mirror of
https://github.com/veracrypt/VeraCrypt.git
synced 2026-05-22 13:43:46 -05:00
Windows: Add DCS EFI Bootloader files that are signed. Add certificates and powershell script to update Secure Boot configuration.
@@ -0,0 +1,13 @@
To update secure boot configuration
1. Enter BIOS configuration
2. Switch Secure boot to setup mode (or custom mode). It deletes PK (platform certificate) and allows to load DCS platform key.
3. Boot Windows
4. execute from admin command prompt
powershell -File sb_set_siglists.ps1
It sets in PK (platform key) - DCS_platform
It sets in KEK (key exchange key) - DCS_key_exchange
It sets in db - DCS_sign MicWinProPCA2011_2011-10-19 MicCorUEFCA2011_2011-06-27
All DCS modules are protected by DCS_sign.
All Windows modules are protected by MicWinProPCA2011_2011-10-19
All SHIM(linux) modules are protected by MicCorUEFCA2011_2011-06-27
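Review bot: step 4 runs the script but the procedure never tells the user to verify the result or to leave setup mode afterwards, and it does not mention that the same script empties dbx. Add a step 5 along the lines of "run Confirm-SecureBootUEFI and Get-SecureBootUEFI -Name db to check that PK, KEK and the three db entries are present, then switch Secure Boot back to user/standard mode in firmware setup", and state that the forbidden-signature list (dbx) is cleared and not repopulated, so Microsoft's revoked-binary entries are absent until dbx is updated again. Minor: in step 2 the variable deleted is the PK (platform key), matching the later line "It sets in PK (platform key)".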
@@ -0,0 +1,3 @@
Apart from DCS certificates, there are two public DB entries - one for Windows and one for the UEFI Certificate Authority (CA).
Windows DB: http://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
UEFI DB: http://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt
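Review bot: both download links are plain http://, so a user who fetches the certificates by hand gets them without transport integrity; use the https:// form of the same two URLs and record the fingerprint of each .crt next to its link so the downloaded file can be compared with the certificate embedded in the matching *_SigList.bin. It would also help to say here what the two entries are for: they are what keep Windows Boot Manager (MicWinProPCA2011) and shim-based Linux loaders (MicCorUEFCA2011) bootable under the DCS platform key, as the readme in this commit states.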
@@ -0,0 +1,22 @@
Set-ExecutionPolicy Bypass -Force
Import-Module secureboot
Set-SecureBootUEFI -Name PK -Time 2015-09-11 -Content $null
Set-SecureBootUEFI -Name KEK -Time 2015-09-11 -Content $null
Set-SecureBootUEFI -Name db -Time 2015-09-11 -Content $null
Set-SecureBootUEFI -Name dbx -Time 2015-09-11 -Content $null
Write-Host "Setting self-signed PK..."
Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglists\DCS_platform_SigList.bin -SignedFilePath siglists\DCS_platform_SigList_Serialization.bin.p7 -Name PK
Write-Host "Setting PK-signed KEK..."
Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglists\DCS_key_exchange_SigList.bin -SignedFilePath siglists\DCS_key_exchange_SigList_Serialization.bin.p7 -Name KEK
Write-Host "Setting KEK-signed DCS cert in db..."
Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglists\DCS_sign_SigList.bin -SignedFilePath siglists\DCS_sign_SigList_Serialization.bin.p7 -Name db
Write-Host "Setting KEK-signed MS cert in db..."
Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglists\MicWinProPCA2011_2011-10-19_SigList.bin -SignedFilePath siglists\MicWinProPCA2011_2011-10-19_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true
Write-Host "Setting KEK-signed MS UEFI cert in db..."
Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglists\MicCorUEFCA2011_2011-06-27_SigList.bin -SignedFilePath siglists\MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true
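Review bot: `Set-ExecutionPolicy Bypass -Force` on the first line permanently changes the machine-wide execution policy and nothing in the script restores it; since the readme runs this file as `powershell -File sb_set_siglists.ps1`, drop that line and document `powershell -ExecutionPolicy Bypass -File sb_set_siglists.ps1` instead, which affects only that process. Two further points: the script has no error handling, so if the PK write fails (firmware not in setup mode) every later Set-SecureBootUEFI still executes; add `$ErrorActionPreference = 'Stop'` after Import-Module and finish with Confirm-SecureBootUEFI and Get-SecureBootUEFI -Name db so the outcome is reported. And dbx is cleared with `-Content $null` but never refilled, which leaves the forbidden-signature database empty; either append the current Microsoft dbx signature list with -AppendWrite or say in the readme that revocations must be re-applied. The relative `siglists\` paths also assume the current directory is the script directory; prefix them with $PSScriptRoot.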