VeraCrypt
aboutsummaryrefslogtreecommitdiff
path: root/src/Boot/EFI/Readme.txt
diff options
context:
space:
mode:
authorMounir IDRASSI <mounir.idrassi@idrix.fr>2018-08-12 22:16:28 +0200
committerMounir IDRASSI <mounir.idrassi@idrix.fr>2018-08-12 22:18:06 +0200
commit8040a87a3d1b1a691811458558afa60823b18e5f (patch)
tree5cd761d9edd54980bc66443ed1898ded1c082583 /src/Boot/EFI/Readme.txt
parent0b2497748e6eb5ce20a9f45e24b5ff75efee282b (diff)
downloadVeraCrypt-8040a87a3d1b1a691811458558afa60823b18e5f.tar.gz
VeraCrypt-8040a87a3d1b1a691811458558afa60823b18e5f.zip
Windows: update EFI SecureBoot PowerShell script and its associated certificates to the latest version from VeraCrypt-DCS repository.
Diffstat (limited to 'src/Boot/EFI/Readme.txt')
-rw-r--r--src/Boot/EFI/Readme.txt16
1 files changed, 10 insertions, 6 deletions
diff --git a/src/Boot/EFI/Readme.txt b/src/Boot/EFI/Readme.txt
index 9ba94023..12a8b30f 100644
--- a/src/Boot/EFI/Readme.txt
+++ b/src/Boot/EFI/Readme.txt
@@ -17,17 +17,21 @@ Here the steps to build VeraCrypt-DCS (Visual Studio 2010 SP1 should be installe
* After the build is finished, EFI bootloader files will be present at edk2\Build\DcsPkg\RELEASE_VS2010x86\X64
Secure Boot:
-In order to allow VeraCrypt EFI bootloader to run when EFI Secure Boot is enabled, VeraCrypt EFI bootloader files are signed by custom key(DCS_sign) whose public part can be loaded into Secure Boot to allow verification of VeraCrypt EFI files.
+In order to allow VeraCrypt EFI bootloader to run when EFI Secure Boot is enabled, VeraCrypt EFI bootloader files are signed by custom key(DCS_sign)
+whose public part can be loaded into Secure Boot to allow verification of VeraCrypt EFI files.
to update Secure Boot configuration steps:
-1. Enter BIOS configuration
-2. Switch Secure boot to setup mode (or custom mode). It deletes PK (platform certificate) and allows to load DCS platform key.
-3. Boot Windows
-4. execute from admin command prompt
+1. Run the tool dumpEfiVars (https://www.veracrypt.fr/downloads/tools/dumpEfiVars.exe) to dump the SecureBoot data.
+2. Go through all folders created by dumpEfiVars (other than "77fa9abd-0359-4d32-bd60-28f4e78f784b" and "SigLists") and note the file names of the certificates created inside the folders (.der extension).
+3. Enter BIOS configuration
+4. Switch Secure boot to setup mode (or custom mode or clear keys). It deletes PK (platform certificate) and allows to load DCS platform key.
+5. Boot Windows
+6. Edit the file sb_set_siglists.ps1 and uncomment the lines related to the manufacturer of the machine and which reference the certfiicates names gethered from step 2.
+5. execute from admin command prompt
powershell -ExecutionPolicy Bypass -File sb_set_siglists.ps1
It sets in PK (platform key) - DCS_platform
It sets in KEK (key exchange key) - DCS_key_exchange
-It sets in db - DCS_sign MicWinProPCA2011_2011-10-19 MicCorUEFCA2011_2011-06-27
+It sets in db - DCS_sign MicWinProPCA2011_2011-10-19 MicCorUEFCA2011_2011-06-27 and the other certificates specific to your machine.
All DCS modules are protected by DCS_sign.
All Windows modules are protected by MicWinProPCA2011_2011-10-19