you have Python 3 installed, you can use this command in Terminal:
python3 -c 'import secrets; print(secrets.randbits(64))'
If you don't have Python 3, you can read random bytes from /dev/urandom with od in Terminal. One read gives a random 32-bit integer; running it twice and combining the two 32-bit integers gives a 64-bit value. Copy this text into a file, save it with the sh extension and run it with a double click:
#!/bin/sh
# first 32-bit unsigned integer: 4 bytes from /dev/urandom, printed as decimal
low32=$(od -An -N4 -tu4 < /dev/urandom)
# second 32-bit unsigned integer
high32=$(od -An -N4 -tu4 < /dev/urandom)
# join the two halves into one 64-bit number; shell arithmetic is signed 64-bit,
# so the result wraps to a negative value whenever the top bit is set
long=$(( low32 + (high32 << 32) ))
# drop the leading minus sign if present; the magnitude is still a random
# integer that fits in 64 bits
echo "$long" | sed 's/-//'
Now you can enter it under Misc -> ApECID in your config.plist.
Note: don't use random instead of urandom; it isn't cryptographically secure.
When using ApECID, SecureBootModel must be set to an explicit value rather than Default (what Default means can change in later versions of OpenCore).
It's advisable to personalize the boot volume the first time macOS boots with an ApECID value. To do this:
- boot into Recovery
- make sure you have an Internet connection
- open Terminal and run:
bless --folder "/Volumes/HD/System/Library/CoreServices" --bootefi --personalize
(replace HD with the name of your system volume)
- reboot into macOS.
If I disable Secure Boot in BIOS:
- with SecureBootModel=Disabled I have no security (%00)
- with SecureBootModel=x86legacy or any of the valid values I have medium security (%01)
- with SecureBootModel=x86legacy or any of the valid values plus a non-zero ApECID value I have full security (%02).
Checked in Terminal with the command:
nvram 94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy
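As an added example (not from the original post and not OpenCore's own tooling), the following POSIX shell script encodes the three cases above: it computes the AppleSecureBootPolicy byte that a given SecureBootModel/ApECID pair should produce, decodes the line printed by the nvram command, and reports a mismatch between the two. The SECUREBOOTMODEL and APECID environment variables used at the end are an assumption of this script.

```shell
#!/bin/sh
# Added example: relate the OpenCore settings to the AppleSecureBootPolicy
# byte that nvram reports. Not part of the original post or of OpenCore.

# Policy byte expected for a SecureBootModel/ApECID pair, following the three
# cases observed above: Disabled -> %00, model only -> %01, model+ApECID -> %02.
expected_policy() {
    if [ "$1" = "Disabled" ]; then
        echo '%00'
    elif [ "$2" = "0" ]; then
        echo '%01'
    else
        echo '%02'
    fi
}

# Decode one line of nvram output, e.g.
#   94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy    %02
# into a level name; returns 1 on a value the post does not describe.
decode_policy() {
    code=$(printf '%s\n' "$1" | awk '{print $NF}')
    case "$code" in
        '%00') echo "Disabled (no security)" ;;
        '%01') echo "Medium Security" ;;
        '%02') echo "Full Security" ;;
        *) echo "unknown policy value: $code"; return 1 ;;
    esac
}

# Compare the configured values with what the firmware reports.
# Usage: verify_policy <SecureBootModel> <ApECID> "<nvram output line>"
verify_policy() {
    want=$(expected_policy "$1" "$2")
    have=$(printf '%s\n' "$3" | awk '{print $NF}')
    if [ "$want" = "$have" ]; then
        echo "OK: firmware policy $have matches SecureBootModel=$1 ApECID=$2"
    else
        echo "MISMATCH: config implies $want but firmware reports $have"
        return 1
    fi
}

# On a real Mac (SECUREBOOTMODEL and APECID are assumed environment variables
# holding the values from your config.plist):
if command -v nvram >/dev/null 2>&1; then
    verify_policy "${SECUREBOOTMODEL:-x86legacy}" "${APECID:-0}" \
        "$(nvram 94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy)"
fi
```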