From c2f7b3cea5a09db9d56ce7f08a8cdccbe5939283 Mon Sep 17 00:00:00 2001
From: vit9696
Date: Thu, 20 Aug 2020 22:26:41 +0300
Subject: [PATCH] OpenCoreUefi: Prohibit unsigned DMG loading with secure boot

---
 Platform/OpenCore/OpenCoreUefi.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/Platform/OpenCore/OpenCoreUefi.c b/Platform/OpenCore/OpenCoreUefi.c
index 03623edd..a1fbb6ff 100644
--- a/Platform/OpenCore/OpenCoreUefi.c
+++ b/Platform/OpenCore/OpenCoreUefi.c
@@ -379,6 +379,18 @@ OcLoadAppleSecureBoot (
 SecureBootPolicy = AppleImg4SbModeMedium;
 }

+ //
+ // We blindly trust DMG contents after signature verification
+ // essentially skipping secure boot in this case.
+ // Do not allow enabling one but not the other.
+ //
+ if (SecureBootPolicy != AppleImg4SbModeDisabled
+ && AsciiStrCmp (OC_BLOB_GET (&Config->Misc.Security.DmgLoading), "Any") == 0) {
+ DEBUG ((DEBUG_ERROR, "OC: Cannot use Secure Boot with Any DmgLoading!\n"));
+ CpuDeadLoop ();
+ return;
+ }
+
 DEBUG ((
 DEBUG_INFO,
 "OC: Loading Apple Secure Boot with %a (level %u)\n",
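Review bot: The new guard in OcLoadAppleSecureBoot rejects only the exact, case-sensitive string `Any`, so every other DmgLoading value, including a misspelled or differently cased one, passes while Secure Boot stays enabled. Whether such a value can still end up permitting unsigned DMGs depends on the DmgLoading parser, which is not visible in this hunk; unless it falls back to a verifying mode, the bypass described in the comment remains reachable. An allowlist would fail closed instead, e.g. `&& AsciiStrCmp (DmgLoading, "Signed") != 0 && AsciiStrCmp (DmgLoading, "Disabled") != 0` with `DmgLoading` holding the `OC_BLOB_GET` result, or a test on the already-parsed policy value if one is available at this point. The function body starts and ends outside the hunk.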