Windows: prevent unsupported EFI Secure Boot fallback

Detect whether the active firmware Secure Boot db trusts the Microsoft Corporation UEFI CA 2011 before selecting the 2011-signed EFI loader set. Abort with a clear diagnostic when Secure Boot is enabled but neither the 2011 CA nor the required 2023 CA pair is trusted, and document the CA requirements. Preserve positive CA detection when malformed db data appears only after a supported Microsoft CA set has already been found, while recording the parse error in diagnostics. Refs #1778.
2026-06-17 01:56:10 -05:00 · 2026-06-16 21:53:27 +09:00
parent 9a85a53731
commit 8bfe53b20f
47 changed files with 292 additions and 46 deletions
@@ -1685,6 +1685,7 @@
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1707,6 +1707,7 @@ Information about Corsican localization:
 	    <entry lang="co" key="MACOSX_APFS_EROFS_HINT">macOS hà signalatu l’apparechju selezziunatu cum’è essendu in lettura sola. S’ellu hè un discu APFS, assicuratevi chì ghjè a partizione d’allucamentu APFS fisica chì hè selezziunata, è micca un vulume APFS sintetizatu. Impiegate l’attrezzu di discu o « diskutil list » per identificà a partizione fisica eppò pruvate torna.</entry>
 	    <entry lang="co" key="FAVORITE_PIM_OR_KDF_CHANGED">Stu vulume hè arregistratu cum’è un favuritu di u sistema è u so PIM è/o i so parametri KDF sò stati cambiati.\nVulete chì VeraCrypt mudificheghji autumaticamente a cunfigurazione di i favuriti di u sistema (i privileghji d’amministratore sò richiesti) ?\n\nSappiate chì, s’è vò rispundite nò, tuccherà à voi di fallu manualmente.</entry>
 	    <entry lang="co" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">U KDF selezziunatu impiegheghja parametri PIM sfarenti, dunque VeraCrypt ùn rimpiegherà micca u PIM persunalizatu attuale. A nova intestatura di u vulume impiegherà u PIM predefinitu per u KDF selezziunatu fora s’è vo selezziunate « Impiegà un PIM » in a sezzione « Novu » è s’è vo stampittate un valore persunalizatu.\n\nVulete cuntinuà ?</entry>
+	    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
 	</localization>
 	<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
 		<xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="cs" key="MACOSX_APFS_EROFS_HINT">macOS oznámil, že vybrané zařízení je pouze pro čtení. Jde-li o disk APFS, ujistěte se, že jste vybrali fyzický diskový oddíl úložiště APFS, nikoli syntetizovaný svazek APFS. Pomocí Diskové utility nebo příkazu 'diskutil list' určete fyzický diskový oddíl a zkuste to znovu.</entry>
    <entry lang="cs" key="FAVORITE_PIM_OR_KDF_CHANGED">Tento svazek je zaregistrován jako systémový oblíbený svazek a jeho nastavení PIM a/nebo KDF byla změněna.\nChcete, aby VeraCrypt automaticky aktualizoval konfiguraci systémového oblíbeného svazku (jsou vyžadována oprávnění správce)?\n\nMějte prosím na paměti, že pokud odpovíte ne, budete muset systémový oblíbený svazek aktualizovat ručně.</entry>
    <entry lang="cs" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">Vybraný KDF používá jiné parametry PIM, takže VeraCrypt nepoužije aktuální vlastní PIM. Nová hlavička svazku použije výchozí PIM pro vybraný KDF, pokud v sekci „Nové” nezvolíte „Použít PIM” a nezadáte vlastní hodnotu.\n\nChcete pokračovat?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1688,6 +1688,7 @@
    <entry lang="de" key="MACOSX_APFS_EROFS_HINT">macOS hat das ausgewählte Gerät als schreibgeschützt gemeldet. Handelt es sich um eine APFS-Festplatte, stellen Sie sicher, dass Sie die physische APFS-Speicherpartition ausgewählt haben und nicht ein synthetisches APFS-Volume. Identifizieren Sie die physische Partition mit dem Festplatten-Dienstprogramm oder dem Befehl „diskutil list“ und versuchen Sie es dann erneut.</entry>
    <entry lang="de" key="FAVORITE_PIM_OR_KDF_CHANGED">Dieses Volume ist als Systemfavorit registriert und seine PIM- und/oder KDF-Einstellungen wurden geändert.\nMöchten Sie, dass VeraCrypt die Konfiguration des Systemfavoriten automatisch aktualisiert (Administratorrechte erforderlich)?\n\nBitte beachten Sie: Wenn Sie mit „Nein“ antworten, müssen Sie den Systemfavoriten manuell aktualisieren.</entry>
    <entry lang="de" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">Die ausgewählte KDF verwendet andere PIM-Parameter, daher wird VeraCrypt den derzeitigen benutzerdefinierten PIM nicht wiederverwenden. Die neuen Volume-Kopfdaten verwenden den Standard-PIM für die ausgewählte KDF, es sei denn, Sie wählen im Abschnitt „Neu“ die Option „PIM verwenden“ aus und geben einen benutzerdefinierten Wert ein.\n\nMöchten Sie fortfahren?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <!-- XML-Schema -->
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
@@ -1685,6 +1685,7 @@
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="es" key="MACOSX_APFS_EROFS_HINT">macOS informó que el dispositivo seleccionado es de sólo lectura. Si se trata de un disco APFS, asegúrese de haber seleccionado la partición física de almacenamiento APFS, no un volumen APFS sintetizado. Use la Utilidad de Discos o 'diskutil list' para identificar la partición física y luego reinténtelo.</entry>
    <entry lang="es" key="FAVORITE_PIM_OR_KDF_CHANGED">Este volumen está registrado como volumen favorito del sistema y se ha modificado su configuración de PIM y/o KDF.\n¿Desea que VeraCrypt actualice automáticamente la configuración del volumen favorito del sistema (se requieren privilegios de administrador)?\n\nTenga en cuenta que si responde No, tendrá que actualizar manualmente el volumen favorito del sistema.</entry>
    <entry lang="es" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">El KDF seleccionado usa parámetros de PIM diferentes, por lo que VeraCrypt no reutilizará el PIM personalizado actual. La nueva cabecera del volumen usará el PIM predeterminado para el KDF seleccionado a menos que seleccione "Usar PIM" en la sección "Nueva" e introduzca un valor personalizado.\n\n¿Desea continuar?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
 </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="fi" key="MACOSX_APFS_EROFS_HINT">macOS ilmoitti valitun laitteen olevan vain luku -tilassa. Jos kyseessä on APFS-levy, varmista, että valitsit fyysisen APFS-tallennusosion etkä APFS:n syntetisoitua taltiota. Käytä Levytyökalua tai komentoa 'diskutil list' fyysisen osion tunnistamiseen ja yritä sitten uudelleen.</entry>
    <entry lang="fi" key="FAVORITE_PIM_OR_KDF_CHANGED">Tämä taltio on rekisteröity järjestelmän suosikkitaltioksi ja sen PIM- ja/tai KDF-asetukset on muutettu.\nHaluatko, että VeraCrypt päivittää järjestelmän suosikkitaltion kokoonpanon automaattisesti (vaatii järjestelmänvalvojan oikeudet)?\n\nHuomaa, että jos vastaat ei, sinun on päivitettävä järjestelmän suosikkitaltio manuaalisesti.</entry>
    <entry lang="fi" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">Valittu KDF käyttää eri PIM-parametreja, joten VeraCrypt ei käytä uudelleen nykyistä mukautettua PIM-arvoa. Uusi taltion otsikko käyttää valitun KDF:n oletus-PIM-arvoa, ellet valitse Uusi-osiossa vaihtoehtoa "Käytä PIM" ja syötä mukautettua arvoa.\n\nHaluatko jatkaa?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="fr" key="MACOSX_APFS_EROFS_HINT">macOS a signalé que le périphérique sélectionné est en lecture seule. S’il s’agit d’un disque APFS, assurez-vous d’avoir sélectionné la partition physique de stockage APFS et non un volume APFS synthétisé. Utilisez l’Utilitaire de disque ou 'diskutil list' pour identifier la partition physique, puis réessayez.</entry>
    <entry lang="fr" key="FAVORITE_PIM_OR_KDF_CHANGED">Ce volume est enregistré comme favori système et ses paramètres PIM et/ou KDF ont été modifiés.\nVoulez-vous que VeraCrypt mette automatiquement à jour la configuration du favori système (privilèges administrateur requis) ?\n\nVeuillez noter que si vous répondez « Non », vous devrez mettre à jour le favori système manuellement.</entry>
