| field | value | date |
|---|---|---|
| author | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2018-09-02 14:34:31 +0200 |
| committer | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2018-09-03 01:00:43 +0200 |
| commit | 6e94ee8b85fefda5acee0f815372ccdd1d04b9ea (patch) | |
| tree | 2ffa149d6d72cb9b475367a2d2cceae233adcefd /src/Boot/EFI/Readme.txt | |
| parent | deef2031c733ca2bebc9bc62c1f637d2e1fd0465 (diff) | |
| download | VeraCrypt-6e94ee8b85fefda5acee0f815372ccdd1d04b9ea.tar.gz VeraCrypt-6e94ee8b85fefda5acee0f815372ccdd1d04b9ea.zip | |
Windows: Add EFI bootloader files that are signed by Microsoft and remove files related to loading SecureBoot custom keys.
Diffstat (limited to 'src/Boot/EFI/Readme.txt')
-rw-r--r-- | src/Boot/EFI/Readme.txt | 23 |
1 files changed, 1 insertions, 22 deletions
diff --git a/src/Boot/EFI/Readme.txt b/src/Boot/EFI/Readme.txt index 12a8b30f..43e29986 100644 --- a/src/Boot/EFI/Readme.txt +++ b/src/Boot/EFI/Readme.txt @@ -1,5 +1,4 @@ The source code for VeraCrypt EFI bootloader files is available at: https://github.com/veracrypt/VeraCrypt-DCS -Use tag "VeraCrypt_1.18" to extract the sources that were used when building VeraCrypt 1.18. VeraCrypt-DCS uses EDK II as its UEFI development environement. 
@@ -15,24 +14,4 @@ Here the steps to build VeraCrypt-DCS (Visual Studio 2010 SP1 should be installe * change directory to DcsPkg\Library\VeraCryptLib and then type mklinks_src.bat: you will be asked to provide the path to VeraCrypt src folder. * change directory to DcsPkg and then type dcs_bld.bat X64Rel * After the build is finished, EFI bootloader files will be present at edk2\Build\DcsPkg\RELEASE_VS2010x86\X64 - -Secure Boot: -In order to allow VeraCrypt EFI bootloader to run when EFI Secure Boot is enabled, VeraCrypt EFI bootloader files are signed by custom key(DCS_sign) -whose public part can be loaded into Secure Boot to allow verification of VeraCrypt EFI files. - -to update Secure Boot configuration steps: -1. Run the tool dumpEfiVars (https://www.veracrypt.fr/downloads/tools/dumpEfiVars.exe) to dump the SecureBoot data. -2. Go through all folders created by dumpEfiVars (other than "77fa9abd-0359-4d32-bd60-28f4e78f784b" and "SigLists") and note the file names of the certificates created inside the folders (.der extension). -3. Enter BIOS configuration -4. Switch Secure boot to setup mode (or custom mode or clear keys). It deletes PK (platform certificate) and allows to load DCS platform key. -5. Boot Windows -6. Edit the file sb_set_siglists.ps1 and uncomment the lines related to the manufacturer of the machine and which reference the certfiicates names gethered from step 2. -5. execute from admin command prompt - powershell -ExecutionPolicy Bypass -File sb_set_siglists.ps1 -It sets in PK (platform key) - DCS_platform -It sets in KEK (key exchange key) - DCS_key_exchange -It sets in db - DCS_sign MicWinProPCA2011_2011-10-19 MicCorUEFCA2011_2011-06-27 and the other certificates specific to your machine. - -All DCS modules are protected by DCS_sign. -All Windows modules are protected by MicWinProPCA2011_2011-10-19 -All SHIM(linux) modules are protected by MicCorUEFCA2011_2011-06-27
\ No newline at end of file +
\ No newline at end of file |
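Review bot: In the first hunk (@@ -1,5 +1,4 @@), dropping the line `Use tag "VeraCrypt_1.18" to extract the sources that were used when building VeraCrypt 1.18.` leaves the Readme with no way to tell which VeraCrypt-DCS revision the shipped EFI binaries were built from. Since this commit (per its message) replaces the bootloader files with prebuilt, Microsoft-signed images, a pinned VeraCrypt-DCS tag or commit hash is exactly what a reader needs to rebuild the modules and compare them against the signed files; suggest replacing the removed line with the current reference rather than deleting it, for example `Use tag "<VeraCrypt-DCS tag used for this build>" to extract the sources that were used when building the signed EFI files.` (placeholder, to be filled with the actual tag). The unchanged context line on the same hunk still reads "environement" and could be corrected to "environment" while the file is open.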
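Review bot: In the second hunk (@@ -15,24 +14,4 @@), deleting the entire "Secure Boot:" section leaves the Readme silent on how the bootloader is expected to run with Secure Boot enabled. The commit message states the files are now signed by Microsoft, so the deleted text should be replaced by a short statement to that effect (which signing authority the firmware's db must already trust, and that enrolling DCS_platform, DCS_key_exchange and DCS_sign is no longer required) instead of removing the topic altogether. The removed steps are also the only record of what sb_set_siglists.ps1 wrote into PK, KEK and db on machines whose owners followed them; a note for those users, telling them to restore the firmware's default keys now that the custom DCS keys are obsolete, would avoid leaving such machines with a DCS-controlled platform key after this change. The hunk's single insertion is a blank line at end of file, which looks accidental and can be dropped.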