Adding functionality to macOS pre-boot process

Is anyone familiar with adding functionality to the macOS pre-boot process? I'm trying to supplement FileVault's functionality so that it can integrate with a user directory service, which isn't really an Apple-supported or well-documented type of task.

My goal is to allow remote users to unlock and log in to the device without having a local account set up yet. FileVault currently only allows users with existing local accounts to unlock a device. I'm working on a Mac Pro running macOS High Sierra 10.13.6 with APFS.

Based on Apple's documentation of the boot process and Eclectic Light Co's articles on the topic, my understanding is that pre-boot procedures such as kernel loading and FileVault decryption are handled by the boot.efi file in the Preboot APFS disk partition.

So as far as I can tell, I need to modify how boot.efi works to achieve my goals. Is there a way I can build my own boot.efi with additional functionality and then safely replace the existing one, or can I add a supplemental EFI file with additional functionality that is run in conjunction with boot.efi?

Along those lines, the only resource I have found so far is Piker Alpha's boot loader source tree, but I'm hesitant to use this project since it appears to be outdated / only for HFS+-based Macs (and also only builds using Visual Studio).

Does anyone have other resources or suggestions on how I can modify macOS pre-boot procedures?


Solution 1:

Apple doesn’t prevent you from running other EFI unless you have trusted OS / T2 chips. You can disable these security steps on Mojave and current T2, but that’s pretty manual and not automated.

You’ll want to look at tools like BootRunner or the Twocanoes MDS with Automaton to automate the pre-boot environment for all modern Mac hardware and modern macOS.

Much easier to handle things with the tools Apple gives than trying to re-engineer EFI / customize things that don’t have sanctioned support. Extending PAM / authentication is long supported, but changing EFI is not something most enterprises take on in my experience.