author | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2016-08-14 23:45:10 +0200 |
---|---|---|
committer | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2016-08-15 01:09:19 +0200 |
commit | 67031da928735e1d3b6bfca8d393a07d98e478dd (patch) | |
tree | f3ac60427bf39de06357eb41e5ebe4da8cdee157 /src/Boot | |
parent | 87ee61bcb1fcad9e18f703485a04781ff9f6fa53 (diff) | |
download | VeraCrypt-67031da928735e1d3b6bfca8d393a07d98e478dd.tar.gz VeraCrypt-67031da928735e1d3b6bfca8d393a07d98e478dd.zip |
Windows: Add DCS EFI Bootloader files that are signed. Add certificates and powershell script to update Secure Boot configuration.
Diffstat (limited to 'src/Boot')
29 files changed, 38 insertions, 0 deletions
diff --git a/src/Boot/EFI/DcsBml.efi b/src/Boot/EFI/DcsBml.efi
Binary files differ
new file mode 100644
index 00000000..8775ce4c
--- /dev/null
+++ b/src/Boot/EFI/DcsBml.efi
diff --git a/src/Boot/EFI/DcsBoot.efi b/src/Boot/EFI/DcsBoot.efi
Binary files differ
new file mode 100644
index 00000000..03f15633
--- /dev/null
+++ b/src/Boot/EFI/DcsBoot.efi
diff --git a/src/Boot/EFI/DcsCfg.efi b/src/Boot/EFI/DcsCfg.efi
Binary files differ
new file mode 100644
index 00000000..da5a6ee4
--- /dev/null
+++ b/src/Boot/EFI/DcsCfg.efi
diff --git a/src/Boot/EFI/DcsInt.efi b/src/Boot/EFI/DcsInt.efi
Binary files differ
new file mode 100644
index 00000000..666030ba
--- /dev/null
+++ b/src/Boot/EFI/DcsInt.efi
diff --git a/src/Boot/EFI/DcsRe.efi b/src/Boot/EFI/DcsRe.efi
Binary files differ
new file mode 100644
index 00000000..646a79e3
--- /dev/null
+++ b/src/Boot/EFI/DcsRe.efi
diff --git a/src/Boot/EFI/LegacySpeaker.efi b/src/Boot/EFI/LegacySpeaker.efi
Binary files differ
new file mode 100644
index 00000000..5f49a76a
--- /dev/null
+++ b/src/Boot/EFI/LegacySpeaker.efi
diff --git a/src/Boot/EFI/Readme.txt b/src/Boot/EFI/Readme.txt
new file mode 100644
index 00000000..882c247a
--- /dev/null
+++ b/src/Boot/EFI/Readme.txt
@@ -0,0 +1,13 @@
+To update secure boot configuration
+1. Enter BIOS configuration
+2. Switch Secure boot to setup mode (or custom mode). It deletes PK (platform certificate) and allows to load DCS platform key.
+3. Boot Windows
+4. execute from admin command prompt
+ powershell -File sb_set_siglists.ps1
+It sets in PK (platform key) - DCS_platform
+It sets in KEK (key exchange key) - DCS_key_exchange
+It sets in db - DCS_sign MicWinProPCA2011_2011-10-19 MicCorUEFCA2011_2011-06-27
+
+All DCS modules are protected by DCS_sign.
+All Windows modules are protected by MicWinProPCA2011_2011-10-19
+All SHIM(linux) modules are protected by MicCorUEFCA2011_2011-06-27
\ No newline at end of file
diff --git a/src/Boot/EFI/certs/DCS_key_exchange.crt b/src/Boot/EFI/certs/DCS_key_exchange.crt
Binary files differ
new file mode 100644
index 00000000..80bc7ca4
--- /dev/null
+++ b/src/Boot/EFI/certs/DCS_key_exchange.crt
diff --git a/src/Boot/EFI/certs/DCS_platform.crt b/src/Boot/EFI/certs/DCS_platform.crt
Binary files differ
new file mode 100644
index 00000000..a7cf8ce9
--- /dev/null
+++ b/src/Boot/EFI/certs/DCS_platform.crt
diff --git a/src/Boot/EFI/certs/DCS_sign.crt b/src/Boot/EFI/certs/DCS_sign.crt
Binary files differ
new file mode 100644
index 00000000..f0538dbb
--- /dev/null
+++ b/src/Boot/EFI/certs/DCS_sign.crt
diff --git a/src/Boot/EFI/certs/MicCorUEFCA2011_2011-06-27.crt b/src/Boot/EFI/certs/MicCorUEFCA2011_2011-06-27.crt
Binary files differ
new file mode 100644
index 00000000..9aa6ac6c
--- /dev/null
+++ b/src/Boot/EFI/certs/MicCorUEFCA2011_2011-06-27.crt
diff --git a/src/Boot/EFI/certs/MicWinProPCA2011_2011-10-19.crt b/src/Boot/EFI/certs/MicWinProPCA2011_2011-10-19.crt
Binary files differ
new file mode 100644
index 00000000..a6d001c2
--- /dev/null
+++ b/src/Boot/EFI/certs/MicWinProPCA2011_2011-10-19.crt
diff --git a/src/Boot/EFI/certs/Readme.txt b/src/Boot/EFI/certs/Readme.txt
new file mode 100644
index 00000000..6663a5d1
--- /dev/null
+++ b/src/Boot/EFI/certs/Readme.txt
@@ -0,0 +1,3 @@
+Apart from DCS certificates, there are two public DB entries - one for Windows and one for the UEFI Certificate Authority (CA).
+Windows DB: http://www.microsoft.com/pkiops/certs/MicWinProPCA2011_2011-10-19.crt
+UEFI DB: http://www.microsoft.com/pkiops/certs/MicCorUEFCA2011_2011-06-27.crt
diff --git a/src/Boot/EFI/sb_set_siglists.ps1 b/src/Boot/EFI/sb_set_siglists.ps1
new file mode 100644
index 00000000..5f664f21
--- /dev/null
+++ b/src/Boot/EFI/sb_set_siglists.ps1
@@ -0,0 +1,22 @@
+Set-ExecutionPolicy Bypass -Force
+Import-Module secureboot
+
+Set-SecureBootUEFI -Name PK -Time 2015-09-11 -Content $null
+Set-SecureBootUEFI -Name KEK -Time 2015-09-11 -Content $null
+Set-SecureBootUEFI -Name db -Time 2015-09-11 -Content $null
+Set-SecureBootUEFI -Name dbx -Time 2015-09-11 -Content $null
+
+Write-Host "Setting self-signed PK..."
+Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglists\DCS_platform_SigList.bin -SignedFilePath siglists\DCS_platform_SigList_Serialization.bin.p7 -Name PK
+
+Write-Host "Setting PK-signed KEK..."
+Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglists\DCS_key_exchange_SigList.bin -SignedFilePath siglists\DCS_key_exchange_SigList_Serialization.bin.p7 -Name KEK
+
+Write-Host "Setting KEK-signed DCS cert in db..."
+Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglists\DCS_sign_SigList.bin -SignedFilePath siglists\DCS_sign_SigList_Serialization.bin.p7 -Name db
+
+Write-Host "Setting KEK-signed MS cert in db..."
+Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglists\MicWinProPCA2011_2011-10-19_SigList.bin -SignedFilePath siglists\MicWinProPCA2011_2011-10-19_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true
+
+Write-Host "Setting KEK-signed MS UEFI cert in db..."
+Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath siglists\MicCorUEFCA2011_2011-06-27_SigList.bin -SignedFilePath siglists\MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin.p7 -Name db -AppendWrite:$true
diff --git a/src/Boot/EFI/siglists/DCS_key_exchange_SigList.bin b/src/Boot/EFI/siglists/DCS_key_exchange_SigList.bin
Binary files differ
new file mode 100644
index 00000000..62f5cc6f
--- /dev/null
+++ b/src/Boot/EFI/siglists/DCS_key_exchange_SigList.bin
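Review bot: `Set-ExecutionPolicy Bypass -Force` on the first line of the new script changes the persistent machine-wide policy and nothing later restores it, so the host is left weaker than before the key install; since the Readme already runs it via `powershell -File`, `Set-ExecutionPolicy Bypass -Scope Process -Force` (or launching with `powershell -ExecutionPolicy Bypass -File sb_set_siglists.ps1` and dropping the line) confines the relaxation to this process. The four `-Content $null` writes also empty dbx, and no later step repopulates it, so the machine ends with the two Microsoft CAs re-trusted in db but no revocation list at all; the script or Readme should say so, and a current dbx update should be applied after the db writes. Every `Set-SecureBootUEFI` call continues after a failure and resolves `siglists\...` against the caller's working directory rather than the script's, so a run started from another directory or one that fails after the PK write leaves a half-installed key hierarchy without a clear error; `$ErrorActionPreference = 'Stop'` and `$PSScriptRoot`-based paths make that fail loudly at the first bad step.
```powershell
Set-ExecutionPolicy Bypass -Scope Process -Force
Import-Module secureboot
$ErrorActionPreference = 'Stop'
$sigDir = Join-Path $PSScriptRoot 'siglists'

# ... unchanged: the four -Content $null clears (note: this empties dbx as well) ...

Write-Host "Setting self-signed PK..."
Set-SecureBootUEFI -Time 2016-08-08T00:00:00Z -ContentFilePath (Join-Path $sigDir 'DCS_platform_SigList.bin') -SignedFilePath (Join-Path $sigDir 'DCS_platform_SigList_Serialization.bin.p7') -Name PK
# ... unchanged: remaining KEK/db writes, with the same Join-Path substitution for each siglists\ path ...
```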
diff --git a/src/Boot/EFI/siglists/DCS_key_exchange_SigList_Serialization.bin b/src/Boot/EFI/siglists/DCS_key_exchange_SigList_Serialization.bin
Binary files differ
new file mode 100644
index 00000000..1cffcf0c
--- /dev/null
+++ b/src/Boot/EFI/siglists/DCS_key_exchange_SigList_Serialization.bin
diff --git a/src/Boot/EFI/siglists/DCS_key_exchange_SigList_Serialization.bin.p7 b/src/Boot/EFI/siglists/DCS_key_exchange_SigList_Serialization.bin.p7
Binary files differ
new file mode 100644
index 00000000..1e9d29ae
--- /dev/null
+++ b/src/Boot/EFI/siglists/DCS_key_exchange_SigList_Serialization.bin.p7
diff --git a/src/Boot/EFI/siglists/DCS_platform_SigList.bin b/src/Boot/EFI/siglists/DCS_platform_SigList.bin
Binary files differ
new file mode 100644
index 00000000..0b6d7e12
--- /dev/null
+++ b/src/Boot/EFI/siglists/DCS_platform_SigList.bin
diff --git a/src/Boot/EFI/siglists/DCS_platform_SigList_Serialization.bin b/src/Boot/EFI/siglists/DCS_platform_SigList_Serialization.bin
Binary files differ
new file mode 100644
index 00000000..e8fbf79a
--- /dev/null
+++ b/src/Boot/EFI/siglists/DCS_platform_SigList_Serialization.bin
diff --git a/src/Boot/EFI/siglists/DCS_platform_SigList_Serialization.bin.p7 b/src/Boot/EFI/siglists/DCS_platform_SigList_Serialization.bin.p7
Binary files differ
new file mode 100644
index 00000000..19cb86db
--- /dev/null
+++ b/src/Boot/EFI/siglists/DCS_platform_SigList_Serialization.bin.p7
diff --git a/src/Boot/EFI/siglists/DCS_sign_SigList.bin b/src/Boot/EFI/siglists/DCS_sign_SigList.bin
Binary files differ
new file mode 100644
index 00000000..9a3f568b
--- /dev/null
+++ b/src/Boot/EFI/siglists/DCS_sign_SigList.bin
diff --git a/src/Boot/EFI/siglists/DCS_sign_SigList_Serialization.bin b/src/Boot/EFI/siglists/DCS_sign_SigList_Serialization.bin
Binary files differ
new file mode 100644
index 00000000..de58d77d
--- /dev/null
+++ b/src/Boot/EFI/siglists/DCS_sign_SigList_Serialization.bin
diff --git a/src/Boot/EFI/siglists/DCS_sign_SigList_Serialization.bin.p7 b/src/Boot/EFI/siglists/DCS_sign_SigList_Serialization.bin.p7
Binary files differ
new file mode 100644
index 00000000..01753a8b
--- /dev/null
+++ b/src/Boot/EFI/siglists/DCS_sign_SigList_Serialization.bin.p7
diff --git a/src/Boot/EFI/siglists/MicCorUEFCA2011_2011-06-27_SigList.bin b/src/Boot/EFI/siglists/MicCorUEFCA2011_2011-06-27_SigList.bin
Binary files differ
new file mode 100644
index 00000000..413ccab9
--- /dev/null
+++ b/src/Boot/EFI/siglists/MicCorUEFCA2011_2011-06-27_SigList.bin
diff --git a/src/Boot/EFI/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin b/src/Boot/EFI/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin
Binary files differ
new file mode 100644
index 00000000..735d9626
--- /dev/null
+++ b/src/Boot/EFI/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin
diff --git a/src/Boot/EFI/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin.p7 b/src/Boot/EFI/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin.p7
Binary files differ
new file mode 100644
index 00000000..ed8cefda
--- /dev/null
+++ b/src/Boot/EFI/siglists/MicCorUEFCA2011_2011-06-27_SigList_Serialization.bin.p7
diff --git a/src/Boot/EFI/siglists/MicWinProPCA2011_2011-10-19_SigList.bin b/src/Boot/EFI/siglists/MicWinProPCA2011_2011-10-19_SigList.bin
Binary files differ
new file mode 100644
index 00000000..ac542ca0
--- /dev/null
+++ b/src/Boot/EFI/siglists/MicWinProPCA2011_2011-10-19_SigList.bin
diff --git a/src/Boot/EFI/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin b/src/Boot/EFI/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin
Binary files differ
new file mode 100644
index 00000000..9138dae9
--- /dev/null
+++ b/src/Boot/EFI/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin
diff --git a/src/Boot/EFI/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin.p7 b/src/Boot/EFI/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin.p7
Binary files differ
new file mode 100644
index 00000000..b08c60a3
--- /dev/null
+++ b/src/Boot/EFI/siglists/MicWinProPCA2011_2011-10-19_SigList_Serialization.bin.p7
|