VeraCrypt
author: Mounir IDRASSI <mounir.idrassi@idrix.fr> 2018-07-05 12:51:02 +0200
committer: Mounir IDRASSI <mounir.idrassi@idrix.fr> 2018-07-05 12:51:02 +0200
commit: 8bc4de26e52119d6be3ff6e7c6e5b6839893ee2c
tree: 024da82c8b58d133bd7e3f21d8d9817a06d004fb /SecureBoot
parent: 670470aa927df97d74708288842e4a518cf3b5f2
Update readme for SecureBoot configuration
Diffstat (limited to 'SecureBoot')
-rw-r--r-- SecureBoot/readme.txt 12
1 files changed, 7 insertions, 5 deletions
diff --git a/SecureBoot/readme.txt b/SecureBoot/readme.txt
index a38d7c7..b9b40c7 100644
--- a/SecureBoot/readme.txt
+++ b/SecureBoot/readme.txt
@@ -3,15 +3,17 @@ In order to allow VeraCrypt EFI bootloader to run when EFI Secure Boot is enable
whose public part can be loaded into Secure Boot to allow verification of VeraCrypt EFI files.
to update Secure Boot configuration steps:
-1. Enter BIOS configuration
-2. Switch Secure boot to setup mode (or custom mode). It deletes PK (platform certificate) and allows to load DCS platform key.
-3. Boot Windows
-4. Edit the file sb_set_siglists.ps1 and uncomment the lines related to the manufacturer of the machine.
+1. Run the tool dumpEfiVars (https://www.veracrypt.fr/downloads/tools/dumpEfiVars.exe) to dump the SecureBoot data.
+2. Go through all folders created by dumpEfiVars (other than "77fa9abd-0359-4d32-bd60-28f4e78f784b" and "SigLists") and note the file names of the certificates created inside the folders (.der extension).
+3. Enter BIOS configuration
+4. Switch Secure boot to setup mode (or custom mode or clear keys). It deletes PK (platform certificate) and allows to load DCS platform key.
+5. Boot Windows
+6. Edit the file sb_set_siglists.ps1 and uncomment the lines related to the manufacturer of the machine and which reference the certfiicates names gethered from step 2.
5. execute from admin command prompt
powershell -ExecutionPolicy Bypass -File sb_set_siglists.ps1
It sets in PK (platform key) - DCS_platform
It sets in KEK (key exchange key) - DCS_key_exchange
-It sets in db - DCS_sign MicWinProPCA2011_2011-10-19 MicCorUEFCA2011_2011-06-27
+It sets in db - DCS_sign MicWinProPCA2011_2011-10-19 MicCorUEFCA2011_2011-06-27 and the other certificates specific to your machine.
All DCS modules are protected by DCS_sign.
All Windows modules are protected by MicWinProPCA2011_2011-10-19
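
Review bot: the renumbered list collides with the unchanged context line "5. execute from admin command prompt": the added steps run 1 to 6, so the readme now reads 1, 2, 3, 4, 5, 6, 5, and that line should become step 7. In the added step 6, "certfiicates" and "gethered" should be "certificates" and "gathered". Step 1 links to dumpEfiVars.exe with no checksum or signature to check the download against; because the tool is run as part of replacing the machine's Secure Boot keys, the readme should state how to verify it. Since step 4 says it deletes PK, step 2 should also tell the reader to keep the dumped folders as a backup of the original Secure Boot data, not only to note the .der file names.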