    <entry lang="fr" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">Le KDF sélectionné utilise des paramètres PIM différents, VeraCrypt ne réutilisera donc pas le PIM personnalisé actuel. Le nouvel en-tête du volume utilisera le PIM par défaut du KDF sélectionné, sauf si vous sélectionnez « Saisir un PIM » dans la section « Nouveau » et saisissez une valeur personnalisée.\n\nVoulez-vous continuer ?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="it" key="MACOSX_APFS_EROFS_HINT">macOS ha segnalato il dispositivo selezionato come di sola lettura. Se questo è un disco APFS, assicurati di aver selezionato la partizione dello store fisico APFS, non un volume APFS sintetizzato. Usa Utility Disco o 'diskutil list' per identificare la partizione fisica, quindi riprova.</entry>
    <entry lang="it" key="FAVORITE_PIM_OR_KDF_CHANGED">Questo volume è registrato come volume preferito di sistema e le sue impostazioni PIM e/o KDF sono state modificate.\nVuoi che VeraCrypt aggiorni automaticamente la configurazione del volume preferito di sistema (sono richiesti privilegi di amministratore)?\n\nNota che se rispondi No, dovrai aggiornare manualmente il volume preferito di sistema.</entry>
    <entry lang="it" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">Il KDF selezionato usa parametri PIM diversi, quindi VeraCrypt non riutilizzerà il PIM personalizzato attuale. La nuova intestazione del volume userà il PIM predefinito per il KDF selezionato, a meno che tu non selezioni "Usa PIM" nella sezione "Nuovo" e inserisca un valore personalizzato.\n\nVuoi continuare?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="ja" key="MACOSX_APFS_EROFS_HINT">macOS は、選択されたデバイスを読み取り専用として報告しました。これが APFS ディスクの場合は、APFS 合成ボリュームではなく物理 APFS ストアパーティションを選択していることを確認してください。ディスクユーティリティまたは 'diskutil list' を使用して物理パーティションを確認してから、再試行してください。</entry>
    <entry lang="ja" key="FAVORITE_PIM_OR_KDF_CHANGED">このボリュームはシステムお気に入りボリュームとして登録されており、PIM および/または KDF の設定が変更されています。\nVeraCrypt がシステムお気に入りボリュームの設定を自動的に更新しても良いですか（管理者権限が必要です）？\n\nいいえを選択した場合は、システムお気に入りボリュームを手動で更新する必要があります。</entry>
    <entry lang="ja" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">選択した KDF は異なる PIM パラメータを使用するため、VeraCrypt は現在のカスタム PIM を再利用しません。新しいボリュームヘッダーは、「新規」セクションで「PIMを使用する」を選択してカスタム値を入力しない限り、選択した KDF のデフォルトの PIM を使用します。\n\n続行しますか？</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="ko" key="MACOSX_APFS_EROFS_HINT">macOS에서 선택한 장치를 읽기 전용으로 보고했습니다. APFS 디스크인 경우 APFS 합성 볼륨이 아니라 물리적 APFS 저장소 파티션을 선택했는지 확인하세요. 디스크 유틸리티 또는 'diskutil list'를 사용하여 물리적 파티션을 식별한 다음 다시 시도하세요.</entry>
    <entry lang="ko" key="FAVORITE_PIM_OR_KDF_CHANGED">이 볼륨은 시스템 즐겨찾기로 등록되어 있으며 PIM 및/또는 KDF 설정이 변경되었습니다.\nVeraCrypt가 시스템 즐겨찾기 설정을 자동으로 업데이트하도록 하시겠습니까(관리자 권한 필요)?\n\n아니요를 선택하면 시스템 즐겨찾기를 수동으로 업데이트해야 합니다.</entry>
    <entry lang="ko" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">선택한 KDF는 다른 PIM 매개변수를 사용하므로 VeraCrypt는 현재 사용자 지정 PIM을 재사용하지 않습니다. 새 볼륨 헤더는 '신규' 섹션에서 'PIM 사용하기'를 선택하고 사용자 지정 값을 입력하지 않는 한, 선택한 KDF의 기본 PIM을 사용합니다.\n\n계속하시겠습니까?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1687,6 +1687,7 @@
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" attributeFormDefault="unqualified" elementFormDefault="qualified">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="nb" key="MACOSX_APFS_EROFS_HINT">macOS rapporterte den valgte enheten som skrivebeskyttet. Hvis dette er en APFS-disk, må du forsikre deg om at du har valgt den fysiske APFS-lagringspartisjonen, ikke et syntetisert APFS-volum. Bruk Diskverktøy eller «diskutil list» for å identifisere den fysiske partisjonen, og prøv på nytt.</entry>
    <entry lang="nb" key="FAVORITE_PIM_OR_KDF_CHANGED">Dette volumet er registrert som en systemfavoritt, og PIM- og/eller KDF-innstillingene ble endret.\nVil du at VeraCrypt automatisk skal oppdatere systemfavorittkonfigurasjonen (administratorrettigheter kreves)?\n\nMerk at hvis du svarer nei, må du oppdatere systemfavoritten manuelt.</entry>
    <entry lang="nb" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">Den valgte KDF-en bruker andre PIM-parametere, så VeraCrypt vil ikke gjenbruke den gjeldende egendefinerte PIM-en. Det nye volumhodet vil bruke standard-PIM for den valgte KDF-en med mindre du velger "Bruk PIM" i Ny-seksjonen og angir en egendefinert verdi.\n\nVil du fortsette?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="nl" key="MACOSX_APFS_EROFS_HINT">macOS geeft aan dat het geselecteerde apparaat alleen-lezen is. Als dit een APFS-schijf is, controleer dan of u de fysieke APFS-opslagpartitie hebt geselecteerd en niet een gesynthetiseerd APFS-volume. Gebruik Schijfhulpprogramma of 'diskutil list' om de fysieke partitie te identificeren en probeer het vervolgens opnieuw.</entry>
    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" attributeFormDefault="unqualified" elementFormDefault="qualified">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="pl" key="MACOSX_APFS_EROFS_HINT">System macOS zgłosił wybrane urządzenie jako tylko do odczytu. Jeśli jest to dysk APFS, upewnij się, że wybrano fizyczną partycję magazynu APFS, a nie wolumen syntezowany przez APFS. Użyj narzędzia dyskowego lub polecenia „diskutil list”, aby zidentyfikować partycję fizyczną, a następnie spróbuj ponownie.</entry>
    <entry lang="pl" key="FAVORITE_PIM_OR_KDF_CHANGED">Ten wolumen jest zarejestrowany jako ulubiony wolumen systemu, a jego ustawienia PIM i/lub KDF zostały zmienione.\nCzy chcesz, aby VeraCrypt automatycznie zaktualizował konfigurację ulubionego wolumenu systemu (wymagane są uprawnienia administratora)?\n\nPamiętaj, że jeśli wybierzesz „Nie”, musisz ręcznie zaktualizować ulubiony wolumen systemu.</entry>
    <entry lang="pl" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">Wybrany algorytm KDF używa innych parametrów PIM, więc VeraCrypt nie użyje ponownie bieżącego, niestandardowego PIM. Nowy nagłówek wolumenu będzie używał domyślnego PIM dla wybranego algorytmu KDF, chyba że wybierzesz „Użyj PIM” w sekcji „Nowe” i wpiszesz niestandardową wartość.\n\nCzy chcesz kontynuować?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="pt-br" key="MACOSX_APFS_EROFS_HINT">O macOS informou que o dispositivo selecionado é somente leitura. Se for um disco APFS, certifique-se de ter selecionado a partição física de armazenamento APFS, não um volume APFS sintetizado. Use o Utilitário de Disco ou 'diskutil list' para identificar a partição física e tente novamente.</entry>
    <entry lang="pt-br" key="FAVORITE_PIM_OR_KDF_CHANGED">Este volume está registrado como volume favorito do sistema e suas configurações de PIM e/ou KDF foram alteradas.\nDeseja que o VeraCrypt atualize automaticamente a configuração do volume favorito do sistema (privilégios de administrador necessários)?\n\nObserve que, se você responder Não, terá que atualizar manualmente o volume favorito do sistema.</entry>
    <entry lang="pt-br" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">O KDF selecionado usa parâmetros de PIM diferentes, portanto, o VeraCrypt não reutilizará o PIM personalizado atual. O novo cabeçalho do volume usará o PIM padrão para o KDF selecionado, a menos que você selecione "Usar PIM" na seção "Novo" e insira um valor personalizado.\n\nDeseja continuar?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="ru" key="MACOSX_APFS_EROFS_HINT">macOS сообщает, что выбранное устройство доступно только для чтения. Если это диск с файловой системой APFS, убедитесь, что вы выбрали физический раздел хранилища APFS, а не синтезированный том APFS. Используйте дисковую утилиту или 'diskutil list', чтобы определить физический раздел, затем повторите попытку.</entry>
