How to Enable Apple Secure Boot for macOS using OpenCore
This guide covers enabling Secure Boot for non-Apple systems that are configured with macOS using OpenCore. By following this guide, you'll be able to enable Apple Secure Boot for macOS using the OpenCore bootloader.

Overview
Like Windows 11, Apple has its own Secure Boot implementation on Macs. Apple Secure Boot is implemented at two levels: hardware/firmware-based Secure Boot and software-based Secure Boot. On real Macs, the firmware-level part is handled by the T2 chip (found on newer Intel Macs) and the rest is handled by macOS. OpenCore, a popular bootloader that is capable of booting macOS on non-Apple systems and widely used for this purpose, has a similar mechanism to implement Secure Boot for macOS on non-Apple systems. OpenCore is designed to provide Secure Boot functionality between the firmware and macOS. On most x86 platforms, trusted loading is implemented via the UEFI Secure Boot model. OpenCore not only fully supports this model, but also provides additional capabilities: it ensures an intact configuration via vaulting and provides trusted loading of macOS using its own (custom) verification of Apple's signed boot files.

Let's have a look at how these two levels function and how they differ from each other.
Not all of these verifications are required to boot macOS or the macOS installer; they are for users who want maximum security when using macOS on their non-Apple computers.
Enabling Apple Secure Boot at macOS Level
Following are the steps to enable Apple Secure Boot at the macOS level.

STEP 1: Update OpenCore
It's always recommended to run the latest OpenCore along with the latest versions of the kexts your system requires to boot and for other functionality. Although not strictly necessary, it is still preferred. To update OpenCore, follow the guide linked below:
How To Update OpenCore Bootloader
See OpenCore Updates for more info.
STEP 2: Set SecureBootModel
SecureBootModel is the first setting that enables Apple Secure Boot. It controls which macOS versions can boot by verifying the signature of the boot.efi file. Note that not every macOS version is compatible with Apple Secure Boot, and there are several restrictions, as explained in this guide. Enabling SecureBootModel is equivalent to the Medium Security configuration found on T2-chip-based real Mac models.
1. Mount your ESP.
2. Open config.plist from the EFI/OC directory using any plist/XML editor.
3. Under the Misc > Security section of your config.plist, set SecureBootModel according to the table below:
| Value | SMBIOS | Minimum macOS Version |
|---|---|---|
| Disabled | No model, Secure Boot will be disabled. | N/A |
| Default | Currently set to x86legacy | 11.0.1 (20B29) |
| j137 | iMacPro1,1 (December 2017) | 10.13.2 (17C2111) |
| j680 | MacBookPro15,1 (July 2018) | 10.13.6 (17G2112) |
| j132 | MacBookPro15,2 (July 2018) | 10.13.6 (17G2112) |
| j174 | Macmini8,1 (October 2018) | 10.14 (18A2063) |
| j140k | MacBookAir8,1 (October 2018) | 10.14.1 (18B2084) |
| j780 | MacBookPro15,3 (May 2019) | 10.14.5 (18F132) |
| j213 | MacBookPro15,4 (July 2019) | 10.14.5 (18F2058) |
| j140a | MacBookAir8,2 (July 2019) | 10.14.5 (18F2058) |
| j152f | MacBookPro16,1 (November 2019) | 10.15.1 (19B2093) |
| j160 | MacPro7,1 (December 2019) | 10.15.1 (19B88) |
| j230k | MacBookAir9,1 (March 2020) | 10.15.3 (19D2064) |
| j214k | MacBookPro16,2 (May 2020) | 10.15.4 (19E2269) |
| j223 | MacBookPro16,3 (May 2020) | 10.15.4 (19E2265) |
| j215 | MacBookPro16,4 (June 2020) | 10.15.5 (19F96) |
| j185 | iMac20,1 (August 2020) | 10.15.6 (19G2005) |
| j185f | iMac20,2 (August 2020) | 10.15.6 (19G2005) |
| x86legacy | Non-T2 Macs in 11.0 (recommended for VMs) | 11.0.1 (20B29) |
| macOS Version | SecureBootModel | Notes |
|---|---|---|
| macOS Sonoma - macOS Tahoe (14.4 - 26.x) | Disabled | Set SecureBootModel to Disabled in order to update the system using OTA. |
| Big Sur - Sonoma (11.0 - 14.3) | Default | |
| High Sierra - Catalina (10.13.x - 10.15.x) | See notes | If your SMBIOS is not listed in the T2 Mac models table above, it is recommended to set SecureBootModel to Disabled. If you're using NVIDIA Web Drivers, it is also recommended to set SecureBootModel to Disabled. If you're using an SMBIOS that is listed, compare the minimum macOS version for that SMBIOS with the macOS version you're trying to boot or install. If the installer or installed macOS is below the minimum macOS version listed for the SMBIOS, set SecureBootModel to Disabled in order to boot. |
| macOS Sierra and below (10.12.x - 10.4) | | |
NOTES:
- The usable SMBIOS is limited by the minimum macOS version listed in the table above: a model cannot boot a macOS version older than its minimum.
- If you're booting multiple macOS versions, set SecureBootModel to Disabled to be able to boot all of them; otherwise, any macOS version below the model's minimum will fail to boot from either the installer or the installed disk.
- It's recommended to set a proper value (the one closest to your SMBIOS and the macOS version you plan to boot). The Default setting is not recommended if you plan to use it with ApECID for Full Security.
- Default is currently set to x86legacy, which will not allow booting macOS High Sierra through macOS Catalina.
- Unsigned and several signed drivers cannot be used, including NVIDIA Web Drivers.
- If you're using a virtual machine, it's recommended to set SecureBootModel to x86legacy.
STEP 3: Set DmgLoading
DmgLoading is an important setting in regard to Apple Secure Boot. It controls what kind of DMGs (mostly online recovery images) are allowed to boot via OpenCore.
1. Assuming config.plist is still open, set DmgLoading according to the table below under the Misc > Security section of your config.plist:
| Value | Notes |
|---|---|
| Any | Allows all DMGs to boot from OpenCore. However, this causes a boot failure when Apple Secure Boot is enabled. |
| Signed | Allows only Apple-signed DMGs (online recovery images) to boot from OpenCore. |
| Disabled | Disables all external DMG loading. However, internal recovery is still allowed with this option. |
STEP 4: Set ApECID
ApECID is the Apple Enclave Identifier. When paired with SecureBootModel, it allows using personalized Apple Secure Boot identifiers and achieves the Full Security configuration found on T2-chip-based real Mac models.
1. Install Python.
2. Open Terminal and execute the following command (no root privileges are needed; it only prints a random 64-bit number):
Python:
python -c 'import secrets; print(secrets.randbits(64))'
3. Assuming config.plist is still open, set ApECID under the Misc > Security section of your config.plist by pasting the value generated in the previous step.
NOTES:
- Replace python with python3 if you're using macOS Monterey 12.3 or later, which no longer ships Python 2.
- Pre-existing macOS installations will need to personalize the volume. To do so, boot into Recovery and execute the following command in Terminal (an active network connection is required in Recovery):
Code:
bless --folder "/Volumes/Macintosh HD/System/Library/CoreServices" --bootefi --personalize
- When installing macOS 10.15 or below, you may receive an "Unable to verify macOS" error message. To fix this error, allocate a dedicated 2 MB RAM disk for macOS personalization by entering the commands below in the macOS Recovery Terminal before starting the installation:
Code:
disk=$(hdiutil attach -nomount ram://4096)   # 4096 x 512-byte sectors = 2 MB RAM disk; $disk holds its device node
diskutil erasevolume HFS+ SecureBoot $disk   # format it as HFS+ with the volume name SecureBoot
diskutil unmount $disk                       # unmount so it can be remounted at the personalization path
mkdir /var/tmp/OSPersonalizationTemp         # scratch directory used during personalization
diskutil mount -mountpoint /var/tmp/OSPersonalizationTemp $disk   # mount the RAM disk there
STEP 5: Set Vault
STEP 6: Set ScanPolicy
ScanPolicy is another important setting; it controls which devices and filesystems OpenCore will scan for bootable entries. For maximum security, it's advised to prohibit all removable drives, unknown filesystems and unknown device types.
1. Assuming config.plist is still open, set ScanPolicy according to the table below under the Misc > Security section of your config.plist:
STEP 7: Set System Integrity Protection
When implementing Apple Secure Boot, it's advised to keep System Integrity Protection (SIP) fully enabled as well; a disabled or partially disabled SIP undermines the protection of the system volume that Secure Boot establishes.
1. Assuming config.plist is still open, set csr-active-config to 00000000 (DATA) under the 7C436110-AB2A-4BBB-A880-FE41995C9F82 GUID dictionary in NVRAM > Add of your config.plist. This value is SIP fully enabled.

STEP 8: Set APFS Jumpstart
Since macOS High Sierra, Apple uses a new file system (APFS). Each macOS version ships a different APFS driver version, and for full security it is advised to restrict the loading of old, vulnerable drivers.
1. Assuming config.plist is still open, enable EnableJumpstart under the UEFI > APFS section of your config.plist.
2. In the same section, set MinDate and MinVersion to 0. A value of 0 applies OpenCore's built-in minimum driver date and version; -1 would permit any driver and is what to avoid here.

Now that Apple Secure Boot is enabled on the macOS side, it is also recommended to enable Secure Boot at the hardware/firmware level. To enable Secure Boot at the hardware/firmware level, see the guide linked below:
How to Enable Secure Boot and TPM 2.0 for macOS and Windows Dual Boot Systems [OpenCore]
NOTE:
- TPM is irrelevant to macOS and is only required for other operating systems (such as Windows 10/11). If you're dual-booting with Windows 10/11, it's advised to enable TPM as well.
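As an added check (not part of the original guide and not OpenCore's own tooling), the following Python script reads a config.plist with the standard plistlib module and compares the keys from Steps 2 through 8 against the rules in this guide: the SecureBootModel minimum-version table, DmgLoading, ApECID, the ScanPolicy lock bits (the bit values are the ones documented in the OpenCore reference manual), csr-active-config under the 7C436110 boot-variable GUID, and the APFS jumpstart limits. The embedded config.plist, its ApECID and the "weakened" variant are constructed for the demonstration; to lint your own file, load it with plistlib.load(open("config.plist", "rb")) and pass it to lint() with the macOS version you intend to boot.

```python
"""Lint the Apple Secure Boot related keys of an OpenCore config.plist (added example)."""
import copy
import plistlib
import secrets

# Minimum macOS version per SecureBootModel value, taken from the table in Step 2.
SECURE_BOOT_MIN = {
    "x86legacy": (11, 0, 1), "j137": (10, 13, 2), "j680": (10, 13, 6),
    "j132": (10, 13, 6), "j174": (10, 14, 0), "j140k": (10, 14, 1),
    "j780": (10, 14, 5), "j213": (10, 14, 5), "j140a": (10, 14, 5),
    "j152f": (10, 15, 1), "j160": (10, 15, 1), "j230k": (10, 15, 3),
    "j214k": (10, 15, 4), "j223": (10, 15, 4), "j215": (10, 15, 5),
    "j185": (10, 15, 6), "j185f": (10, 15, 6),
}
DEFAULT_MODEL = "x86legacy"  # what "Default" currently resolves to
APPLE_BOOT_GUID = "7C436110-AB2A-4BBB-A880-FE41995C9F82"  # NVRAM GUID that holds csr-active-config
# ScanPolicy bits as documented in the OpenCore reference manual.
SCAN_FS_LOCK, SCAN_DEVICE_LOCK = 0x1, 0x2
SCAN_REMOVABLE = {"ATAPI": 0x100000, "USB": 0x200000, "FireWire": 0x400000, "SD card": 0x800000}

# Constructed config.plist fragment with the settings Steps 2 to 8 ask for (hypothetical ApECID).
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>Misc</key><dict><key>Security</key><dict>
  <key>ApECID</key><integer>1234567890123456789</integer>
  <key>DmgLoading</key><string>Signed</string>
  <key>ScanPolicy</key><integer>17760515</integer>
  <key>SecureBootModel</key><string>j185</string>
 </dict></dict>
 <key>NVRAM</key><dict><key>Add</key><dict>
  <key>7C436110-AB2A-4BBB-A880-FE41995C9F82</key><dict>
   <key>csr-active-config</key><data>AAAAAA==</data>
  </dict></dict></dict>
 <key>UEFI</key><dict><key>APFS</key><dict>
  <key>EnableJumpstart</key><true/>
  <key>MinDate</key><integer>0</integer>
  <key>MinVersion</key><integer>0</integer>
 </dict></dict>
</dict></plist>"""


def parse_version(text):
    """'10.14' -> (10, 14, 0) so that versions compare as tuples."""
    return tuple(([int(p) for p in text.split(".")] + [0, 0, 0])[:3])


def generate_apecid():
    """A random 64-bit ApECID, exactly what the one-liner in Step 4 prints."""
    return secrets.randbits(64)


def lint(config, target_macos):
    """Return the findings for one parsed config.plist; an empty list means it follows the guide."""
    out = []
    sec = config.get("Misc", {}).get("Security", {})
    model = sec.get("SecureBootModel", "Default")
    effective = DEFAULT_MODEL if model == "Default" else model
    if effective == "Disabled":
        out.append("SecureBootModel=Disabled: Apple Secure Boot is off")
    elif effective not in SECURE_BOOT_MIN:
        out.append(f"SecureBootModel={model!r} is not a known model")
    else:
        minimum = SECURE_BOOT_MIN[effective]
        if parse_version(target_macos) < minimum:
            out.append(f"macOS {target_macos} is below the {effective} minimum "
                       f"{'.'.join(map(str, minimum))} and will not boot")
        if sec.get("DmgLoading") == "Any":
            out.append("DmgLoading=Any fails to boot once Apple Secure Boot is enabled; use Signed")
        if sec.get("ApECID", 0) == 0:
            out.append("ApECID=0: Medium Security only; set a random 64-bit value for Full Security")
        elif model == "Default":
            out.append("ApECID with SecureBootModel=Default is not recommended; use the model matching the SMBIOS")
    policy = sec.get("ScanPolicy", 0)
    if policy == 0:
        out.append("ScanPolicy=0 scans every device and filesystem")
    else:
        if not (policy & SCAN_FS_LOCK and policy & SCAN_DEVICE_LOCK):
            out.append("ScanPolicy does not lock unknown filesystems and devices (bits 0x1 and 0x2)")
        out += [f"ScanPolicy allows booting from {n} (0x{b:X})" for n, b in SCAN_REMOVABLE.items() if policy & b]
    csr = config.get("NVRAM", {}).get("Add", {}).get(APPLE_BOOT_GUID, {}).get("csr-active-config")
    if csr != b"\x00\x00\x00\x00":
        out.append("csr-active-config is not 00000000 under the boot-variable GUID: SIP is not fully enabled")
    apfs = config.get("UEFI", {}).get("APFS", {})
    if not apfs.get("EnableJumpstart", False):
        out.append("UEFI>APFS>EnableJumpstart is off")
    out += [f"UEFI>APFS>{k}=-1 permits any APFS driver version" for k in ("MinDate", "MinVersion") if apfs.get(k, 0) == -1]
    return out


def weakened(config):
    """Copy of a config with the loose values a fresh hackintosh often has (constructed for the demo)."""
    weak = copy.deepcopy(config)
    weak["Misc"]["Security"].update(SecureBootModel="Default", DmgLoading="Any", ApECID=0, ScanPolicy=0)
    weak["NVRAM"]["Add"][APPLE_BOOT_GUID]["csr-active-config"] = b"\x03\x08\x00\x00"  # SIP partly disabled
    weak["UEFI"]["APFS"]["MinDate"] = -1
    return weak


if __name__ == "__main__":
    good = plistlib.loads(HARDENED_PLIST)
    print("hardened:", lint(good, "11.7.10") or "clean")
    for finding in lint(weakened(good), "11.7.10"):
        print("weak:", finding)
```

The checks are deliberately only as strict as the guide itself: a model whose minimum is above the target macOS, DmgLoading=Any alongside an enabled model, ApECID left at 0 or combined with Default, ScanPolicy without the two lock bits or with a removable-device bit set, csr-active-config not 00000000 under the boot-variable GUID, and an APFS limit of -1 are each reported as one finding, so the output doubles as a to-do list for Steps 2 through 8.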