Adapted/translated from: https://github.com/perez987/OpenCore-UEFI-Secure-Boot
Several incorrect commands in the original have been replaced and some details filled in to make it easier for beginners.
Overview:
Install Windows Subsystem for Linux
↓
Generate PK, KEK and ISK
↓
Download and sign the OpenCore files
↓
Import the processed certificates in the motherboard's Secure Boot settings
↓
Done
1. Install Windows Subsystem for Linux
Press Win+X and open Windows Terminal (Admin) or PowerShell (Admin)
Run the following command to install WSL and wait for the installation to finish
wsl --install
Installing: Virtual Machine Platform
Virtual Machine Platform has been installed.
Installing: Windows Subsystem for Linux
Windows Subsystem for Linux has been installed.
Downloading: WSL Kernel
Installing: WSL Kernel
WSL Kernel has been installed.
Downloading: GUI App Technical Support
Installing: GUI application technical support
GUI Application Support has been installed.
Downloading: Ubuntu
The requested operation was successful.
The changes will take effect after the system reboots.
Reboot the PC, then open the Ubuntu app from the app list
Set a username and password; the password is not echoed while you type it
2. Install the required packages and generate PK, KEK and ISK
Once setup is complete, run the following commands to switch the package mirror (the USTC mirror is used here), refresh the package index and install the tools
sudo sed -i 's/archive.ubuntu.com/mirrors.ustc.edu.cn/g' /etc/apt/sources.list
sudo apt update
sudo apt-get install unzip sbsigntool efitools
Generate PK, KEK and ISK (one self-signed certificate and private key each; the chmod restricts the private keys to their owner)
mkdir efykeys
cd efykeys
openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes -subj "/CN=OpenCore PK Platform Key/" -keyout PK.key -out PK.pem
openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes -subj "/CN=OpenCore KEK Exchange Key/" -keyout KEK.key -out KEK.pem
openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes -subj "/CN=OpenCore ISK Image Signing Key/" -keyout ISK.key -out ISK.pem
chmod 0600 *.key
Download the following two Microsoft certificates
Microsoft Windows Production CA 2011
Microsoft UEFI driver signing CA key
Run the following command to copy them into the current folder (efykeys)
cp /mnt/c/Users/liurunliang/Downloads/Mic*.crt .
Replace the c/Users/liurunliang/Downloads/ part with the location where the certificates were saved. After copying, the result looks like this
Run the following commands to convert the Microsoft certificates from DER to PEM
openssl x509 -in MicWinProPCA2011_2011-10-19.crt -inform DER -out MicWinProPCA2011_2011-10-19.pem -outform PEM
openssl x509 -in MicCorUEFCA2011_2011-06-27.crt -inform DER -out MicCorUEFCA2011_2011-06-27.pem -outform PEM
Run the following commands to convert each certificate into an EFI signature list (.esl); the GUID passed with -g is recorded as the owner of the entry
cert-to-efi-sig-list -g $(uuidgen) PK.pem PK.esl
cert-to-efi-sig-list -g $(uuidgen) KEK.pem KEK.esl
cert-to-efi-sig-list -g $(uuidgen) ISK.pem ISK.esl
cert-to-efi-sig-list -g $(uuidgen) MicWinProPCA2011_2011-10-19.pem MicWinProPCA2011_2011-10-19.esl
cert-to-efi-sig-list -g $(uuidgen) MicCorUEFCA2011_2011-06-27.pem MicCorUEFCA2011_2011-06-27.esl
Run the following command to build the db list (the ISK plus the two Microsoft CAs)
cat ISK.esl MicWinProPCA2011_2011-10-19.esl MicCorUEFCA2011_2011-06-27.esl > db.esl
The result looks like this
Run the following commands to sign each list into an authenticated variable file (.auth): PK.esl is self-signed with PK, KEK.esl is signed with PK, and db.esl is signed with KEK
sign-efi-sig-list -k PK.key -c PK.pem PK PK.esl PK.auth
sign-efi-sig-list -k PK.key -c PK.pem KEK KEK.esl KEK.auth
sign-efi-sig-list -k KEK.key -c KEK.pem db db.esl db.auth
The result looks like this
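Before the lists are signed into .auth files and enrolled, it is worth checking what actually went into db.esl (and PK.esl/KEK.esl). The following is an added Python example, not from the original post and not part of efitools: it parses the EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA layout that cert-to-efi-sig-list writes and reports, per entry, the signature type, the owner GUID given with -g, and the SHA-256 fingerprint of the DER certificate. The file name esl_inspect.py, the sample owner GUIDs and the sample payloads are constructed for the example and are not real keys or certificates.

```python
"""Inspect an EFI signature list (.esl) such as db.esl before it is signed into db.auth."""
import hashlib
import struct
import sys
import uuid

# Signature type GUIDs from the UEFI specification
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}

# EFI_SIGNATURE_LIST header: SignatureType GUID(16) + SignatureListSize(4)
# + SignatureHeaderSize(4) + SignatureSize(4)
HEADER_LEN = 28

# Constructed owner GUIDs standing in for whatever `uuidgen` produced (not real values)
SAMPLE_OWNER_A = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_OWNER_B = uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa")


def fingerprint(payload: bytes) -> str:
    """SHA-256 over the raw signature data (for X509 entries: the DER certificate)."""
    return hashlib.sha256(payload).hexdigest()


def parse_esl(data: bytes) -> list:
    """Return one dict per EFI_SIGNATURE_DATA found in the (possibly concatenated) lists."""
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        end = off + list_size
        body = off + HEADER_LEN + hdr_size
        if list_size < HEADER_LEN + hdr_size or end > len(data):
            raise ValueError("bad SignatureListSize %d at offset %d" % (list_size, off))
        if sig_size < 16 or (end - body) % sig_size != 0:
            raise ValueError("bad SignatureSize %d at offset %d" % (sig_size, off))
        while body < end:
            # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) followed by the signature bytes
            payload = data[body + 16:body + sig_size]
            entries.append({
                "type": SIG_TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": str(uuid.UUID(bytes_le=data[body:body + 16])),
                "size": len(payload),
                "sha256": fingerprint(payload),
            })
            body += sig_size
        off = end
    return entries


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, payload: bytes) -> bytes:
    """Build a single-entry list in the same layout `cert-to-efi-sig-list -g <owner>` produces."""
    sig_size = 16 + len(payload)
    return (sig_type.bytes_le
            + struct.pack("<III", HEADER_LEN + sig_size, 0, sig_size)
            + owner.bytes_le + payload)


def report(data: bytes) -> str:
    """Human-readable summary, one line per entry."""
    return "\n".join(
        "%d: %-6s owner=%s bytes=%d sha256=%s" % (i, e["type"], e["owner"], e["size"], e["sha256"])
        for i, e in enumerate(parse_esl(data)))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:   # e.g. python3 esl_inspect.py db.esl
            print(report(f.read()))
    else:
        # Constructed sample: two fake X509 entries (payloads are not real DER certificates)
        sample = (build_esl(EFI_CERT_X509_GUID, SAMPLE_OWNER_A, b"ISK-cert-bytes")
                  + build_esl(EFI_CERT_X509_GUID, SAMPLE_OWNER_B, b"MS-cert-bytes"))
        print(report(sample))
```

Running `python3 esl_inspect.py db.esl` on the list built above should show exactly three X509 entries. The fingerprints can be compared against `openssl x509 -in ISK.pem -noout -fingerprint -sha256` (and the same for the two Microsoft PEM files), since OpenSSL's fingerprint is also a SHA-256 over the DER encoding; any extra or missing entry means the wrong file was concatenated.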
3. Download and sign the OpenCore files
Run the following commands to create a working folder and copy the ISK key and certificate into it
mkdir oc
cp ISK.key ISK.pem oc
cd oc
Create a file named sign_opencore.sh with an editor such as vi or nano; nano is used here
nano sign_opencore.sh
Copy the following script and paste it into the terminal window (right-click pastes)
#!/bin/bash
# Copyright (c) 2021 by profzei
# Licensed under the terms of the GPL v3
# OpenCore download link
LINK=$1
# https://github.com/acidanthera/OpenCorePkg/releases/download/0.7.5/OpenCore-0.7.5-RELEASE.zip
VERSION=$2
# 0.7.5 current
# Terminal command in Linux
# sh ./sign_opencore.sh https://github.com/acidanthera/OpenCorePkg/releases/download/0.7.5/OpenCore-0.7.5-RELEASE.zip 0.7.5
if [ -z "$LINK" ] || [ -z "$VERSION" ]; then
    echo "usage: $0 <OpenCore release zip URL> <version>"
    exit 1
fi
echo "==============================="
echo "Creating required directories"
mkdir -p Signed/Drivers Signed/Tools Signed/Download Signed/BOOT
echo "==============================="
echo Downloading HfsPlus
wget -nv https://github.com/acidanthera/OcBinaryData/raw/master/Drivers/HfsPlus.efi -O ./Signed/Download/HfsPlus.efi
#echo "==============================="
# uncomment the next 2 lines if you use OpenLinuxBoot
#echo Downloading ext4_x64.efi
#wget -nv https://github.com/acidanthera/OcBinaryData/raw/master/Drivers/ext4_x64.efi -O ./Signed/Download/ext4_x64.efi
echo "==============================="
echo Downloading and unzipping OpenCore
wget -nv "$LINK"
unzip "OpenCore-${VERSION}-RELEASE.zip" "X64/*" -d "./Signed/Download"
echo "==============================="
# If you don't want to delete downloaded OpenCore zip file, comment next line
rm "OpenCore-${VERSION}-RELEASE.zip"
echo "==============================="
echo "Checking ISK files"
# The signing key and certificate must have been copied from efykeys into this folder
if [ -f "./ISK.key" ] && [ -f "./ISK.pem" ]; then
    echo "ISK.key and ISK.pem found"
else
    echo "ISK.key or ISK.pem is missing: copy both from the efykeys folder first"
    exit 1
fi
echo "==============================="
echo "Signing drivers, tools, BOOTx64.efi and OpenCore.efi"
sleep 2
# You can modify drivers and tools to be signed to your like
echo ""
sbsign --key ISK.key --cert ISK.pem --output ./Signed/BOOT/BOOTx64.efi ./Signed/Download/X64/EFI/BOOT/BOOTx64.efi
sbsign --key ISK.key --cert ISK.pem --output ./Signed/OpenCore.efi ./Signed/Download/X64/EFI/OC/OpenCore.efi
sbsign --key ISK.key --cert ISK.pem --output ./Signed/Drivers/OpenRuntime.efi ./Signed/Download/X64/EFI/OC/Drivers/OpenRuntime.efi
sbsign --key ISK.key --cert ISK.pem --output ./Signed/Drivers/OpenCanopy.efi ./Signed/Download/X64/EFI/OC/Drivers/OpenCanopy.efi
sbsign --key ISK.key --cert ISK.pem --output ./Signed/Drivers/CrScreenshotDxe.efi ./Signed/Download/X64/EFI/OC/Drivers/CrScreenshotDxe.efi
sbsign --key ISK.key --cert ISK.pem --output ./Signed/Tools/OpenShell.efi ./Signed/Download/X64/EFI/OC/Tools/OpenShell.efi
sbsign --key ISK.key --cert ISK.pem --output ./Signed/Drivers/HfsPlus.efi ./Signed/Download/HfsPlus.efi
# You can sign also KeyTool to boot from USB with UEFI Secure Boot enabled
# (only attempted when KeyTool.efi has been placed next to this script)
if [ -f "./KeyTool.efi" ]; then
    sbsign --key ISK.key --cert ISK.pem --output ./Signed/KeyTool.efi ./KeyTool.efi
fi
# uncomment the next 2 lines if you use OpenLinuxBoot
#sbsign --key ISK.key --cert ISK.pem --output ./Signed/Drivers/OpenLinuxBoot.efi ./Signed/Download/X64/EFI/OC/Drivers/OpenLinuxBoot.efi
#sbsign --key ISK.key --cert ISK.pem --output ./Signed/Drivers/ext4_x64.efi ./Signed/Download/ext4_x64.efi
echo "==============================="
# Clean: remove downloaded files
rm -rf ./Signed/Download
echo "Cleaned."
Press Ctrl+X, then Y, then Enter to save and exit
Run the following command to download, unpack and sign OpenCore; 0.7.8 is the OpenCore version and can be changed as needed
sh ./sign_opencore.sh https://github.com/acidanthera/OpenCorePkg/releases/download/0.7.8/OpenCore-0.7.8-RELEASE.zip 0.7.8
The process looks like this; the vast majority of the warnings and the final Error can be ignored ~
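Because sbsign's output is noisy, it helps to confirm afterwards that every file in Signed/ really carries an Authenticode signature. The following is an added Python example, not from the original post and not part of sbsigntool: it reads the PE header of a .efi file, locates the Certificate Table (security data directory) and returns the embedded PKCS#7 SignedData blobs, so an unsigned file cannot slip through. It does not verify the signature itself; `sbverify --cert ISK.pem <file>` does that. The file name check_signed.py and the build_fake_pe helper (which constructs a minimal, non-bootable PE32+ image for the demo) are assumptions made for this example.

```python
"""Report whether .efi files (PE32/PE32+ images) carry an embedded Authenticode signature."""
import struct
import sys

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # WIN_CERTIFICATE.wCertificateType for Authenticode
IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # index of the Certificate Table data directory


def certificate_table(pe: bytes) -> tuple:
    """Return (file offset, size) of the Certificate Table; (0, 0) means the image is unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x20B:                       # PE32+ (x64 UEFI binaries)
        num_dirs_off, dirs_off = opt + 108, opt + 112
    elif magic == 0x10B:                     # PE32
        num_dirs_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", pe, num_dirs_off)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)
    # Unlike the other directories, the security entry holds a file offset, not an RVA
    return struct.unpack_from("<II", pe, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def signatures(pe: bytes) -> list:
    """Return the PKCS#7 SignedData blobs (DER bytes) embedded in the image, in order."""
    off, size = certificate_table(pe)
    if size == 0:
        return []
    end = off + size
    if end > len(pe):
        raise ValueError("Certificate Table points past end of file")
    blobs = []
    while off + 8 <= end:
        # WIN_CERTIFICATE: dwLength(4) wRevision(2) wCertificateType(2) bCertificate[]
        length, revision, cert_type = struct.unpack_from("<IHH", pe, off)
        if length < 8 or off + length > end:
            raise ValueError("bad WIN_CERTIFICATE length %d" % length)
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            blobs.append(pe[off + 8:off + length])
        off += (length + 7) & ~7             # entries are 8-byte aligned
    return blobs


def build_fake_pe(pkcs7: bytes = b"") -> bytes:
    """Construct a minimal PE32+ header, optionally with one WIN_CERTIFICATE (demo helper, not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)   # SizeOfOptionalHeader = 240
    opt = struct.pack("<H", 0x20B) + b"\0" * 110                        # 112 bytes up to the data directories
    opt = opt[:108] + struct.pack("<I", 16)                             # NumberOfRvaAndSizes = 16
    dirs = bytearray(16 * 8)
    header = dos + b"PE\0\0" + coff + opt + bytes(dirs)
    if not pkcs7:
        return header
    cert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
    cert += b"\0" * ((-len(cert)) % 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, len(header), len(cert))
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + cert


if __name__ == "__main__":
    paths = sys.argv[1:]                     # e.g. python3 check_signed.py Signed/OpenCore.efi Signed/Drivers/*.efi
    if not paths:
        # Constructed demo: one unsigned and one "signed" fake image
        for name, image in (("unsigned", build_fake_pe()), ("signed", build_fake_pe(b"\x30\x82fake-pkcs7"))):
            print("%s: %d signature(s)" % (name, len(signatures(image))))
    for path in paths:
        with open(path, "rb") as f:
            sigs = signatures(f.read())
        print("%s: %s" % (path, "%d signature(s), %d bytes" % (len(sigs), sum(map(len, sigs))) if sigs else "UNSIGNED"))
```

Any file that prints UNSIGNED should not be copied to the EFI partition. To see who signed a file, write one returned blob to disk and run `openssl pkcs7 -inform DER -print_certs -in <blob>`; the certificate shown should be the ISK generated earlier.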
Run the following command to copy the signed OpenCore files to the Desktop or another convenient location; the result looks like this
Also copy db.auth, KEK.auth and PK.auth out for later use
cd ..
cp db.auth KEK.auth PK.auth /mnt/c/Users/liurunliang/Desktop/keys/
The result looks like this
This completes the WSL part; next, replace the boot files
Replace the BOOT folder inside the EFI folder with the BOOT folder from the Signed folder
Copy the Drivers and Tools folders and OpenCore.efi into the OC folder, overwriting the existing files
Copy the db.auth, KEK.auth and PK.auth files you copied out earlier onto the partition that holds EFI (it is easy to find there; any other easy-to-locate place also works)
This completes signing and preparing the OpenCore files. Next, enrol the generated keys in the BIOS. I only have an ASUS board, so only ASUS is shown here
4. Import the processed certificates in the motherboard's Secure Boot settings
Reboot into the BIOS -> Boot -> Secure Boot -> Key Management
First select PK (the screenshot here is wrong: leave DBX Management at its default)
Select Set New Key
Select No
Locate the drive that holds the EFI folder and the three keys; it is easiest to check the drives one by one
Select PK.auth
Select Authenticated Variable
Yes!
KEK Management and DB Management follow the same steps as PK; choose the files according to the mapping below. DBX Management needs no changes
KEK Management ->KEK.auth
DB Management ->db.auth
DBX Management -> no change
Input File Format is Authenticated Variable in every case
Done!
PS: on the OpenCore side, if the machine keeps rebooting back into the OpenCore picker, the following config.plist changes may help
Misc -> Debug DisableWatchDog = false
NVRAM -> Add ->csr-active-config = 00000000
Misc -> Security -> DmgLoading = Signed
Misc -> Security -> SecureBootModel = Default or x86legacy
Misc -> Security -> ApECID = a random 64-bit integer
Misc -> Security -> Vault = Secure
Generally the last two do not need to be set in order to boot into the system; that corresponds to Medium Security.