From 8bfe53b20fef10e7dacc037346a4800998487bba Mon Sep 17 00:00:00 2001 
From: Mounir IDRASSI Date: Tue, 16 Jun 2026 21:53:27 +0900 Subject: [PATCH] Windows: prevent unsupported EFI Secure Boot fallback Detect whether the active firmware Secure Boot db trusts the Microsoft Corporation UEFI CA 2011 before selecting the 2011-signed EFI loader set. Abort with a clear diagnostic when Secure Boot is enabled but neither the 2011 CA nor the required 2023 CA pair is trusted, and document the CA requirements. Preserve positive CA detection when malformed db data appears only after a supported Microsoft CA set has already been found, while recording the parse error in diagnostics. Refs #1778. --- Translations/Language.ar.xml | 1 + Translations/Language.be.xml | 1 + Translations/Language.bg.xml | 1 + Translations/Language.ca.xml | 1 + Translations/Language.co.xml | 1 + Translations/Language.cs.xml | 1 + Translations/Language.da.xml | 1 + Translations/Language.de.xml | 1 + Translations/Language.el.xml | 1 + Translations/Language.es.xml | 1 + Translations/Language.et.xml | 1 + Translations/Language.eu.xml | 1 + Translations/Language.fa.xml | 1 + Translations/Language.fi.xml | 1 + Translations/Language.fr.xml | 1 + Translations/Language.he.xml | 1 + Translations/Language.hu.xml | 1 + Translations/Language.id.xml | 1 + Translations/Language.it.xml | 1 + Translations/Language.ja.xml | 1 + Translations/Language.ka.xml | 1 + Translations/Language.ko.xml | 1 + Translations/Language.lv.xml | 1 + Translations/Language.my.xml | 1 + Translations/Language.nb.xml | 1 + Translations/Language.nl.xml | 1 + Translations/Language.nn.xml | 1 + Translations/Language.pl.xml | 1 + Translations/Language.pt-br.xml | 1 + Translations/Language.ro.xml | 1 + Translations/Language.ru.xml | 1 + Translations/Language.sk.xml | 1 + Translations/Language.sl.xml | 1 + Translations/Language.sv.xml | 1 + Translations/Language.th.xml | 1 + Translations/Language.tr.xml | 1 + Translations/Language.uk.xml | 1 + Translations/Language.uz.xml | 1 + Translations/Language.vi.xml | 1 + 
Translations/Language.zh-cn.xml | 1 + Translations/Language.zh-hk.xml | 1 + Translations/Language.zh-tw.xml | 1 + doc/html/en/System Encryption.html | 2 +- doc/html/en/VeraCrypt Rescue Disk.html | 2 +- src/Common/BootEncryption.cpp | 290 +++++++++++++++++++++---- src/Common/BootEncryption.h | 1 + src/Common/Language.xml | 1 + 47 files changed, 292 insertions(+), 46 deletions(-)
diff --git a/Translations/Language.ar.xml b/Translations/Language.ar.xml
index a09fa94f..e83c8558 100644
--- a/Translations/Language.ar.xml
+++ b/Translations/Language.ar.xml
@@ -1685,6 +1685,7 @@ macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry. This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually. The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?
+ Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.
diff --git a/Translations/Language.be.xml b/Translations/Language.be.xml
index 7043acde..01c2f3da 100644
--- a/Translations/Language.be.xml
+++ b/Translations/Language.be.xml
@@ -1685,6 +1685,7 @@ macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry. This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually. The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?
+ Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.
diff --git a/Translations/Language.bg.xml b/Translations/Language.bg.xml
index 7003359c..aa1df606 100644
--- a/Translations/Language.bg.xml
+++ b/Translations/Language.bg.xml
@@ -1685,6 +1685,7 @@ macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry. This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually. The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?
+ Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.
diff --git a/Translations/Language.ca.xml b/Translations/Language.ca.xml
index 44cdd535..d9a9227a 100644
--- a/Translations/Language.ca.xml
+++ b/Translations/Language.ca.xml
@@ -1685,6 +1685,7 @@ macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry. This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually. The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?
+ Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.
diff --git a/Translations/Language.co.xml b/Translations/Language.co.xml
index 5bf6213f..d72364c1 100644
--- a/Translations/Language.co.xml
+++ b/Translations/Language.co.xml
@@ -1707,6 +1707,7 @@ Information about Corsican localization: macOS hà signalatu l’apparechju selezziunatu cum’è essendu in lettura sola. S’ellu hè un discu APFS, assicuratevi chì ghjè a partizione d’allucamentu APFS fisica chì hè selezziunata, è micca un vulume APFS sintetizatu. Impiegate l’attrezzu di discu o « diskutil list » per identificà a partizione fisica eppò pruvate torna. Stu vulume hè arregistratu cum’è un favuritu di u sistema è u so PIM è/o i so parametri KDF sò stati cambiati.\nVulete chì VeraCrypt mudificheghji autumaticamente a cunfigurazione di i favuriti di u sistema (i privileghji d’amministratore sò richiesti) ?\n\nSappiate chì, s’è vò rispundite nò, tuccherà à voi di fallu manualmente. U KDF selezziunatu impiegheghja parametri PIM sfarenti, dunque VeraCrypt ùn rimpiegherà micca u PIM persunalizatu attuale. A nova intestatura di u vulume impiegherà u PIM predefinitu per u KDF selezziunatu fora s’è vo selezziunate « Impiegà un PIM » in a sezzione « Novu » è s’è vo stampittate un valore persunalizatu.\n\nVulete cuntinuà ?
+ Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.
diff --git a/Translations/Language.cs.xml b/Translations/Language.cs.xml
index 0121254e..e2a57165 100644
--- a/Translations/Language.cs.xml
+++ b/Translations/Language.cs.xml
@@ -1685,6 +1685,7 @@ macOS oznámil, že vybrané zařízení je pouze pro čtení. Jde-li o disk APFS, ujistěte se, že jste vybrali fyzický diskový oddíl úložiště APFS, nikoli syntetizovaný svazek APFS. Pomocí Diskové utility nebo příkazu 'diskutil list' určete fyzický diskový oddíl a zkuste to znovu. Tento svazek je zaregistrován jako systémový oblíbený svazek a jeho nastavení PIM a/nebo KDF byla změněna.\nChcete, aby VeraCrypt automaticky aktualizoval konfiguraci systémového oblíbeného svazku (jsou vyžadována oprávnění správce)?\n\nMějte prosím na paměti, že pokud odpovíte ne, budete muset systémový oblíbený svazek aktualizovat ručně. Vybraný KDF používá jiné parametry PIM, takže VeraCrypt nepoužije aktuální vlastní PIM. Nová hlavička svazku použije výchozí PIM pro vybraný KDF, pokud v sekci „Nové” nezvolíte „Použít PIM” a nezadáte vlastní hodnotu.\n\nChcete pokračovat?
+ Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.
diff --git a/Translations/Language.da.xml b/Translations/Language.da.xml
index 4c1e2bed..91b92010 100644
--- a/Translations/Language.da.xml
+++ b/Translations/Language.da.xml
@@ -1685,6 +1685,7 @@ macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry. This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually. The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?
+ Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.
diff --git a/Translations/Language.de.xml b/Translations/Language.de.xml
index 656c2af4..d6588fc3 100644
--- a/Translations/Language.de.xml
+++ b/Translations/Language.de.xml
@@ -1688,6 +1688,7 @@ macOS hat das ausgewählte Gerät als schreibgeschützt gemeldet. Handelt es sich um eine APFS-Festplatte, stellen Sie sicher, dass Sie die physische APFS-Speicherpartition ausgewählt haben und nicht ein synthetisches APFS-Volume. Identifizieren Sie die physische Partition mit dem Festplatten-Dienstprogramm oder dem Befehl „diskutil list“ und versuchen Sie es dann erneut. Dieses Volume ist als Systemfavorit registriert und seine PIM- und/oder KDF-Einstellungen wurden geändert.\nMöchten Sie, dass VeraCrypt die Konfiguration des Systemfavoriten automatisch aktualisiert (Administratorrechte erforderlich)?\n\nBitte beachten Sie: Wenn Sie mit „Nein“ antworten, müssen Sie den Systemfavoriten manuell aktualisieren. Die ausgewählte KDF verwendet andere PIM-Parameter, daher wird VeraCrypt den derzeitigen benutzerdefinierten PIM nicht wiederverwenden. Die neuen Volume-Kopfdaten verwenden den Standard-PIM für die ausgewählte KDF, es sei denn, Sie wählen im Abschnitt „Neu“ die Option „PIM verwenden“ aus und geben einen benutzerdefinierten Wert ein.\n\nMöchten Sie fortfahren?
+ Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.
diff --git a/Translations/Language.el.xml b/Translations/Language.el.xml
index 3dd5739d..1f810cdf 100644
--- a/Translations/Language.el.xml
+++ b/Translations/Language.el.xml
@@ -1685,6 +1685,7 @@ macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry. This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually. The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?
+ Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.
diff --git a/Translations/Language.es.xml b/Translations/Language.es.xml
index 3995c1bb..1d3d1f43 100644
--- a/Translations/Language.es.xml
+++ b/Translations/Language.es.xml
@@ -1685,6 +1685,7 @@ macOS informó que el dispositivo seleccionado es de sólo lectura. Si se trata de un disco APFS, asegúrese de haber seleccionado la partición física de almacenamiento APFS, no un volumen APFS sintetizado. Use la Utilidad de Discos o 'diskutil list' para identificar la partición física y luego reinténtelo. Este volumen está registrado como volumen favorito del sistema y se ha modificado su configuración de PIM y/o KDF.\n¿Desea que VeraCrypt actualice automáticamente la configuración del volumen favorito del sistema (se requieren privilegios de administrador)?\n\nTenga en cuenta que si responde No, tendrá que actualizar manualmente el volumen favorito del sistema. El KDF seleccionado usa parámetros de PIM diferentes, por lo que VeraCrypt no reutilizará el PIM personalizado actual. La nueva cabecera del volumen usará el PIM predeterminado para el KDF seleccionado a menos que seleccione "Usar PIM" en la sección "Nueva" e introduzca un valor personalizado.\n\n¿Desea continuar?
+ Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.
diff --git a/Translations/Language.et.xml b/Translations/Language.et.xml
index e3e679ec..6d52dc82 100644
--- a/Translations/Language.et.xml
+++ b/Translations/Language.et.xml
@@ -1685,6 +1685,7 @@ macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry. This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually. The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?
+ Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.
diff --git a/Translations/Language.eu.xml b/Translations/Language.eu.xml
index 254c9eea..4d38e3ae 100644
--- a/Translations/Language.eu.xml
+++ b/Translations/Language.eu.xml
@@ -1685,6 +1685,7 @@ macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry. This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually. The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?
+ Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.
diff --git a/Translations/Language.fa.xml b/Translations/Language.fa.xml
index 00ea80ad..0702e714 100644
--- a/Translations/Language.fa.xml
+++ b/Translations/Language.fa.xml
@@ -1685,6 +1685,7 @@ macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry. This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually. The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?
+ Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.
diff --git a/Translations/Language.fi.xml b/Translations/Language.fi.xml
index 5f2f8e12..cb85d024 100644
--- a/Translations/Language.fi.xml
+++ b/Translations/Language.fi.xml
@@ -1685,6 +1685,7 @@ macOS ilmoitti valitun laitteen olevan vain luku -tilassa. Jos kyseessä on APFS-levy, varmista, että valitsit fyysisen APFS-tallennusosion etkä APFS:n syntetisoitua taltiota. Käytä Levytyökalua tai komentoa 'diskutil list' fyysisen osion tunnistamiseen ja yritä sitten uudelleen. Tämä taltio on rekisteröity järjestelmän suosikkitaltioksi ja sen PIM- ja/tai KDF-asetukset on muutettu.\nHaluatko, että VeraCrypt päivittää järjestelmän suosikkitaltion kokoonpanon automaattisesti (vaatii järjestelmänvalvojan oikeudet)?\n\nHuomaa, että jos vastaat ei, sinun on päivitettävä järjestelmän suosikkitaltio manuaalisesti. Valittu KDF käyttää eri PIM-parametreja, joten VeraCrypt ei käytä uudelleen nykyistä mukautettua PIM-arvoa. Uusi taltion otsikko käyttää valitun KDF:n oletus-PIM-arvoa, ellet valitse Uusi-osiossa vaihtoehtoa "Käytä PIM" ja syötä mukautettua arvoa.\n\nHaluatko jatkaa?
+ Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.
diff --git a/Translations/Language.fr.xml b/Translations/Language.fr.xml
index a98fdd68..d51fbbaf 100644
--- a/Translations/Language.fr.xml
+++ b/Translations/Language.fr.xml
@@ -1685,6 +1685,7 @@ macOS a signalé que le périphérique sélectionné est en lecture seule. S’il s’agit d’un disque APFS, assurez-vous d’avoir sélectionné la partition physique de stockage APFS et non un volume APFS synthétisé. Utilisez l’Utilitaire de disque ou 'diskutil list' pour identifier la partition physique, puis réessayez. Ce volume est enregistré comme favori système et ses paramètres PIM et/ou KDF ont été modifiés.\nVoulez-vous que VeraCrypt mette automatiquement à jour la configuration du favori système (privilèges administrateur requis) ?\n\nVeuillez noter que si vous répondez « Non », vous devrez mettre à jour le favori système manuellement. Le KDF sélectionné utilise des paramètres PIM différents, VeraCrypt ne réutilisera donc pas le PIM personnalisé actuel. Le nouvel en-tête du volume utilisera le PIM par défaut du KDF sélectionné, sauf si vous sélectionnez « Saisir un PIM » dans la section « Nouveau » et saisissez une valeur personnalisée.\n\nVoulez-vous continuer ?
+ Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.
diff --git a/Translations/Language.he.xml b/Translations/Language.he.xml
index e7c6a201..358c8f83 100644
--- a/Translations/Language.he.xml
+++ b/Translations/Language.he.xml
@@ -1685,6 +1685,7 @@ macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry. This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually. The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?
+ Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.
diff --git a/Translations/Language.hu.xml b/Translations/Language.hu.xml
index 3258edb6..9f129ce0 100644
--- a/Translations/Language.hu.xml
+++ b/Translations/Language.hu.xml
@@ -1685,6 +1685,7 @@ macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry. This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually. The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?
+ Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.
diff --git a/Translations/Language.id.xml b/Translations/Language.id.xml
index e8f43522..bce28b8c 100644
--- a/Translations/Language.id.xml
+++ b/Translations/Language.id.xml
@@ -1685,6 +1685,7 @@ macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry. This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually. The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?
+ Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.
diff --git a/Translations/Language.it.xml b/Translations/Language.it.xml
index 8c217c8a..5c0d6ffa 100644
--- a/Translations/Language.it.xml
+++ b/Translations/Language.it.xml
@@ -1685,6 +1685,7 @@ macOS ha segnalato il dispositivo selezionato come di sola lettura. Se questo è un disco APFS, assicurati di aver selezionato la partizione dello store fisico APFS, non un volume APFS sintetizzato. Usa Utility Disco o 'diskutil list' per identificare la partizione fisica, quindi riprova. Questo volume è registrato come volume preferito di sistema e le sue impostazioni PIM e/o KDF sono state modificate.\nVuoi che VeraCrypt aggiorni automaticamente la configurazione del volume preferito di sistema (sono richiesti privilegi di amministratore)?\n\nNota che se rispondi No, dovrai aggiornare manualmente il volume preferito di sistema. Il KDF selezionato usa parametri PIM diversi, quindi VeraCrypt non riutilizzerà il PIM personalizzato attuale. La nuova intestazione del volume userà il PIM predefinito per il KDF selezionato, a meno che tu non selezioni "Usa PIM" nella sezione "Nuovo" e inserisca un valore personalizzato.\n\nVuoi continuare?
+ Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.
diff --git a/Translations/Language.ja.xml b/Translations/Language.ja.xml
index 3a8e9d80..cb8abd03 100644
--- a/Translations/Language.ja.xml
+++ b/Translations/Language.ja.xml
@@ -1685,6 +1685,7 @@ macOS は、選択されたデバイスを読み取り専用として報告しました。これが APFS ディスクの場合は、APFS 合成ボリュームではなく物理 APFS ストアパーティションを選択していることを確認してください。ディスクユーティリティまたは 'diskutil list' を使用して物理パーティションを確認してから、再試行してください。 このボリュームはシステムお気に入りボリュームとして登録されており、PIM および/または KDF の設定が変更されています。\nVeraCrypt がシステムお気に入りボリュームの設定を自動的に更新しても良いですか(管理者権限が必要です)?\n\nいいえを選択した場合は、システムお気に入りボリュームを手動で更新する必要があります。 選択した KDF は異なる PIM パラメータを使用するため、VeraCrypt は現在のカスタム PIM を再利用しません。新しいボリュームヘッダーは、「新規」セクションで「PIMを使用する」を選択してカスタム値を入力しない限り、選択した KDF のデフォルトの PIM を使用します。\n\n続行しますか?
+ Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.
diff --git a/Translations/Language.ka.xml b/Translations/Language.ka.xml
index a535b0d9..302f495c 100644
--- a/Translations/Language.ka.xml
+++ b/Translations/Language.ka.xml
@@ -1685,6 +1685,7 @@ macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry. This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually. The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue?
+ Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.
diff --git a/Translations/Language.ko.xml b/Translations/Language.ko.xml
index b771ddf5..c8f4ccbe 100644
--- a/Translations/Language.ko.xml
+++ b/Translations/Language.ko.xml
@@ -1685,6 +1685,7 @@ macOS에서 선택한 장치를 읽기 전용으로 보고했습니다. APFS 디스크인 경우 APFS 합성 볼륨이 아니라 물리적 APFS 저장소 파티션을 선택했는지 확인하세요. 디스크 유틸리티 또는 'diskutil list'를 사용하여 물리적 파티션을 식별한 다음 다시 시도하세요. 이 볼륨은 시스템 즐겨찾기로 등록되어 있으며 PIM 및/또는 KDF 설정이 변경되었습니다.\nVeraCrypt가 시스템 즐겨찾기 설정을 자동으로 업데이트하도록 하시겠습니까(관리자 권한 필요)?\n\n아니요를 선택하면 시스템 즐겨찾기를 수동으로 업데이트해야 합니다. 선택한 KDF는 다른 PIM 매개변수를 사용하므로 VeraCrypt는 현재 사용자 지정 PIM을 재사용하지 않습니다. 새 볼륨 헤더는 '신규' 섹션에서 'PIM 사용하기'를 선택하고 사용자 지정 값을 입력하지 않는 한, 선택한 KDF의 기본 PIM을 사용합니다.\n\n계속하시겠습니까?
+ Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.
diff --git a/Translations/Language.lv.xml b/Translations/Language.lv.xml
index da9f6148..4f7c1704 100644
--- a/Translations/Language.lv.xml
+++ b/Translations/Language.lv.xml
@@ -1685,6 +1685,7 @@ macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry. This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually. The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue? + Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot. diff --git a/Translations/Language.my.xml b/Translations/Language.my.xml index 3d3bb285..ab80ad75 100644 --- a/Translations/Language.my.xml +++ b/Translations/Language.my.xml 
@@ -1687,6 +1687,7 @@ macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry. This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually. The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue? + Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot. diff --git a/Translations/Language.nb.xml b/Translations/Language.nb.xml index 4c2df51f..3e650128 100644 --- a/Translations/Language.nb.xml +++ b/Translations/Language.nb.xml 
@@ -1685,6 +1685,7 @@ macOS rapporterte den valgte enheten som skrivebeskyttet. Hvis dette er en APFS-disk, må du forsikre deg om at du har valgt den fysiske APFS-lagringspartisjonen, ikke et syntetisert APFS-volum. Bruk Diskverktøy eller «diskutil list» for å identifisere den fysiske partisjonen, og prøv på nytt. Dette volumet er registrert som en systemfavoritt, og PIM- og/eller KDF-innstillingene ble endret.\nVil du at VeraCrypt automatisk skal oppdatere systemfavorittkonfigurasjonen (administratorrettigheter kreves)?\n\nMerk at hvis du svarer nei, må du oppdatere systemfavoritten manuelt. Den valgte KDF-en bruker andre PIM-parametere, så VeraCrypt vil ikke gjenbruke den gjeldende egendefinerte PIM-en. Det nye volumhodet vil bruke standard-PIM for den valgte KDF-en med mindre du velger "Bruk PIM" i Ny-seksjonen og angir en egendefinert verdi.\n\nVil du fortsette? + Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot. diff --git a/Translations/Language.nl.xml b/Translations/Language.nl.xml index cde23834..c2b38871 100644 --- a/Translations/Language.nl.xml +++ b/Translations/Language.nl.xml 
@@ -1685,6 +1685,7 @@ macOS geeft aan dat het geselecteerde apparaat alleen-lezen is. Als dit een APFS-schijf is, controleer dan of u de fysieke APFS-opslagpartitie hebt geselecteerd en niet een gesynthetiseerd APFS-volume. Gebruik Schijfhulpprogramma of 'diskutil list' om de fysieke partitie te identificeren en probeer het vervolgens opnieuw. This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually. The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue? + Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot. diff --git a/Translations/Language.nn.xml b/Translations/Language.nn.xml index e92679c8..b25ff5de 100644 --- a/Translations/Language.nn.xml +++ b/Translations/Language.nn.xml 
@@ -1685,6 +1685,7 @@ macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry. This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually. The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue? + Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot. diff --git a/Translations/Language.pl.xml b/Translations/Language.pl.xml index b3302782..ea18797a 100644 --- a/Translations/Language.pl.xml +++ b/Translations/Language.pl.xml 
@@ -1685,6 +1685,7 @@ System macOS zgłosił wybrane urządzenie jako tylko do odczytu. Jeśli jest to dysk APFS, upewnij się, że wybrano fizyczną partycję magazynu APFS, a nie wolumen syntezowany przez APFS. Użyj narzędzia dyskowego lub polecenia „diskutil list”, aby zidentyfikować partycję fizyczną, a następnie spróbuj ponownie. Ten wolumen jest zarejestrowany jako ulubiony wolumen systemu, a jego ustawienia PIM i/lub KDF zostały zmienione.\nCzy chcesz, aby VeraCrypt automatycznie zaktualizował konfigurację ulubionego wolumenu systemu (wymagane są uprawnienia administratora)?\n\nPamiętaj, że jeśli wybierzesz „Nie”, musisz ręcznie zaktualizować ulubiony wolumen systemu. Wybrany algorytm KDF używa innych parametrów PIM, więc VeraCrypt nie użyje ponownie bieżącego, niestandardowego PIM. Nowy nagłówek wolumenu będzie używał domyślnego PIM dla wybranego algorytmu KDF, chyba że wybierzesz „Użyj PIM” w sekcji „Nowe” i wpiszesz niestandardową wartość.\n\nCzy chcesz kontynuować? + Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot. diff --git a/Translations/Language.pt-br.xml b/Translations/Language.pt-br.xml index 504dfe33..a931a5ba 100644 --- a/Translations/Language.pt-br.xml +++ b/Translations/Language.pt-br.xml 
@@ -1685,6 +1685,7 @@ O macOS informou que o dispositivo selecionado é somente leitura. Se for um disco APFS, certifique-se de ter selecionado a partição física de armazenamento APFS, não um volume APFS sintetizado. Use o Utilitário de Disco ou 'diskutil list' para identificar a partição física e tente novamente. Este volume está registrado como volume favorito do sistema e suas configurações de PIM e/ou KDF foram alteradas.\nDeseja que o VeraCrypt atualize automaticamente a configuração do volume favorito do sistema (privilégios de administrador necessários)?\n\nObserve que, se você responder Não, terá que atualizar manualmente o volume favorito do sistema. O KDF selecionado usa parâmetros de PIM diferentes, portanto, o VeraCrypt não reutilizará o PIM personalizado atual. O novo cabeçalho do volume usará o PIM padrão para o KDF selecionado, a menos que você selecione "Usar PIM" na seção "Novo" e insira um valor personalizado.\n\nDeseja continuar? + Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot. diff --git a/Translations/Language.ro.xml b/Translations/Language.ro.xml index 97528d07..14ea4b74 100644 --- a/Translations/Language.ro.xml +++ b/Translations/Language.ro.xml 
@@ -1685,6 +1685,7 @@ macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry. This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually. The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue? + Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot. diff --git a/Translations/Language.ru.xml b/Translations/Language.ru.xml index 5a2130be..8f3ff6f1 100644 --- a/Translations/Language.ru.xml +++ b/Translations/Language.ru.xml 
@@ -1685,6 +1685,7 @@ macOS сообщает, что выбранное устройство доступно только для чтения. Если это диск с файловой системой APFS, убедитесь, что вы выбрали физический раздел хранилища APFS, а не синтезированный том APFS. Используйте дисковую утилиту или 'diskutil list', чтобы определить физический раздел, затем повторите попытку. This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually. The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue? + Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot. diff --git a/Translations/Language.sk.xml b/Translations/Language.sk.xml index 7d9fda44..47ae3ae4 100644 --- a/Translations/Language.sk.xml +++ b/Translations/Language.sk.xml 
@@ -1685,6 +1685,7 @@ macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry. This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually. The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue? + Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot. diff --git a/Translations/Language.sl.xml b/Translations/Language.sl.xml index 8a7702c1..c051726e 100644 --- a/Translations/Language.sl.xml +++ b/Translations/Language.sl.xml 
@@ -1685,6 +1685,7 @@ macOS je poročal, da je izbrana naprava samo za branje. Če je to disk APFS, se prepričaj, da si izbral fizično particijo shrambe APFS, ne sintetiziranega nosilca APFS. S programom Disk Utility ali ukazom 'diskutil list' poišči fizično particijo in poskusi znova. Ta nosilec je registriran kot sistemski priljubljeni nosilec in njegove nastavitve PIM in/ali KDF so bile spremenjene.\nAli želiš, da VeraCrypt samodejno posodobi konfiguracijo sistemskega priljubljenega nosilca (potrebne so skrbniške pravice)?\n\nUpoštevaj, da boš moral sistemski priljubljeni nosilec posodobiti ročno, če odgovoriš z ne. Izbrani KDF uporablja drugačne parametre PIM, zato VeraCrypt ne bo znova uporabil trenutnega PIM po meri. Nova glava nosilca bo uporabila privzeti PIM za izbrani KDF, razen če v razdelku »Novo« izbereš »Uporabi PIM« in vneseš vrednost po meri.\n\nAli želiš nadaljevati? + Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot. diff --git a/Translations/Language.sv.xml b/Translations/Language.sv.xml index f6889167..0c67c24d 100644 --- a/Translations/Language.sv.xml +++ b/Translations/Language.sv.xml 
@@ -1685,6 +1685,7 @@ macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry. This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually. The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue? + Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot. diff --git a/Translations/Language.th.xml b/Translations/Language.th.xml index 1bf5145d..8e4b650d 100644 --- a/Translations/Language.th.xml +++ b/Translations/Language.th.xml 
@@ -1685,6 +1685,7 @@ macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry. This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually. The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue? + Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot. diff --git a/Translations/Language.tr.xml b/Translations/Language.tr.xml index 4e0ed980..06f4cf68 100644 --- a/Translations/Language.tr.xml +++ b/Translations/Language.tr.xml 
@@ -1685,6 +1685,7 @@ macOS, seçilmiş aygıtı salt okunur olarak bildirdi. Bu bir APFS diskiyse, APFS sentezlenmiş birimi değil fiziksel APFS depolama bölümünü seçtiğinizden emin olun. Fiziksel bölümü belirlemek için Disk İzlencesi ya da 'diskutil list' komutunu kullanıp yeniden deneyin. Bu birim, sistem sık kullanılan birimi olarak kayıtlı ve kişisel çevrim çarpanı (PIM) ve/veya KDF ayarları değiştirildi.\nVeraCrypt'in sistem sık kullanılan biriminin yapılandırmasını otomatik olarak güncellemesini ister misiniz (yönetici yetkileri gerekli)?\n\nHayır yanıtını verirseniz, sistem sık kullanılan birimini el ile güncellemeniz gerekeceğini unutmayın. Seçilen KDF, farklı kişisel çevrim çarpanı (PIM) parametreleri kullandığından VeraCrypt geçerli özel PIM değerini yeniden kullanmayacak. 'Yeni' bölümünde 'Kişisel çevrim çarpanı (PIM) kullanılsın' seçeneğini seçip özel bir değer girmediğiniz sürece, yeni birim üst bilgisi seçilen KDF için varsayılan PIM değerini kullanacak.\n\nİlerlemek istiyor musunuz? + Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot. diff --git a/Translations/Language.uk.xml b/Translations/Language.uk.xml index dc3f72fe..9c3bf7c4 100644 --- a/Translations/Language.uk.xml +++ b/Translations/Language.uk.xml 
@@ -1685,6 +1685,7 @@ macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry. This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually. The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue? + Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot. diff --git a/Translations/Language.uz.xml b/Translations/Language.uz.xml index d385c189..a469ba29 100644 --- a/Translations/Language.uz.xml +++ b/Translations/Language.uz.xml 
@@ -1685,6 +1685,7 @@ macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry. This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually. The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue? + Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot. diff --git a/Translations/Language.vi.xml b/Translations/Language.vi.xml index b9398e0d..8539bb01 100644 --- a/Translations/Language.vi.xml +++ b/Translations/Language.vi.xml 
@@ -1685,6 +1685,7 @@ macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry. This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually. The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue? + Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot. diff --git a/Translations/Language.zh-cn.xml b/Translations/Language.zh-cn.xml index b4b17bc7..28893060 100644 --- a/Translations/Language.zh-cn.xml +++ b/Translations/Language.zh-cn.xml 
@@ -1686,6 +1686,7 @@ macOS 报告所选设备为只读。如果这是 APFS 磁盘,请确保您选择的是物理 APFS 存储分区,而不是 APFS 合成卷。请使用“磁盘工具”或 'diskutil list' 来识别物理分区,然后重试。 此卷已注册为系统收藏加密卷,但其 PIM 和/或 KDF 设置已被更改。\n您希望 VeraCrypt 自动更新系统收藏加密卷配置吗(需要管理员权限)?\n\n请注意,如果您选择“否”,您将需要手动更新系统收藏加密卷配置。 所选 KDF 使用了不同的 PIM 参数,因此 VeraCrypt 将不会重用当前的自定义 PIM。新的卷头将使用所选 KDF 的默认 PIM,除非您在“新密码”部分中勾选“调整 PIM”并输入一个自定义值。\n\n您确定要继续吗? + Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot. diff --git a/Translations/Language.zh-hk.xml b/Translations/Language.zh-hk.xml index 5128debc..903ae4d7 100644 --- a/Translations/Language.zh-hk.xml +++ b/Translations/Language.zh-hk.xml 
@@ -1685,6 +1685,7 @@ macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry. This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually. The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue? + Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot. diff --git a/Translations/Language.zh-tw.xml b/Translations/Language.zh-tw.xml index 172de5b5..990f1375 100644 --- a/Translations/Language.zh-tw.xml +++ b/Translations/Language.zh-tw.xml 
@@ -1685,6 +1685,7 @@ macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry. This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually. The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue? + Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot. diff --git a/doc/html/en/System Encryption.html b/doc/html/en/System Encryption.html index e13b7d81..1865422b 100644 --- a/doc/html/en/System Encryption.html +++ b/doc/html/en/System Encryption.html @@ -73,7 +73,7 @@ Thus, when setting or entering your password, it's crucial to type it manually u

Note: By default, Windows 7 and later boot from a special small partition. The partition contains files that are required to boot the system. Windows allows only applications that have administrator privileges to write to the partition (when the system is running). In EFI boot mode, which is the default on modern PCs, VeraCrypt can not encrypt this partition since it must remain unencrypted so that the BIOS can load the EFI bootloader from it. This in turn implies that in EFI boot mode, VeraCrypt offers only to encrypt the system partition where Windows is installed (the user can later manually encrypt other data partitions using VeraCrypt). In MBR legacy boot mode, VeraCrypt encrypts the partition only if you choose to encrypt the whole system drive (as opposed to choosing to encrypt only the partition where Windows is installed).

-

In EFI boot mode with Secure Boot enabled, VeraCrypt selects the installed Microsoft UEFI CA-signed bootloader set during install, repair, upgrade, or Windows PostOOBE repair. If you manually change firmware Secure Boot db entries, run VeraCrypt repair or reinstall to refresh the installed bootloader set.

+

In EFI boot mode with Secure Boot enabled, VeraCrypt selects a Microsoft UEFI CA-signed bootloader set trusted by the active firmware Secure Boot db during install, repair, upgrade, or Windows PostOOBE repair. The 2023 VeraCrypt loader set requires both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, while the 2011 loader set requires Microsoft Corporation UEFI CA 2011. If the active db trusts neither supported set, VeraCrypt aborts instead of installing a loader that firmware will reject. If you manually change firmware Secure Boot db entries, run VeraCrypt repair or reinstall to refresh the installed bootloader set.

 

Next Section >>

diff --git a/doc/html/en/VeraCrypt Rescue Disk.html b/doc/html/en/VeraCrypt Rescue Disk.html index 86ad5d9c..55627f75 100644 --- a/doc/html/en/VeraCrypt Rescue Disk.html +++ b/doc/html/en/VeraCrypt Rescue Disk.html @@ -93,7 +93,7 @@ To boot a VeraCrypt Rescue Disk, insert it into a USB port or your CD/DVD drive configuration screen appears, restart (reset) the computer again and start pressing F2 or Delete repeatedly as soon as you restart (reset) the computer. When a BIOS configuration screen appears, configure your BIOS to boot from the USB drive and CD/DVD drive first (for information on how to do so, please refer to the documentation for your BIOS/motherboard or contact your computer vendor's technical support team for assistance). Then restart your computer. The VeraCrypt Rescue Disk screen should appear now. Note: In the case of MBR legacy boot mode, you can select 'Repair Options' on the VeraCrypt Rescue Disk screen by pressing F8 on your keyboard. -

In EFI boot mode with Secure Boot enabled, the VeraCrypt Rescue Disk uses the Microsoft UEFI CA-signed bootloader set selected from the computer's current Secure Boot db state when the Rescue Disk is created. If firmware or Secure Boot db entries are later changed, create a new VeraCrypt Rescue Disk. A Rescue Disk created on a computer that trusts only one Microsoft UEFI CA generation may not Secure-Boot on a different computer that trusts only the other generation.

+

In EFI boot mode with Secure Boot enabled, the VeraCrypt Rescue Disk uses a Microsoft UEFI CA-signed bootloader set trusted by the computer's active Secure Boot db when the Rescue Disk is created. The 2023 VeraCrypt loader set requires both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, while the 2011 loader set requires Microsoft Corporation UEFI CA 2011. If firmware or Secure Boot db entries are later changed, create a new VeraCrypt Rescue Disk. A Rescue Disk created on a computer that trusts only one Microsoft UEFI CA generation may not Secure-Boot on a different computer that trusts only the other generation.

Installed EFI bootloader files are refreshed only during VeraCrypt install, repair, upgrade, or Windows PostOOBE repair paths. If you manually change firmware Secure Boot db entries, run VeraCrypt repair or reinstall to refresh the installed bootloader set.

If your VeraCrypt Rescue Disk is damaged, you can create a new one by selecting System > Create Rescue Disk. To find out whether your VeraCrypt Rescue Disk is damaged, insert it into a USB port (or into your CD/DVD drive in case of MBR legacy boot mode) and select
diff --git a/src/Common/BootEncryption.cpp b/src/Common/BootEncryption.cpp
index aa91b999..03899414 100644
--- a/src/Common/BootEncryption.cpp
+++ b/src/Common/BootEncryption.cpp
@@ -2620,6 +2620,15 @@ namespace VeraCrypt
 DWORD FirmwareDbError;
 };
 
+ struct FirmwareDbMicrosoftUefiCaSupport
+ {
+ bool ContainsMicrosoftCorporationUefiCa2011;
+ bool ContainsMicrosoftUefiCa2023;
+ bool ContainsMicrosoftOptionRomUefiCa2023;
+ bool DbMalformed;
+ DWORD ParseError;
+ };
+
 static const EfiBootLoaderResourceSet EfiBootLoaderResources2011 =
 {
 IDR_EFI_DCSBOOT_2011,
@@ -2801,9 +2810,9 @@ namespace VeraCrypt
 SetLastError (previousLastError);
 }
 
- static void RecordEfiBootLoaderResourceSetSelection (const EfiBootLoaderImages& images)
+ static void RecordEfiBootLoaderResourceSetSelectionDiagnostics (DWORD resourceSet, const wchar_t *selectionReason, DWORD firmwareDbError)
 {
- if (!images.ResourceSet || !images.SelectionReason)
+ if (!selectionReason)
 return;
 
 DWORD previousLastError = GetLastError ();
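Review bot: `FirmwareDbMicrosoftUefiCaSupport` is a plain aggregate with no default member initializers, yet it is filled through an out-parameter (`FirmwareDbBufferGetMicrosoftUefiCaSupport (..., FirmwareDbMicrosoftUefiCaSupport& support)`) and its `Contains*` flags are read back by `FirmwareDbMicrosoftUefiCaSupportSetMalformed` / `...ContainsSupportedSet`. Unless every caller writes `FirmwareDbMicrosoftUefiCaSupport support = {};`, or the getter zeroes the struct before scanning (its body lies outside the visible hunks, so I cannot confirm either), a stale `ContainsMicrosoftCorporationUefiCa2011 == true` would turn a malformed or empty db into a positive CA match, which is the failure direction this patch is trying to close. In-class initializers remove the dependency on the caller: `bool ContainsMicrosoftCorporationUefiCa2011 = false;` (likewise for the other three flags) and `DWORD ParseError = ERROR_SUCCESS;`. The neighbouring `EfiBootLoaderImages` does not use them either, so if that is a deliberate compiler-baseline convention, at least document on the struct that callers must zero-initialize it.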
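Review bot: `RecordEfiBootLoaderResourceSetSelectionDiagnostics` drops the `!images.ResourceSet` half of the old guard, so a `resourceSet` of 0 can now be persisted to `VC_EFI_BOOT_LOADER_RESOURCE_SET_VALUE_NAME`, which the previous code never did. That is presumably intentional so the new Secure Boot abort path can still leave a diagnostic record, but any reader of that registry value (not visible here) may have relied on it being non-zero, and nothing at the definition states the new contract. A one-line comment above the signature would pin it: `// resourceSet may be 0 when no supported loader set could be selected; only selectionReason is mandatory.` The function body continues past the end of the hunk.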
@@ -2813,13 +2822,21 @@ namespace VeraCrypt StringCchPrintfW (selectionTimeUtc, ARRAYSIZE (selectionTimeUtc), L"%04u-%02u-%02uT%02u:%02u:%02uZ", systemTime.wYear, systemTime.wMonth, systemTime.wDay, systemTime.wHour, systemTime.wMinute, systemTime.wSecond); - WriteLocalMachineRegistryDword ((wchar_t *) EfiBootLoaderDiagnosticsRegistryKey, (wchar_t *) VC_EFI_BOOT_LOADER_RESOURCE_SET_VALUE_NAME, images.ResourceSet); - WriteLocalMachineRegistryDword ((wchar_t *) EfiBootLoaderDiagnosticsRegistryKey, L"EfiBootLoaderFirmwareDbLastError", images.FirmwareDbError); - WriteLocalMachineRegistryString (EfiBootLoaderDiagnosticsRegistryKey, L"EfiBootLoaderSelectionReason", images.SelectionReason, FALSE); + WriteLocalMachineRegistryDword ((wchar_t *) EfiBootLoaderDiagnosticsRegistryKey, (wchar_t *) VC_EFI_BOOT_LOADER_RESOURCE_SET_VALUE_NAME, resourceSet); + WriteLocalMachineRegistryDword ((wchar_t *) EfiBootLoaderDiagnosticsRegistryKey, L"EfiBootLoaderFirmwareDbLastError", firmwareDbError); + WriteLocalMachineRegistryString (EfiBootLoaderDiagnosticsRegistryKey, L"EfiBootLoaderSelectionReason", selectionReason, FALSE); WriteLocalMachineRegistryString (EfiBootLoaderDiagnosticsRegistryKey, L"EfiBootLoaderSelectionTimeUtc", selectionTimeUtc, FALSE); SetLastError (previousLastError); } + static void RecordEfiBootLoaderResourceSetSelection (const EfiBootLoaderImages& images) + { + if (!images.ResourceSet || !images.SelectionReason) + return; + + RecordEfiBootLoaderResourceSetSelectionDiagnostics (images.ResourceSet, images.SelectionReason, images.FirmwareDbError); + } + static uint32 ReadUint32LittleEndian (const uint8* buffer) { return (uint32) buffer[0] 
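Review bot: RecordEfiBootLoaderResourceSetSelectionDiagnostics now accepts resourceSet 0 (only selectionReason is guarded), while the RecordEfiBootLoaderResourceSetSelection wrapper keeps the non-zero check, and nothing documents that 0 is the marker the abort path writes. Suggest a comment on the new function: `// resourceSet 0 records an aborted selection (see ThrowUnsupportedEfiSecureBootDb); the wrapper below keeps the non-zero guard for successful selections.` The registry write results are still ignored and the previous last error is restored, so a caller without rights to that key presumably records nothing; stating that in the same comment keeps a missing value from being read as proof that selection never ran.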
@@ -2839,7 +2856,32 @@ namespace VeraCrypt return (bufferSize == expectedSize) && BufferEquals (buffer, expected, expectedSize); } - static bool FirmwareDbBufferContainsMicrosoft2023UefiCAs (const std::vector& db) + static bool FirmwareDbMicrosoftUefiCaSupportContains2023Set (const FirmwareDbMicrosoftUefiCaSupport& support) + { + return support.ContainsMicrosoftUefiCa2023 && support.ContainsMicrosoftOptionRomUefiCa2023; + } + + static bool FirmwareDbMicrosoftUefiCaSupportContainsSupportedSet (const FirmwareDbMicrosoftUefiCaSupport& support) + { + return support.ContainsMicrosoftCorporationUefiCa2011 || FirmwareDbMicrosoftUefiCaSupportContains2023Set (support); + } + + static DWORD FirmwareDbMicrosoftUefiCaSupportGetDiagnosticError (const FirmwareDbMicrosoftUefiCaSupport& support) + { + return support.DbMalformed ? support.ParseError : ERROR_SUCCESS; + } + + static bool FirmwareDbMicrosoftUefiCaSupportSetMalformed (FirmwareDbMicrosoftUefiCaSupport& support, DWORD parseError) + { + support.DbMalformed = true; + support.ParseError = parseError; + return FirmwareDbMicrosoftUefiCaSupportContainsSupportedSet (support); + } + + // Returns true when the db is structurally valid, or when malformed data appears only + // after a complete VeraCrypt-supported Microsoft CA set has already been found. In the + // latter case support.DbMalformed remains set so selection diagnostics can report it. + static bool FirmwareDbBufferGetMicrosoftUefiCaSupport (const std::vector& db, FirmwareDbMicrosoftUefiCaSupport& support) { // Microsoft documents these CAs as valid db entries in EFI_CERT_X509_GUID or EFI_CERT_RSA2048_GUID form: // https://learn.microsoft.com/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance 
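Review bot: FirmwareDbMicrosoftUefiCaSupportSetMalformed returns whether a supported CA set was already found, but its name reads as a plain setter, and the parser uses `return FirmwareDbMicrosoftUefiCaSupportSetMalformed (...)` at every validation failure, so the "usable despite trailing garbage" policy is only implicit. I would add above it: `// Marks the db malformed and returns whether parsing may still be reported as usable: true only if a complete VeraCrypt-supported CA set preceded the bad list. Lists after the bad one are never examined, so a 2023 pair that follows corrupted data is not detected even when the 2011 CA was found earlier.` The header comment on FirmwareDbBufferGetMicrosoftUefiCaSupport states the first half of that but not the second, and the second is what decides which loader set a partially corrupted db selects.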
@@ -2851,6 +2893,44 @@ namespace VeraCrypt // X.509 entries are matched by embedded CA public-key modulus bytes; RSA2048 entries contain this modulus directly. // This is a byte-presence heuristic for bootloader-set selection, not full certificate-chain validation. + // Microsoft Corporation UEFI CA 2011, SHA-1 thumbprint 46DEF63B5CE61CF8BA0DE2E6639C1019D0ED14F3. + // DER source: https://go.microsoft.com/fwlink/p/?linkid=321194, SHA-256 48E99B991F57FC52F76149599BFF0A58C47154229B9F8D603AC40D3500248507. + static const uint8 microsoftCorporationUefiCa2011Rsa2048Modulus[256] = + { + 0xA5, 0x08, 0x6C, 0x4C, 0xC7, 0x45, 0x09, 0x6A, + 0x4B, 0x0C, 0xA4, 0xC0, 0x87, 0x7F, 0x06, 0x75, + 0x0C, 0x43, 0x01, 0x54, 0x64, 0xE0, 0x16, 0x7F, + 0x07, 0xED, 0x92, 0x7D, 0x0B, 0xB2, 0x73, 0xBF, + 0x0C, 0x0A, 0xC6, 0x4A, 0x45, 0x61, 0xA0, 0xC5, + 0x16, 0x2D, 0x96, 0xD3, 0xF5, 0x2B, 0xA0, 0xFB, + 0x4D, 0x49, 0x9B, 0x41, 0x80, 0x90, 0x3C, 0xB9, + 0x54, 0xFD, 0xE6, 0xBC, 0xD1, 0x9D, 0xC4, 0xA4, + 0x18, 0x8A, 0x7F, 0x41, 0x8A, 0x5C, 0x59, 0x83, + 0x68, 0x32, 0xBB, 0x8C, 0x47, 0xC9, 0xEE, 0x71, + 0xBC, 0x21, 0x4F, 0x9A, 0x8A, 0x7C, 0xFF, 0x44, + 0x3F, 0x8D, 0x8F, 0x32, 0xB2, 0x26, 0x48, 0xAE, + 0x75, 0xB5, 0xEE, 0xC9, 0x4C, 0x1E, 0x4A, 0x19, + 0x7E, 0xE4, 0x82, 0x9A, 0x1D, 0x78, 0x77, 0x4D, + 0x0C, 0xB0, 0xBD, 0xF6, 0x0F, 0xD3, 0x16, 0xD3, + 0xBC, 0xFA, 0x2B, 0xA5, 0x51, 0x38, 0x5D, 0xF5, + 0xFB, 0xBA, 0xDB, 0x78, 0x02, 0xDB, 0xFF, 0xEC, + 0x0A, 0x1B, 0x96, 0xD5, 0x83, 0xB8, 0x19, 0x13, + 0xE9, 0xB6, 0xC0, 0x7B, 0x40, 0x7B, 0xE1, 0x1F, + 0x28, 0x27, 0xC9, 0xFA, 0xEF, 0x56, 0x5E, 0x1C, + 0xE6, 0x7E, 0x94, 0x7E, 0xC0, 0xF0, 0x44, 0xB2, + 0x79, 0x39, 0xE5, 0xDA, 0xB2, 0x62, 0x8B, 0x4D, + 0xBF, 0x38, 0x70, 0xE2, 0x68, 0x24, 0x14, 0xC9, + 0x33, 0xA4, 0x08, 0x37, 0xD5, 0x58, 0x69, 0x5E, + 0xD3, 0x7C, 0xED, 0xC1, 0x04, 0x53, 0x08, 0xE7, + 0x4E, 0xB0, 0x2A, 0x87, 0x63, 0x08, 0x61, 0x6F, + 0x63, 0x15, 0x59, 0xEA, 0xB2, 0x2B, 0x79, 0xD7, + 0x0C, 0x61, 0x67, 0x8A, 0x5B, 0xFD, 0x5E, 0xAD, + 0x87, 0x7F, 
0xBA, 0x86, 0x67, 0x4F, 0x71, 0x58, + 0x12, 0x22, 0x04, 0x22, 0x22, 0xCE, 0x8B, 0xEF, + 0x54, 0x71, 0x00, 0xCE, 0x50, 0x35, 0x58, 0x76, + 0x95, 0x08, 0xEE, 0x6A, 0xB1, 0xA2, 0x01, 0xD5 + }; + // Microsoft UEFI CA 2023, SHA-1 thumbprint B5EEB4A6706048073F0ED296E7F580A790B59EAA. // DER source: https://go.microsoft.com/fwlink/?linkid=2239872, SHA-256 F6124E34125BEE3FE6D79A574EAA7B91C0E7BD9D929C1A321178EFD611DAD901. static const uint8 microsoftUefiCa2023Rsa2048Modulus[256] = @@ -2929,14 +3009,13 @@ namespace VeraCrypt const size_t efiGuidSize = 16; const size_t efiSignatureListHeaderSize = efiGuidSize + sizeof (uint32) * 3; const size_t efiSignatureOwnerSize = efiGuidSize; - bool bContainsMicrosoftUefiCa2023 = false; - bool bContainsMicrosoftOptionRomUefiCa2023 = false; size_t offset = 0; + memset (&support, 0, sizeof (support)); while (offset < db.size ()) { if (db.size () - offset < efiSignatureListHeaderSize) - return false; + return FirmwareDbMicrosoftUefiCaSupportSetMalformed (support, ERROR_INVALID_DATA); const uint8* signatureList = &db[offset]; uint32 signatureListSize = ReadUint32LittleEndian (signatureList + efiGuidSize); @@ -2946,7 +3025,7 @@ namespace VeraCrypt if ((signatureListSize < efiSignatureListHeaderSize) || (signatureListSize > db.size () - offset) || (signatureHeaderSize > signatureListSize - efiSignatureListHeaderSize)) - return false; + return FirmwareDbMicrosoftUefiCaSupportSetMalformed (support, ERROR_INVALID_DATA); size_t signaturesOffset = offset + efiSignatureListHeaderSize + signatureHeaderSize; size_t signaturesSize = signatureListSize - efiSignatureListHeaderSize - signatureHeaderSize; 
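Review bot: The 256-byte 2011 modulus cannot be checked by reading the diff, and the comment gives only the thumbprint and DER SHA-256, not how the bytes were produced. Suggest extending the comment with the derivation so a reviewer can reproduce it from the pinned DER, e.g. `// Modulus extracted with: openssl x509 -inform der -in <2011 CA DER> -noout -modulus`. The test export added later in this diff only accepts a captured db, so a small fixture built from that DER (an EFI_CERT_X509_GUID list wrapping it) would let CI pin these bytes instead of relying on a developer's machine.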
@@ -2954,28 +3033,30 @@ namespace VeraCrypt if (BufferEquals (signatureList, efiCertX509Guid, efiGuidSize)) { if (signatureSize < efiSignatureOwnerSize) - return false; + return FirmwareDbMicrosoftUefiCaSupportSetMalformed (support, ERROR_INVALID_DATA); if ((signaturesSize % signatureSize) != 0) - return false; + return FirmwareDbMicrosoftUefiCaSupportSetMalformed (support, ERROR_INVALID_DATA); for (size_t signatureOffset = signaturesOffset; signatureOffset < offset + signatureListSize; signatureOffset += signatureSize) { const uint8* certificate = &db[signatureOffset + efiSignatureOwnerSize]; size_t certificateSize = signatureSize - efiSignatureOwnerSize; - if (!bContainsMicrosoftUefiCa2023 + if (!support.ContainsMicrosoftCorporationUefiCa2011 + && BufferHasPattern (certificate, certificateSize, microsoftCorporationUefiCa2011Rsa2048Modulus, sizeof (microsoftCorporationUefiCa2011Rsa2048Modulus))) + { + support.ContainsMicrosoftCorporationUefiCa2011 = true; + } + else if (!support.ContainsMicrosoftUefiCa2023 && BufferHasPattern (certificate, certificateSize, microsoftUefiCa2023Rsa2048Modulus, sizeof (microsoftUefiCa2023Rsa2048Modulus))) { - bContainsMicrosoftUefiCa2023 = true; + support.ContainsMicrosoftUefiCa2023 = true; } - else if (!bContainsMicrosoftOptionRomUefiCa2023 + else if (!support.ContainsMicrosoftOptionRomUefiCa2023 && BufferHasPattern (certificate, certificateSize, microsoftOptionRomUefiCa2023Rsa2048Modulus, sizeof (microsoftOptionRomUefiCa2023Rsa2048Modulus))) { - bContainsMicrosoftOptionRomUefiCa2023 = true; + support.ContainsMicrosoftOptionRomUefiCa2023 = true; } - - if (bContainsMicrosoftUefiCa2023 && bContainsMicrosoftOptionRomUefiCa2023) - return true; } } else if (BufferEquals (signatureList, efiCertRsa2048Guid, efiGuidSize)) 
@@ -2984,36 +3065,50 @@ namespace VeraCrypt || signatureSize != efiSignatureOwnerSize + efiRsa2048KeySize || (signaturesSize % signatureSize) != 0) { - return false; + return FirmwareDbMicrosoftUefiCaSupportSetMalformed (support, ERROR_INVALID_DATA); } for (size_t signatureOffset = signaturesOffset; signatureOffset < offset + signatureListSize; signatureOffset += signatureSize) { const uint8* publicKey = &db[signatureOffset + efiSignatureOwnerSize]; - if (!bContainsMicrosoftUefiCa2023 + if (!support.ContainsMicrosoftCorporationUefiCa2011 + && BufferEquals (publicKey, efiRsa2048KeySize, microsoftCorporationUefiCa2011Rsa2048Modulus, sizeof (microsoftCorporationUefiCa2011Rsa2048Modulus))) + { + support.ContainsMicrosoftCorporationUefiCa2011 = true; + } + else if (!support.ContainsMicrosoftUefiCa2023 && BufferEquals (publicKey, efiRsa2048KeySize, microsoftUefiCa2023Rsa2048Modulus, sizeof (microsoftUefiCa2023Rsa2048Modulus))) { - bContainsMicrosoftUefiCa2023 = true; + support.ContainsMicrosoftUefiCa2023 = true; } - else if (!bContainsMicrosoftOptionRomUefiCa2023 + else if (!support.ContainsMicrosoftOptionRomUefiCa2023 && BufferEquals (publicKey, efiRsa2048KeySize, microsoftOptionRomUefiCa2023Rsa2048Modulus, sizeof (microsoftOptionRomUefiCa2023Rsa2048Modulus))) { - bContainsMicrosoftOptionRomUefiCa2023 = true; + support.ContainsMicrosoftOptionRomUefiCa2023 = true; } - - if (bContainsMicrosoftUefiCa2023 && bContainsMicrosoftOptionRomUefiCa2023) - return true; } } offset += signatureListSize; } - return false; + return true; } #ifdef VC_EFI_BOOTLOADER_SELECTION_TEST + static bool FirmwareDbBufferContainsMicrosoft2023UefiCAs (const std::vector& db) + { + FirmwareDbMicrosoftUefiCaSupport support; + return FirmwareDbBufferGetMicrosoftUefiCaSupport (db, support) && FirmwareDbMicrosoftUefiCaSupportContains2023Set (support); + } + + static bool FirmwareDbBufferContainsMicrosoftCorporationUefiCa2011 (const std::vector& db) + { + FirmwareDbMicrosoftUefiCaSupport support; + return 
FirmwareDbBufferGetMicrosoftUefiCaSupport (db, support) && support.ContainsMicrosoftCorporationUefiCa2011; + } + bool TestFirmwareDbBufferContainsMicrosoft2023UefiCAs (const uint8* db, size_t dbSize) { std::vector firmwareDb; @@ -3026,9 +3121,25 @@ namespace VeraCrypt return FirmwareDbBufferContainsMicrosoft2023UefiCAs (firmwareDb); } + + // Feed a db captured from a machine that trusts Microsoft Corporation UEFI CA 2011 + // (for example the output of PowerShell Get-SecureBootUEFI db) to validate detection + // of the 2011 modulus against real firmware data. + bool TestFirmwareDbBufferContainsMicrosoftCorporationUefiCa2011 (const uint8* db, size_t dbSize) + { + std::vector firmwareDb; + if (dbSize != 0) + { + if (!db) + return false; + firmwareDb.assign (db, db + dbSize); + } + + return FirmwareDbBufferContainsMicrosoftCorporationUefiCa2011 (firmwareDb); + } #endif - static bool TryFirmwareDbContainsMicrosoft2023UefiCAs (bool& bContainsMicrosoft2023UefiCAs) + static bool TryFirmwareDbGetMicrosoftUefiCaSupport (FirmwareDbMicrosoftUefiCaSupport& support) { std::vector db; DWORD dwError = ERROR_SUCCESS; @@ -3038,7 +3149,12 @@ namespace VeraCrypt return false; } - bContainsMicrosoft2023UefiCAs = FirmwareDbBufferContainsMicrosoft2023UefiCAs (db); + if (!FirmwareDbBufferGetMicrosoftUefiCaSupport (db, support)) + { + SetLastError (support.ParseError ? support.ParseError : ERROR_INVALID_DATA); + return false; + } + return true; } 
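Review bot: TestFirmwareDbBufferContainsMicrosoftCorporationUefiCa2011 and its 2023 sibling expose only the CA-presence bit, so the new "supported set found before malformed data" tolerance and the DbMalformed/ParseError recording have no test-visible surface. Suggest exporting the diagnostics as well, e.g. `bool TestFirmwareDbBufferGetMicrosoftUefiCaSupport (const uint8* db, size_t dbSize, bool& containsMs2011, bool& contains2023Set, bool& dbMalformed);`, so a fixture with a valid 2023 pair followed by a truncated list can assert both detection and the malformed flag. A second fixture with a bad list before the first CA should assert a negative result, since that is the path that now aborts under Secure Boot.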
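Review bot: TryFirmwareDbGetMicrosoftUefiCaSupport reports a malformed db through SetLastError (ERROR_INVALID_DATA) exactly like a failed variable read, and the callers in this diff then describe it as "firmware db could not be read". A db that was read but failed validation is a different support case (firmware bug or corrupted variable versus missing privilege or missing variable), so consider leaving support.DbMalformed/ParseError for the caller to inspect and wording the reason accordingly, e.g. `if (support.DbMalformed) reason = L"firmware db was read but is malformed; refusing to select an unsupported EFI bootloader signing CA";`. The ternary `support.ParseError ? support.ParseError : ERROR_INVALID_DATA` is redundant as written, because every failing path in the parser passes ERROR_INVALID_DATA to SetMalformed.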
@@ -3063,27 +3179,67 @@ namespace VeraCrypt return true; } + static void ThrowUnsupportedEfiSecureBootDb (const wchar_t *reason, DWORD firmwareDbError) + { + RecordEfiBootLoaderResourceSetSelectionDiagnostics (0, reason, firmwareDbError); + throw ErrorException ("SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA", SRC_POS); + } + static EfiBootLoaderResourceSelection GetPreferredEfiBootLoaderResourceSet () { // The current 2023 DCS set uses both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023: // DcsInt.dcs and LegacySpeaker.dcs are signed through the Option ROM UEFI CA 2023 chain. - // If db cannot be read, keep the pre-2023 universal behavior and use the 2011 compatibility fallback. - bool bContainsMicrosoft2023UefiCAs = false; - if (TryFirmwareDbContainsMicrosoft2023UefiCAs (bContainsMicrosoft2023UefiCAs)) + // If Secure Boot is enabled, only select a loader set whose signing CA is trusted by the active db. + FirmwareDbMicrosoftUefiCaSupport support; + if (TryFirmwareDbGetMicrosoftUefiCaSupport (support)) { - if (bContainsMicrosoft2023UefiCAs) - return MakeEfiBootLoaderResourceSelection (EfiBootLoaderResources2023, VC_EFI_BOOT_LOADER_RESOURCE_SET_2023, L"firmware db contains Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023", ERROR_SUCCESS); + DWORD firmwareDbError = FirmwareDbMicrosoftUefiCaSupportGetDiagnosticError (support); - return MakeEfiBootLoaderResourceSelection (EfiBootLoaderResources2011, VC_EFI_BOOT_LOADER_RESOURCE_SET_2011, L"firmware db does not contain both Microsoft 2023 UEFI CAs", ERROR_SUCCESS); + if (FirmwareDbMicrosoftUefiCaSupportContains2023Set (support)) + { + return MakeEfiBootLoaderResourceSelection ( + EfiBootLoaderResources2023, + VC_EFI_BOOT_LOADER_RESOURCE_SET_2023, + support.DbMalformed + ? 
L"firmware db contains Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023 before malformed data" + : L"firmware db contains Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023", + firmwareDbError); + } + + if (support.ContainsMicrosoftCorporationUefiCa2011) + { + return MakeEfiBootLoaderResourceSelection ( + EfiBootLoaderResources2011, + VC_EFI_BOOT_LOADER_RESOURCE_SET_2011, + support.DbMalformed + ? L"firmware db contains Microsoft Corporation UEFI CA 2011 before malformed data" + : L"firmware db contains Microsoft Corporation UEFI CA 2011", + firmwareDbError); + } + + bool bSecureBootEnabled = false; + bool bSecureBootStateKnown = TryFirmwareSecureBootEnabled (bSecureBootEnabled); + DWORD secureBootLastError = bSecureBootStateKnown ? ERROR_SUCCESS : GetLastError (); + if (bSecureBootStateKnown && !bSecureBootEnabled) + return MakeEfiBootLoaderResourceSelection (EfiBootLoaderResources2011, VC_EFI_BOOT_LOADER_RESOURCE_SET_2011, L"Secure Boot is disabled and firmware db does not contain a supported Microsoft UEFI CA; using 2011 compatibility fallback", ERROR_SUCCESS); + + if (!bSecureBootStateKnown && IsFirmwareDbUnavailableError (secureBootLastError)) + return MakeEfiBootLoaderResourceSelection (EfiBootLoaderResources2011, VC_EFI_BOOT_LOADER_RESOURCE_SET_2011, L"Secure Boot is unavailable and firmware db does not contain a supported Microsoft UEFI CA; using 2011 compatibility fallback", ERROR_SUCCESS); + + if (bSecureBootStateKnown) + ThrowUnsupportedEfiSecureBootDb (L"Secure Boot is enabled but firmware db does not contain Microsoft Corporation UEFI CA 2011 or the Microsoft 2023 UEFI CA pair required by VeraCrypt", ERROR_SUCCESS); + + ThrowUnsupportedEfiSecureBootDb (L"firmware db does not contain a supported Microsoft UEFI CA and Secure Boot state could not be read; refusing to select an unsupported EFI bootloader signing CA", secureBootLastError); } DWORD dwError = GetLastError (); - if (IsFirmwareDbUnavailableError (dwError)) - return 
MakeEfiBootLoaderResourceSelection (EfiBootLoaderResources2011, VC_EFI_BOOT_LOADER_RESOURCE_SET_2011, L"firmware db is unavailable; using 2011 compatibility fallback", dwError); - bool bSecureBootEnabled = false; - if (TryFirmwareSecureBootEnabled (bSecureBootEnabled) && !bSecureBootEnabled) + bool bSecureBootStateKnown = TryFirmwareSecureBootEnabled (bSecureBootEnabled); + DWORD secureBootLastError = bSecureBootStateKnown ? ERROR_SUCCESS : GetLastError (); + if (bSecureBootStateKnown && !bSecureBootEnabled) return MakeEfiBootLoaderResourceSelection (EfiBootLoaderResources2011, VC_EFI_BOOT_LOADER_RESOURCE_SET_2011, L"Secure Boot is disabled and firmware db could not be read; using 2011 compatibility fallback", dwError); + if (!bSecureBootStateKnown && IsFirmwareDbUnavailableError (secureBootLastError)) + return MakeEfiBootLoaderResourceSelection (EfiBootLoaderResources2011, VC_EFI_BOOT_LOADER_RESOURCE_SET_2011, L"Secure Boot is unavailable and firmware db could not be read; using 2011 compatibility fallback", dwError); #ifndef SETUP if (!IsAdmin () && IsUacSupported ()) { 
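Review bot: The Secure Boot decision (known-and-disabled → fallback, unknown-and-unavailable → fallback, known-and-enabled → abort, otherwise abort) is spelled out inline here and again, with different error arguments, in the rescue-disk path later in this diff; the installed loader and the rescue disk must reach the same verdict or they carry different signing chains, so the policy belongs in one helper. With the helper below, the success branch here becomes `if (AllowEfiBootLoaderFallbackWithoutTrustedCa (L"Secure Boot is enabled but ...", L"... Secure Boot state could not be read; ...", ERROR_SUCCESS)) return MakeEfiBootLoaderResourceSelection (EfiBootLoaderResources2011, VC_EFI_BOOT_LOADER_RESOURCE_SET_2011, L"... using 2011 compatibility fallback", ERROR_SUCCESS);` and the rescue-disk function can call the same helper with its dwError. GetPreferredEfiBootLoaderResourceSet continues past this hunk, and the `#ifndef SETUP` elevation block sits between the failure-path checks and their throws, so that path may have to keep its current shape.
```cpp
// Secure Boot policy for the case where the db proves nothing about VeraCrypt's signing CAs.
// Returns true when the 2011 compatibility set may be used without a trusted CA, i.e. Secure Boot
// is known to be off or the firmware does not expose it; every other outcome records diagnostics
// and throws SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA. firmwareDbError is the db read/parse error to
// record, or ERROR_SUCCESS when the db itself was readable.
static bool AllowEfiBootLoaderFallbackWithoutTrustedCa (const wchar_t *reasonIfEnabled, const wchar_t *reasonIfUnknown, DWORD firmwareDbError)
{
	bool bSecureBootEnabled = false;
	bool bSecureBootStateKnown = TryFirmwareSecureBootEnabled (bSecureBootEnabled);
	DWORD secureBootLastError = bSecureBootStateKnown ? ERROR_SUCCESS : GetLastError ();

	if (bSecureBootStateKnown && !bSecureBootEnabled)
		return true;

	if (!bSecureBootStateKnown && IsFirmwareDbUnavailableError (secureBootLastError))
		return true;

	if (bSecureBootStateKnown)
		ThrowUnsupportedEfiSecureBootDb (reasonIfEnabled, firmwareDbError);

	ThrowUnsupportedEfiSecureBootDb (reasonIfUnknown, firmwareDbError != ERROR_SUCCESS ? firmwareDbError : secureBootLastError);
	return false; // not reached: ThrowUnsupportedEfiSecureBootDb always throws
}
```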
@@ -3099,7 +3255,13 @@ namespace VeraCrypt } #endif - return MakeEfiBootLoaderResourceSelection (EfiBootLoaderResources2011, VC_EFI_BOOT_LOADER_RESOURCE_SET_2011, L"firmware db could not be read; using 2011 compatibility fallback", dwError); + if (bSecureBootStateKnown && bSecureBootEnabled) + ThrowUnsupportedEfiSecureBootDb (L"Secure Boot is enabled but firmware db could not be read; refusing to select an unsupported EFI bootloader signing CA", dwError); + + if (!bSecureBootStateKnown && !IsFirmwareDbUnavailableError (secureBootLastError)) + ThrowUnsupportedEfiSecureBootDb (L"firmware db and Secure Boot state could not be read; refusing to select an unsupported EFI bootloader signing CA", dwError); + + ThrowUnsupportedEfiSecureBootDb (L"firmware db could not be read; refusing to select an unsupported EFI bootloader signing CA", dwError); } static void ThrowMissingEfiResource (const wchar_t* resourceName, bool rescueDisk) 
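Review bot: The final `ThrowUnsupportedEfiSecureBootDb (L"firmware db could not be read; refusing to select an unsupported EFI bootloader signing CA", dwError);` looks unreachable: the disabled and unknown-unavailable outcomes already returned before the `#ifndef SETUP` block, and the two throws just above cover enabled and unknown-other, so only the elevation code inside that block (outside this hunk) could fall through to it. If that block can return here without changing the locals, say so, e.g. `// Not reached unless the elevation path above falls through; kept as a defensive default.`; if it cannot, drop the third throw so its reason string never shows up in diagnostics. The enclosing function starts outside this hunk.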
@@ -5971,14 +6133,54 @@ namespace VeraCrypt throw SystemException (SRC_POS); } - bool bContainsMicrosoft2023UefiCAs = false; - if (!TryFirmwareDbContainsMicrosoft2023UefiCAs (bContainsMicrosoft2023UefiCAs)) + FirmwareDbMicrosoftUefiCaSupport support; + if (!TryFirmwareDbGetMicrosoftUefiCaSupport (support)) + { + DWORD dwError = GetLastError (); + bool bSecureBootEnabled = false; + bool bSecureBootStateKnown = TryFirmwareSecureBootEnabled (bSecureBootEnabled); + DWORD secureBootLastError = bSecureBootStateKnown ? ERROR_SUCCESS : GetLastError (); + if (bSecureBootStateKnown && bSecureBootEnabled) + ThrowUnsupportedEfiSecureBootDb (L"Secure Boot is enabled but firmware db could not be read; refusing to select an unsupported EFI bootloader signing CA", dwError); + + if (!bSecureBootStateKnown && !IsFirmwareDbUnavailableError (secureBootLastError)) + ThrowUnsupportedEfiSecureBootDb (L"firmware db and Secure Boot state could not be read; refusing to select an unsupported EFI bootloader signing CA", dwError); + + *pMicrosoft2023UefiCAsSupported = FALSE; + return; + } + + if (FirmwareDbMicrosoftUefiCaSupportContains2023Set (support)) + { + *pMicrosoft2023UefiCAsSupported = TRUE; + return; + } + + if (support.ContainsMicrosoftCorporationUefiCa2011) { *pMicrosoft2023UefiCAsSupported = FALSE; return; } - *pMicrosoft2023UefiCAsSupported = bContainsMicrosoft2023UefiCAs ? TRUE : FALSE; + bool bSecureBootEnabled = false; + bool bSecureBootStateKnown = TryFirmwareSecureBootEnabled (bSecureBootEnabled); + DWORD secureBootLastError = bSecureBootStateKnown ? 
ERROR_SUCCESS : GetLastError (); + if (bSecureBootStateKnown && !bSecureBootEnabled) + { + *pMicrosoft2023UefiCAsSupported = FALSE; + return; + } + + if (!bSecureBootStateKnown && IsFirmwareDbUnavailableError (secureBootLastError)) + { + *pMicrosoft2023UefiCAsSupported = FALSE; + return; + } + + if (bSecureBootStateKnown) + ThrowUnsupportedEfiSecureBootDb (L"Secure Boot is enabled but firmware db does not contain Microsoft Corporation UEFI CA 2011 or the Microsoft 2023 UEFI CA pair required by VeraCrypt", ERROR_SUCCESS); + + ThrowUnsupportedEfiSecureBootDb (L"firmware db does not contain a supported Microsoft UEFI CA and Secure Boot state could not be read; refusing to select an unsupported EFI bootloader signing CA", secureBootLastError); } #ifndef SETUP diff --git a/src/Common/BootEncryption.h b/src/Common/BootEncryption.h index 3ad7d656..3d9cde00 100644 --- a/src/Common/BootEncryption.h +++ b/src/Common/BootEncryption.h @@ -29,6 +29,7 @@ namespace VeraCrypt { #ifdef VC_EFI_BOOTLOADER_SELECTION_TEST bool TestFirmwareDbBufferContainsMicrosoft2023UefiCAs (const uint8* db, size_t dbSize); + bool TestFirmwareDbBufferContainsMicrosoftCorporationUefiCa2011 (const uint8* db, size_t dbSize); #endif class File diff --git a/src/Common/Language.xml b/src/Common/Language.xml index 9fcf09f8..8e611b38 100644 --- a/src/Common/Language.xml +++ b/src/Common/Language.xml 
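Review bot: The rescue-disk path (the function writing pMicrosoft2023UefiCAsSupported) now calls ThrowUnsupportedEfiSecureBootDb, which records resource set 0 plus a new reason and timestamp under EfiBootLoaderDiagnosticsRegistryKey, so a failed rescue-disk creation overwrites whatever the install-time selection recorded there, presumably the set that is actually on the EFI system partition. Consider distinguishing this caller, e.g. `ThrowUnsupportedEfiSecureBootDb (L"rescue disk: Secure Boot is enabled but firmware db could not be read; ...", dwError);`, or writing its diagnostics under a separate value name so the installed-set record survives. The four-way Secure Boot decision also appears twice in this hunk with the same structure as in GetPreferredEfiBootLoaderResourceSet; a shared helper would keep the installed loader and the rescue disk from ever disagreeing about which signing chain to use. The enclosing function starts outside this hunk.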
@@ -1685,6 +1685,7 @@ macOS reported the selected device as read-only. If this is an APFS disk, make sure you selected the physical APFS store partition, not an APFS synthesized volume. Use Disk Utility or 'diskutil list' to identify the physical partition, then retry. This volume is registered as a System Favorite and its PIM and/or KDF settings were changed.\nDo you want VeraCrypt to automatically update the System Favorite configuration (administrator privileges required)?\n\nPlease note that if you answer no, you'll have to update the System Favorite manually. The selected KDF uses different PIM parameters, so VeraCrypt will not reuse the current custom PIM. The new volume header will use the default PIM for the selected KDF unless you select "Use PIM" in the New section and enter a custom value.\n\nDo you want to continue? + Secure Boot is enabled, but the firmware Secure Boot database does not trust any Microsoft UEFI CA set supported by VeraCrypt's EFI bootloader. Enable either Microsoft Corporation UEFI CA 2011, or both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, then run VeraCrypt Repair/Reinstall. Alternatively, disable Secure Boot.