    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="sl" key="MACOSX_APFS_EROFS_HINT">macOS je poročal, da je izbrana naprava samo za branje. Če je to disk APFS, se prepričaj, da si izbral fizično particijo shrambe APFS, ne sintetiziranega nosilca APFS. S programom Disk Utility ali ukazom 'diskutil list' poišči fizično particijo in poskusi znova.</entry>
    <entry lang="sl" key="FAVORITE_PIM_OR_KDF_CHANGED">Ta nosilec je registriran kot sistemski priljubljeni nosilec in njegove nastavitve PIM in/ali KDF so bile spremenjene.\nAli želiš, da VeraCrypt samodejno posodobi konfiguracijo sistemskega priljubljenega nosilca (potrebne so skrbniške pravice)?\n\nUpoštevaj, da boš moral sistemski priljubljeni nosilec posodobiti ročno, če odgovoriš z ne.</entry>
    <entry lang="sl" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">Izbrani KDF uporablja drugačne parametre PIM, zato VeraCrypt ne bo znova uporabil trenutnega PIM po meri. Nova glava nosilca bo uporabila privzeti PIM za izbrani KDF, razen če v razdelku »Novo« izbereš »Uporabi PIM« in vneseš vrednost po meri.\n\nAli želiš nadaljevati?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="tr" key="MACOSX_APFS_EROFS_HINT">macOS, seçilmiş aygıtı salt okunur olarak bildirdi. Bu bir APFS diskiyse, APFS sentezlenmiş birimi değil fiziksel APFS depolama bölümünü seçtiğinizden emin olun. Fiziksel bölümü belirlemek için Disk İzlencesi ya da 'diskutil list' komutunu kullanıp yeniden deneyin.</entry>
    <entry lang="tr" key="FAVORITE_PIM_OR_KDF_CHANGED">Bu birim, sistem sık kullanılan birimi olarak kayıtlı ve kişisel çevrim çarpanı (PIM) ve/veya KDF ayarları değiştirildi.\nVeraCrypt'in sistem sık kullanılan biriminin yapılandırmasını otomatik olarak güncellemesini ister misiniz (yönetici yetkileri gerekli)?\n\nHayır yanıtını verirseniz, sistem sık kullanılan birimini el ile güncellemeniz gerekeceğini unutmayın.</entry>
    <entry lang="tr" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">Seçilen KDF, farklı kişisel çevrim çarpanı (PIM) parametreleri kullandığından VeraCrypt geçerli özel PIM değerini yeniden kullanmayacak. 'Yeni' bölümünde 'Kişisel çevrim çarpanı (PIM) kullanılsın' seçeneğini seçip özel bir değer girmediğiniz sürece, yeni birim üst bilgisi seçilen KDF için varsayılan PIM değerini kullanacak.\n\nİlerlemek istiyor musunuz?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1686,6 +1686,7 @@
    <entry lang="zh-cn" key="MACOSX_APFS_EROFS_HINT">macOS 报告所选设备为只读。如果这是 APFS 磁盘，请确保您选择的是物理 APFS 存储分区，而不是 APFS 合成卷。请使用“磁盘工具”或 'diskutil list' 来识别物理分区，然后重试。</entry>
    <entry lang="zh-cn" key="FAVORITE_PIM_OR_KDF_CHANGED">此卷已注册为系统收藏加密卷，但其 PIM 和/或 KDF 设置已被更改。\n您希望 VeraCrypt 自动更新系统收藏加密卷配置吗（需要管理员权限）？\n\n请注意，如果您选择“否”，您将需要手动更新系统收藏加密卷配置。</entry>
    <entry lang="zh-cn" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">所选 KDF 使用了不同的 PIM 参数，因此 VeraCrypt 将不会重用当前的自定义 PIM。新的卷头将使用所选 KDF 的默认 PIM，除非您在“新密码”部分中勾选“调整 PIM”并输入一个自定义值。\n\n您确定要继续吗？</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -1685,6 +1685,7 @@
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">
@@ -73,7 +73,7 @@ Thus, when setting or entering your password, it's crucial to type it manually u
 <p>Note: By default, Windows 7 and later boot from a special small partition. The partition contains files that are required to boot the system. Windows allows only applications that have administrator privileges to write to the partition (when the system is
 running). In EFI boot mode, which is the default on modern PCs, VeraCrypt can not encrypt this partition since it must remain unencrypted so that the BIOS can load the EFI bootloader from it. This in turn implies that in EFI boot mode, VeraCrypt offers only to encrypt the system partition where Windows is installed (the user can later manually encrypt other data partitions using VeraCrypt).
 In MBR legacy boot mode, VeraCrypt encrypts the partition only if you choose to encrypt the whole system drive (as opposed to choosing to encrypt only the partition where Windows is installed).</p>
-<p>In EFI boot mode with Secure Boot enabled, VeraCrypt selects the installed Microsoft UEFI CA-signed bootloader set during install, repair, upgrade, or Windows PostOOBE repair. If you manually change firmware Secure Boot db entries, run VeraCrypt repair or reinstall to refresh the installed bootloader set.</p>
+<p>In EFI boot mode with Secure Boot enabled, VeraCrypt selects a Microsoft UEFI CA-signed bootloader set trusted by the active firmware Secure Boot db during install, repair, upgrade, or Windows PostOOBE repair. The 2023 VeraCrypt loader set requires both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, while the 2011 loader set requires Microsoft Corporation UEFI CA 2011. If the active db trusts neither supported set, VeraCrypt aborts instead of installing a loader that firmware will reject. If you manually change firmware Secure Boot db entries, run VeraCrypt repair or reinstall to refresh the installed bootloader set.</p>
 <p>&nbsp;</p>
 <p><a href="Hidden%20Operating%20System.html" style="text-align:left; color:#0080c0; text-decoration:none; font-weight:bold">Next Section &gt;&gt;</a></p>
 </div>
@@ -93,7 +93,7 @@ To boot a VeraCrypt Rescue Disk, insert it into a USB port or your CD/DVD drive
 configuration screen appears, restart (reset) the computer again and start pressing F2 or Delete repeatedly as soon as you restart (reset) the computer. When a BIOS configuration screen appears, configure your BIOS to boot from the USB drive and CD/DVD drive first (for
 information on how to do so, please refer to the documentation for your BIOS/motherboard or contact your computer vendor's technical support team for assistance). Then restart your computer. The VeraCrypt Rescue Disk screen should appear now. Note: In the
 case of MBR legacy boot mode, you can select 'Repair Options' on the VeraCrypt Rescue Disk screen by pressing F8 on your keyboard.</div>
-<p>In EFI boot mode with Secure Boot enabled, the VeraCrypt Rescue Disk uses the Microsoft UEFI CA-signed bootloader set selected from the computer's current Secure Boot db state when the Rescue Disk is created. If firmware or Secure Boot db entries are later changed, create a new VeraCrypt Rescue Disk. A Rescue Disk created on a computer that trusts only one Microsoft UEFI CA generation may not Secure-Boot on a different computer that trusts only the other generation.</p>
+<p>In EFI boot mode with Secure Boot enabled, the VeraCrypt Rescue Disk uses a Microsoft UEFI CA-signed bootloader set trusted by the computer's active Secure Boot db when the Rescue Disk is created. The 2023 VeraCrypt loader set requires both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, while the 2011 loader set requires Microsoft Corporation UEFI CA 2011. If firmware or Secure Boot db entries are later changed, create a new VeraCrypt Rescue Disk. A Rescue Disk created on a computer that trusts only one Microsoft UEFI CA generation may not Secure-Boot on a different computer that trusts only the other generation.</p>
 <p>Installed EFI bootloader files are refreshed only during VeraCrypt install, repair, upgrade, or Windows PostOOBE repair paths. If you manually change firmware Secure Boot db entries, run VeraCrypt repair or reinstall to refresh the installed bootloader set.</p>
 <p>If your VeraCrypt Rescue Disk is damaged, you can create a new one by selecting
 <em style="text-align:left">System</em> &gt; <em style="text-align:left">Create Rescue Disk</em>. To find out whether your VeraCrypt Rescue Disk is damaged, insert it into a USB port (or into your CD/DVD drive in case of MBR legacy boot mode) and select
@@ -2620,6 +2620,15 @@ namespace VeraCrypt
 		DWORD FirmwareDbError;
 	};

