A lockpicking set opening a deadbolt lock in front of the Apple logo.

Should you trust a third-party bootloader to run newer MacOS versions?

Apple periodically drops support for its older hardware, and customers get left with an increasingly insecure and outdated system. The Hackintosh scene, a community dedicated to running MacOS on unsupported hardware, might help extend the life of your Mac. However, can you trust its community-developed software to the same degree as you blindly trust Apple?

My MacBook Pro (a 2013 model) won’t receive any more love (updates) from Apple as the company left it behind with the release of MacOS version 12 “Monterey”. However, the hardware is still perfectly capable of running Monterey. Sure, it has needed some maintenance and a battery swap, but it’s otherwise in good condition.

A Hackintosh usually refers to a computer from another manufacturer running Apple software. Apple includes all sorts of software-based copy protections to make sure its software only runs on its hardware products. To the dedicated folks who want to do exactly that, those protections are more of an encouragement than a deterrent.

The current star in the Hackintosh community is the OpenCore UEFI emulator and bootloader project. The Unified Extensible Firmware Interface (UEFI) is low-level software that sits in between the hardware’s firmware and the operating system (OS) software. Among other things it’s responsible for booting the OS, and it also provides services to the OS afterwards.

OpenCore is a free and open-source replacement for Apple UEFI and iBoot (Apple’s bootloader) software. OpenCore works by replicating the behaviors MacOS expects from UEFI and iBoot on a supported Mac on an unsupported system. It can run on legacy Mac products and computers from other manufacturers.

It’s deeply weird to me that I have to turn my MacBook into a Hackintosh to continue running Apple’s latest software. I paid extra for the Apple experience. To me, the Apple experience doesn’t involve installing third-party UEFI and bootloaders.

The first software that runs on your computer after it’s been powered on runs in absolute unrestricted security (“God”) mode. It can do anything it wants on your computer. It is your computer.

You implicitly trust your hardware vendor’s firmware. Bought a Dell running Windows? Then you trust Dell and Microsoft. Bought a Mac? Then you trust Apple. Customers rarely think about the required trust levels. (It may be deeply uncomfortable to pause and give it some thought.)

Things get a bit more complicated if you’ve bought a computer and you run Linux on it. Linux is a free and open-source OS developed by a loosely organized collective of individual contributors and organizations. Linux users assume everything is fine and that enough skeptical eyes are scrutinizing every little contribution.

Linux is started by one of many community-developed bootloaders, which in turn is started by the UEFI firmware written by whoever happened to develop the hardware. Trust is still absolute, but it can be quite unclear who you’re trusting.

The Linux ecosystem has layers of trust and validation. Software developers rarely deliver software directly to their end users. Instead, they release software which is then picked up by another group of people: package maintainers. The package maintainers prepare and package the software for a Linux distribution. The packaged software is staged for testing before eventually being pushed to end users.

On top of this, security researchers eagerly await the release of key packages. Finding a vulnerability in a program that can be expected to be installed on millions of computers can be a huge career boost.

OpenCore is a much smaller project where the software gets delivered directly to end-users. There are fewer eyes and steps from the project to its end users. Crucially, there are fewer (if any?) corporate users. There’s less time and money invested into scrutinizing the software and the project’s security practices.

You should always be distrustful of alternative firmware. You should always ask yourself: do I trust this firmware to not steal my email and passwords, credit cards and banking information, and cryptocurrency wallets? For most people, the answer should be: I don’t know and I’m not qualified to answer that question.

OpenCore documentation (from the project and third parties) references “security audits”, but I’ve not found any indication of a security audit of the project. A security audit is a thorough, time-consuming, and expensive process where a specialist consulting agency reviews a software project. An audit typically involves validating security best practices, identifying unsafe or exploitable areas of the code, and suggesting other improvements to strengthen its resistance to exploitation.

I’m not saying there’s any malicious intent from the OpenCore or other alternative UEFI or bootloader communities. However, even the best developers and intentions can make mistakes. That mistake could be exploitable.

The OpenCore Legacy Patcher app makes it easy for users on older versions of MacOS to download and prepare a USB drive that they can use to update their unsupported Macs to the latest version. Its first operation just downloads and installs the MacOS Installer from Apple onto the USB drive. It creates verifiably genuine installers.

In the second step, it installs OpenCore onto the USB drive. Now, it’s up to you to blindly trust it, restart your Mac, and hope for the best.
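The first step above produces an installer the post calls verifiably genuine; the check below is how you would actually verify that on the USB drive before the second step adds OpenCore. This is an added example, not code from the post or from the OpenCore Legacy Patcher project. The installer path is an assumption (createinstallmedia-style volumes are named after the macOS version downloaded); adjust it to your drive. It relies only on Apple’s own codesign and spctl tools, so it can only run on macOS, and it deliberately says so rather than passing when those tools are absent. It also shows why checking for “Apple Root CA” alone is not enough: Developer ID certificates chain to that root too, so the check additionally requires Apple’s own “Software Signing” leaf. The OpenCore EFI files added in the second step carry no Apple signature, so no such check exists for them; that is exactly the blind trust described above.

```shell
#!/bin/sh
# Added example (not from the post or the OpenCore project): verify that the
# macOS installer app staged on the USB drive is Apple-signed and unmodified.
# Path below is an assumption; pass your own as the first argument.
DEFAULT_INSTALLER="/Volumes/Install macOS Monterey/Install macOS Monterey.app"

# Returns 0 if the installer passes Apple's signature checks, 1 if it fails
# or is missing, and 2 if the checks cannot run on this machine (not macOS).
verify_apple_installer() {
    app="$1"
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not found: this check must run on macOS" >&2
        return 2
    fi
    if [ ! -d "$app" ]; then
        echo "no installer app found at: $app" >&2
        return 1
    fi

    # 1. The bundle and everything nested inside it must match its signature.
    #    --strict rejects signatures that are valid but use lax formats.
    if ! codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "FAIL: $app is unsigned or has been modified since signing" >&2
        return 1
    fi

    # 2. Inspect the certificate chain. "Apple Root CA" alone is not enough,
    #    because third-party Developer ID certificates chain to it as well;
    #    Apple's own system software carries the "Software Signing" leaf.
    chain=$(codesign -dv --verbose=4 "$app" 2>&1)
    if ! printf '%s\n' "$chain" | grep -q '^Authority=Apple Root CA$'; then
        echo "FAIL: signature is not anchored at Apple Root CA" >&2
        return 1
    fi
    if ! printf '%s\n' "$chain" | grep -q '^Authority=Software Signing$'; then
        echo "FAIL: signed, but not by Apple's own Software Signing certificate" >&2
        return 1
    fi

    # 3. Gatekeeper's verdict, recorded for completeness (expect "accepted",
    #    "source=Apple System"). Captured so a rejection is shown, not hidden.
    verdict=$(spctl --assess --verbose=4 --type execute "$app" 2>&1) || true
    echo "Gatekeeper: $verdict"

    echo "OK: $app is Apple-signed and unmodified"
    return 0
}

# Stand-alone use: sh verify_installer.sh "/Volumes/Install macOS Monterey/Install macOS Monterey.app"
if [ $# -gt 0 ]; then
    verify_apple_installer "$1"
elif [ -d "$DEFAULT_INSTALLER" ]; then
    verify_apple_installer "$DEFAULT_INSTALLER"
fi
```

Run it on the Mac that prepared the drive, after the first step and before rebooting into the second. A non-zero result means either the app is not what Apple shipped, or you are not on a machine that can tell; in both cases do not proceed.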

I’d recommend that most users who are considering a Hackintosh approach install a popular Linux distribution instead. The Linux community is motivated to support your aging hardware instead of actively trying to break it with every update.

Apple actively wants to sabotage OpenCore and the Hackintosh community’s efforts. OpenCore works around and bypasses security measures, and it can prolong the life of your unsupported Apple products. However, you have no guarantee of how long it’ll last. Installing OpenCore may grant your Mac another lease on life, but you’ll always be on borrowed time.

Unfortunately, the WiFi chipset in this generation of MacBooks is poorly supported in Linux. Otherwise, I’d recommend you switch to Linux instead of continuing to use Apple’s OS. However, I too want to continue using MacOS and I don’t need another Linux computer. So, I went down the lesser-traveled OpenCore path.

Whether you install OpenCore or Linux (or even Windows) on your Mac, you should be prepared for shark encounters. You’re not an Apple customer anymore; the magic is no more.

In my opinion, hardware vendors should continue supporting their old hardware for at least 10–15 years. There’s no need for my MacBook to become electronics waste at this point in its life. Assuming I can run still-maintained and secure software on it, it still has years of use ahead of it.