How to Enable Secure Boot and TPM 2.0 for macOS and Windows Dual Boot Systems [OpenCore]
This guide covers enabling Secure Boot and TPM 2.0 on systems configured to dual boot macOS (via OpenCore) and Windows. By following it, you'll be able to enable Secure Boot and TPM 2.0 for both macOS and Windows on a dual boot system that uses the OpenCore bootloader.
Overview
Many users run Windows alongside macOS on the same system, using macOS for productivity and Windows for gaming. With Windows 11, Microsoft has gradually tightened the system requirements with each release, and certain games such as Call of Duty and Valorant require Secure Boot and TPM 2.0 to be enabled. Because Windows is widespread, its keys are already enrolled in the firmware, so Windows keeps working with Secure Boot and TPM enabled regardless of updates. Enabling TPM/fTPM doesn't cause much trouble on the macOS side, but enabling Secure Boot does: OpenCore will simply not load when Secure Boot is enabled and active with the default keys installed. To overcome this, you can enroll the OpenCore files and the macOS boot file in the db secure variable, which is the list of allowed signatures, so that UEFI Secure Boot accepts these files as trusted and allows them to load. Modifying the files isn't necessary; we only configure the firmware to treat these specific files as safe to boot even with UEFI Secure Boot and TPM 2.0 enabled. You can also keep Secure Boot enabled on a macOS-only system to tighten security, even if you're not using Windows. For a home environment it's not an absolute necessity, but in an enterprise environment Secure Boot is a robust defence against malicious attacks and threats.
This guide assumes that you have Windows or macOS pre-installed.
Enabling Secure Boot
Following are the steps to enable Secure Boot on a system configured to dual boot macOS and Windows 11.
Disable Secure Boot
Before you configure Secure Boot, you must disable it first so that you can boot normally into macOS.
1. On your target computer, boot to BIOS. Refer to your user manual for the BIOS key.
2. Set Secure Boot to Disabled. The Secure Boot option can be found in the Security tab of most UEFI firmware.
3. Save & Exit Setup.
Update OpenCore
It's always recommended to have the latest OpenCore along with the kexts your system requires to boot and for other functionality. This is not strictly necessary, but still preferred. To update OpenCore, follow the guide linked below:
How To Update OpenCore Bootloader
See OpenCore Updates for more info.
Obtain Required Files
Before you configure Secure Boot, you must obtain the files required for configuring it.
1. Boot to macOS with Secure Boot disabled as described above.
2. Mount your ESP.
3. Navigate to the /usr/standalone/i386/ directory using Go > Go to Folder. You can use Command+G as a shortcut.
4. Copy the boot.efi file from the /usr/standalone/i386/ directory to the ESP/EFI directory.
NOTE: Some firmware may not allow you to browse the .efi files directly from the ESP. A workaround is to copy the EFI folder, along with the boot.efi from i386, to the C drive or to an external drive that is recognized by the BIOS.
Configure Secure Boot
1. On your target computer, boot to BIOS. Refer to your user manual for the BIOS key.
2. Switch to Advanced Mode. Navigate to the Security tab and find the Secure Boot option.
3. Set Secure Boot to Enabled.
4. Set Secure Boot Mode to Custom (if the option exists). Some firmware requires the Secure Boot mode to be set to Custom.
5. Under Key Management, select Clear Secure Boot Keys and press the Enter key. When prompted, select Yes and press the Enter key.
6. From the Key Management page, select Install Default Secure Boot Keys and press the Enter key. When prompted, select Yes and press the Enter key.
7. Still on the Key Management page, select Enroll Efi Image and press the Enter key. When prompted, browse to and enroll the following files:
- EFI/BOOT/bootx64.efi
- EFI/OC/OpenCore.efi
- EFI/OC/Drivers/*.efi
- EFI/OC/Tools/*.efi
- EFI/boot.efi
Test Secure Boot
1. Boot to the Boot Menu. Refer to your user manual for the Boot key.
2. Select UEFI OS: followed by your drive name.
3. OpenCore should load as expected and you should be able to boot into macOS normally as before.
4. Delete the EFI folder if you copied it to any other drive (such as C drive).
As the keys are enrolled now, you can use this specific EFI (OpenCore version) to boot into macOS from any internal or external drive with UEFI Secure Boot enabled.
NOTES:
Ignore all file names with the ._ prefix as these are irrelevant.
If you're not using any Tools from the OpenCore package, you can skip enrolling the .efi files in EFI/OC/Tools directory.
OpenCore Updates
Whenever you update OpenCore, you'll need to enroll the .efi files again under Key Management. In addition, every time you update macOS, you must grab the boot.efi from the i386 directory and enroll it again. It is highly recommended to clear the Secure Boot keys and reset them to the default keys before enrolling the new .efi files.
Multiple macOS Versions
If you intend to boot multiple macOS versions on the same computer, you must enroll each version's boot.efi, as these files vary between OS versions and any version whose boot.efi is missed will fail to boot.
OpenCore Errors
If you get a Secure Boot violation, clear the Secure Boot keys, install the default keys and then enroll the OpenCore .efi files again.
If you get an OCB: LoadImage Failed - Access Denied error, it means the macOS boot.efi from the /usr/standalone/i386/ directory has not been enrolled, and you must enroll it in order to boot into macOS from the OpenCore picker.
Enabling TPM 2.0
Following are the steps to enable TPM 2.0.
Configure TPM 2.0
1. On your target computer, boot to BIOS. Refer to your user manual for the BIOS key.
2. Set Intel Platform Trust Technology to Enabled. Some UEFI firmware vendors may have this setting under Trusted Computing. Your mileage may vary depending on the vendor.
3. Set Security Device Support to Enabled (if exists, likely with Trusted Computing).
4. Set Physical Presence Spec Version to the highest (1.3).
5. Set TPM 2.0 InterfaceType to CRB.
6. Set Device Select to TPM 2.0.
7. Save & Exit Setup.
Test TPM 2.0
There are several ways to check whether TPM 2.0 is present and enabled.