+	struct FirmwareDbMicrosoftUefiCaSupport
+	{
+		bool ContainsMicrosoftCorporationUefiCa2011;
+		bool ContainsMicrosoftUefiCa2023;
+		bool ContainsMicrosoftOptionRomUefiCa2023;
+		bool DbMalformed;
+		DWORD ParseError;
+	};
+
 	static const EfiBootLoaderResourceSet EfiBootLoaderResources2011 =
 	{
 		IDR_EFI_DCSBOOT_2011,
@@ -2801,9 +2810,9 @@ namespace VeraCrypt
 		SetLastError (previousLastError);
 	}

-	static void RecordEfiBootLoaderResourceSetSelection (const EfiBootLoaderImages& images)
+	static void RecordEfiBootLoaderResourceSetSelectionDiagnostics (DWORD resourceSet, const wchar_t *selectionReason, DWORD firmwareDbError)
 	{
-		if (!images.ResourceSet || !images.SelectionReason)
+		if (!selectionReason)
 			return;

 		DWORD previousLastError = GetLastError ();
@@ -2813,13 +2822,21 @@ namespace VeraCrypt
 		StringCchPrintfW (selectionTimeUtc, ARRAYSIZE (selectionTimeUtc), L"%04u-%02u-%02uT%02u:%02u:%02uZ",
 			systemTime.wYear, systemTime.wMonth, systemTime.wDay, systemTime.wHour, systemTime.wMinute, systemTime.wSecond);

-		WriteLocalMachineRegistryDword ((wchar_t *) EfiBootLoaderDiagnosticsRegistryKey, (wchar_t *) VC_EFI_BOOT_LOADER_RESOURCE_SET_VALUE_NAME, images.ResourceSet);
-		WriteLocalMachineRegistryDword ((wchar_t *) EfiBootLoaderDiagnosticsRegistryKey, L"EfiBootLoaderFirmwareDbLastError", images.FirmwareDbError);
-		WriteLocalMachineRegistryString (EfiBootLoaderDiagnosticsRegistryKey, L"EfiBootLoaderSelectionReason", images.SelectionReason, FALSE);
+		WriteLocalMachineRegistryDword ((wchar_t *) EfiBootLoaderDiagnosticsRegistryKey, (wchar_t *) VC_EFI_BOOT_LOADER_RESOURCE_SET_VALUE_NAME, resourceSet);
+		WriteLocalMachineRegistryDword ((wchar_t *) EfiBootLoaderDiagnosticsRegistryKey, L"EfiBootLoaderFirmwareDbLastError", firmwareDbError);
+		WriteLocalMachineRegistryString (EfiBootLoaderDiagnosticsRegistryKey, L"EfiBootLoaderSelectionReason", selectionReason, FALSE);
 		WriteLocalMachineRegistryString (EfiBootLoaderDiagnosticsRegistryKey, L"EfiBootLoaderSelectionTimeUtc", selectionTimeUtc, FALSE);
 		SetLastError (previousLastError);
 	}

