
EFI Pre-Boot-Auth with frequent password fail

Michael
2019-03-04
2024-03-05
  • Michael

    Michael - 2019-03-04

    Dear all,

    I have been using VC with my new HP Spectre for a few months now and have been experiencing some strange behavior I would like to ask you about (system details see below).
    I use a YubiKey with a fixed password plus a 4-digit pin. So the pre-boot sequence is (pin) + (yubikeypass) + (enter, from yubikey). No Pim.

    I started to receive, once in a while, a “failed password, hash or pim” message on the first try only. Now I receive such a failure on the first attempt on every boot. However, most of the time the second attempt works. Strangely, the second-attempt failures are growing… then the third attempt works. So it seems I have “evolved” from 0 to 100% first-attempt fails and am now moving towards 100% 2nd-attempt fails… (???)

    Does anyone have an idea what this is about and how I can fix it? So far I could always enter Windows; it is just annoying for the moment.

    Thank you!
    Michael

    System:
    HP Spectre x360 Convertible 13-ap0xxx, BIOS F.07
    EFI Version 2.70, x64
    VeraCrypt 1.23 (x64)

    VeraCrypt Bootloader Config:

    <?xml version="1.0" encoding="utf-8"?>
    <VeraCrypt>
        <configuration>
            <config key="PasswordType">0</config>
            <config key="PasswordMsg">I need a coffee...  </config>
            <config key="PasswordPicture">login.bmp</config>
            <config key="HashMsg">(0) TEST ALL (1) SHA512 (2) WHIRLPOOL (3) SHA256 (4) RIPEMD160 (5) STREEBOG
    Hash: </config>
            <config key="Hash">1</config>
            <config key="HashRqt">0</config>
            <config key="PimMsg">PIM (Leave empty for default): </config>
            <config key="Pim">0</config>
            <config key="PimRqt">0</config>
            <config key="AuthorizeVisible">0</config>
            <config key="AuthorizeRetry">10</config>
            <config key="DcsBmlLockFlags">0</config>
            <config key="DcsBmlDriver">0</config>
            <config key="ActionSuccess"></config>
        </configuration>
    </VeraCrypt>
    
     
  • Jason Haessly

    Jason Haessly - 2019-03-25

    I've got a similar setup: HP Spectre 360 running Win 10 with Veracrypt v1.23 and using YubiKey to enter the pre-boot password.
    My issue is that regardless of the password length (tried 64 and 32 char) I program into the key, VC only accepts the first 16-20 characters before moving on to the PIM (still not sure what that is) and the authorization fails. I can still enter the (very long, very complex) password manually for access.
    The YubiKey dumps the complete password into a text editor just fine, so I'm pretty sure it's programmed correctly. Anyone know a reason why VC won't accept the entire password?

     
  • Alan

    Alan - 2019-04-23

    Perhaps @idrassi can help with this issue...

    I'm having the same issue with a machine with EFI enabled. Despite using the YubiKey Personalization Tool to set a delay of 60ms, I'm experiencing the same issue as @msm1111 above. Once you're booted into Windows, everything is fine so it must be the EFI boot process that changed recently with VC 1.23.

    I'm currently using VC 1.23 Hotfix 2 and from what I recall, I didn't have this issue pre VC 1.23. @idrassi, would it be possible to add a configurable key delay at the bootloader?

    Thank you!

     
  • Zdzisek

    Zdzisek - 2019-07-31

    It's been a couple of months, and I would like to refresh this topic, as it is still a valid request. Can we get a confirmation that it will be solved one day, or should we start looking for another solution?

     
  • Mounir IDRASSI

    Mounir IDRASSI - 2019-12-01

    @msm1111, @jhaessly, @alancode, @fastriffs: sorry for the late answer. The VeraCrypt EFI bootloader has a 100 ms delay between accepted keystrokes, and so if a key is received less than 100 ms before the previous key then it will be ignored. This mechanism was added to fix issues with some keyboards that send keystrokes in double during a short period.
    Unfortunately, it looks like the YubiKey has a maximum delay of 60 ms between keystrokes, so most certainly some of the keystrokes will be ignored, leading to failed authentication.

    In order to handle such a case, I will add an option to control the delay between keystrokes instead of hardcoding the 100 ms value. I will also try to get hold of a YubiKey to do tests on my side. I will update this thread with my progress.
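
Added example (not VeraCrypt's bootloader code and not written by anyone in this thread): a simplified C model of the behaviour described in the reply above, where a fixed 100 ms minimum gap between accepted keystrokes meets a token that types every 60 ms. It assumes evenly spaced keystrokes and a gap measured from the last accepted key; `debounce_filter` and `survives_intact` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption): keystroke i arrives at i * interval_ms, and a
 * key is accepted only if at least min_gap_ms have elapsed since the last
 * ACCEPTED key. Writes the accepted characters to out; returns how many. */
static size_t debounce_filter(const char *typed, unsigned interval_ms,
                              unsigned min_gap_ms, char *out, size_t outsz)
{
    size_t n = 0;
    unsigned long last_accepted = 0;
    int have_last = 0;

    if (outsz == 0)
        return 0;
    for (size_t i = 0; typed[i] != '\0' && n + 1 < outsz; i++) {
        unsigned long now = (unsigned long)i * interval_ms;
        if (!have_last || now - last_accepted >= min_gap_ms) {
            out[n++] = typed[i];
            last_accepted = now;
            have_last = 1;
        }
        /* else: dropped as a suspected duplicate key press */
    }
    out[n] = '\0';
    return n;
}

/* Returns 1 if every keystroke is accepted at this spacing, 0 otherwise. */
static int survives_intact(const char *typed, unsigned interval_ms, unsigned min_gap_ms)
{
    char buf[128];
    debounce_filter(typed, interval_ms, min_gap_ms, buf, sizeof buf);
    return strcmp(buf, typed) == 0;
}

int main(void)
{
    const char *pw = "1234CorrectHorse";   /* constructed sample, not a real secret */
    const unsigned gaps[] = { 20, 60, 100, 120 };
    char got[128];

    for (size_t i = 0; i < sizeof gaps / sizeof gaps[0]; i++) {
        size_t n = debounce_filter(pw, gaps[i], 100, got, sizeof got);
        printf("%3u ms between keys: %2zu/%zu accepted -> \"%s\"%s\n", gaps[i], n,
               strlen(pw), got, survives_intact(pw, gaps[i], 100) ? "" : "  (auth fails)");
    }
    return 0;
}
```

Under these assumptions, 60 ms spacing delivers only every other character to the password field, while spacing of 100 ms or more delivers the whole string.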

     
  • Zdzisek

    Zdzisek - 2020-09-09

    How are we doing with this?

     
  • q93nrdf0c

    q93nrdf0c - 2024-03-05

    I am experiencing the same issue with a YubiKey 5 and VeraCrypt 1.26.7, using an Acer laptop.

     
