This repository has been archived by the owner on Feb 15, 2024. It is now read-only.

Filevault? #158

Closed
Oujiii opened this issue Feb 3, 2020 · 22 comments

@Oujiii

Oujiii commented Feb 3, 2020

Just enrolled the VM in my company's DEP and by their policy, Filevault needs to be enabled. After finishing the DEP enrollment and restarting, the machine does not boot up anymore.

Is there any known issue with encryption?

Thanks!

@myspaghetti myspaghetti self-assigned this Feb 3, 2020
@myspaghetti myspaghetti added the question Not necessarily an issue with the script label Feb 3, 2020
@vol24pl

vol24pl commented Feb 3, 2020

@Oujiii can you say how you enrolled? Can you look at #133 and say which data you had to give to enroll into DEP on the VM?

@Oujiii
Author

Oujiii commented Feb 3, 2020

@vol24pl Yes. I got all the data that I could in order to enroll. SN, Model Name, Identifier, HW UUID, Boot Rom Version, Board ID, Board Serial, ROM and System UUID. I was able to successfully enroll using the company's network, but the VM fails booting after it, so I guess it may be related to the FileVault encryption.

@myspaghetti
Owner

What version of VirtualBox and macOS guest are you using Oujiii? I'll try to reproduce the issue.

@Oujiii
Author

Oujiii commented Feb 3, 2020

@myspaghetti VBox 6.1 and MacOS Mojave 10.14.6

@myspaghetti
Owner

The script is not compatible with FileVault, but VirtualBox is reported to work with FileVault. I'll see if I can find the required settings and implement them in the script.

@myspaghetti myspaghetti added enhancement New feature or request and removed question Not necessarily an issue with the script labels Feb 4, 2020
@Oujiii
Author

Oujiii commented Feb 4, 2020

Let me know if you do find out! Thank you!

@myspaghetti
Owner

Here's a minimal config.plist that works with OpenCore on VirtualBox 6.1.

Install it by picking a storage medium that's accessible from the EFI Internal Shell and copying /EFI/BOOT/BOOTx64.efi, /EFI/OC/OpenCore.efi and /EFI/OC/config.plist onto it. Boot it with fsN:\EFI\BOOT\BOOTx64.efi or load fsN:\EFI\OC\OpenCore.efi. The configuration has an entry for a Mojave base system and a Catalina base system, but it can be configured to boot anything that VirtualBox boots.

Unfortunately I couldn't get it to boot Catalina 10.15.2 or 10.15.3 or show the FileVault password prompt or store a FileVault key in the virtualized SMC.

@Oujiii
Author

Oujiii commented Feb 7, 2020

Pardon me for the lack of knowledge, should I just install my VM, enroll into the DEP and after the Filevault I run those commands?

Thanks!

@myspaghetti
Owner

I worded that poorly... The config I posted doesn't work for FileVault. It boots, but it doesn't show the FileVault password prompt and it doesn't store the key in the emulated SMC. There's no reason to try it unless you want to fiddle with OpenCore yourself and find the right drivers/settings that enable FileVault on VirtualBox.

OpenCore should be able to at least store the FileVault key in the emulated SMC, but I gave up on trying to do it. It should also be able to load the FileVault boot password prompt, but I wasn't able to get that either.

@Oujiii
Author

Oujiii commented Feb 11, 2020

Okay. Well, for now I will put that on hold. Someone more knowledgeable than me might find a solution in the future. Thanks for trying, though.

@myspaghetti
Owner

Progress: OpenCore 0.5.6 loads (or attempts to load) the FileVault password prompt but displays a blank screen. This is a minimal config.plist for OpenCore 0.5.6 that works on VirtualBox.

@myspaghetti
Owner

Upon a clean boot of the VM, OpenCore 0.5.6 boots the FileVault password prompt.

@myspaghetti
Owner

@blastik

blastik commented May 3, 2021

@myspaghetti I'm in the same situation as you 🏴‍☠️ 😂
I know that with OpenCore it works but... do I have to perform a clean install in order to use OpenCore? Or can I side-load it?
I'm running this virtual machine on a Mac.

Additionally, if you can give me info about how to send the Model Name, Identifier, HW UUID, Boot Rom Version, Board ID, Board Serial, ROM and System UUID values... that would be great.

@myspaghetti
Owner

You can "dump" the OpenCore executable and config in their proper folder on the EFI System Partition. You can mount the ESP from the macOS guest Terminal like so:

    mkdir ESP
    sudo su # this will prompt for a password
    diskutil mount -mountPoint ESP disk0s1

Then copy the OpenCore.efi file and the properly formatted config.plist file to ./ESP/EFI/OC/ and you can manually run them from the VirtualBox EFI Internal Shell that can be accessed by pressing Esc when the VM powers up.

You can add a bunch of other OpenCore files if you wish but they are not necessary for FileVault 2.

For the EFI and NVRAM parameters, assuming you're running on a genuine Mac, I recommend following the directions in the script documentation:

These parameters may be manually set in the set_variables() function when the "get_parameters_from_macOS_host" is set to "no", which is the default setting. When the script is executed on macOS and the variable "get_parameters_from_macOS_host" is set to "yes", the script copies the parameters from the host.

Changing the EFI and NVRAM parameters after installation

The variables mentioned above may be edited and applied to an existing macOS virtual machine by deleting the .nvram file from the directory where the virtual machine .vbox file is stored, then executing the following command and copying the generated files to the macOS EFI System Partition:

    ./macos-guest-virtualbox.sh configure_vm create_nvram_files create_macos_installation_files_viso

After executing the command, attach the resulting VISO file to the virtual machine's storage through VirtualBox Manager or VBoxManage. Power up the VM and boot macOS, then start Terminal and execute the following commands, making sure to replace "[VISO_mountpoint]" with the correct path:

    mkdir ESP
    sudo su # this will prompt for a password
    diskutil mount -mountPoint ESP disk0s1
    cp -r /Volumes/[VISO_mountpoint]/ESP/* ESP/

After copying the files, boot into the EFI Internal Shell as described in the section "Applying the EFI and NVRAM parameters".

If you're not using a genuine Mac you'll have to get genuine-like parameters somewhere else. No support is offered for non-genuine parameters.

@blastik

blastik commented May 4, 2021

@myspaghetti Thanks. I got it booting up just by setting ProvideConsoleGop to true as indicated in https://www.virtualbox.org/ticket/19386
However, my keyboard and mouse do not work. Any hints?

@myspaghetti
Owner

> my keyboard and mouse do not work

If you mean in the EFI shell, that needs to be configured in OpenCore and various keyboard/mouse EFIs are included in the release. If you mean on macOS, please start a separate issue, although very simply you have to set the VM mouse to usbtablet and keyboard to usb which is the default when using the script.

@blastik

blastik commented May 31, 2021

@myspaghetti Maybe this is out of the scope of your script, but probably you can give me a hand with this.
So after my company policy enabled FileVault on the macOS VM I have on VirtualBox, I couldn't make it to the login screen. Then I mounted OpenCore on a USB stick and (yay!) I'm able to boot to get to the password prompt, however I cannot move the mouse or use the keyboard.
VirtualBox settings are set to usbtablet; for the keyboard I honestly don't know where I can configure it.
Any hints? OpenCore configs look like this:

FILES

.
└── EFI
    ├── BOOT
    │   └── BOOTx64.efi
    └── OC
        ├── ACPI
        ├── Drivers
        │   ├── HfsPlus.efi
        │   └── OpenRuntime.efi
        ├── Kexts
        │   └── USBInjectAll.kext
        │       └── Contents
        │           ├── Info.plist
        │           └── MacOS
        │               └── USBInjectAll
        ├── OpenCore.efi
        ├── Resources
        │   ├── Audio
        │   ├── Font
        │   ├── Image
        │   └── Label
        ├── Tools
        └── config.plist

CONFIG.PLIST

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
   <key>Misc</key>
   <dict>
   	<key>Security</key>
   	<dict>
   		<key>RequireVault</key>
   		<false/>
   		<key>RequireSignature</key>
   		<false/>
   		<key>Vault</key>
   		<string>Optional</string>
   	</dict>
   </dict>
   <key>UEFI</key>
   <dict>
   	<key>Output</key>
   	<dict>
   		<key>ProvideConsoleGop</key>
   		<true/>
   	</dict>
   </dict>
   <key>ACPI</key>
   <dict>
   	<key>Add</key>
   	<array/>
   </dict>
   <key>Kernel</key>
   <dict>
   	<key>Add</key>
   	<array/>
   </dict>
</dict>
</plist>

@myspaghetti
Owner

From the OpenCore documentation:

> On non-Apple firmware KeySupport, OpenUsbKbDxe, or similar drivers are required for key handling.

Enable either KeySupport or OpenUsbKbDxe (but not both, they conflict). If I recall correctly, OpenUsbKbDxe worked fine when I tried FileVault 2 on VirtualBox last year.

@blastik

blastik commented Jun 3, 2021

No luck. Here is my plist now:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Misc</key>
	<dict>
		<key>Security</key>
		<dict>
			<key>RequireVault</key>
			<false/>
			<key>RequireSignature</key>
			<false/>
			<key>Vault</key>
			<string>Optional</string>
		</dict>
		<key>Tools</key>
		<array/>
	</dict>
	<key>UEFI</key>
	<dict>
		<key>Output</key>
		<dict>
			<key>ProvideConsoleGop</key>
			<true/>
		</dict>
		<key>Drivers</key>
		<array>
			<string>HfsPlus.efi</string>
			<string>OpenRuntime.efi</string>
			<string>OpenUsbKbDxe.efi</string>
		</array>
	</dict>
	<key>ACPI</key>
	<dict>
		<key>Add</key>
		<array/>
	</dict>
	<key>Kernel</key>
	<dict>
		<key>Add</key>
		<array/>
	</dict>
</dict>
</plist>

The VM boots up to the login window (and very fast) but there is no way of getting the keyboard or mouse to work 😡

@myspaghetti
Owner

I recalled incorrectly, it was the first one that works, KeySupport. Here's a minimal config.plist that works with FileVault 2 on VirtualBox:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
   <key>Misc</key>
   <dict>
   	<key>Security</key>
   	<dict>
   		<key>RequireVault</key>
   		<false/>
   		<key>RequireSignature</key>
   		<false/>
   		<key>Vault</key>
   		<string>Optional</string>
   	</dict>
   </dict>
   <key>UEFI</key>
   <dict>
   	<key>Output</key>
   	<dict>
   		<key>ProvideConsoleGop</key>
   		<true/>
   	</dict>
   	<key>Input</key>
   	<dict>
   		<key>KeySupport</key>
   		<true/>
   		<key>KeySupportMode</key>
   		<string>V2</string>
   	</dict>
   </dict>
   <key>ACPI</key>
   <dict>
   	<key>Add</key>
   	<array/>
   </dict>
   <key>Kernel</key>
   <dict>
   	<key>Add</key>
   	<array/>
   </dict>
</dict>
</plist>
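
Added example, not part of the thread or of the project's script: a small checker for the config.plist settings discussed above (ProvideConsoleGop, the KeySupport / OpenUsbKbDxe conflict, and the `Vault` value). The function name `check_config` and the embedded sample plist are constructed for illustration.

```python
import plistlib

# Constructed sample: modelled on the configs posted in this thread, with both
# KeySupport and OpenUsbKbDxe.efi enabled to show the conflict described above.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Misc</key><dict><key>Security</key><dict>
    <key>Vault</key><string>Optional</string>
  </dict></dict>
  <key>UEFI</key><dict>
    <key>Output</key><dict><key>ProvideConsoleGop</key><true/></dict>
    <key>Input</key><dict><key>KeySupport</key><true/></dict>
    <key>Drivers</key><array>
      <string>HfsPlus.efi</string>
      <string>OpenUsbKbDxe.efi</string>
    </array>
  </dict>
</dict>
</plist>"""


def check_config(data: bytes) -> list[str]:
    """Return findings for the settings discussed in this thread."""
    cfg = plistlib.loads(data)
    uefi = cfg.get("UEFI", {})
    findings = []
    if uefi.get("Output", {}).get("ProvideConsoleGop") is not True:
        findings.append("ProvideConsoleGop is not true (the thread needed it on VirtualBox)")
    # Driver entries are plain strings in the configs on this page; dict
    # entries with a "Path" key are an assumption about other layouts.
    drivers = {d if isinstance(d, str) else d.get("Path", "")
               for d in uefi.get("Drivers", [])}
    key_support = uefi.get("Input", {}).get("KeySupport") is True
    usb_kb = "OpenUsbKbDxe.efi" in drivers
    if key_support and usb_kb:
        findings.append("KeySupport and OpenUsbKbDxe.efi are both enabled: they conflict")
    elif not (key_support or usb_kb):
        findings.append("no key handling: enable KeySupport or OpenUsbKbDxe.efi")
    sec = cfg.get("Misc", {}).get("Security", {})
    if sec.get("Vault") == "Optional":
        findings.append("Vault is Optional: OpenCore vaulting is not enforced")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE):
        print("-", finding)
```
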

@blastik

blastik commented Jun 17, 2021

No luck. I forgot to say that I'm on Big Sur, and seeing #479 the issue might be something else...