+	static void RecordEfiBootLoaderResourceSetSelection (const EfiBootLoaderImages& images)
+	{
+		if (!images.ResourceSet || !images.SelectionReason)
+			return;
+
+		RecordEfiBootLoaderResourceSetSelectionDiagnostics (images.ResourceSet, images.SelectionReason, images.FirmwareDbError);
+	}
+
 	static uint32 ReadUint32LittleEndian (const uint8* buffer)
 	{
 		return (uint32) buffer[0]
@@ -2839,7 +2856,32 @@ namespace VeraCrypt
 		return (bufferSize == expectedSize) && BufferEquals (buffer, expected, expectedSize);
 	}

-	static bool FirmwareDbBufferContainsMicrosoft2023UefiCAs (const std::vector<uint8>& db)
+	static bool FirmwareDbMicrosoftUefiCaSupportContains2023Set (const FirmwareDbMicrosoftUefiCaSupport& support)
+	{
+		return support.ContainsMicrosoftUefiCa2023 && support.ContainsMicrosoftOptionRomUefiCa2023;
+	}
+
+	static bool FirmwareDbMicrosoftUefiCaSupportContainsSupportedSet (const FirmwareDbMicrosoftUefiCaSupport& support)
+	{
+		return support.ContainsMicrosoftCorporationUefiCa2011 || FirmwareDbMicrosoftUefiCaSupportContains2023Set (support);
+	}
+
+	static DWORD FirmwareDbMicrosoftUefiCaSupportGetDiagnosticError (const FirmwareDbMicrosoftUefiCaSupport& support)
+	{
+		return support.DbMalformed ? support.ParseError : ERROR_SUCCESS;
+	}
+
+	static bool FirmwareDbMicrosoftUefiCaSupportSetMalformed (FirmwareDbMicrosoftUefiCaSupport& support, DWORD parseError)
+	{
+		support.DbMalformed = true;
+		support.ParseError = parseError;
+		return FirmwareDbMicrosoftUefiCaSupportContainsSupportedSet (support);
+	}
+
+	// Returns true when the db is structurally valid, or when malformed data appears only
+	// after a complete VeraCrypt-supported Microsoft CA set has already been found. In the
+	// latter case support.DbMalformed remains set so selection diagnostics can report it.
+	static bool FirmwareDbBufferGetMicrosoftUefiCaSupport (const std::vector<uint8>& db, FirmwareDbMicrosoftUefiCaSupport& support)
 	{
 		// Microsoft documents these CAs as valid db entries in EFI_CERT_X509_GUID or EFI_CERT_RSA2048_GUID form:
 		// https://learn.microsoft.com/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance
@@ -2851,6 +2893,44 @@ namespace VeraCrypt

 		// X.509 entries are matched by embedded CA public-key modulus bytes; RSA2048 entries contain this modulus directly.
 		// This is a byte-presence heuristic for bootloader-set selection, not full certificate-chain validation.
+		// Microsoft Corporation UEFI CA 2011, SHA-1 thumbprint 46DEF63B5CE61CF8BA0DE2E6639C1019D0ED14F3.
+		// DER source: https://go.microsoft.com/fwlink/p/?linkid=321194, SHA-256 48E99B991F57FC52F76149599BFF0A58C47154229B9F8D603AC40D3500248507.
+		static const uint8 microsoftCorporationUefiCa2011Rsa2048Modulus[256] =
+		{
+			0xA5, 0x08, 0x6C, 0x4C, 0xC7, 0x45, 0x09, 0x6A,
+			0x4B, 0x0C, 0xA4, 0xC0, 0x87, 0x7F, 0x06, 0x75,
+			0x0C, 0x43, 0x01, 0x54, 0x64, 0xE0, 0x16, 0x7F,
+			0x07, 0xED, 0x92, 0x7D, 0x0B, 0xB2, 0x73, 0xBF,
+			0x0C, 0x0A, 0xC6, 0x4A, 0x45, 0x61, 0xA0, 0xC5,
+			0x16, 0x2D, 0x96, 0xD3, 0xF5, 0x2B, 0xA0, 0xFB,
+			0x4D, 0x49, 0x9B, 0x41, 0x80, 0x90, 0x3C, 0xB9,
+			0x54, 0xFD, 0xE6, 0xBC, 0xD1, 0x9D, 0xC4, 0xA4,
+			0x18, 0x8A, 0x7F, 0x41, 0x8A, 0x5C, 0x59, 0x83,
+			0x68, 0x32, 0xBB, 0x8C, 0x47, 0xC9, 0xEE, 0x71,
+			0xBC, 0x21, 0x4F, 0x9A, 0x8A, 0x7C, 0xFF, 0x44,
+			0x3F, 0x8D, 0x8F, 0x32, 0xB2, 0x26, 0x48, 0xAE,
+			0x75, 0xB5, 0xEE, 0xC9, 0x4C, 0x1E, 0x4A, 0x19,
+			0x7E, 0xE4, 0x82, 0x9A, 0x1D, 0x78, 0x77, 0x4D,
+			0x0C, 0xB0, 0xBD, 0xF6, 0x0F, 0xD3, 0x16, 0xD3,
+			0xBC, 0xFA, 0x2B, 0xA5, 0x51, 0x38, 0x5D, 0xF5,
+			0xFB, 0xBA, 0xDB, 0x78, 0x02, 0xDB, 0xFF, 0xEC,
+			0x0A, 0x1B, 0x96, 0xD5, 0x83, 0xB8, 0x19, 0x13,
+			0xE9, 0xB6, 0xC0, 0x7B, 0x40, 0x7B, 0xE1, 0x1F,
+			0x28, 0x27, 0xC9, 0xFA, 0xEF, 0x56, 0x5E, 0x1C,
+			0xE6, 0x7E, 0x94, 0x7E, 0xC0, 0xF0, 0x44, 0xB2,
+			0x79, 0x39, 0xE5, 0xDA, 0xB2, 0x62, 0x8B, 0x4D,
+			0xBF, 0x38, 0x70, 0xE2, 0x68, 0x24, 0x14, 0xC9,
+			0x33, 0xA4, 0x08, 0x37, 0xD5, 0x58, 0x69, 0x5E,
+			0xD3, 0x7C, 0xED, 0xC1, 0x04, 0x53, 0x08, 0xE7,
+			0x4E, 0xB0, 0x2A, 0x87, 0x63, 0x08, 0x61, 0x6F,
+			0x63, 0x15, 0x59, 0xEA, 0xB2, 0x2B, 0x79, 0xD7,
+			0x0C, 0x61, 0x67, 0x8A, 0x5B, 0xFD, 0x5E, 0xAD,
+			0x87, 0x7F, 0xBA, 0x86, 0x67, 0x4F, 0x71, 0x58,
+			0x12, 0x22, 0x04, 0x22, 0x22, 0xCE, 0x8B, 0xEF,
+			0x54, 0x71, 0x00, 0xCE, 0x50, 0x35, 0x58, 0x76,
+			0x95, 0x08, 0xEE, 0x6A, 0xB1, 0xA2, 0x01, 0xD5
+		};
+
 		// Microsoft UEFI CA 2023, SHA-1 thumbprint B5EEB4A6706048073F0ED296E7F580A790B59EAA.
 		// DER source: https://go.microsoft.com/fwlink/?linkid=2239872, SHA-256 F6124E34125BEE3FE6D79A574EAA7B91C0E7BD9D929C1A321178EFD611DAD901.
 		static const uint8 microsoftUefiCa2023Rsa2048Modulus[256] =
@@ -2929,14 +3009,13 @@ namespace VeraCrypt
 		const size_t efiGuidSize = 16;
 		const size_t efiSignatureListHeaderSize = efiGuidSize + sizeof (uint32) * 3;
 		const size_t efiSignatureOwnerSize = efiGuidSize;
-		bool bContainsMicrosoftUefiCa2023 = false;
-		bool bContainsMicrosoftOptionRomUefiCa2023 = false;
 		size_t offset = 0;
+		memset (&support, 0, sizeof (support));

