mirror of
https://github.com/veracrypt/VeraCrypt.git
synced 2026-06-17 18:16:07 -05:00
Windows: prevent unsupported EFI Secure Boot fallback
Detect whether the active firmware Secure Boot db trusts the Microsoft Corporation UEFI CA 2011 before selecting the 2011-signed EFI loader set. Abort with a clear diagnostic when Secure Boot is enabled but neither the 2011 CA nor the required 2023 CA pair is trusted, and document the CA requirements. Preserve positive CA detection when malformed db data appears only after a supported Microsoft CA set has already been found, while recording the parse error in diagnostics. Refs #1778.
@@ -73,7 +73,7 @@ Thus, when setting or entering your password, it's crucial to type it manually u
<p>Note: By default, Windows 7 and later boot from a special small partition. The partition contains files that are required to boot the system. Windows allows only applications that have administrator privileges to write to the partition (when the system is
running). In EFI boot mode, which is the default on modern PCs, VeraCrypt can not encrypt this partition since it must remain unencrypted so that the BIOS can load the EFI bootloader from it. This in turn implies that in EFI boot mode, VeraCrypt offers only to encrypt the system partition where Windows is installed (the user can later manually encrypt other data partitions using VeraCrypt).
In MBR legacy boot mode, VeraCrypt encrypts the partition only if you choose to encrypt the whole system drive (as opposed to choosing to encrypt only the partition where Windows is installed).</p>
<p>In EFI boot mode with Secure Boot enabled, VeraCrypt selects the installed Microsoft UEFI CA-signed bootloader set during install, repair, upgrade, or Windows PostOOBE repair. If you manually change firmware Secure Boot db entries, run VeraCrypt repair or reinstall to refresh the installed bootloader set.</p>
<p>In EFI boot mode with Secure Boot enabled, VeraCrypt selects a Microsoft UEFI CA-signed bootloader set trusted by the active firmware Secure Boot db during install, repair, upgrade, or Windows PostOOBE repair. The 2023 VeraCrypt loader set requires both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, while the 2011 loader set requires Microsoft Corporation UEFI CA 2011. If the active db trusts neither supported set, VeraCrypt aborts instead of installing a loader that firmware will reject. If you manually change firmware Secure Boot db entries, run VeraCrypt repair or reinstall to refresh the installed bootloader set.</p>
<p> </p>
<p><a href="Hidden%20Operating%20System.html" style="text-align:left; color:#0080c0; text-decoration:none; font-weight:bold">Next Section >></a></p>
</div>
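Review bot: the new paragraph tells the user that VeraCrypt aborts when the active Secure Boot db trusts neither supported CA set, but it stops short of telling them how to recover; since the commit message promises a clear diagnostic, the sentence "If the active db trusts neither supported set, VeraCrypt aborts instead of installing a loader that firmware will reject." should say which CA set the user needs to add to the firmware db (the 2011 CA, or both 2023 CAs) before re-running install or repair, and where the diagnostic is shown. The commit message also describes tolerating malformed db data once a supported CA set has already been found while recording the parse error in diagnostics; that behaviour is user-visible (a diagnostic reporting a parse error while installation still succeeds) and deserves one sentence here so it is not mistaken for a failure.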
@@ -93,7 +93,7 @@ To boot a VeraCrypt Rescue Disk, insert it into a USB port or your CD/DVD drive
configuration screen appears, restart (reset) the computer again and start pressing F2 or Delete repeatedly as soon as you restart (reset) the computer. When a BIOS configuration screen appears, configure your BIOS to boot from the USB drive and CD/DVD drive first (for
information on how to do so, please refer to the documentation for your BIOS/motherboard or contact your computer vendor's technical support team for assistance). Then restart your computer. The VeraCrypt Rescue Disk screen should appear now. Note: In the
case of MBR legacy boot mode, you can select 'Repair Options' on the VeraCrypt Rescue Disk screen by pressing F8 on your keyboard.</div>
<p>In EFI boot mode with Secure Boot enabled, the VeraCrypt Rescue Disk uses the Microsoft UEFI CA-signed bootloader set selected from the computer's current Secure Boot db state when the Rescue Disk is created. If firmware or Secure Boot db entries are later changed, create a new VeraCrypt Rescue Disk. A Rescue Disk created on a computer that trusts only one Microsoft UEFI CA generation may not Secure-Boot on a different computer that trusts only the other generation.</p>
<p>In EFI boot mode with Secure Boot enabled, the VeraCrypt Rescue Disk uses a Microsoft UEFI CA-signed bootloader set trusted by the computer's active Secure Boot db when the Rescue Disk is created. The 2023 VeraCrypt loader set requires both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, while the 2011 loader set requires Microsoft Corporation UEFI CA 2011. If firmware or Secure Boot db entries are later changed, create a new VeraCrypt Rescue Disk. A Rescue Disk created on a computer that trusts only one Microsoft UEFI CA generation may not Secure-Boot on a different computer that trusts only the other generation.</p>
<p>Installed EFI bootloader files are refreshed only during VeraCrypt install, repair, upgrade, or Windows PostOOBE repair paths. If you manually change firmware Secure Boot db entries, run VeraCrypt repair or reinstall to refresh the installed bootloader set.</p>
<p>If your VeraCrypt Rescue Disk is damaged, you can create a new one by selecting
<em style="text-align:left">System</em> > <em style="text-align:left">Create Rescue Disk</em>. To find out whether your VeraCrypt Rescue Disk is damaged, insert it into a USB port (or into your CD/DVD drive in case of MBR legacy boot mode) and select
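Review bot: the Rescue Disk paragraph does not say what Create Rescue Disk does when the active db trusts neither supported CA set, whereas the first hunk states that installation aborts in that case; please state whether Rescue Disk creation aborts with the same diagnostic or writes a disk that firmware will reject, since a user who reads only this page would otherwise assume the disk is usable. The sentence "The 2023 VeraCrypt loader set requires both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023, while the 2011 loader set requires Microsoft Corporation UEFI CA 2011." is repeated verbatim from the first hunk; stating the CA requirements in one place and linking to it from the other keeps the two pages from drifting. Minor style point: "may not Secure-Boot on a different computer" uses a hyphenated verb; "may not boot with Secure Boot enabled on a different computer" reads better.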