This pages information has been heavily copied from user @badstorm's Surface Pro 7 page here and may contain links to other sites and images outside my control. I take no credit for the content on this page. Full credit due to @badstorm and anyone else that assisted in the creationof these steps.
For clarity and ease of use, I have modified some of the wording and steps below to fit this Github repository and my EFI releases. Starting with release 3.0.0 I will include the most recent version of the precompiled and signed Grub within the EFI as well as the key. The steps below have been modified to include that information.
The latest version is automatically included in each release but if you would like to do this process manually or for another device you can follow this step manually.
We need a version of Grub precompiled with the certificate used to sign the binary file. To accomplish this we will download Super UEFIinSecureBoot Disk. The latest releases can be found here.
- Extract the zip you just download which will expose an
"img"
file. - You now need to mount the img or if you prefer you may extract it with software such as 7zip.
- Mount your EFI containing OpenCore, and go to
\EFI\BOOT\
and rename"BOOTx64.efi"
to"grubx64_real.efi"
. - Copy all contents from the
"BOOT"
folder located in the"img"
you downloaded EXCEPT the"grubx64_real.efi"
file and paste and choose yes to overwrite the files in your OpenCore EFI under the\EFI\BOOT\
directory if asked. - Copy the folder
grub
to your OpenCore EFI folder. - Copy the file
*ENROLL_THIS_KEY_IN_MOKMANAGER.cer*
at the root of your EFI partition
- At this point whether you took the long manual way or just dropped the release EFI in your EFI partition, you can now reboot to your UEFI and enable
Secure Boot
making sure you select the option forMicrosoft and 3rd party keys
. 2.Reboot and you should now get a blue screen with the Access Denied error. PressOK
3.Press any key to perform MOK management - Select
Enroll key from disk
- Select
Continue
- Select the disk where you put the
.cer
file. If using my EFI it is located at\EFI\
on the EFI partition - Select
Yes
and thenReboot