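#!/usr/bin/env bash
#
# Build the EDK2 KeyTool UEFI application with Homebrew's LLVM on macOS and
# convert the Microsoft 2023 KEK / Windows UEFI CA certificates to DER so they
# can be enrolled from the UEFI shell with KeyTool.
#
# Usage:  run from the directory that should receive the `edk2` checkout and
#         the `output/` tree. The two Microsoft .crt files must already be in
#         that directory (see the Microsoft links in the notes at the bottom).
# Tools:  git, brew, openssl. Homebrew llvm/lld/acpica/nasm are installed here.
# Env:    LLVM_PREFIX / LLD_PREFIX  - override the Homebrew prefixes
#                                     (Apple Silicon defaults; Intel Macs use
#                                     /usr/local/opt/llvm and /usr/local/opt/lld)
#         KEK2023_SHA256 / DB2023_SHA256 - optional expected SHA-256 certificate
#                                     fingerprints (colon-separated hex, as
#                                     printed by `openssl x509 -fingerprint`).
#                                     When set, conversion aborts on mismatch;
#                                     the fingerprints are always printed so
#                                     they can be compared by hand against the
#                                     values Microsoft publishes.

set -euo pipefail

# Pinned EDK2 revision so the firmware build is reproducible.
readonly EDK2_COMMIT="fc0fffa7e9089e7b79b9ae7babb950f1f153e0ae"
readonly KEK_CRT="microsoft corporation kek 2k ca 2023.crt"
readonly DB_CRT="windows uefi ca 2023.crt"

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Assert that a tool resolves to a binary under "<prefix>/bin".
# The old script only printed `which ...`; a wrong toolchain would have gone
# unnoticed and EDK2 would silently have used Apple's clang/ld.
# Arguments: $1 - tool name, $2 - expected install prefix
# Returns:   0 when the tool resolves under "$2/bin", exits via die otherwise
#######################################
require_tool_under() {
  local tool=$1 prefix=$2 found
  found=$(command -v "$tool") || die "$tool not found in PATH"
  [[ "$found" == "$prefix/bin/"* ]] \
    || die "$tool resolves to $found, expected it under $prefix/bin"
}

#######################################
# Convert a PEM certificate to DER and print its SHA-256 fingerprint.
# These certificates become Secure Boot trust roots (KEK / db), so the input
# file must exist and, when an expected fingerprint is supplied, must match it.
# Arguments: $1 - input PEM .crt
#            $2 - output DER path
#            $3 - expected SHA-256 fingerprint, or "" to only print it
# Outputs:   writes the DER file; prints "<pem> -> <der>" and the fingerprint
# Returns:   0 on success, exits via die on a missing file or a mismatch
#######################################
convert_cert() {
  local pem=$1 der=$2 expected=$3 fp actual want
  [[ -f "$pem" ]] || die "missing certificate file: $pem"
  openssl x509 -in "$pem" -outform DER -out "$der"
  # Output looks like "sha256 Fingerprint=AB:CD:..." (case of the prefix
  # differs between OpenSSL versions); keep only the hex part, upper-cased.
  fp=$(openssl x509 -in "$der" -inform DER -noout -fingerprint -sha256)
  actual=$(printf '%s' "${fp#*=}" | tr '[:lower:]' '[:upper:]')
  printf '%s -> %s\n  SHA256 %s\n' "$pem" "$der" "$actual"
  if [[ -n "$expected" ]]; then
    want=$(printf '%s' "$expected" | tr '[:lower:]' '[:upper:]')
    [[ "$actual" == "$want" ]] \
      || die "fingerprint mismatch for $pem (expected $want, got $actual)"
  fi
}

main() {
  # Fresh clone: the previous checkout and output tree are discarded.
  rm -rf -- edk2 output
  git clone https://github.com/tianocore/edk2.git
  cd edk2 || die "cannot cd into edk2"
  git checkout "$EDK2_COMMIT"

  # 0) Make sure LLVM is installed
  brew install llvm acpica nasm
  brew install lld

  # 1) Point PATH and tool vars to Homebrew's LLVM (Apple Silicon defaults;
  #    override LLVM_PREFIX / LLD_PREFIX on Intel Macs)
  export LLVM_PREFIX="${LLVM_PREFIX:-/opt/homebrew/opt/llvm}"
  export LLD_PREFIX="${LLD_PREFIX:-/opt/homebrew/opt/lld}"
  export PATH="$LLVM_PREFIX/bin:$LLD_PREFIX/bin:$PATH"
  hash -r

  # 2) Explicitly select LLVM tools so EDK2 doesn't fall back to Apple's
  export CC="$LLVM_PREFIX/bin/clang"
  export CXX="$LLVM_PREFIX/bin/clang++"
  export LD="$LLD_PREFIX/bin/ld.lld"
  export AR="$LLVM_PREFIX/bin/llvm-ar"
  export RANLIB="$LLVM_PREFIX/bin/llvm-ranlib"
  export NM="$LLVM_PREFIX/bin/llvm-nm"
  export STRIP="$LLVM_PREFIX/bin/llvm-strip"
  export OBJCOPY="$LLVM_PREFIX/bin/llvm-objcopy"
  export OBJDUMP="$LLVM_PREFIX/bin/llvm-objdump"

  # 3) Sanity check — these MUST point into .../opt/llvm/bin (resp. lld/bin);
  #    abort instead of merely printing the paths.
  require_tool_under clang "$LLVM_PREFIX"
  require_tool_under ld.lld "$LLD_PREFIX"
  require_tool_under llvm-ar "$LLVM_PREFIX"
  clang --version

  # 4) Rebuild tools & firmware
  make -C BaseTools -j
  # edksetup.sh is third-party and may reference variables that are not set
  # yet (e.g. WORKSPACE), so relax -u only while sourcing it.
  set +u
  # shellcheck disable=SC1091
  source ./edksetup.sh
  set -u
  build -a AARCH64 -t CLANGDWARF \
    -p ShellPkg/ShellPkg.dsc \
    -m ShellPkg/Application/KeyTools/KeyTool/KeyTool.inf \
    -b RELEASE
  cd ..

  # Convert the Microsoft certificates for enrollment; the DER files land next
  # to the EFI/Boot directory that is expected to hold KeyTool.efi.
  # NOTE(review): KeyTool.efi is not copied into output/keys/EFI/Boot here;
  # copy the binary produced by the build above into that directory before
  # booting the keys drive.
  mkdir -p output/keys/EFI/Boot
  convert_cert "$KEK_CRT" output/keys/kek2023.cer "${KEK2023_SHA256:-}"
  convert_cert "$DB_CRT" output/keys/db2023.cer "${DB2023_SHA256:-}"

  # Show the checkout in Finder (the clone made above, instead of a
  # user-specific absolute path).
  open "$PWD/edk2"
}

main "$@"

# ---------------------------------------------------------------------------
# Notes / optional steps (not executed by this script)
# ---------------------------------------------------------------------------
# (Optional) ArmVirtQemu firmware with Secure Boot support; run from inside the
# edk2 checkout after edksetup.sh. Clean the previous failed build first to
# avoid stale flags/objects:
#   rm -rf Build/ArmVirtQemu-AARCH64
#   build -a AARCH64 \
#     -t CLANGDWARF \
#     -p ArmVirtPkg/ArmVirtQemu.dsc \
#     -D SECURE_BOOT_ENABLE=TRUE \
#     -b DEBUG
#
# CODE="/Volumes/Cache/vms/image/win11-arm64/win11/QEMU_EFI.fd"
# VARS="/Volumes/Cache/vms/image/win11-arm64/win11/QEMU_VARS.fd"
# # Make blank 64 MiB raws
# qemu-img create -f raw QEMU_EFI-pflash.raw 64M
# qemu-img create -f raw QEMU_VARS-pflash.raw 64M
# # Copy firmware into the front of each file without truncating the 64 MiB size
# dd if="$CODE" of=QEMU_EFI-pflash.raw conv=notrunc
# dd if="$VARS" of=QEMU_VARS-pflash.raw conv=notrunc
# # Confirm size is exactly 67108864 bytes
# stat -f "%z %N" QEMU_EFI-pflash.raw QEMU_VARS-pflash.raw
#
# https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11
# https://go.microsoft.com/fwlink/?linkid=2239775
# https://go.microsoft.com/fwlink/?linkid=2239776
#
# -drive if=none,id=mskeys,format=raw,file=fat:rw:keys
# -device usb-storage,drive=mskeys
#
# 5. Enroll the certs in firmware
# Boot into UEFI shell, run FS0:\EFI\Boot\KeyTool.efi.
# In KeyTool:
#   Go to Edit Keys → KEK → Add New Key, pick kek2023.cer.
#   Go to Edit Keys → db → Add New Key, pick db2023.cer.
# Before enrolling, compare the fingerprints printed by this script with the
# values Microsoft publishes for these certificates (see the links above);
# whatever is enrolled in KEK/db becomes a trust root for everything that boots.
# If no PK is present yet, you must enroll a Platform Key (PK) first (can be
# self-signed with OpenSSL; KeyTool can also generate). Without a PK, Secure
# Boot remains "greyed out."
# ✅ After PK + KEK + DB are enrolled, reboot → go into firmware setup → Secure
# Boot option will be toggleable → set it to Enabled.
# Now Windows 11 installer/bootloader should run under Secure Boot.
#
# Ref: 68adf715-f29c-832e-89d7-a37025f63cf3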