UEFI and Secure Boot
OpenCore is designed to provide a secure boot chain between the firmware and the operating system. On most x86 platforms trusted loading is implemented via the UEFI Secure Boot model. Not only does OpenCore fully support this model, it also extends its capabilities to ensure a sealed configuration via vaulting and to provide trusted loading of operating systems using custom verification, such as Apple Secure Boot. A proper secure boot chain requires several steps and careful configuration of certain settings, as explained below:

- Enable Apple Secure Boot by setting `SecureBootModel` to run macOS. Note that not every macOS version is compatible with Apple Secure Boot and there are several other restrictions, as explained in the Apple Secure Boot section.
- Disable DMG loading by setting `DmgLoading` to `Disabled` if there are concerns about loading old, vulnerable DMG recoveries. This is not required, but recommended. For the actual tradeoffs see the details in the DMG loading section.
- Make sure that the APFS JumpStart functionality restricts the loading of old, vulnerable drivers by setting `MinDate` and `MinVersion` to `0`. More details are provided in the APFS JumpStart section. An alternative is to install the `apfs.efi` driver manually.
- Make sure that `Force` driver loading is not needed and that all the operating systems are still bootable.
- Make sure that `ScanPolicy` restricts loading from undesired devices. It is a good idea to prohibit all removable drives and unknown filesystems.
- Sign all the installed drivers and tools with the private key. Do not sign tools that provide administrative access to the computer, such as the UEFI Shell.
- Vault the configuration as explained in the Vaulting section.
- Sign all OpenCore binaries (`BOOTX64.efi`, `BOOTIa32.efi`, `OpenCore.efi`, custom launchers) used on this system with the same private key.
- Sign all third-party operating system bootloaders (those not made by Microsoft or Apple) if needed. For Linux there is the option to install the Microsoft-signed Shim bootloader, as explained on e.g. the Debian Wiki.
- Enable UEFI Secure Boot in the firmware preferences and install the certificate corresponding to the private key. Details on how to generate a certificate can be found in various articles and are out of the scope of this document. If Windows is needed, the Microsoft Windows Production CA 2011 will also have to be added. To launch option ROMs or to use signed Linux drivers, the Microsoft UEFI Driver Signing CA will also be needed.
- Password-protect changing firmware settings to ensure that UEFI Secure Boot cannot be disabled without the user's knowledge.
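As an added example (not part of OpenCore or of this document), the following Python audit checks a `config.plist` against the settings in the checklist above. The key paths (`Misc/Security`, `UEFI/APFS`) are OpenCore's; the `ScanPolicy` bit values are taken from the OpenCore documentation as the example author understands them and should be checked against the release in use; the sample configuration is constructed.

```python
import plistlib
from typing import Any, Dict, List

# ScanPolicy bits (assumption: from OpenCore's documentation; the documented
# default 0x10F0103 is consistent with these values, but verify for your release).
SCAN_DEVICE_LOCK = 0x2
SCAN_REMOVABLE = 0x200000 | 0x400000 | 0x800000   # USB, FireWire, SD card

def audit_secure_boot(config: Dict[str, Any]) -> List[str]:
    """Return findings where config.plist deviates from the checklist above."""
    findings: List[str] = []
    security = config.get("Misc", {}).get("Security", {})
    apfs = config.get("UEFI", {}).get("APFS", {})

    if security.get("SecureBootModel", "Default") == "Disabled":
        findings.append("SecureBootModel=Disabled: Apple Secure Boot is off")
    dmg = security.get("DmgLoading", "Signed")
    if dmg != "Disabled":
        findings.append(f"DmgLoading={dmg}: old vulnerable DMG recoveries may load")
    if security.get("Vault", "Optional") != "Secure":
        findings.append("Vault is not Secure: configuration is not sealed")
    for key in ("MinDate", "MinVersion"):   # 0 keeps OpenCore's built-in minimum
        if apfs.get(key, 0) != 0:
            findings.append(f"APFS {key}={apfs[key]}: old apfs.efi drivers may load")
    policy = security.get("ScanPolicy", 0)
    if policy == 0 or not policy & SCAN_DEVICE_LOCK:   # 0 disables all filtering
        findings.append(f"ScanPolicy={policy:#x}: device type filtering is off")
    elif policy & SCAN_REMOVABLE:
        findings.append(f"ScanPolicy={policy:#x}: removable devices are allowed")
    return findings

# Constructed sample: a config using the values this checklist warns about.
WEAK_CONFIG = plistlib.loads(b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Misc</key><dict><key>Security</key><dict>
    <key>SecureBootModel</key><string>Disabled</string>
    <key>DmgLoading</key><string>Any</string>
    <key>Vault</key><string>Optional</string>
    <key>ScanPolicy</key><integer>0</integer>
  </dict></dict>
  <key>UEFI</key><dict><key>APFS</key><dict>
    <key>MinDate</key><integer>-1</integer>
    <key>MinVersion</key><integer>-1</integer>
  </dict></dict>
</dict></plist>""")

if __name__ == "__main__":
    for finding in audit_secure_boot(WEAK_CONFIG):
        print("FINDING:", finding)
```

Point it at a real file with `audit_secure_boot(plistlib.load(open(path, "rb")))`; an empty list means every checklist setting is in place.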