 		while (offset < db.size ())
 		{
 			if (db.size () - offset < efiSignatureListHeaderSize)
-				return false;
+				return FirmwareDbMicrosoftUefiCaSupportSetMalformed (support, ERROR_INVALID_DATA);

 			const uint8* signatureList = &db[offset];
 			uint32 signatureListSize = ReadUint32LittleEndian (signatureList + efiGuidSize);
@@ -2946,7 +3025,7 @@ namespace VeraCrypt
 			if ((signatureListSize < efiSignatureListHeaderSize)
 				|| (signatureListSize > db.size () - offset)
 				|| (signatureHeaderSize > signatureListSize - efiSignatureListHeaderSize))
-				return false;
+				return FirmwareDbMicrosoftUefiCaSupportSetMalformed (support, ERROR_INVALID_DATA);

 			size_t signaturesOffset = offset + efiSignatureListHeaderSize + signatureHeaderSize;
 			size_t signaturesSize = signatureListSize - efiSignatureListHeaderSize - signatureHeaderSize;
@@ -2954,28 +3033,30 @@ namespace VeraCrypt
 			if (BufferEquals (signatureList, efiCertX509Guid, efiGuidSize))
 			{
 				if (signatureSize < efiSignatureOwnerSize)
-					return false;
+					return FirmwareDbMicrosoftUefiCaSupportSetMalformed (support, ERROR_INVALID_DATA);
 				if ((signaturesSize % signatureSize) != 0)
-					return false;
+					return FirmwareDbMicrosoftUefiCaSupportSetMalformed (support, ERROR_INVALID_DATA);

 				for (size_t signatureOffset = signaturesOffset; signatureOffset < offset + signatureListSize; signatureOffset += signatureSize)
 				{
 					const uint8* certificate = &db[signatureOffset + efiSignatureOwnerSize];
 					size_t certificateSize = signatureSize - efiSignatureOwnerSize;

-					if (!bContainsMicrosoftUefiCa2023
+					if (!support.ContainsMicrosoftCorporationUefiCa2011
+						&& BufferHasPattern (certificate, certificateSize, microsoftCorporationUefiCa2011Rsa2048Modulus, sizeof (microsoftCorporationUefiCa2011Rsa2048Modulus)))
+					{
+						support.ContainsMicrosoftCorporationUefiCa2011 = true;
+					}
+					else if (!support.ContainsMicrosoftUefiCa2023
 						&& BufferHasPattern (certificate, certificateSize, microsoftUefiCa2023Rsa2048Modulus, sizeof (microsoftUefiCa2023Rsa2048Modulus)))
 					{
-						bContainsMicrosoftUefiCa2023 = true;
+						support.ContainsMicrosoftUefiCa2023 = true;
 					}
-					else if (!bContainsMicrosoftOptionRomUefiCa2023
+					else if (!support.ContainsMicrosoftOptionRomUefiCa2023
 						&& BufferHasPattern (certificate, certificateSize, microsoftOptionRomUefiCa2023Rsa2048Modulus, sizeof (microsoftOptionRomUefiCa2023Rsa2048Modulus)))
 					{
-						bContainsMicrosoftOptionRomUefiCa2023 = true;
+						support.ContainsMicrosoftOptionRomUefiCa2023 = true;
 					}
-
-					if (bContainsMicrosoftUefiCa2023 && bContainsMicrosoftOptionRomUefiCa2023)
-						return true;
 				}
 			}
 			else if (BufferEquals (signatureList, efiCertRsa2048Guid, efiGuidSize))
@@ -2984,36 +3065,50 @@ namespace VeraCrypt
 					|| signatureSize != efiSignatureOwnerSize + efiRsa2048KeySize
 					|| (signaturesSize % signatureSize) != 0)
 				{
-					return false;
+					return FirmwareDbMicrosoftUefiCaSupportSetMalformed (support, ERROR_INVALID_DATA);
 				}

 				for (size_t signatureOffset = signaturesOffset; signatureOffset < offset + signatureListSize; signatureOffset += signatureSize)
 				{
 					const uint8* publicKey = &db[signatureOffset + efiSignatureOwnerSize];

-					if (!bContainsMicrosoftUefiCa2023
+					if (!support.ContainsMicrosoftCorporationUefiCa2011
+						&& BufferEquals (publicKey, efiRsa2048KeySize, microsoftCorporationUefiCa2011Rsa2048Modulus, sizeof (microsoftCorporationUefiCa2011Rsa2048Modulus)))
+					{
+						support.ContainsMicrosoftCorporationUefiCa2011 = true;
+					}
+					else if (!support.ContainsMicrosoftUefiCa2023
 						&& BufferEquals (publicKey, efiRsa2048KeySize, microsoftUefiCa2023Rsa2048Modulus, sizeof (microsoftUefiCa2023Rsa2048Modulus)))
 					{
-						bContainsMicrosoftUefiCa2023 = true;
+						support.ContainsMicrosoftUefiCa2023 = true;
 					}
-					else if (!bContainsMicrosoftOptionRomUefiCa2023
+					else if (!support.ContainsMicrosoftOptionRomUefiCa2023
 						&& BufferEquals (publicKey, efiRsa2048KeySize, microsoftOptionRomUefiCa2023Rsa2048Modulus, sizeof (microsoftOptionRomUefiCa2023Rsa2048Modulus)))
 					{
-						bContainsMicrosoftOptionRomUefiCa2023 = true;
+						support.ContainsMicrosoftOptionRomUefiCa2023 = true;
 					}
-
-					if (bContainsMicrosoftUefiCa2023 && bContainsMicrosoftOptionRomUefiCa2023)
-						return true;
 				}
 			}

