Secure Boot EA

franton
Valued Contributor II

This is too good not to share, so if you need to test for Secure Boot (aka our new T2 overlords) and it's status then here you go:

#!/bin/bash

# Test Secure Boot status EA for Jamf.

test=$( nvram 94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy | awk '{ print $2 }' )

case "$test" in
    %02)
        echo "<result>Full</result>"
    ;;

    %01)
        echo "<result>Medium</result>"
    ;;

    %00)
        echo "<result>Disabled</result>"
    ;;

    *)
        echo "<result>Secure Boot Not Present</result"
    ;;
esac

Hope this helps.


sbirdsley
Contributor

Good stuff, just looks like you didn't close your last result

Believe should be echo "<result>Secure Boot Not Present</result>"

cwaldrip
Valued Contributor

Nice!

Now if we can figure out how to change that with a script life would be easier. 😉

chris_kemp
Contributor III

@franton Can you explain what's going on here? Is that number the UDID? I just get an error trying to run nvram that way.

Look
Valued Contributor III

@chris.kemp I think that it will fail on non-T2 machines and older macOS versions as it won't have that value in nvram.
I would think something like this would be better as it would only return a value if it existed and return nothing if it doesn't.

nvram -p | awk '/94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy/ { print $2 }'

brunerd
Contributor

Why not bump this back to the top, this info is pretty much nowhere else on the web, quite a feat @franton!

Although this GUID does show up in IOPlatformExpert.cpp on Apple's Darwin XNU GitHub, although not this key name (AppleSecureBootPolicy).
You'll also find folks at TwoCanoes forums talking about this GUID and the AppleSecureBootWindowsPolicy key which controls whether your new T2 will boot Windows 10 (BootCamp Assistant sets this value for the boot magic)

@Look No need to filter the output from nvram, if the key does not exist (non-T2 Mac) the error is output to /dev/stderr so it is not captured by the command substitution, Richard's code is correct, it will match the last case (although note: the </result> tag needs closing). Also nvram -p does not list out GUID payloads, with exception of 7C436110-AB2A-4BBB-A880-FE41995C9F82 which seems to be what nvram -p lists out

UEFI GUIDs and their key names seem to be a dark art! nvram -p does not give up all its contents.
As some (government agencies) have noted:

However, the manpage does not tell you everything you need to know about nvram. Although nvram -p claims to print all of the firmware variables, it does not print any of the variables that belong to the Efi GUID. Similarly, by default, any NVRAM variable that you set from this tool will have the Apple GUID used by csr-active-config (in the table in the previous section.) However, if you are trying to set values like DriverOrder, they need to have the correct GUID, or they will not be processed by EFI like you want. Fortunately, you actually can set variables such as DriverOrder using the nvram as long as you specify the GUID. An example of this, which sets Driver order to load Driver5000 (endian-ness is important) and another command to set EnableDriverOrder are below:

And as a small contribution to this thread, here's another way to capture the output and just use shell built-ins to get the value by shunting it to an array, no awk required:

AppleSecureBootPolicy_Array=( $(nvram 94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy 2>/dev/null) )

case "${AppleSecureBootPolicy_Array[1]}" in
...

dfarnworth_barc
New Contributor III

@franton Don't suppose you figured out the GUID for External Boot as well did you?

brunerd
Contributor

You know... I've been wondering that same thing @dfarnworth_barc - and a thanks to @franton for getting the ball rolling and best of luck on your new endeavors! Thanks for all the fish! (Fist bumps on the obfuscation post, I've built those tools you theorized about and it's a problem indeed)

Anyway it turns out the answers were to be had all along if only one knew where to look!
An Apple engineer took the time to point out that if you run a sudo sysdiagnose and expand the archive it creates, look in securebootvariables.txt and all the GUIDs and key names one could want are right there.

To get the "External Boot" status this will do the trick, parse it however you will for your EA

nvram 5eeb160f-45fb-4ce9-b4e3-610359abf6f8:StartupManagerPolicy

%00 = External Boot Disallowed
%03 = External Boot Allowed

💥 Happy 4th of July 🇺🇸 😎

thefaded
New Contributor II

Just a quick contribution based on this thread; my EAs:

#!/usr/bin/env bash
############################################
# Collect Secure Boot status for T2 Macs   #
# https://support.apple.com/en-us/HT208330 #
############################################

STATUS=$( nvram 94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy | awk '{ print $2 }' )

case "$STATUS" in
    %02)
        RESULT="Full"
    ;;

    %01)
        RESULT="Medium"
    ;;

    %00)
        RESULT="Disabled"
    ;;

    *)
        RESULT="Not Present"
    ;;
esac

/bin/echo "<result>$RESULT</result>"

#!/usr/bin/env bash
############################################
# Collect External Boot status for T2 Macs #
# https://support.apple.com/en-us/HT208198 #
############################################

STATUS=$( nvram 5eeb160f-45fb-4ce9-b4e3-610359abf6f8:StartupManagerPolicy | awk '{ print $2 }' )

case "$STATUS" in
    %03)
        RESULT="Allowed"
    ;;

    %00)
        RESULT="Disallowed"
    ;;

    *)
        RESULT="Not Present"
    ;;
esac

/bin/echo "<result>$RESULT</result>"
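An added example (not code from the thread or any of its posters) that folds the thread's parsing into reusable shell functions: it decodes the percent-encoded policy byte from a raw nvram line for both keys discussed above, falls through to "Not Present" when the key is absent (the non-T2 case @Look and @brunerd discuss), and shows the Jamf <result> wrapper. The sample nvram lines are constructed; the value-to-label mappings are the ones given in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): decode the "%XX" byte that nvram prints for the
# two T2 policy keys discussed above into an EA-style label. nvram output is assumed to be
# "<GUID>:<key><whitespace><value>", with non-printable bytes percent-encoded (%00, %01, ...).

SECURE_BOOT_KEY="94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy"
STARTUP_MANAGER_KEY="5eeb160f-45fb-4ce9-b4e3-610359abf6f8:StartupManagerPolicy"

# Print the policy byte from one raw nvram output line as a decimal number.
# Returns non-zero on empty/unparseable input, i.e. when the key does not exist on the Mac.
policy_byte() {
    value=$(printf '%s\n' "$1" | awk '{ print $2 }')
    case "$value" in
        %[0-9a-fA-F][0-9a-fA-F]) printf '%d\n' "0x${value#"%"}" ;;
        *) return 1 ;;
    esac
}

# AppleSecureBootPolicy: 2 = Full, 1 = Medium, 0 = Disabled (values from the thread).
secure_boot_label() {
    byte=$(policy_byte "$1") || { echo "Not Present"; return 0; }
    case "$byte" in
        2) echo "Full" ;;
        1) echo "Medium" ;;
        0) echo "Disabled" ;;
        *) echo "Unknown ($byte)" ;;   # a byte the thread does not document
    esac
}

# StartupManagerPolicy: 3 = External Boot Allowed, 0 = Disallowed (values from the thread).
startup_manager_label() {
    byte=$(policy_byte "$1") || { echo "Not Present"; return 0; }
    case "$byte" in
        3) echo "Allowed" ;;
        0) echo "Disallowed" ;;
        *) echo "Unknown ($byte)" ;;
    esac
}

# Jamf EA wrapper: stderr is discarded so a non-T2 Mac falls through to "Not Present".
ea_secure_boot() {
    printf '<result>%s</result>\n' "$(secure_boot_label "$(nvram "$SECURE_BOOT_KEY" 2>/dev/null)")"
}

# Constructed sample lines so the parser can be exercised without a T2 Mac.
SAMPLE_FULL=$(printf '%s\t%%02' "$SECURE_BOOT_KEY")
SAMPLE_EXT_ALLOWED=$(printf '%s\t%%03' "$STARTUP_MANAGER_KEY")
secure_boot_label "$SAMPLE_FULL"              # Full
startup_manager_label "$SAMPLE_EXT_ALLOWED"   # Allowed
secure_boot_label ""                          # Not Present (key absent, nothing captured)
```

On a real T2 Mac, call ea_secure_boot from the EA body; everything else runs anywhere for testing the parser.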