
veracrypt / veracrypt-dcs


VeraCrypt EFI Bootloader for EFI Windows system encryption (LGPL)

License: GNU Lesser General Public License v3.0

C 95.93% Batchfile 1.17% Assembly 0.11% PowerShell 1.97% Roff 0.81%
bootloader efi encryption uefi veracrypt windows

veracrypt-dcs's People

Contributors

alex085 avatar davidhcefx avatar idrassi avatar kavsrf avatar manison avatar


veracrypt-dcs's Issues

Error compiling DcsCfgCrypt.c with VS2017

When I'm building DcsCfg under VS2017 (#13), I get the following error in DcsCfgCrypt.c:

d:\shared\edk2\DcsPkg\DcsCfg\DcsCfgCrypt.c(1766): error C2220: warning treated as error - no 'object' file generated
d:\shared\edk2\DcsPkg\DcsCfg\DcsCfgCrypt.c(1766): warning C4459: declaration of 'SecRegionData' hides global declaration
d:\shared\edk2\DcsPkg\DcsCfg\DcsCfgCrypt.c(49): note: see declaration of 'SecRegionData'
d:\shared\edk2\DcsPkg\DcsCfg\DcsCfgCrypt.c(1767): warning C4459: declaration of 'SecRegionSize' hides global declaration
d:\shared\edk2\DcsPkg\DcsCfg\DcsCfgCrypt.c(50): note: see declaration of 'SecRegionSize'
d:\shared\edk2\DcsPkg\DcsCfg\DcsCfgCrypt.c(1768): warning C4459: declaration of 'SecRegionOffset' hides global declaration
d:\shared\edk2\DcsPkg\DcsCfg\DcsCfgCrypt.c(51): note: see declaration of 'SecRegionOffset'

The local variables declared in SecRigionDump (sic) should be renamed, or the warning should be suppressed.

There is also a typo in the SecRigionXxx function names. Apparently they should be named SecRegionXxx.

Cannot boot into encrypted system from USB bootloader

Hello. Sorry for opening a ticket, but after searching for days and trying at least 50 different configs, I've still not got it working, and I'm wondering whether it might be an actual bug.

Situation
I have an internal drive that is encrypted by VeraCrypt with standard system partition encryption. It's working absolutely fine so far. But I don't want to enter my password on every boot; rather I'd like to have an external drive that contains the bootloader and starts my encrypted system, just like the VeraCrypt bootloader that is present on the system disk would and is able to do.

What I've tried
I took the rescue image that was created during encryption and placed it on a USB drive. It can boot the minimal rescue shell fine, but completely ignores the DcsProp file and offers no option whatsoever to boot the existing system, presenting me only with options to decrypt it or reset to the original boot loader. Through a few dozen forum posts, I've found out that overriding \EFI\Boot\bootx64.efi with \EFI\VeraCrypt\DcsBoot.efi will actually start the boot loader instead of the rescue disk, and it seems to respect the DcsProp file placed on the USB drive. I was expecting the rescue disk to be able to boot the encrypted system as an option without replacing it manually with the boot loader, but nope. (Am I missing something here?)

Anyways, now that the boot loader is properly starting from USB... I still can't get it to work. I've tried various different variations of the DcsProp file, which I've included at the end of this issue. Depending on the configuration, I've gotten various responses from the bootloader:

  • "Can't find start partition" is the most common, and it happens after authentication success. The bootloader will authorize, print the correct drive offset and length (just like when I normally boot), and then stop with this error, while displaying a totally wrong UUID that is one-third ones, one-third zeroes, and the rest seems to be random.
  • "CRC invalid" happens when I leave out postexec. What does that do anyway?
  • "Not found" without further message happened a few times, I forgot which configs.

The possible bug
Please mind that, although I'm a professional programmer, I've never really worked with C, so I might misunderstand parts of the code. But I think there might be a bug with the code that is figuring out the UUID of the partition to be booted from: https://github.com/veracrypt/VeraCrypt-DCS/blob/master/DcsBoot/DcsBoot.c#L193
The linked code seems to completely ignore any other drives that are present in the system. It will only try to find the partition UUID amongst the partitions of the bootloader file root's device, making it impossible to boot from a different drive than the one the bootloader is placed on.
I've dug a little deeper and found that EfiFindPartByGUID() (from https://github.com/veracrypt/VeraCrypt-DCS/blob/0342ec53dea13d16115fdb44ddc74724d82519c3/Library/CommonLib/EfiBio.c ) should probably be called before the above mentioned line, to find the correct device that the partition is placed on.

If that's not a bug, I don't really know where else to look. I think it's weird that the rescue disk offers no option to actually auto login according to the DcsProp file that is placed on the same partition, and its absence should be considered a bug as well. IMHO a rescue disk should always be able to boot the system, not only restore it. And technically it is, it's just missing the option in the menu, it seems.

Edit: looking further into the code I've talked about, I don't think anymore that this exact line is buggy. Later on in the code it seems to try to figure out whether the partition is on a different device and then search accordingly. But what has to be a bug is the fact that the UUID that I specify is displayed incorrectly and randomly on each boot. It seems to me like this might be a pointer issue somewhere when reading the target UUID from DcsProp, or copying that afterwards.

Please help me get this fixed, as it's driving me crazy. I'd love to help with writing a bit of documentation about this part as soon as I've got it working.

Appendix A: My DcsProp file
The following is the config I've placed on the USB in \EFI\VeraCrypt\DcsProp (already existed with defaults). All private data is replaced by ***. I've tried both EFI partition and OS partition UUIDs in all combinations. The multiple ActionSuccess values are all variations I've tried.

<?xml version="1.0" encoding="utf-8"?>
<VeraCrypt>
	<configuration>
		<config key="PasswordType">0</config>
		<config key="PasswordMsg">PW: </config>
		<config key="Hash">***</config>
		<config key="HashRqt">0</config>
		<config key="PimMsg">PIM: </config>
		<config key="Pim">***</config>
		<config key="PimRqt">0</config>
		<config key="AutoLogin">1</config>
		<config key="AutoPassword">***</config>
		<config key="AuthorizeVisible">0</config>
		<config key="AuthorizeRetry">10</config>
		<config key="DcsBmlLockFlags">0</config>
		<config key="DcsBmlDriver">0</config>
		<config key="PartitionGuidOS">***-***-***-***-***</config>
		<config key="ActionSuccess">postexec guid(***-***-***-***-***) file(\EFI\Microsoft\Boot\bootmgfw_ms.vc)</config>
		<!--<config key="ActionSuccess">postexec guid(***-***-***-***-***) file(EFI\Microsoft\Boot\bootmgfw_ms.vc)</config>
		<config key="ActionSuccess">guid(***-***-***-***-***) file(\EFI\Microsoft\Boot\bootmgfw_ms.vc)</config>
		<config key="ActionSuccess">guid(***-***-***-***-***) file(EFI\Microsoft\Boot\bootmgfw_ms.vc)</config>
		<config key="ActionSuccess">postexec guid(***-***-***-***-***)</config>
		<config key="ActionSuccess">guid(***-***-***-***-***)</config>-->
	</configuration>
</VeraCrypt>
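An added example (not code from VeraCrypt-DCS) for the GUID mismatch described above: the GUID the bootloader prints is an EFI_GUID, whose first three fields are native integers while the last eight bytes are stored in text order, so a byte-wise copy or a wrong field width shows up as exactly this kind of half-zeroes, half-garbage value. The helpers below parse the text form used in DcsProp into that layout, format it back, and round-trip it; the struct mirrors the UEFI definition, and the test value is the well-known EFI System Partition type GUID, used only as a known-good input.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* In-memory layout of an EFI_GUID as defined by the UEFI specification:
 * three native-endian integer fields followed by eight bytes kept in the
 * order they appear in the text form. */
typedef struct {
    uint32_t Data1;
    uint16_t Data2;
    uint16_t Data3;
    uint8_t  Data4[8];
} EFI_GUID;

/* Value of one hex digit, or -1 for anything that is not a hex digit. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Read exactly ndigits hex digits at s into *out; 0 on success, -1 on a bad digit. */
static int hexfield(const char *s, int ndigits, uint64_t *out)
{
    uint64_t v = 0;
    for (int i = 0; i < ndigits; i++) {
        int d = hexval(s[i]);
        if (d < 0) return -1;
        v = (v << 4) | (uint64_t)d;
    }
    *out = v;
    return 0;
}

/* Parse "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" (either case) into an EFI_GUID.
 * Returns 0 on success; -1 on wrong length, misplaced separators or a bad
 * digit, in which case *guid is left untouched. */
int guid_from_text(const char *text, EFI_GUID *guid)
{
    uint64_t d1, d2, d3, d4hi, d4lo;
    if (strlen(text) != 36) return -1;
    if (text[8] != '-' || text[13] != '-' || text[18] != '-' || text[23] != '-')
        return -1;
    if (hexfield(text, 8, &d1) || hexfield(text + 9, 4, &d2) ||
        hexfield(text + 14, 4, &d3) || hexfield(text + 19, 4, &d4hi) ||
        hexfield(text + 24, 12, &d4lo))
        return -1;
    guid->Data1 = (uint32_t)d1;             /* first three fields are integers ... */
    guid->Data2 = (uint16_t)d2;
    guid->Data3 = (uint16_t)d3;
    guid->Data4[0] = (uint8_t)(d4hi >> 8);  /* ... the rest is a byte string */
    guid->Data4[1] = (uint8_t)d4hi;
    for (int i = 0; i < 6; i++)
        guid->Data4[2 + i] = (uint8_t)(d4lo >> (8 * (5 - i)));
    return 0;
}

/* Format an EFI_GUID back to upper-case text; buf must hold 37 bytes. */
void guid_to_text(const EFI_GUID *g, char buf[37])
{
    snprintf(buf, 37, "%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X",
             (unsigned)g->Data1, (unsigned)g->Data2, (unsigned)g->Data3,
             g->Data4[0], g->Data4[1], g->Data4[2], g->Data4[3],
             g->Data4[4], g->Data4[5], g->Data4[6], g->Data4[7]);
}

/* Round-trip check: 1 if parse followed by format reproduces the input
 * (ignoring case), 0 if parsing fails or the text comes back different. */
int guid_roundtrip_ok(const char *text)
{
    EFI_GUID g;
    char out[37];
    if (guid_from_text(text, &g) != 0) return 0;
    guid_to_text(&g, out);
    for (int i = 0; i < 36; i++)
        if (toupper((unsigned char)text[i]) != out[i]) return 0;
    return 1;
}

int main(void)
{
    /* Well-known EFI System Partition type GUID, used here only as a test value. */
    const char *sample = "c12a7328-f81f-11d2-ba4b-00a0c93ec93b";
    EFI_GUID g;
    char out[37];
    if (guid_from_text(sample, &g) == 0) {
        guid_to_text(&g, out);
        printf("in : %s\nout: %s\nData1=%08X Data4[0..1]=%02X%02X\n",
               sample, out, (unsigned)g.Data1, g.Data4[0], g.Data4[1]);
    }
    return guid_roundtrip_ok(sample) ? 0 : 1;
}
```

If a GUID read from DcsProp survives this round trip but still prints wrong in the bootloader, the text parser is not the suspect; look at how the parsed structure is copied or compared afterwards.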

During boot, touch image comes up (with circles visible) if so configured, but is non-functional on Vivobook 14 Flip

I have an ASUS Vivobook 14 Flip, a 2-in-1 laptop with keyboard and touch screen. The touch screen works in Windows and also in the BIOS.

For the following DcsProp config, the image with the circles is shown, but touch interaction doesn't work. You can't type by touching the circles, though you can move the cursor with the arrow keys and enter a password that way, even when TouchSimulate is set to 0.

<?xml version="1.0" encoding="utf-8"?>
<VeraCrypt>
	<configuration>
		<config key="PasswordType">1</config>
		<config key="PasswordMsg">Password: </config>
		<config key="PasswordPicture">login.bmp</config>
		<config key="HashMsg">(0) TEST ALL (1) SHA512 (2) WHIRLPOOL (3) SHA256
                                      (4) RIPEMD160 (5) STREEBOG Hash:</config>
		<config key="Hash">1</config>
		<config key="HashRqt">0</config>
		<config key="PimMsg">PIM (Leave empty for default): </config>
		<config key="Pim">0</config>
		<config key="PimRqt">0</config>
		<config key="AuthorizeVisible">0</config>
		<config key="AuthorizeRetry">10</config>
		<config key="DcsBmlLockFlags">0</config>
		<config key="DcsBmlDriver">0</config>
		<config key="ActionSuccess"></config>
		<config key="TouchDevice">0</config>
		<config key="TouchSimulate">0</config>
	</configuration>
</VeraCrypt>

This is the relevant bit from PlatformInfo:

 <TouchDevices count="1">
  <TouchDevice index="0" minx="0" miny="0" minz="0" maxx="800" maxy="589" maxz="0" attr="0x00"/>
 </TouchDevices>

I tried changing TouchDevice to -1, but it makes no difference. (I looked at the source code, so I see why it doesn't matter.) Also note that the cursor can be moved by arrow keys even if TouchSimulate is 0, as I've set it.

Has the code been tested on any actual touch platforms? I suppose I can build it myself, but I'm not set up with VS2019 so it's going to take some work to install the relevant tools, and that's if they're all free - I'm not sure that the Community version allows UEFI development.

Feature Request: Veracrypt.cfg for bootloader

Need a way to specify this for firmwares without writable NVRAM. Without an external bootloader, manual setup leads to a boot loop.

Feature Request: Allow this option to be read from a text file or configuration file.

veracrypt/Veracrypt-dcs/DcsBoot/DcsBoot.c

line 28: CHAR16 *gEfiExecCmdDefault = L"\\EFI\\Microsoft\\Boot\\Bootmgfw.efi";

e.g. installing Ubuntu requires renaming the Ubuntu EFI boot file to \EFI\Microsoft\Boot\Bootmgfw.efi to allow booting Ubuntu, then moving bootmgfw.efi to a different directory so Ubuntu's GRUB can load Windows. FDE on these systems does not "work" without manually loading the VeraCrypt EFI file each time, and will fail the pre-boot test unless the user intervenes and selects the proper boot file for the VeraCrypt EFI loader.

FeatureRequest: Adding a Custom Login Screen for Branding

Problem: Currently you can create your own login screen via login.bmp, but only with touch support which is very unattractive.

For possible branding, I would like to see a login screen without touch support. That means without the green circles and other fields.

How to?

Hi,

I tried to build Vera but confess that I'm in trouble. What is edk? And I do have nasm installed but the setenv.bat batch won't find it, see

where nasm
C:\programs\nasm-2.11.05\nasm.exe
C:\j\bin\nasm.exe

V:\VeraCrypt-DCS-master>echo %NASM_PREFIX%
c:\Tools\nasm\

also, when I run the setenv.bat it asks for an edksetup.bat that I do not know what it is

setenv.bat
Setting environment for using Microsoft Visual Studio 2010 x86 tools.
The system cannot find the path specified.
'edksetup.bat' is not recognized as an internal or external command,
operable program or batch file.

Thanks for any enlightenment

VeraCrypt keeps changing my bootloader order

Hi,

I made a dual-boot full system encryption setup on EFI. Windows is encrypted using VeraCrypt, everything works, EFI and stuff. On the other system I configured Arch GNU/Linux, which is LVM on LUKS, also requires a password during boot, even automounts the Windows partition. I also use EFI and systemd-boot to load this OS.

Everything works except small annoying feature.

My desired configuration is to have systemd-boot as the default bootloader. And it works. I can choose Arch and boot it or "chainload" VeraCrypt and it also works like a charm. But, when I boot Windows and turn off my computer, after the next start that darn VeraCrypt boots. When I wanna boot Arch, I need to go to EFI settings, turn off the VeraCrypt bootloader manually and make sure that systemd-boot is default. Darn! Disabling the VeraCrypt bootloader also doesn't help – it just keeps reappearing.

I tried to find some docs, but the EFI case is nonexistent. Everything works awesome, but the documentation doesn't say a word about full system encryption on EFI. I thought it was only for BIOS and learned I was mistaken on a 3rd party website.

Your tool is awesome, I am very grateful and stuff, but I have two requests :)

  • please add/describe option, how I can disable this annoying feature or choose my own bootloader of choice
  • please add description in your docs, that VeraCrypt full system encryption is supported on EFI.

I can quote:

System encryption involves pre-boot authentication, which means that anyone who wants to gain access and use the encrypted system, read and write files stored on the system drive, etc., will need to enter the correct password each time before Windows boots (starts). Pre-boot authentication is handled by the VeraCrypt Boot Loader, which resides in the first track of the boot drive and on the VeraCrypt Rescue Disk (see below).

Seems to me like "no, EFI is not supported, we created this tool before EFI".

Thanks for your hard work
Damjes

Smart card keyfile implementation for VeraCrypt-DCS

Hello,

I've seen that DCS has support for sending APDUs to a smart card reader, and I'd be interested in adding more support for smart cards, hopefully up to being able to fetch a keyfile registered by VeraCrypt.

It's my first project with smart cards, so please feel free to correct me if I say anything wrong.
The way I'm thinking of doing it is by bypassing the need for a PKCS#11 interface and directly using ISO 7816-4 APDUs to login with a PIN entered by the user, and then fetching the keyfile from the card.

Maybe the VeraCrypt app could set the file ID corresponding to the keyfile it registered in the DCS config?

I'll try more things when I actually get a keycard, though!

Support for Visual Studio 2017 Toolset

I created PR #12 that adds support for building DCS package with Visual Studio 2017 toolset. This blindly copies the existing definitions for VS2010 and VS2015, however it becomes a bit messy. I think it could be simplified by using the wildcards, so eg. the following lines

RELEASE_VS2010x86_X64_CC_FLAGS    =  /D_UEFI
DEBUG_VS2010x86_X64_CC_FLAGS    = /D_UEFI
NOOPT_VS2010x86_X64_CC_FLAGS    = /D_UEFI

RELEASE_VS2015x86_X64_CC_FLAGS    =  /D_UEFI
DEBUG_VS2015x86_X64_CC_FLAGS    = /D_UEFI
NOOPT_VS2015x86_X64_CC_FLAGS    = /D_UEFI

RELEASE_VS2017_X64_CC_FLAGS    =  /D_UEFI
DEBUG_VS2017_X64_CC_FLAGS    = /D_UEFI
NOOPT_VS2017_X64_CC_FLAGS    = /D_UEFI

could be rewritten as

MSFT:*_*_X64_CC_FLAGS = /D_UEFI

Would you be interested if I further modify the INF files in this way?

How to boot VeraCrypt-DCS over pxe?

Is there any solution to boot the loader from the network (PXE)?
I've got grub2 over PXE, any ideas?
In case it's impossible, how can I build a bootable UEFI ISO with DCS?

Hide progress for PIM like for password

Hello,
I am using the EFI boot and wanted to hide the presence of veracrypt.
I changed the PasswordMsg, AuthStartMsg, AuthErrorMsg and PimMsg
Also changed the AuthorizeProgress to hide the "*" when the password is entered, but cannot do the same for entering the PIM; the asterisks are still showing.
Is there a property like PimProgress to hide it please?
Thank you

When typing on the graphical keyboard (circles) only mark the circle for the last key

I'm reporting this from having used the arrow key navigation (touch "simulation") to enter a password, since actual touch interaction doesn't work (reported separately).

The problem is that if you're entering a long phrase, and the keys are not in a standard keyboard layout (as they are not by default), then you're not going to be able to find the key to press if it's repeated in your password, because the circles are filled up as you type, and the letters are shown inside the circles. So, to avoid this problem, you should only keep the last circle touched filled (since you need some visual feedback as you go).

A workaround from the user side would be to supply a background bmp that has letters in it outside the circles, but that would defeat the feature you have that allows the letters/layout to be supplied as configuration in DcsProp, and it would be a lot of work to build such a bmp.

This could be solved in other ways as well, such as by just making the circle thicker, but not completely filled so it no longer obfuscates the letter inside the circle when touched. However, thinking more about this, I'm not sure of the point of keeping all the keys typed marked, since it doesn't really help you enter your password due to the possibility of repeated symbols.

Error in Tpm20.c when compiling with VS2017

When I'm building DcsTpmLib under VS2017 (#13), I get the following error in Tpm20.c:

d:\shared\edk2\DcsPkg\Library\DcsTpmLib\Tpm20.c(544): error C2220: warning treated as error - no 'object' file generated
d:\shared\edk2\DcsPkg\Library\DcsTpmLib\Tpm20.c(544): warning C4459: declaration of 'gCELine' hides global declaration
d:\shared\edk2\DcsPkg\Include\Library/CommonLib.h(30): note: see declaration of 'gCELine'

I can see no re-declaration of the gCELine variable here.

Even if I look at the preprocessed output, I can't see what's going on. The same CE macro a few lines above causes no problem.

I'm tempted to simply disable the warning, but I would like to know what's really going on. Can anybody share a hint?

Summary of Suggestions/Experience for Touch Screen Login

I found that the touch screen not working for me on the Vivobook 14 was a hardware/firmware issue. Even with the latest firmware, it's not able to see the touch screen inside a UEFI app unless it's launched through the UEFI bootloader menu by pressing ESC. If I launch through the on-screen boot menu, then the VeraCrypt DCS app (and also any other app) is then able to see the touch screen.

However, I still have some suggestions for changes to the VeraCrypt DCS bootloader app, which is why I've created this issue. This can serve as a summary of my suggestions and I will attempt to close the other two. I've made most of these locally in the UDK2015 build environment required for VeraCrypt DCS and deployed the updated app locally to my laptop:

  • Not everyone has a custom "password picture" on which the various touch circles have special meaning based on their location against the background picture. If you're using just the standard login.bmp VeraCrypt background, then you're going to need to see the letters for each touch circle to know where to touch. Therefore, "hide password" should really have different behavior depending on whether you have a custom picture or not. There should be a separate "showKeynames" config option that draws the letters on each touch circle but does not show the password letters at the top of the screen. Then at least you know what keys to press but if someone glances at the screen for a second, they won't see your password.
  • When hiding the password at the top by showing blocks instead of letters, you should show the length of the password right below it. When blocks are being shown it's difficult to know what you've typed so showing the current password length helps a lot.
  • Instead of leaving all the touch circles that you've used in the password marked, only the last one touched should show a mark. The previous one should be restored to how it looked before (showing the letter if "showKeynames" is true). This helps in two ways. First, if someone glances at your screen, they won't see all the locations/letters you've used in your password, just the current one. Second, if your password uses the same letter more than once, you won't be able to find it easily if it's left marked. This approach solves that. A corner case here is if the same letter is used twice in a row. For this, I suggest toggling the mark between green and red to give positive feedback that the touch has triggered. This is not as critical as the main fix, and having double letters is probably not that common, but it ensures that all passwords can be entered easily without making mistakes.
  • Can you explain your motivation in the different layouts of characters on the touch circles? I see in the committed code that there is one random-like ordering, and then a more conventional ordering A-Z, a-z, 0-9. Is this to make it difficult to tell what keys are being touched from a distance?

Font size for password prompt on UEFI bootloader is very small

Hi,

The password prompt of the UEFI bootloader uses a very small font size.

It is already small on displays with a large/standard pixel pitch (i.e. low DPI/PPI).

But on small displays and/or displays with a high resolution, i.e. with a low pixel pitch (i.e. high DPI/PPI), the text becomes very tiny.

Is there any chance this could be fixed?

Or is the font/size caused by the UEFI firmware itself?

Regards

VCCONFIG_ALLOC

DscVeraCrypt.c

#define VCCONFIG_ALLOC(data, size) \
	if(data == NULL) MEM_FREE(data); \
	data = MEM_ALLOC(size);

What's the point of calling MEM_FREE on NULL?
The code looks to me as if the intention was to do
if(data != NULL) MEM_FREE(data);
i.e. to free the data if there was any...

The way it is, when called with non-null data you will end up with a memory leak.
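An added example, not code from the project: the macro as quoted and the intended variant side by side, each wrapped in do/while so it behaves as a single statement, with a counting allocator standing in for MEM_ALLOC/MEM_FREE so the leak is measurable rather than argued about.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Counting allocator standing in for the DCS MEM_ALLOC/MEM_FREE macros,
 * so that outstanding buffers can be measured instead of guessed at. */
static int live_allocations = 0;

static void *counting_alloc(size_t n)
{
    void *p = malloc(n);
    if (p) live_allocations++;
    return p;
}

static void counting_free(void *p)
{
    if (p) live_allocations--;   /* free(NULL) is a no-op; nothing to count */
    free(p);
}

#define MEM_ALLOC(size) counting_alloc(size)
#define MEM_FREE(p)     counting_free(p)

/* Macro as quoted in the report: the condition is inverted, so the old
 * buffer is "freed" only when there is none, and a live one is orphaned. */
#define VCCONFIG_ALLOC_REPORTED(data, size) \
    do { if ((data) == NULL) MEM_FREE(data); (data) = MEM_ALLOC(size); } while (0)

/* Intended behaviour: release any previous buffer before allocating anew. */
#define VCCONFIG_ALLOC_FIXED(data, size) \
    do { if ((data) != NULL) MEM_FREE(data); (data) = MEM_ALLOC(size); } while (0)

/* Simulate re-reading a configuration 'rounds' times (each read allocates a
 * fresh buffer through the macro), then release the final buffer and report
 * how many allocations are still outstanding. Zero means no leak. */
int leaked_after_reported(int rounds)
{
    uint8_t *buf = NULL;
    live_allocations = 0;
    for (int i = 0; i < rounds; i++)
        VCCONFIG_ALLOC_REPORTED(buf, 64);
    MEM_FREE(buf);
    return live_allocations;
}

int leaked_after_fixed(int rounds)
{
    uint8_t *buf = NULL;
    live_allocations = 0;
    for (int i = 0; i < rounds; i++)
        VCCONFIG_ALLOC_FIXED(buf, 64);
    MEM_FREE(buf);
    return live_allocations;
}

int main(void)
{
    printf("reported macro, 5 reloads: %d buffers leaked\n", leaked_after_reported(5));
    printf("fixed macro,    5 reloads: %d buffers leaked\n", leaked_after_fixed(5));
    return 0;
}
```

Every reload after the first orphans one buffer with the quoted macro; with the corrected condition the previous buffer is freed first and nothing is left outstanding. In a pre-boot environment with no process teardown, such orphans persist until the next reset.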

sb_set_siglists.ps1 list of Lenovo certificate names different from dumpEfiVars.exe

The dumpEfiVars.exe (obtained from https://www.veracrypt.fr/downloads/tools/dumpEfiVars.exe) dumps manufacturer certificates named:

  • Lenovo UEFI CA 2014.der
  • ThinkPad Product CA 2012.der

And in \siglists there are:

  • dbx_SigList.bin
  • db_SigList.bin
  • KEK_SigList.bin
  • PK_SigList.bin

References to these files are not listed in sb_set_siglists.ps1. Could I just add them as new lines/change the existing lines? Note the files at \siglists do not have any files with names referencing the manufacturer.

Edit: I just realized the idea is to cross-reference the output of dumpEfiVars.exe to the siglists on the VeraCrypt-DCS. So, in this case the correct lines to uncomment would be:

# Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath $scriptPath\siglists\Lenovo_ThinkPad_Product_CA_2012-06-29_SigList.bin -SignedFilePath $scriptPath\siglists\Lenovo_ThinkPad_Product_CA_2012-06-29_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true
# Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath $scriptPath\siglists\Lenovo_UEFI_CA_2014-01-24_SigList.bin -SignedFilePath $scriptPath\siglists\Lenovo_UEFI_CA_2014-01-24_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true

And as a last issue that is not totally clear, if I am using VeraCrypt 1.23-BETA2, do I still need to manually compile VeraCrypt-DCS or can I just use the boot loader included in the stock VeraCrypt 1.23-BETA2?
The readme.txt at https://github.com/veracrypt/VeraCrypt/tree/master/src/Boot/EFI would indicate that compilation is needed.

If compilation is required, perhaps this should be listed in the readme.txt for VeraCrypt-DCS also somewhere?
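The *_SigList.bin files are raw EFI_SIGNATURE_LIST records, and cross-referencing them against what dumpEfiVars.exe reports means walking that structure. The walker below is an added example, not VeraCrypt-DCS code: it builds a constructed two-list blob (a made-up SignatureOwner, a fake certificate body and two fake hashes), counts entries per list type, and rejects any blob whose size fields do not fit the data it actually has, which is the check to keep whenever the input is a firmware variable or a file you did not produce yourself.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EFI_SIGNATURE_LIST header (UEFI spec): SignatureType GUID (16 bytes),
 * SignatureListSize, SignatureHeaderSize, SignatureSize (three UINT32,
 * little-endian), then the optional header, then SignatureSize-byte
 * EFI_SIGNATURE_DATA entries, each starting with a 16-byte SignatureOwner. */
#define SIGLIST_HDR    28u
#define SIGDATA_OWNER  16u

/* EFI_CERT_X509_GUID a5c059a1-94e4-4aa7-87b5-ab155c2bf072 and
 * EFI_CERT_SHA256_GUID c1c41626-504c-4092-aca9-41f936934328 in on-disk
 * byte order (first three fields little-endian, last eight bytes as-is). */
static const uint8_t X509_TYPE[16]   = {0xa1,0x59,0xc0,0xa5,0xe4,0x94,0xa7,0x4a,0x87,0xb5,0xab,0x15,0x5c,0x2b,0xf0,0x72};
static const uint8_t SHA256_TYPE[16] = {0x26,0x16,0xc4,0xc1,0x4c,0x50,0x92,0x40,0xac,0xa9,0x41,0xf9,0x36,0x93,0x43,0x28};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

typedef struct { int lists; int x509_lists; int sha256_lists; int entries; } siglist_summary;

/* Walk a blob of concatenated EFI_SIGNATURE_LISTs. Every size field is
 * checked against the remaining length before it is trusted, so a truncated
 * or tampered blob yields -1 instead of an out-of-bounds read. */
int walk_siglists(const uint8_t *blob, size_t len, siglist_summary *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);
    while (off < len) {
        if (len - off < SIGLIST_HDR) return -1;
        const uint8_t *hdr = blob + off;
        uint32_t list_size = rd32(hdr + 16);
        uint32_t hdr_size  = rd32(hdr + 20);
        uint32_t sig_size  = rd32(hdr + 24);
        if (list_size < SIGLIST_HDR || list_size > len - off) return -1;
        if (hdr_size > list_size - SIGLIST_HDR) return -1;
        uint32_t body = list_size - SIGLIST_HDR - hdr_size;
        if (sig_size <= SIGDATA_OWNER || body % sig_size != 0) return -1;
        out->lists++;
        if (memcmp(hdr, X509_TYPE, 16) == 0)   out->x509_lists++;
        if (memcmp(hdr, SHA256_TYPE, 16) == 0) out->sha256_lists++;
        out->entries += (int)(body / sig_size);
        off += list_size;
    }
    return 0;
}

/* Build a constructed sample db: one X509 list carrying a single fake 8-byte
 * "certificate" and one SHA-256 list carrying two 32-byte hashes. The owner
 * GUID is made up. Returns the blob length, or 0 if buf is too small. */
size_t build_sample_db(uint8_t *buf, size_t cap)
{
    uint8_t owner[16];
    const uint32_t cert_len = 8;
    const uint32_t sig1 = SIGDATA_OWNER + cert_len, list1 = SIGLIST_HDR + sig1;
    const uint32_t sig2 = SIGDATA_OWNER + 32,       list2 = SIGLIST_HDR + 2 * sig2;
    size_t off = 0;
    if (cap < list1 + list2) return 0;
    memset(owner, 0x11, sizeof owner);

    memcpy(buf + off, X509_TYPE, 16);
    wr32(buf + off + 16, list1); wr32(buf + off + 20, 0); wr32(buf + off + 24, sig1);
    off += SIGLIST_HDR;
    memcpy(buf + off, owner, 16); memset(buf + off + 16, 0x30, cert_len);
    off += sig1;

    memcpy(buf + off, SHA256_TYPE, 16);
    wr32(buf + off + 16, list2); wr32(buf + off + 20, 0); wr32(buf + off + 24, sig2);
    off += SIGLIST_HDR;
    for (int i = 0; i < 2; i++) {
        memcpy(buf + off, owner, 16); memset(buf + off + 16, 0xa0 + i, 32);
        off += sig2;
    }
    return off;
}

int main(void)
{
    uint8_t blob[256];
    siglist_summary s;
    size_t n = build_sample_db(blob, sizeof blob);
    if (walk_siglists(blob, n, &s) == 0)
        printf("%d lists (%d X509, %d SHA-256), %d entries in %zu bytes\n",
               s.lists, s.x509_lists, s.sha256_lists, s.entries, n);
    printf("truncated by one byte: %s\n",
           walk_siglists(blob, n - 1, &s) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Pointing walk_siglists at a real db_SigList.bin gives the list and entry counts to compare with the certificate files dumpEfiVars.exe writes; the X509 entries are DER certificates, so the subject names dumpEfiVars shows come from the certificate bodies, not from the owner GUID.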

Interferes with nVidia Optimus when CSM is disabled

On a ThinkPad T430 (2342-CTO) with Nvidia Optimus (an NVIDIA NVS 5400M paired with an Intel HD4000) running Windows 10, booting in UEFI mode with Compatibility Support Module disabled using the VeraCrypt boot loader causes the NVIDIA NVS 5400M to stop working with device status "Windows has stopped this device because it has reported problems. (Code 43)" in Device Manager. Switching back to the Windows boot loader (by disabling "Encrypt System Partition/Drive") resolves the error and restores functionality.

After some experimentation, I can confirm that this only occurs when configured to boot in UEFI mode with CSM disabled. If CSM is enabled, or when booting in Legacy/BIOS mode, the error does not occur. It also does not occur when the pre-boot configuration is set to "Discrete Graphics" (which only exposes the NVIDIA NVS 5400M to the OS). I can also confirm that the error occurs with both VeraCrypt Boot Loader 1.23 (from 1.23-Hotfix-2) and 1.18 (from 1.18a).

Let me know if there is anything I can do to help isolate or fix the issue.

Thanks,
Kevin

P.S. It appears this issue was also reported on the forums on a W530 by vondatuh.

Some initial log errors when running sb_set_siglists.ps1

I just wanted to note that I followed the VeraCrypt-DCS/SecureBoot/readme.txt and can confirm that this works (that is, on my system and now having Secure Boot Enabled again). However, I did have some red console output errors before it sets the platform and key exchange key. I didn't log them, so I can't share them, but maybe someone else can tell me what that was about and if it could have had any significance to the signing process of the bootloader files or otherwise, any side effects that may occur.

Add valid certificates for secure boot - Dell Precision 3581 (Released 2023)

The dumpEfiVars.exe (obtained from https://www.veracrypt.fr/downloads/tools/dumpEfiVars.exe) dumps manufacturer certificates named:

  • Dell Bios DB Key.der
  • Dell Bios FW Aux Authority 2018.der
powershell -ExecutionPolicy Bypass -File sb_set_siglists.ps1
Setting KEK-signed content of dbx...
Set-SecureBootUEFI : Incorrect authentication data: 0xC0000022
At C:\Users\admin\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:18 char:1
+ Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath $scrip ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
    + FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand

Setting KEK-signed DCS cert in db...
Set-SecureBootUEFI : Incorrect authentication data: 0xC0000022
At C:\Users\admin\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:21 char:1
+ Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath $scrip ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
    + FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand

Setting KEK-signed MS cert in db...
Set-SecureBootUEFI : Incorrect authentication data: 0xC0000022
At C:\Users\admin\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:24 char:1
+ Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath $scrip ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
    + FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand

Setting KEK-signed MS UEFI cert in db...
Set-SecureBootUEFI : Incorrect authentication data: 0xC0000022
At C:\Users\admin\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:27 char:1
+ Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath $scrip ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
    + FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand

Set-SecureBootUEFI : Incorrect authentication data: 0xC0000022
At C:\Users\admin\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:54 char:1
+ Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath $scrip ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
    + FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand

Set-SecureBootUEFI : Incorrect authentication data: 0xC0000022
At C:\Users\admin\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:55 char:1
+ Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath $scrip ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
    + FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand

Setting PK-signed KEK...
Set-SecureBootUEFI : Incorrect authentication data: 0xC0000022
At C:\Users\admin\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:97 char:1
+ Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath $scrip ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
    + FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand

Setting self-signed PK...
Set-SecureBootUEFI : Incorrect authentication data: 0xC0000022
At C:\Users\admin\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:100 char:1
+ Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath $scrip ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
    + FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand

Dell-Precision-3581.zip

Building VeraCrypt Dcs

When I run setenv.bat, the command says to me: PYTHONHOME not found!
Attached, and Python is installed on my system.
Screenshot 2023-08-18 211549

External keyboard attached to USB-C monitor docked to MS Surface Pro 7 tablet not recognized for UEFI password prompt

Hi,

Configuration:

  • MS Surface Pro 7 tablet (with latest firmware) docked to Dell P2419HC USB-C monitor (with latest firmware) using USB-C cable for power+video+data.
  • External USB keyboard and mouse connected to built-in USB hub of Dell P2419HC monitor.

Observation:

  • USB Keyboard and mouse are working fine in UEFI firmware settings (where boot order etc. can be configured).
  • USB Keyboard does not work in the VeraCrypt UEFI bootloader password prompt.

Workaround:

  • Since the MS Surface Pro 7 has a touchscreen, it's possible to enter the password on the VeraCrypt UEFI bootloader using the on-screen touch-keyboard 👍 .
  • The detachable external physical MS Surface Type Cover attached via the magnetic connector also works on the VeraCrypt UEFI bootloader password prompt (but the external USB keyboard connected to the USB-C monitor's built-in hub does not).

Is this expected to not work or can it be fixed?

Regards

Strange behavior after updating Windows 10

Hi,

I encountered a strange behavior regarding my hard drive encrypted with VeraCrypt.

First of all, please let me explain the situation: I have one internal SSD with Windows 10 encrypted with VeraCrypt, and another unencrypted external SSD with Windows 10 on it. After upgrading Windows 10 on my unencrypted SSD, I rebooted and chose to use my encrypted SSD. The VeraCrypt prompt appeared as normal (with "password OK"), but afterwards I got a BSOD with the message "Unable to boot error: 0x000000F".

I tried to decrypt the partition from my external SSD, using the VeraCrypt tool on the encrypted SSD, but VeraCrypt does not seem to recognize the encryption.

After that, I tried to use the VeraCrypt rescue disk, but I made a big mistake with it: I wanted to repair the bootloader from the rescue disk prompt (option "m"), but I chose the MBR of the rescue disk itself. As such, my rescue disk is not working anymore.

Do you have any clue regarding this particular situation?

EDIT: I was able to boot from my VeraCrypt rescue disk again. I tried many restoration options, and even a decrypt process (which took 2 hours, with a final message: "Decrypt ok"). However, it seems that I still could not boot into Windows; instead, a new error message is displayed: "Error 0x000000e".

Thanks,

Douliah

Add valid certificates for secure boot - instruction doesn't work

Hi guys,

I am trying to follow these steps:

  1. Enter BIOS configuration
  2. Switch Secure Boot to setup mode (or custom mode). This deletes the PK (platform certificate) and allows the DCS platform key to be loaded.
  3. Boot Windows
  4. Execute from an admin command prompt:
    powershell -File sb_set_siglists.ps1

What I got after the script ran:

PS C:\Users\*****\Downloads\VeraCrypt-DCS-master\SecureBoot> powershell -File sb_set_siglists.ps1
Set-SecureBootUEFI : Неправильные данные проверки подлинности: 0xC0000022
C:\Users\*****\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:4 знак:1
+ Set-SecureBootUEFI -Name PK -Time 2015-09-11 -Content $null
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
    + FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand

Set-SecureBootUEFI : Неправильные данные проверки подлинности: 0xC0000022
C:\Users\*****\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:5 знак:1
+ Set-SecureBootUEFI -Name KEK -Time 2015-09-11 -Content $null
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
    + FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand

Set-SecureBootUEFI : Неправильные данные проверки подлинности: 0xC0000022
C:\Users\*****\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:6 знак:1
+ Set-SecureBootUEFI -Name db -Time 2015-09-11 -Content $null
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
    + FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand

Set-SecureBootUEFI : Неправильные данные проверки подлинности: 0xC0000022
C:\Users\*****\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:7 знак:1
+ Set-SecureBootUEFI -Name dbx -Time 2015-09-11 -Content $null
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
    + FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand

Setting self-signed PK...
Set-SecureBootUEFI : Неправильные данные проверки подлинности: 0xC0000022
C:\Users\*****\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:10 знак:1
+ Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglis ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
    + FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand

Setting PK-signed KEK...
Set-SecureBootUEFI : Неправильные данные проверки подлинности: 0xC0000022
C:\Users\*****\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:13 знак:1
+ Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglis ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
    + FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand

Setting KEK-signed DCS cert in db...
Set-SecureBootUEFI : Неправильные данные проверки подлинности: 0xC0000022
C:\Users\*****\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:16 знак:1
+ Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglis ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
    + FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand

Setting KEK-signed MS cert in db...
Set-SecureBootUEFI : Неправильные данные проверки подлинности: 0xC0000022
C:\Users\*****\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:19 знак:1
+ Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglis ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
    + FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand

Setting KEK-signed MS UEFI cert in db...
Set-SecureBootUEFI : Неправильные данные проверки подлинности: 0xC0000022
C:\Users\*****\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:22 знак:1
+ Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglis ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
    + FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand
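The files that sb_set_siglists.ps1 hands to Set-SecureBootUEFI via -ContentFilePath are EFI_SIGNATURE_LIST blobs, the same format that Get-SecureBootUEFI -Name db returns in its Bytes property. What follows is an added example, not code from this issue or from the DCS project: a small host-side C parser that validates such a blob and summarizes what it holds, run over a constructed sample. The two type GUIDs are the standard UEFI values; the struct and function names, the sample's owner GUID and its payloads are made up for the example. A blob whose sizes do not add up is rejected, which is a cheap thing to check before enrolling a file and wondering why the firmware refused it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* EFI_SIGNATURE_LIST (UEFI spec): 16-byte SignatureType GUID, then little-endian
 * UINT32s SignatureListSize, SignatureHeaderSize, SignatureSize. After the optional
 * header come entries of SignatureSize bytes: 16-byte SignatureOwner GUID + data. */
#define SIGLIST_HDR_SIZE 28u
#define SIG_OWNER_SIZE   16u

/* Standard UEFI type GUIDs in on-disk byte order. */
static const uint8_t EFI_CERT_X509_GUID[16] = {   /* a5c059a1-94e4-4aa7-87b5-ab155c2bf072 */
    0xa1,0x59,0xc0,0xa5, 0xe4,0x94, 0xa7,0x4a, 0x87,0xb5,0xab,0x15,0x5c,0x2b,0xf0,0x72 };
static const uint8_t EFI_CERT_SHA256_GUID[16] = { /* c1c41626-504c-4092-aca9-41f936934328 */
    0x26,0x16,0xc4,0xc1, 0x4c,0x50, 0x92,0x40, 0xac,0xa9,0x41,0xf9,0x36,0x93,0x43,0x28 };

typedef struct {
    unsigned lists;          /* EFI_SIGNATURE_LIST structures found */
    unsigned entries;        /* EFI_SIGNATURE_DATA entries across all lists */
    unsigned x509_entries;   /* entries in EFI_CERT_X509_GUID lists */
    unsigned sha256_entries; /* entries in EFI_CERT_SHA256_GUID lists */
} siglist_summary_t;

/* Byte-wise little-endian access, so unaligned blobs are fine. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk a PK/KEK/db blob. Returns 0 and fills *out, or -1 if any list is
 * truncated or its sizes are inconsistent. */
int parse_siglists(const uint8_t *blob, size_t len, siglist_summary_t *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);
    while (off < len) {
        const uint8_t *hdr = blob + off;
        uint32_t list_size, hdr_size, sig_size, body, n;
        if (len - off < SIGLIST_HDR_SIZE) return -1;           /* header cut off */
        list_size = rd32(hdr + 16);
        hdr_size  = rd32(hdr + 20);
        sig_size  = rd32(hdr + 24);
        if (list_size < SIGLIST_HDR_SIZE || list_size > len - off) return -1;
        if (hdr_size > list_size - SIGLIST_HDR_SIZE) return -1;
        body = list_size - SIGLIST_HDR_SIZE - hdr_size;
        if (sig_size <= SIG_OWNER_SIZE || body % sig_size != 0) return -1;
        n = body / sig_size;
        out->lists++;
        out->entries += n;
        if (memcmp(hdr, EFI_CERT_X509_GUID, 16) == 0) {
            out->x509_entries += n;
        } else if (memcmp(hdr, EFI_CERT_SHA256_GUID, 16) == 0) {
            if (sig_size != SIG_OWNER_SIZE + 32) return -1;    /* a SHA-256 is 32 bytes */
            out->sha256_entries += n;
        }
        off += list_size;
    }
    return 0;
}

/* Append one list of `count` entries carrying `payload_len` bytes of `fill`.
 * Owner GUID and payload are constructed placeholders, not real data. */
static size_t put_list(uint8_t *buf, size_t len, const uint8_t type[16],
                       unsigned count, uint32_t payload_len, uint8_t fill)
{
    uint32_t sig_size  = SIG_OWNER_SIZE + payload_len;
    uint32_t list_size = SIGLIST_HDR_SIZE + count * sig_size;
    uint8_t *p = buf + len;
    unsigned i;
    memcpy(p, type, 16);
    wr32(p + 16, list_size);
    wr32(p + 20, 0);                                  /* no SignatureHeader */
    wr32(p + 24, sig_size);
    p += SIGLIST_HDR_SIZE;
    for (i = 0; i < count; i++, p += sig_size) {
        memset(p, 0x11, SIG_OWNER_SIZE);               /* constructed SignatureOwner */
        memset(p + SIG_OWNER_SIZE, fill, payload_len); /* constructed payload */
    }
    return len + list_size;
}

/* Constructed sample db: one X.509 list with a 40-byte stand-in certificate and
 * one SHA-256 list with two hashes; 208 bytes in total. */
size_t build_sample_db(uint8_t *buf)
{
    size_t len = put_list(buf, 0, EFI_CERT_X509_GUID, 1, 40, 0x30);
    return put_list(buf, len, EFI_CERT_SHA256_GUID, 2, 32, 0xab);
}

/* Parse the sample after dropping `truncate` trailing bytes (0 = intact). */
int parse_sample(size_t truncate, siglist_summary_t *out)
{
    uint8_t buf[256];
    size_t len = build_sample_db(buf);
    if (truncate > len) return -1;
    return parse_siglists(buf, len - truncate, out);
}
```

parse_sample(0, &s) reports two lists and three entries (one X.509, two SHA-256); the same blob minus its last byte is rejected because the second list's SignatureListSize no longer fits. To inspect a real file, read it into a buffer and call parse_siglists() on it.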

Feature Request: Option to remove or adjust 100 ms delay between accepted keystrokes for boot password

Rationale

When using a hardware password manager such as the OnlyKey, the default typing speed is too fast to enter the VeraCrypt bootloader password successfully. The 100 ms debounce delay intended for human keyboard entry causes the OnlyKey to miss some of the characters.

In addition, the 100 ms debounce delay seems to include the time between pressing shift and pressing another key. This means you can't use a VeraCrypt boot password with capital letters or symbols when entering it with the OnlyKey.

Workaround

  • The OnlyKey typing speed can be slowed down to 6 out of 10, which puts more than 100 ms between each keystroke. However, a long password can take up to 6 seconds to be keyed in this way. In addition, as the OnlyKey only has a global typing speed setting, this then affects all other uses of the OnlyKey as well. So this isn't a very good solution.
  • In addition, you must choose a VeraCrypt password that includes only numbers and lowercase letters.

Forum Threads Referencing This Issue

https://sourceforge.net/p/veracrypt/discussion/general/thread/4d99b60aa6/
https://sourceforge.net/p/veracrypt/discussion/general/thread/6ecab98a30/

Thanks ever so much! I'm happy to test anything with the OnlyKey.
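To make the reported behaviour concrete, here is an added example, not DCS code and not from this issue's author: a small C model of a keystroke debounce, fed with the event stream a hardware password manager would produce at a fixed typing interval. Everything in it is hypothetical: the filter, the names, the sample password and the 30 ms lead of a Shift press before the key it modifies. With a 100 ms gap, a 14-character password sent at 40 ms per key reaches the prompt as 5 characters; a smaller gap lets it through, and a filter that restarts its timer on a Shift press drops the letter that follows it, which matches what the author sees with capital letters.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One event as the prompt sees it: arrival time, the character it produces,
 * and whether it is a bare modifier (Shift) that produces no character. */
typedef struct { uint32_t t_ms; char ch; int is_modifier; } keystroke_t;

/* Hypothetical debounce loop (not DCS's input code): an event is kept only if
 * at least min_gap_ms elapsed since the last event that was kept. With
 * modifiers_reset_timer set, a Shift press also restarts that timer. Accepted
 * characters go to out (NUL-terminated); out_cap must exceed the input length. */
size_t debounce_filter(const keystroke_t *in, size_t n, uint32_t min_gap_ms,
                       int modifiers_reset_timer, char *out, size_t out_cap)
{
    size_t kept = 0;
    uint32_t last = 0;
    int have_last = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i].is_modifier && !modifiers_reset_timer) continue;  /* invisible to filter */
        if (have_last && in[i].t_ms - last < min_gap_ms) continue;  /* too soon: lost */
        last = in[i].t_ms;
        have_last = 1;
        if (!in[i].is_modifier && kept + 1 < out_cap) out[kept++] = in[i].ch;
    }
    out[kept] = '\0';
    return kept;
}

/* Build the event stream for pw typed at a constant interval, as a hardware
 * password manager sends it. Each upper-case letter is preceded by a Shift
 * event shift_lead_ms earlier. Returns the number of events. */
size_t build_stream(const char *pw, uint32_t interval_ms, uint32_t shift_lead_ms,
                    keystroke_t *ks, size_t cap)
{
    size_t n = 0;
    uint32_t t = shift_lead_ms;          /* leave room for a Shift before the first key */
    for (const char *p = pw; *p && n < cap; p++, t += interval_ms) {
        if (*p >= 'A' && *p <= 'Z') {
            ks[n].t_ms = t - shift_lead_ms; ks[n].ch = 0; ks[n].is_modifier = 1;
            if (++n == cap) break;
        }
        ks[n].t_ms = t; ks[n].ch = *p; ks[n].is_modifier = 0;
        n++;
    }
    return n;
}

/* Type pw through the filter and return how many characters reach the prompt;
 * the surviving string is left in out. */
size_t chars_reaching_prompt(const char *pw, uint32_t interval_ms, uint32_t shift_lead_ms,
                             uint32_t min_gap_ms, int modifiers_reset_timer,
                             char *out, size_t out_cap)
{
    keystroke_t ks[256];
    size_t n = build_stream(pw, interval_ms, shift_lead_ms, ks, 256);
    return debounce_filter(ks, n, min_gap_ms, modifiers_reset_timer, out, out_cap);
}

int main(void)
{
    char out[128];
    const char *pw = "hunter2hunter2";                 /* constructed sample password */
    size_t k = chars_reaching_prompt(pw, 40, 0, 100, 0, out, sizeof out);
    printf("40 ms/key, 100 ms debounce: %zu of %zu chars arrive -> \"%s\"\n", k, strlen(pw), out);
    k = chars_reaching_prompt(pw, 40, 0, 20, 0, out, sizeof out);
    printf("40 ms/key,  20 ms debounce: %zu chars arrive -> \"%s\"\n", k, out);
    chars_reaching_prompt("Abc", 100, 30, 100, 1, out, sizeof out);
    printf("Shift restarts the timer:   \"Abc\" arrives as \"%s\"\n", out);
    return 0;
}
```

The model also shows why slowing the OnlyKey to just above the gap works: at 100 ms per key every event is exactly min_gap_ms after the previous kept one and passes. Whether DCS treats a Shift press as an event of its own is an assumption of this model, not something established from its source.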

Building VeraCrypt-DCS using the Visual Studio 2015 toolset?

I'm trying to build VeraCrypt-DCS using the Visual Studio 2015 toolset.
I'm facing the issues below; is it because of the Visual Studio 2015 toolset version?
Is there any documentation on building with Visual Studio 2015?
I followed the documentation below to build it, but it looks a bit old.
(https://github.com/veracrypt/VeraCrypt/blob/master/src/Boot/EFI/Readme.txt)

-----ISSUE-----

Tpm12.c
Microsoft (R) Incremental Linker Version 14.00.24225.1
Copyright (C) Microsoft Corporation. All rights reserved.

/out:Tpm12.exe
c:\edk2\Build\DcsPkg\RELEASE_VS2015x86\X64\DcsPkg\Library\DcsTpmLib\DcsTpmLib\OUTPUT.\Tpm12.obj
LINK : fatal error LNK1561: entry point must be defined
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio 14.0\Vc\bin\x86_amd64\cl.exe"' : return code '0x2'
Stop.

----ISSUE----

Thank you.

void HaltPrint(const CHAR16* Msg) should also clear the bootParams

void HaltPrint(const CHAR16* Msg)
It's triggered when something goes terribly wrong with the disk hook,
so it's the last thing that happens, and it triggers CleanSensitiveData(). So far so good, but what about the bootParams? They contain sensitive data too and are not being cleared.
So the call should also MEM_BURN the bootParams variable.
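An added example, not DCS code: host-side C contrasting a halt path that burns only the secure region, as the issue describes the current behaviour, with one that also burns the boot-parameter block. The struct, its field names and the sample contents are made up for the illustration; mem_burn() plays the role of a MEM_BURN-style macro by writing through a volatile pointer, so the optimizer cannot discard the wipe as a dead store just because the function is about to halt.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative boot-parameter block. Names and layout are invented for this
 * example; this is not the DCS bootParams structure. */
typedef struct {
    char     password[64];    /* passphrase as typed at the prompt */
    uint8_t  header_key[64];  /* key material derived from it */
    uint64_t hidden_offset;   /* geometry: not a key, but still reveals configuration */
} boot_params_t;

/* Burn a region through a volatile pointer. A plain memset() immediately before
 * a halt or return may be dead-store-eliminated; volatile writes may not. */
void mem_burn(void *p, size_t n)
{
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Returns 1 if any byte in the region is non-zero. */
int region_has_data(const void *p, size_t n)
{
    const uint8_t *b = (const uint8_t *)p;
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= b[i];
    return acc != 0;
}

/* Halt path as the issue describes it today: only the secure region is burned. */
void halt_print_partial(const char *msg, uint8_t *sec, size_t sec_len, boot_params_t *bp)
{
    (void)bp;                              /* bootParams left untouched: the gap */
    mem_burn(sec, sec_len);
    fprintf(stderr, "%s\n", msg);
}

/* Halt path as requested: every region that held secrets is burned first. */
void halt_print_full(const char *msg, uint8_t *sec, size_t sec_len, boot_params_t *bp)
{
    mem_burn(sec, sec_len);
    mem_burn(bp, sizeof *bp);
    fprintf(stderr, "%s\n", msg);
}

/* Fill both regions with constructed sample data. */
static void populate(uint8_t *sec, size_t sec_len, boot_params_t *bp)
{
    memset(sec, 0x5a, sec_len);
    memset(bp, 0, sizeof *bp);
    strcpy(bp->password, "correct horse battery staple");   /* constructed */
    memset(bp->header_key, 0x42, sizeof bp->header_key);     /* constructed */
    bp->hidden_offset = 0x1000;
}

/* Run one halt path and report what survived as a bitmask:
 * bit 0 = bootParams still hold data, bit 1 = secure region still holds data. */
int secrets_surviving(int full_wipe)
{
    uint8_t sec[128];
    boot_params_t bp;
    populate(sec, sizeof sec, &bp);
    if (full_wipe) halt_print_full("disk hook failed", sec, sizeof sec, &bp);
    else           halt_print_partial("disk hook failed", sec, sizeof sec, &bp);
    return region_has_data(&bp, sizeof bp) | (region_has_data(sec, sizeof sec) << 1);
}

int main(void)
{
    printf("partial wipe: surviving mask = %d\n", secrets_surviving(0));
    printf("full wipe:    surviving mask = %d\n", secrets_surviving(1));
    return 0;
}
```

The partial path leaves the password and derived key readable in the boot-parameter block (mask 1); the full path leaves nothing (mask 0). In a real bootloader the same check is easier to make at the call site: every buffer that ever received the passphrase or keys should be on the list the halt routine burns.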