 			offset += signatureListSize;
 		}

-		return false;
+		return true;
 	}

 #ifdef VC_EFI_BOOTLOADER_SELECTION_TEST
+	static bool FirmwareDbBufferContainsMicrosoft2023UefiCAs (const std::vector<uint8>& db)
+	{
+		FirmwareDbMicrosoftUefiCaSupport support;
+		return FirmwareDbBufferGetMicrosoftUefiCaSupport (db, support) && FirmwareDbMicrosoftUefiCaSupportContains2023Set (support);
+	}
+
+	static bool FirmwareDbBufferContainsMicrosoftCorporationUefiCa2011 (const std::vector<uint8>& db)
+	{
+		FirmwareDbMicrosoftUefiCaSupport support;
+		return FirmwareDbBufferGetMicrosoftUefiCaSupport (db, support) && support.ContainsMicrosoftCorporationUefiCa2011;
+	}
+
 	bool TestFirmwareDbBufferContainsMicrosoft2023UefiCAs (const uint8* db, size_t dbSize)
 	{
 		std::vector<uint8> firmwareDb;
@@ -3026,9 +3121,25 @@ namespace VeraCrypt

 		return FirmwareDbBufferContainsMicrosoft2023UefiCAs (firmwareDb);
 	}
+
+	// Feed a db captured from a machine that trusts Microsoft Corporation UEFI CA 2011
+	// (for example the output of PowerShell Get-SecureBootUEFI db) to validate detection
+	// of the 2011 modulus against real firmware data.
+	bool TestFirmwareDbBufferContainsMicrosoftCorporationUefiCa2011 (const uint8* db, size_t dbSize)
+	{
+		std::vector<uint8> firmwareDb;
+		if (dbSize != 0)
+		{
+			if (!db)
+				return false;
+			firmwareDb.assign (db, db + dbSize);
+		}
+
+		return FirmwareDbBufferContainsMicrosoftCorporationUefiCa2011 (firmwareDb);
+	}
 #endif

-	static bool TryFirmwareDbContainsMicrosoft2023UefiCAs (bool& bContainsMicrosoft2023UefiCAs)
+	static bool TryFirmwareDbGetMicrosoftUefiCaSupport (FirmwareDbMicrosoftUefiCaSupport& support)
 	{
 		std::vector<uint8> db;
 		DWORD dwError = ERROR_SUCCESS;
@@ -3038,7 +3149,12 @@ namespace VeraCrypt
 			return false;
 		}

-		bContainsMicrosoft2023UefiCAs = FirmwareDbBufferContainsMicrosoft2023UefiCAs (db);
+		if (!FirmwareDbBufferGetMicrosoftUefiCaSupport (db, support))
+		{
+			SetLastError (support.ParseError ? support.ParseError : ERROR_INVALID_DATA);
+			return false;
+		}
+
 		return true;
 	}

@@ -3063,27 +3179,67 @@ namespace VeraCrypt
 		return true;
 	}

+	static void ThrowUnsupportedEfiSecureBootDb (const wchar_t *reason, DWORD firmwareDbError)
+	{
+		RecordEfiBootLoaderResourceSetSelectionDiagnostics (0, reason, firmwareDbError);
+		throw ErrorException ("SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA", SRC_POS);
+	}
+
 	static EfiBootLoaderResourceSelection GetPreferredEfiBootLoaderResourceSet ()
 	{
 		// The current 2023 DCS set uses both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023:
 		// DcsInt.dcs and LegacySpeaker.dcs are signed through the Option ROM UEFI CA 2023 chain.
-		// If db cannot be read, keep the pre-2023 universal behavior and use the 2011 compatibility fallback.
-		bool bContainsMicrosoft2023UefiCAs = false;
-		if (TryFirmwareDbContainsMicrosoft2023UefiCAs (bContainsMicrosoft2023UefiCAs))
+		// If Secure Boot is enabled, only select a loader set whose signing CA is trusted by the active db.
+		FirmwareDbMicrosoftUefiCaSupport support;
+		if (TryFirmwareDbGetMicrosoftUefiCaSupport (support))
 		{
-			if (bContainsMicrosoft2023UefiCAs)
-				return MakeEfiBootLoaderResourceSelection (EfiBootLoaderResources2023, VC_EFI_BOOT_LOADER_RESOURCE_SET_2023, L"firmware db contains Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023", ERROR_SUCCESS);
+			DWORD firmwareDbError = FirmwareDbMicrosoftUefiCaSupportGetDiagnosticError (support);

-			return MakeEfiBootLoaderResourceSelection (EfiBootLoaderResources2011, VC_EFI_BOOT_LOADER_RESOURCE_SET_2011, L"firmware db does not contain both Microsoft 2023 UEFI CAs", ERROR_SUCCESS);
+			if (FirmwareDbMicrosoftUefiCaSupportContains2023Set (support))
+			{
+				return MakeEfiBootLoaderResourceSelection (
+					EfiBootLoaderResources2023,
+					VC_EFI_BOOT_LOADER_RESOURCE_SET_2023,
+					support.DbMalformed
+						? L"firmware db contains Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023 before malformed data"
+						: L"firmware db contains Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023",
+					firmwareDbError);
+			}
+
+			if (support.ContainsMicrosoftCorporationUefiCa2011)
+			{
+				return MakeEfiBootLoaderResourceSelection (
+					EfiBootLoaderResources2011,
+					VC_EFI_BOOT_LOADER_RESOURCE_SET_2011,
+					support.DbMalformed
+						? L"firmware db contains Microsoft Corporation UEFI CA 2011 before malformed data"
+						: L"firmware db contains Microsoft Corporation UEFI CA 2011",
+					firmwareDbError);
+			}
+
+			bool bSecureBootEnabled = false;
+			bool bSecureBootStateKnown = TryFirmwareSecureBootEnabled (bSecureBootEnabled);
+			DWORD secureBootLastError = bSecureBootStateKnown ? ERROR_SUCCESS : GetLastError ();
+			if (bSecureBootStateKnown && !bSecureBootEnabled)
+				return MakeEfiBootLoaderResourceSelection (EfiBootLoaderResources2011, VC_EFI_BOOT_LOADER_RESOURCE_SET_2011, L"Secure Boot is disabled and firmware db does not contain a supported Microsoft UEFI CA; using 2011 compatibility fallback", ERROR_SUCCESS);
+
+			if (!bSecureBootStateKnown && IsFirmwareDbUnavailableError (secureBootLastError))
+				return MakeEfiBootLoaderResourceSelection (EfiBootLoaderResources2011, VC_EFI_BOOT_LOADER_RESOURCE_SET_2011, L"Secure Boot is unavailable and firmware db does not contain a supported Microsoft UEFI CA; using 2011 compatibility fallback", ERROR_SUCCESS);
+
+			if (bSecureBootStateKnown)
+				ThrowUnsupportedEfiSecureBootDb (L"Secure Boot is enabled but firmware db does not contain Microsoft Corporation UEFI CA 2011 or the Microsoft 2023 UEFI CA pair required by VeraCrypt", ERROR_SUCCESS);
+
+			ThrowUnsupportedEfiSecureBootDb (L"firmware db does not contain a supported Microsoft UEFI CA and Secure Boot state could not be read; refusing to select an unsupported EFI bootloader signing CA", secureBootLastError);
 		}

