veracrypt / veracrypt-dcs
VeraCrypt EFI Bootloader for EFI Windows system encryption (LGPL)
License: GNU Lesser General Public License v3.0
Hi guys,
I am trying to follow these steps:
- Enter BIOS configuration
- Switch Secure Boot to setup mode (or custom mode). It deletes the PK (platform certificate) and allows loading the DCS platform key.
- Boot Windows
- execute from admin command prompt
powershell -File sb_set_siglists.ps1
What I got after script is run:
PS C:\Users\*****\Downloads\VeraCrypt-DCS-master\SecureBoot> powershell -File sb_set_siglists.ps1
Set-SecureBootUEFI : Неправильные данные проверки подлинности: 0xC0000022
C:\Users\*****\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:4 знак:1
+ Set-SecureBootUEFI -Name PK -Time 2015-09-11 -Content $null
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
+ FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand
Set-SecureBootUEFI : Неправильные данные проверки подлинности: 0xC0000022
C:\Users\*****\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:5 знак:1
+ Set-SecureBootUEFI -Name KEK -Time 2015-09-11 -Content $null
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
+ FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand
Set-SecureBootUEFI : Неправильные данные проверки подлинности: 0xC0000022
C:\Users\*****\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:6 знак:1
+ Set-SecureBootUEFI -Name db -Time 2015-09-11 -Content $null
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
+ FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand
Set-SecureBootUEFI : Неправильные данные проверки подлинности: 0xC0000022
C:\Users\*****\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:7 знак:1
+ Set-SecureBootUEFI -Name dbx -Time 2015-09-11 -Content $null
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
+ FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand
Setting self-signed PK...
Set-SecureBootUEFI : Неправильные данные проверки подлинности: 0xC0000022
C:\Users\*****\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:10 знак:1
+ Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglis ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
+ FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand
Setting PK-signed KEK...
Set-SecureBootUEFI : Неправильные данные проверки подлинности: 0xC0000022
C:\Users\*****\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:13 знак:1
+ Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglis ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
+ FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand
Setting KEK-signed DCS cert in db...
Set-SecureBootUEFI : Неправильные данные проверки подлинности: 0xC0000022
C:\Users\*****\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:16 знак:1
+ Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglis ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
+ FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand
Setting KEK-signed MS cert in db...
Set-SecureBootUEFI : Неправильные данные проверки подлинности: 0xC0000022
C:\Users\*****\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:19 знак:1
+ Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglis ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
+ FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand
Setting KEK-signed MS UEFI cert in db...
Set-SecureBootUEFI : Неправильные данные проверки подлинности: 0xC0000022
C:\Users\*****\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:22 знак:1
+ Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglis ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
+ FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand
Hello,
I am using the EFI boot and wanted to hide the presence of veracrypt.
I changed the PasswordMsg, AuthStartMsg, AuthErrorMsg and PimMsg
Also changed the AuthorizeProgress to hide the "*" when the password is entered, but cannot do the same for entering the PIM; the asterisks are still showing.
Is there a property like PimProgress to hide it please?
Thank you
The dumpEfiVars.exe (obtained from https://www.veracrypt.fr/downloads/tools/dumpEfiVars.exe) dumps manufacturer certificates named:
Lenovo UEFI CA 2014.der
ThinkPad Product CA 2012.der
And in \siglists there are:
dbx_SigList.bin
db_SigList.bin
KEK_SigList.bin
PK_SigList.bin
References to these files are not listed in sb_set_siglists.ps1. Could I just add them as new lines/change the existing lines? Note the files at \siglists do not have any files with names referencing the manufacturer.
Edit: I just realized the idea is to cross-reference the output of dumpEfiVars.exe to the siglists on the VeraCrypt-DCS. So, in this case the correct lines to uncomment would be:
# Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath $scriptPath\siglists\Lenovo_ThinkPad_Product_CA_2012-06-29_SigList.bin -SignedFilePath $scriptPath\siglists\Lenovo_ThinkPad_Product_CA_2012-06-29_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true
# Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath $scriptPath\siglists\Lenovo_UEFI_CA_2014-01-24_SigList.bin -SignedFilePath $scriptPath\siglists\Lenovo_UEFI_CA_2014-01-24_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true
And as a last issue that is not totally clear, if I am using VeraCrypt 1.23-BETA2, do I still need to manually compile VeraCrypt-DCS or can I just use the boot loader included in the stock VeraCrypt 1.23-BETA2?
The readme.txt at https://github.com/veracrypt/VeraCrypt/tree/master/src/Boot/EFI would indicate that compilation is needed.
If compilation is required, perhaps this should also be listed somewhere in the readme.txt for VeraCrypt-DCS?
Hello. Sorry for opening a ticket, but after searching for days and trying at least 50 different configs, I've still not got it working, and I'm wondering whether it might be an actual bug.
Situation
I have an internal drive that is encrypted by VeraCrypt with standard system partition encryption. It's working absolutely fine so far. But I don't want to enter my password on every boot; rather I'd like to have an external drive that contains the bootloader and starts my encrypted system, just like the VeraCrypt bootloader that is present on the system disk would and is able to do.
What I've tried
I took the rescue image that was created during encryption and placed it on a USB drive. It can boot the minimal rescue shell fine, but completely ignores the DcsProp file and offers no option whatsoever to boot the existing system, presenting me only with options to decrypt it or reset to the original boot loader. Through a few dozen forum posts, I've found out that overriding \EFI\Boot\bootx64.efi with \EFI\VeraCrypt\DcsBoot.efi will actually start the boot loader instead of the rescue disk, and it seems to respect the DcsProp file placed on the USB drive. I was expecting the rescue disk to be able to boot the encrypted system as an option without replacing it manually with the boot loader, but nope. (Am I missing something here?)
Anyways, now that the boot loader is properly starting from USB... I still can't get it to work. I've tried various different variations of the DcsProp file, which I've included at the end of this issue. Depending on the configuration, I've gotten various responses from the bootloader:
postexec. What does that do anyway?
The possible bug
Please mind that albeit being a professional programmer, I've never really worked with C, so I might misunderstand parts of the code. But I think there might be a bug with the code that is figuring out the UUID of the partition to be booted from: https://github.com/veracrypt/VeraCrypt-DCS/blob/master/DcsBoot/DcsBoot.c#L193
The linked code seems to completely ignore any other drives that are present in the system. It will only try to find the partition UUID amongst the partitions of the bootloader file root's device, making it impossible to boot from a different drive than the one the bootloader is placed on.
I've dug a little deeper and found that EfiFindPartByGUID() (from https://github.com/veracrypt/VeraCrypt-DCS/blob/0342ec53dea13d16115fdb44ddc74724d82519c3/Library/CommonLib/EfiBio.c) should probably be called before the above-mentioned line, to find the correct device that the partition is placed on.
If that's not a bug, I don't really know where else to look. I think it's weird that the rescue disk offers no option to actually auto-login according to the DcsProp file that is placed on the same partition, and it missing should be considered a bug as well. IMHO a rescue disk should always be able to boot the system, not only restore it. And technically it is, it's just missing the option in the menu, it seems.
Edit: looking further into the code I've talked about, I don't think anymore that this exact line is buggy. Later on in the code it seems to try to figure out whether the partition is on a different device and then search accordingly. But what has to be a bug is the fact that the UUID that I specify is displayed incorrectly and randomly on each boot. It seems to me like this might be a pointer issue somewhere when reading the target UUID from DcsProp, or copying that afterwards.
Please help me get this fixed, as it's driving me crazy. I'd love to help with writing a bit of documentation about this part as soon as I've got it working.
Appendix A: My DcsProp file
The following is the config I've placed on the USB in \EFI\VeraCrypt\DcsProp (already existed with defaults). All private data is replaced by ***. I've tried both EFI partition and OS partition UUIDs in all combinations. The multiple ActionSuccess values are all variations I've tried.
<?xml version="1.0" encoding="utf-8"?>
<VeraCrypt>
<configuration>
<config key="PasswordType">0</config>
<config key="PasswordMsg">PW: </config>
<config key="Hash">***</config>
<config key="HashRqt">0</config>
<config key="PimMsg">PIM: </config>
<config key="Pim">***</config>
<config key="PimRqt">0</config>
<config key="AutoLogin">1</config>
<config key="AutoPassword">***</config>
<config key="AuthorizeVisible">0</config>
<config key="AuthorizeRetry">10</config>
<config key="DcsBmlLockFlags">0</config>
<config key="DcsBmlDriver">0</config>
<config key="PartitionGuidOS">***-***-***-***-***</config>
<config key="ActionSuccess">postexec guid(***-***-***-***-***) file(\EFI\Microsoft\Boot\bootmgfw_ms.vc)</config>
<!--<config key="ActionSuccess">postexec guid(***-***-***-***-***) file(EFI\Microsoft\Boot\bootmgfw_ms.vc)</config>
<config key="ActionSuccess">guid(***-***-***-***-***) file(\EFI\Microsoft\Boot\bootmgfw_ms.vc)</config>
<config key="ActionSuccess">guid(***-***-***-***-***) file(EFI\Microsoft\Boot\bootmgfw_ms.vc)</config>
<config key="ActionSuccess">postexec guid(***-***-***-***-***)</config>
<config key="ActionSuccess">guid(***-***-***-***-***)</config>-->
</configuration>
</VeraCrypt>
On a ThinkPad T430 (2342-CTO) with Nvidia Optimus (an NVIDIA NVS 5400M paired with an Intel HD4000) running Windows 10, booting in UEFI mode with Compatibility Support Module disabled using the VeraCrypt boot loader causes the NVIDIA NVS 5400M to stop working with device status "Windows has stopped this device because it has reported problems. (Code 43)" in Device Manager. Switching back to the Windows boot loader (by disabling "Encrypt System Partition/Drive") resolves the error and restores functionality.
After some experimentation, I can confirm that this only occurs when configured to boot in UEFI mode with CSM disabled. If CSM is enabled, or when booting in Legacy/BIOS mode, the error does not occur. It also does not occur when the pre-boot configuration is set to "Discrete Graphics" (which only exposes the NVIDIA NVS 5400M to the OS). I can also confirm that the error occurs with both VeraCrypt Boot Loader 1.23 (from 1.23-Hotfix-2) and 1.18 (from 1.18a).
Let me know if there is anything I can do to help isolate or fix the issue.
Thanks,
Kevin
P.S. It appears this issue was also reported on the forums on a W530 by vondatuh.
Hi,
The password prompt of the UEFI bootloader uses a very small font size.
It is already small on displays with a large/standard pixel pitch (i.e. low DPI/PPI).
But on small displays and/or displays with a high resolution, i.e. with a low pixel pitch (i.e. high DPI/PPI), the text becomes very tiny.
Is there any chance this could be fixed?
Or is the font/size caused by the UEFI firmware itself?
Regards
When I'm building DcsTpmLib under VS2017 (#13), I get the following error in Tpm20.c:
d:\shared\edk2\DcsPkg\Library\DcsTpmLib\Tpm20.c(544): error C2220: warning treated as error - no 'object' file generated
d:\shared\edk2\DcsPkg\Library\DcsTpmLib\Tpm20.c(544): warning C4459: declaration of 'gCELine' hides global declaration
d:\shared\edk2\DcsPkg\Include\Library/CommonLib.h(30): note: see declaration of 'gCELine'
I can see no re-declaration of the gCELine variable here.
Even if I look at the preprocessed output, I can't see what's going on. The same CE macro a few lines above causes no problem.
I'm tempted to simply disable the warning, but I would like to know what's really going on. Can anybody share a hint?
I created PR #12 that adds support for building DCS package with Visual Studio 2017 toolset. This blindly copies the existing definitions for VS2010 and VS2015, however it becomes a bit messy. I think it could be simplified by using the wildcards, so eg. the following lines
RELEASE_VS2010x86_X64_CC_FLAGS = /D_UEFI
DEBUG_VS2010x86_X64_CC_FLAGS = /D_UEFI
NOOPT_VS2010x86_X64_CC_FLAGS = /D_UEFI
RELEASE_VS2015x86_X64_CC_FLAGS = /D_UEFI
DEBUG_VS2015x86_X64_CC_FLAGS = /D_UEFI
NOOPT_VS2015x86_X64_CC_FLAGS = /D_UEFI
RELEASE_VS2017_X64_CC_FLAGS = /D_UEFI
DEBUG_VS2017_X64_CC_FLAGS = /D_UEFI
NOOPT_VS2017_X64_CC_FLAGS = /D_UEFI
could be rewritten as
MSFT:*_*_X64_CC_FLAGS = /D_UEFI
Would you be interested if I further modify the INF files in this way?
Hi,
Would you please update build instructions for latest version.
The version in the current build instruction is 1.18.
Hi,
I tried to build Vera but confess that I'm in trouble. What is edk? And I do have nasm installed but the setenv.bat batch won't find it, see
where nasm
C:\programs\nasm-2.11.05\nasm.exe
C:\j\bin\nasm.exe
V:\VeraCrypt-DCS-master>echo %NASM_PREFIX%
c:\Tools\nasm\
Also, when I run setenv.bat it asks for an edksetup.bat that I do not know anything about:
setenv.bat
Setting environment for using Microsoft Visual Studio 2010 x86 tools.
The system cannot find the path specified.
'edksetup.bat' is not recognized as an internal or external command,
operable program or batch file.
Thanks for any enlightenment
I'm trying to build veracrypt-DCS using Visual studio 2015 tool set.
I'm facing the issues below; is it because of the Visual Studio 2015 toolset version?
Is there any documentation for building with Visual Studio 2015?
I followed the documentation below to build it, but it looks a bit old.
(https://github.com/veracrypt/VeraCrypt/blob/master/src/Boot/EFI/Readme.txt)
-----ISSUE-----
Tpm12.c
Microsoft (R) Incremental Linker Version 14.00.24225.1
Copyright (C) Microsoft Corporation. All rights reserved.
/out:Tpm12.exe
c:\edk2\Build\DcsPkg\RELEASE_VS2015x86\X64\DcsPkg\Library\DcsTpmLib\DcsTpmLib\OUTPUT.\Tpm12.obj
LINK : fatal error LNK1561: entry point must be defined
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio 14.0\Vc\bin\x86_amd64\cl.exe"' : return code '0x2'
Stop.
----ISSUE----
Thank you.
I'm reporting this from having used the arrow key navigation (touch "simulation") to enter a password, since actual touch interaction doesn't work (reported separately).
The problem is that if you're entering a long phrase, and the keys are not in a standard keyboard layout (as they are not by default), then you're not going to be able to find the key to press if it's repeated in your password, because the circles are filled up as you type, and the letters are shown inside the circles. So, to avoid this problem, you should only keep the last circle touched filled (since you need some visual feedback as you go).
A workaround from the user side would be to supply a background bmp that has letters in it outside the circles, but that would defeat the feature you have that allows the letters/layout to be supplied as configuration in DcsProp, and it would be a lot of work to build such a bmp.
This could be solved in other ways as well, such as by just making the circle thicker, but not completely filled so it no longer obfuscates the letter inside the circle when touched. However, thinking more about this, I'm not sure of the point of keeping all the keys typed marked, since it doesn't really help you enter your password due to the possibility of repeated symbols.
Hello,
I've seen DCS has support for sending APDUs over to a smart card reader, and I'd be interested in adding more support for smart cards, hopefully up to being able to fetch a keyfile registered by VeraCrypt.
It's my first project with smart cards, so please feel free to correct me if I say anything wrong.
The way I'm thinking of doing it is by bypassing the need for a PKCS#11 interface and directly using ISO 7816-4 APDUs to login with a PIN entered by the user, and then fetching the keyfile from the card.
Maybe the VeraCrypt app could set the file ID corresponding to the keyfile it registered in the DCS config?
I'll try more things when I actually get a keycard, though!
Hi,
I encountered a strange behavior regarding my hard drive encrypted with VeraCrypt.
First of all, please let me explain the situation: I have one internal SSD with Windows 10 encrypted with VeraCrypt, and another unencrypted external SSD with Windows 10 on it. After upgrading Windows 10 on my unencrypted SSD, I rebooted and chose to use my encrypted SSD. The prompt for VeraCrypt appeared as normal (with "password OK"), but afterwards I got a BSOD with the message "Unable to boot error: 0x000000F".
I tried to decrypt the partition using my external SSD with VeraCrypt tool on the encrypted SSD, but VeraCrypt seems to not recognize the encryption.
After that, I tried to use the VeraCrypt rescue disk, but I made a big mistake on it, as I wanted to repair the bootloader from the rescue disk prompt ("option : m"), but I chose the MBR of the rescue disk itself... as such, my rescue disk is not working anymore....
Do you have any clue regarding this particular situation?
EDIT: I was able to boot on my VeraCrypt rescue disk again. I tried many restoration options, and even a decrypt process (which took 2 hours, with a final message: "Decrypt ok"). However, it seems that I still could not boot into Windows... instead, a new error message is displayed: "Error 0x000000e"
Thanks,
Douliah
DcsVeraCrypt.c
#define VCCONFIG_ALLOC(data, size) \
if(data == NULL) MEM_FREE(data); \
data = MEM_ALLOC(size);
What's the point of calling MEM_FREE on NULL?
The code looks to me as if the intention was to do
if(data != NULL) MEM_FREE(data);
i.e. to free the data if there was any...
The way it is, when called with non-null data you will end up with a memory leak.
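The leak described in this issue is easy to make observable. The following is an added example, not code from VeraCrypt-DCS: MEM_ALLOC and MEM_FREE are replaced by counting stand-ins (an assumption for illustration only), and the macro as posted is placed beside the corrected form so the difference shows up as a live-allocation count when the same config value is allocated twice.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Counting allocator stand-ins for MEM_ALLOC / MEM_FREE (assumed names for
 * this example; not the DCS implementations) so that a leak is measurable. */
static int g_live_allocations = 0;

static void *counting_alloc(size_t size) {
    void *p = calloc(1, size);
    if (p != NULL) g_live_allocations++;
    return p;
}

static void counting_free(void *p) {
    if (p != NULL) g_live_allocations--;   /* free(NULL) is a no-op; mirror that */
    free(p);
}

#define MEM_ALLOC(size) counting_alloc(size)
#define MEM_FREE(p)     counting_free(p)

/* The macro as posted in the issue: the condition is inverted, so a buffer
 * that already exists is never released before the pointer is overwritten. */
#define VCCONFIG_ALLOC_BUGGY(data, size) \
    if ((data) == NULL) MEM_FREE(data);  \
    (data) = MEM_ALLOC(size);

/* The corrected form suggested in the issue: free only what actually exists. */
#define VCCONFIG_ALLOC_FIXED(data, size) \
    if ((data) != NULL) MEM_FREE(data);  \
    (data) = MEM_ALLOC(size);

/* Simulate a config value being (re)loaded twice. Returns the number of
 * buffers still live while the second value is held: 1 means only the
 * current buffer exists, 2 means the first one was leaked. */
int live_after_double_alloc_buggy(void) {
    g_live_allocations = 0;
    char *value = NULL;
    VCCONFIG_ALLOC_BUGGY(value, 16)
    strcpy(value, "first");
    VCCONFIG_ALLOC_BUGGY(value, 32)   /* old 16-byte buffer is now unreachable */
    strcpy(value, "second");
    int live = g_live_allocations;
    MEM_FREE(value);
    return live;
}

int live_after_double_alloc_fixed(void) {
    g_live_allocations = 0;
    char *value = NULL;
    VCCONFIG_ALLOC_FIXED(value, 16)
    strcpy(value, "first");
    VCCONFIG_ALLOC_FIXED(value, 32)   /* old buffer released before reallocation */
    strcpy(value, "second");
    int live = g_live_allocations;
    MEM_FREE(value);
    return live;
}
```

In a pre-boot environment the leaked buffer matters twice over: the memory is never reclaimed, and whatever it held (a password prompt string, a config value) stays in RAM unwiped until the OS overwrites it.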
Is there any solution to load the boot loader from the network (PXE)?
I've got grub2 over PXE, any idea?
In case it's impossible, how can I build a bootable UEFI ISO with DCS?
I just wanted to note that I followed the VeraCrypt-DCS/SecureBoot/readme.txt and can confirm that this works (that is, on my system and now having Secure Boot Enabled again). However, I did have some red console output errors before it sets the platform and key exchange key. I didn't log them, so I can't share them, but maybe someone else can tell me what that was about and if it could have had any significance to the signing process of the bootloader files or otherwise, any side effects that may occur.
Hi,
Configuration:
Observation:
Workaround:
Is this expected to not work or can it be fixed?
Regards
Hi,
I made dual-boot full system encryption setup on EFI. Windows is encrypted using VeraCrypt, everything works, EFI and stuff. On other system I configured Arch GNU/Linux, which is LVM on LUKS, also requires password during boot, even automounts Windows partition. I also use EFI and systemd-boot to load this OS.
Everything works except small annoying feature.
My desired configuration is to have systemd-boot as default bootloader. And it works. I can choose Arch and boot it or "chainload" VeraCrypt and it also works like a charm. But, when I boot Windows and turn off my computer, after next start that darn VeraCrypt boots. When I wanna boot Arch, I need to go to EFI settings, turn off VeraCrypt bootloader manually and make sure that systemd-boot is default. Darn! Disabling VeraCrypt bootloader also doesn't help – it just keeps reappearing.
I tried to find some docs, but the EFI case is nonexistent. Everything works awesome, but documentation doesn't say a word about full system encryption on EFI. I thought it is only for BIOS and learned I was mistaken on a 3rd party website.
Your tool is awesome, I am very grateful and stuff, but I have two requests :)
I can quote:
System encryption involves pre-boot authentication, which means that anyone who wants to gain access and use the encrypted system, read and write files stored on the system drive, etc., will need to enter the correct password each time before Windows boots (starts). Pre-boot authentication is handled by the VeraCrypt Boot Loader, which resides in the first track of the boot drive and on the VeraCrypt Rescue Disk (see below).
Seems to me like "no, EFI is not supported, we created this tool before EFI".
Thanks for your hard work
Damjes
The dumpEfiVars.exe (obtained from https://www.veracrypt.fr/downloads/tools/dumpEfiVars.exe) dumps manufacturer certificates named:
Dell Bios DB Key.der
Dell Bios FW Aux Authority 2018.der
powershell -ExecutionPolicy Bypass -File sb_set_siglists.ps1
Setting KEK-signed content of dbx...
Set-SecureBootUEFI : Incorrect authentication data: 0xC0000022
At C:\Users\admin\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:18 char:1
+ Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath $scrip ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
+ FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand
Setting KEK-signed DCS cert in db...
Set-SecureBootUEFI : Incorrect authentication data: 0xC0000022
At C:\Users\admin\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:21 char:1
+ Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath $scrip ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
+ FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand
Setting KEK-signed MS cert in db...
Set-SecureBootUEFI : Incorrect authentication data: 0xC0000022
At C:\Users\admin\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:24 char:1
+ Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath $scrip ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
+ FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand
Setting KEK-signed MS UEFI cert in db...
Set-SecureBootUEFI : Incorrect authentication data: 0xC0000022
At C:\Users\admin\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:27 char:1
+ Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath $scrip ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
+ FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand
Set-SecureBootUEFI : Incorrect authentication data: 0xC0000022
At C:\Users\admin\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:54 char:1
+ Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath $scrip ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
+ FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand
Set-SecureBootUEFI : Incorrect authentication data: 0xC0000022
At C:\Users\admin\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:55 char:1
+ Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath $scrip ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
+ FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand
Setting PK-signed KEK...
Set-SecureBootUEFI : Incorrect authentication data: 0xC0000022
At C:\Users\admin\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:97 char:1
+ Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath $scrip ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
+ FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand
Setting self-signed PK...
Set-SecureBootUEFI : Incorrect authentication data: 0xC0000022
At C:\Users\admin\Downloads\VeraCrypt-DCS-master\SecureBoot\sb_set_siglists.ps1:100 char:1
+ Set-SecureBootUEFI -Time 2018-07-05T00:00:00Z -ContentFilePath $scrip ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (Microsoft.Secur...BootUefiCommand:SetSecureBootUefiCommand) [Set-SecureBootUEFI], UnauthorizedAccessException
+ FullyQualifiedErrorId : SetFWVarFailed,Microsoft.SecureBoot.Commands.SetSecureBootUefiCommand
I found that the touch screen not working for me on the Vivobook 14 was a hardware/firmware issue. Even with the latest firmware, it's not able to see the touch screen inside a UEFI app unless it's launched through the UEFI bootloader menu by pressing ESC. If I launch through the on-screen boot menu, then the VeraCrypt DCS app (and also any other app) is then able to see the touch screen.
However, I still have some suggestions for changes to the VeraCrypt DCS bootloader app, which is why I've created this issue. This can serve as a summary of my suggestions and I will attempt to close the other two. I've made most of these locally in the UDK2015 build environment required for VeraCrypt DCS and deployed the updated app locally to my laptop:
Need to specify change for firmwares without writable nvram. Without external bootloader, manual setup leads to bootloop.
Feature Request: Allow this option to be read from a text file or configuration file.
veracrypt/Veracrypt-dcs/DcsBoot/DcsBoot.c
line 28: CHAR16 *gEfiExecCmdDefault = L"\EFI\Microsoft\Boot\Bootmgfw.efi";
ex: installing Ubuntu requires renaming the Ubuntu EFI boot file to \EFI\Microsoft\Boot\Bootmgfw.efi to allow booting Ubuntu, then changing bootmgfw.efi to a different directory so Ubuntu GRUB can load Windows. FDE on these systems does not "work" without manually loading the VeraCrypt EFI file each time, and will fail the pre-boot test unless the user intervenes and selects the proper boot file for the VeraCrypt EFI loader.
void HaltPrint(const CHAR16* Msg)
It's triggered when something goes terribly wrong with the disk hook,
so it's the last thing that happens and it triggers CleanSensitiveData(); so far so good, but what about the bootParams? They contain sensitive data too and are not being cleared.
So the call should also MEM_BURN the bootParams variable.
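To make the point of this report concrete, here is an added example (not VeraCrypt-DCS code): a minimal halt-path handler that wipes both the buffer CleanSensitiveData() would cover and the boot parameters, beside the same scenario without the second wipe. The BootParams layout, the MEM_BURN implementation and the field names are assumptions for illustration; only the names HaltPrint, bootParams and MEM_BURN come from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_PASSWORD 64

/* Assumed layout for this example; the real DCS boot parameter block differs. */
typedef struct {
    uint8_t  Password[MAX_PASSWORD];
    uint32_t PasswordLength;
    int32_t  Pim;
    uint64_t HeaderSaltAddr;
} BootParams;

/* Wipe through a volatile pointer so the compiler cannot drop the stores as
 * dead writes on a path that is about to halt (the usual MEM_BURN pitfall). */
static void mem_burn(void *p, size_t n) {
    volatile uint8_t *b = (volatile uint8_t *)p;
    while (n--) *b++ = 0;
}
#define MEM_BURN(ptr, size) mem_burn((ptr), (size))

/* Failure-path handler with the fix the report asks for: besides the data
 * CleanSensitiveData() covers, the boot parameters are burned as well.
 * Returns 0 so the effect can be checked by inspecting the buffers. */
int halt_print_cleanup(uint8_t *sensitive, size_t sensitive_len, BootParams *params) {
    MEM_BURN(sensitive, sensitive_len);   /* what CleanSensitiveData() already does */
    MEM_BURN(params, sizeof(*params));    /* the missing step: bootParams */
    return 0;
}

static int is_all_zero(const void *p, size_t n) {
    const uint8_t *b = p;
    for (size_t i = 0; i < n; i++) if (b[i]) return 0;
    return 1;
}

/* Constructed scenario: password and PIM sit in the boot parameters when the
 * disk hook fails. Fills both buffers with stand-in secret material. */
static void populate(uint8_t key[32], BootParams *params) {
    memset(key, 0xA5, 32);                       /* stand-in for derived key bytes */
    memset(params, 0, sizeof(*params));
    memcpy(params->Password, "correct horse battery", 21);
    params->PasswordLength = 21;
    params->Pim = 485;
}

/* Returns 1 if nothing sensitive survives after the fixed halt handler. */
int scenario_params_are_wiped(void) {
    uint8_t key[32];
    BootParams params;
    populate(key, &params);
    halt_print_cleanup(key, sizeof key, &params);
    return is_all_zero(key, sizeof key) && is_all_zero(&params, sizeof params);
}

/* Returns 1 if the password is still readable when only the first buffer is
 * burned, i.e. the behaviour the report describes. */
int scenario_without_burn_leaves_password(void) {
    uint8_t key[32];
    BootParams params;
    populate(key, &params);
    MEM_BURN(key, sizeof key);   /* only what CleanSensitiveData() covers */
    return memcmp(params.Password, "correct horse battery", 21) == 0;
}
```

The volatile-pointer loop is the portable way to keep a wipe from being optimised away; where the toolchain offers memset_s or an explicit_bzero equivalent, that is the better choice.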
Hey , does anyone know the phone number or email address of Alex Kolotnikov ? Is he the creator of DcsFV tool? https://sourceforge.net/projects/dc5/ ?
I have an ASUS Vivobook 14 Flip, a 2-in-1 laptop with keyboard and touch screen. The touch screen works in Windows and also in the BIOS.
For the following DcsProp config, the image with the circles is shown, but touch interaction doesn't work. You can't type by touching the circles, though you can move the cursor with the arrow keys and enter a password that way, even when TouchSimulate is set to 0.
<?xml version="1.0" encoding="utf-8"?>
<VeraCrypt>
<configuration>
<config key="PasswordType">1</config>
<config key="PasswordMsg">Password: </config>
<config key="PasswordPicture">login.bmp</config>
<config key="HashMsg">(0) TEST ALL (1) SHA512 (2) WHIRLPOOL (3) SHA256 (4) RIPEMD160 (5) STREEBOG Hash:</config>
<config key="Hash">1</config>
<config key="HashRqt">0</config>
<config key="PimMsg">PIM (Leave empty for default): </config>
<config key="Pim">0</config>
<config key="PimRqt">0</config>
<config key="AuthorizeVisible">0</config>
<config key="AuthorizeRetry">10</config>
<config key="DcsBmlLockFlags">0</config>
<config key="DcsBmlDriver">0</config>
<config key="ActionSuccess"></config>
<config key="TouchDevice">0</config>
<config key="TouchSimulate">0</config>
</configuration>
</VeraCrypt>
This is the relevant bit from PlatformInfo:
<TouchDevices count="1">
<TouchDevice index="0" minx="0" miny="0" minz="0" maxx="800" maxy="589" maxz="0" attr="0x00"/>
</TouchDevices>
I tried changing TouchDevice to -1, but it makes no difference. (I looked at the source code, so I see why it doesn't matter.) Also note that the cursor can be moved by arrow keys even if TouchSimulate is 0, as I've set it.
Has the code been tested on any actual touch platforms? I suppose I can build it myself, but I'm not set up with VS2019 so it's going to take some work to install the relevant tools, and that's if they're all free - I'm not sure that the Community version allows UEFI development.
When using a hardware password manager such as the OnlyKey, the default typing speed is too fast to enter the VeraCrypt bootloader password successfully. The 100 ms debounce delay intended for human keyboard entry causes the OnlyKey to miss some of the characters.
In addition, the 100 ms debounce delay seems to include the time between pressing shift and pressing another key. This means you can't use a VeraCrypt boot password with capital letters or symbols when entering it with the OnlyKey.
https://sourceforge.net/p/veracrypt/discussion/general/thread/4d99b60aa6/
https://sourceforge.net/p/veracrypt/discussion/general/thread/6ecab98a30/
Thanks ever so much! I'm happy to test anything with the OnlyKey.
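To make the failure mode in this report concrete, here is a constructed model of the debounce rule the poster describes (a key press arriving less than the debounce window after the previously accepted press is discarded, and Shift counts as a press of its own). This is an added example, not the DCS keyboard code and not the poster's code; the 20 ms and 250 ms key gaps, the password "Secret1", the Shift placeholder code and the `debounce_ms` parameter are all assumptions made for the illustration.

```c
/* Constructed model of the keyboard debounce behaviour described in the
 * OnlyKey report. NOT the DCS keyboard code: the rule modelled here is
 * "a press arriving less than debounce_ms after the previously accepted
 * press is discarded", and a Shift press modifies only the key physically
 * typed right after it, whether or not that key survives the debounce. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SHIFT_KEY '\x0E'   /* placeholder code for a Shift press (assumption) */

typedef struct {
    uint32_t t_ms;   /* time the press reaches the bootloader */
    char     key;    /* printable character, or SHIFT_KEY */
} KeyEvent;

/* Runs the events through the modelled debounce; writes the characters that
 * survive into out (NUL-terminated) and returns how many were written. */
size_t DebounceType(const KeyEvent *ev, size_t n, uint32_t debounce_ms,
                    char *out, size_t outcap)
{
    size_t   written = 0;
    int      have_last = 0, shift_pending = 0;
    uint32_t last_ms = 0;

    if (outcap == 0)
        return 0;

    for (size_t i = 0; i < n && written + 1 < outcap; i++) {
        int accepted = !have_last || (ev[i].t_ms - last_ms) >= debounce_ms;

        if (ev[i].key == SHIFT_KEY) {
            shift_pending = accepted;          /* a dropped Shift is simply lost */
            if (accepted) { last_ms = ev[i].t_ms; have_last = 1; }
            continue;
        }
        if (accepted) {
            out[written++] = shift_pending
                ? (char)toupper((unsigned char)ev[i].key) : ev[i].key;
            last_ms = ev[i].t_ms;
            have_last = 1;
        }
        shift_pending = 0;   /* Shift applied to this key only, accepted or not */
    }
    out[written] = '\0';
    return written;
}

/* Builds the press stream for the constructed password "Secret1" (Shift, then
 * 's', then "ecret1") with a fixed gap between presses, and debounces it. */
size_t TypePassword(uint32_t gap_ms, uint32_t debounce_ms, char *out, size_t outcap)
{
    static const char keys[] = { SHIFT_KEY, 's', 'e', 'c', 'r', 'e', 't', '1' };
    KeyEvent ev[sizeof keys];

    for (size_t i = 0; i < sizeof keys; i++) {
        ev[i].t_ms = (uint32_t)i * gap_ms;
        ev[i].key  = keys[i];
    }
    return DebounceType(ev, sizeof keys, debounce_ms, out, outcap);
}

/* 1 if typing the constructed password at gap_ms with debounce_ms yields expected. */
int TypeMatches(uint32_t gap_ms, uint32_t debounce_ms, const char *expected)
{
    char buf[32];
    TypePassword(gap_ms, debounce_ms, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}
```

With a 100 ms window, a human typing one key every 250 ms gets "Secret1" through intact, while a device typing every 20 ms gets only "e": the Shift press is accepted but the 's' that follows it 20 ms later is dropped, taking the capital with it, and only the press that lands exactly 100 ms after Shift survives. Lowering the modelled window to 10 ms lets the fast stream through untouched, which is the behaviour the poster is asking for, expressed here as a model rather than as a DCS option.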
Hello,
I need to do this: "Use it with PlatformLocked or TPMLocked enabled to lock password to the computer." and set
1.
After this, the password is always invalid; however, I am sure the password is OK.
After disabling this, the password is OK, too.
So, is there any issue, or something I missed?
Problem: Currently you can create your own login screen via login.bmp, but only with touch support, which is very unattractive.
For possible branding, I would like to see a login screen without touch support, that is, without the green circles and other fields.
Hello @idrassi ,
I noticed that there are no Secure Boot keys for my Gigabyte mainboard available, so here are the necessary files in a ZIP.
Thanks 👍
Gigabyte-GA-Z97-HD3.zip
The bootloader does not reset the watchdog, and if the password is not entered within 5 minutes, the entire system is reset.
When I'm building DcsCfg under VS2017 (#13), I get the following error in DcsCfgCrypt.c:
d:\shared\edk2\DcsPkg\DcsCfg\DcsCfgCrypt.c(1766): error C2220: warning treated as error - no 'object' file generated
d:\shared\edk2\DcsPkg\DcsCfg\DcsCfgCrypt.c(1766): warning C4459: declaration of 'SecRegionData' hides global declaration
d:\shared\edk2\DcsPkg\DcsCfg\DcsCfgCrypt.c(49): note: see declaration of 'SecRegionData'
d:\shared\edk2\DcsPkg\DcsCfg\DcsCfgCrypt.c(1767): warning C4459: declaration of 'SecRegionSize' hides global declaration
d:\shared\edk2\DcsPkg\DcsCfg\DcsCfgCrypt.c(50): note: see declaration of 'SecRegionSize'
d:\shared\edk2\DcsPkg\DcsCfg\DcsCfgCrypt.c(1768): warning C4459: declaration of 'SecRegionOffset' hides global declaration
d:\shared\edk2\DcsPkg\DcsCfg\DcsCfgCrypt.c(51): note: see declaration of 'SecRegionOffset'
The local variables declared in SecRigionDump (sic) should be renamed, or the warning should be suppressed.
There is also a typo in the SecRigionXxx functions. Apparently they should be named SecRegionXxx.
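C4459 is worth fixing rather than silencing: a local that hides a global of the same name makes every assignment in that scope land on the local, so the function can appear to publish a buffer while the global the rest of the program reads stays empty. The following added example illustrates that with globals named after the three in the warning above; the functions, their bodies and the sample bytes are constructed for this illustration and are not the DCS code.

```c
/* Added illustration of the hazard behind MSVC warning C4459 (a local
 * declaration hides a global declaration). The three globals carry the names
 * from the DcsCfgCrypt.c warning; everything else is constructed and is NOT
 * the DCS code. GCC/Clang report the same pattern with -Wshadow. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

uint8_t *SecRegionData   = NULL;   /* globals, as named in the warning */
size_t   SecRegionSize   = 0;
size_t   SecRegionOffset = 0;

static uint8_t gBacking[64];       /* constructed backing store for the region */

/* Shadowing version: each local hides the global of the same name, so the
 * copy and the size assignment update the locals and the globals stay
 * NULL/0. It compiles cleanly without /W4 or -Wshadow and returns a
 * plausible value, so the caller has no hint that nothing was published. */
int PublishRegionShadowed(const uint8_t *src, size_t len)
{
    uint8_t *SecRegionData   = gBacking;   /* hides global SecRegionData */
    size_t   SecRegionSize   = 0;          /* hides global SecRegionSize */
    size_t   SecRegionOffset = 0;          /* hides global SecRegionOffset */

    if (len > sizeof gBacking)
        return -1;
    memcpy(SecRegionData + SecRegionOffset, src, len);
    SecRegionSize = len;            /* meant for the global; sets the local */
    return (int)SecRegionSize;      /* reports 4, yet the globals are untouched */
}

/* Fixed version: distinct local names, so the globals really are updated. */
int PublishRegionFixed(const uint8_t *src, size_t len)
{
    uint8_t *data   = gBacking;
    size_t   offset = 0;

    if (len > sizeof gBacking)
        return -1;
    memcpy(data + offset, src, len);
    SecRegionData   = data;
    SecRegionOffset = offset;
    SecRegionSize   = len;
    return (int)SecRegionSize;
}

/* 1 if the globals currently describe a region holding exactly src[0..len). */
int GlobalsHold(const uint8_t *src, size_t len)
{
    return SecRegionData != NULL && SecRegionSize == len &&
           memcmp(SecRegionData + SecRegionOffset, src, len) == 0;
}

static const uint8_t kSample[4] = { 0xDE, 0xAD, 0xBE, 0xEF };   /* constructed input */
```

Calling PublishRegionShadowed on kSample returns 4 but leaves GlobalsHold false; PublishRegionFixed returns the same 4 and GlobalsHold becomes true. If the second route from the report is taken instead (suppressing the warning), MSVC's `#pragma warning(disable: 4459)` does it, but the rename is the safer of the two because it removes the ambiguity rather than hiding it.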