 		DWORD dwError = GetLastError ();
-		if (IsFirmwareDbUnavailableError (dwError))
-			return MakeEfiBootLoaderResourceSelection (EfiBootLoaderResources2011, VC_EFI_BOOT_LOADER_RESOURCE_SET_2011, L"firmware db is unavailable; using 2011 compatibility fallback", dwError);
-
 		bool bSecureBootEnabled = false;
-		if (TryFirmwareSecureBootEnabled (bSecureBootEnabled) && !bSecureBootEnabled)
+		bool bSecureBootStateKnown = TryFirmwareSecureBootEnabled (bSecureBootEnabled);
+		DWORD secureBootLastError = bSecureBootStateKnown ? ERROR_SUCCESS : GetLastError ();
+		if (bSecureBootStateKnown && !bSecureBootEnabled)
 			return MakeEfiBootLoaderResourceSelection (EfiBootLoaderResources2011, VC_EFI_BOOT_LOADER_RESOURCE_SET_2011, L"Secure Boot is disabled and firmware db could not be read; using 2011 compatibility fallback", dwError);
+		if (!bSecureBootStateKnown && IsFirmwareDbUnavailableError (secureBootLastError))
+			return MakeEfiBootLoaderResourceSelection (EfiBootLoaderResources2011, VC_EFI_BOOT_LOADER_RESOURCE_SET_2011, L"Secure Boot is unavailable and firmware db could not be read; using 2011 compatibility fallback", dwError);
 #ifndef SETUP
 		if (!IsAdmin () && IsUacSupported ())
 		{
@@ -3099,7 +3255,13 @@ namespace VeraCrypt
 		}
 #endif

-		return MakeEfiBootLoaderResourceSelection (EfiBootLoaderResources2011, VC_EFI_BOOT_LOADER_RESOURCE_SET_2011, L"firmware db could not be read; using 2011 compatibility fallback", dwError);
+		if (bSecureBootStateKnown && bSecureBootEnabled)
+			ThrowUnsupportedEfiSecureBootDb (L"Secure Boot is enabled but firmware db could not be read; refusing to select an unsupported EFI bootloader signing CA", dwError);
+
+		if (!bSecureBootStateKnown && !IsFirmwareDbUnavailableError (secureBootLastError))
+			ThrowUnsupportedEfiSecureBootDb (L"firmware db and Secure Boot state could not be read; refusing to select an unsupported EFI bootloader signing CA", dwError);
+
+		ThrowUnsupportedEfiSecureBootDb (L"firmware db could not be read; refusing to select an unsupported EFI bootloader signing CA", dwError);
 	}

 	static void ThrowMissingEfiResource (const wchar_t* resourceName, bool rescueDisk)
@@ -5971,14 +6133,54 @@ namespace VeraCrypt
 			throw SystemException (SRC_POS);
 		}

-		bool bContainsMicrosoft2023UefiCAs = false;
-		if (!TryFirmwareDbContainsMicrosoft2023UefiCAs (bContainsMicrosoft2023UefiCAs))
+		FirmwareDbMicrosoftUefiCaSupport support;
+		if (!TryFirmwareDbGetMicrosoftUefiCaSupport (support))
+		{
+			DWORD dwError = GetLastError ();
+			bool bSecureBootEnabled = false;
+			bool bSecureBootStateKnown = TryFirmwareSecureBootEnabled (bSecureBootEnabled);
+			DWORD secureBootLastError = bSecureBootStateKnown ? ERROR_SUCCESS : GetLastError ();
+			if (bSecureBootStateKnown && bSecureBootEnabled)
+				ThrowUnsupportedEfiSecureBootDb (L"Secure Boot is enabled but firmware db could not be read; refusing to select an unsupported EFI bootloader signing CA", dwError);
+
+			if (!bSecureBootStateKnown && !IsFirmwareDbUnavailableError (secureBootLastError))
+				ThrowUnsupportedEfiSecureBootDb (L"firmware db and Secure Boot state could not be read; refusing to select an unsupported EFI bootloader signing CA", dwError);
+
+			*pMicrosoft2023UefiCAsSupported = FALSE;
+			return;
+		}
+
+		if (FirmwareDbMicrosoftUefiCaSupportContains2023Set (support))
+		{
+			*pMicrosoft2023UefiCAsSupported = TRUE;
+			return;
+		}
+
+		if (support.ContainsMicrosoftCorporationUefiCa2011)
 		{
 			*pMicrosoft2023UefiCAsSupported = FALSE;
 			return;
 		}

-		*pMicrosoft2023UefiCAsSupported = bContainsMicrosoft2023UefiCAs ? TRUE : FALSE;
+		bool bSecureBootEnabled = false;
+		bool bSecureBootStateKnown = TryFirmwareSecureBootEnabled (bSecureBootEnabled);
+		DWORD secureBootLastError = bSecureBootStateKnown ? ERROR_SUCCESS : GetLastError ();
+		if (bSecureBootStateKnown && !bSecureBootEnabled)
+		{
+			*pMicrosoft2023UefiCAsSupported = FALSE;
+			return;
+		}
+
+		if (!bSecureBootStateKnown && IsFirmwareDbUnavailableError (secureBootLastError))
+		{
+			*pMicrosoft2023UefiCAsSupported = FALSE;
+			return;
+		}
+
+		if (bSecureBootStateKnown)
+			ThrowUnsupportedEfiSecureBootDb (L"Secure Boot is enabled but firmware db does not contain Microsoft Corporation UEFI CA 2011 or the Microsoft 2023 UEFI CA pair required by VeraCrypt", ERROR_SUCCESS);
+
+		ThrowUnsupportedEfiSecureBootDb (L"firmware db does not contain a supported Microsoft UEFI CA and Secure Boot state could not be read; refusing to select an unsupported EFI bootloader signing CA", secureBootLastError);
 	}

 #ifndef SETUP
@@ -29,6 +29,7 @@ namespace VeraCrypt
 {
 #ifdef VC_EFI_BOOTLOADER_SELECTION_TEST
 	bool TestFirmwareDbBufferContainsMicrosoft2023UefiCAs (const uint8* db, size_t dbSize);
+	bool TestFirmwareDbBufferContainsMicrosoftCorporationUefiCa2011 (const uint8* db, size_t dbSize);
 #endif

 	class File
@@ -1685,6 +1685,7 @@
    <entry lang="en" key="MACOSX_APFS_EROFS_HINT">macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry.</entry>
    <entry lang="en" key="FAVORITE_PIM_OR_KDF_CHANGED">This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually.</entry>
    <entry lang="en" key="PIM_RESET_ON_KDF_CHANGE_CONFIRM">The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?</entry>
+    <entry lang="en" key="SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA">Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.</entry>
  </localization>
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:element name="VeraCrypt">