
How to sign the VeraCrypt bootloader for secure boot?

2018-04-30
2019-04-25
  • Mark Bradley

    Mark Bradley - 2018-04-30

    So I recently encrypted my Windows 10 Pro system drive. I initially encountered a problem where I was getting a "Secure Boot Violation" after Veracrypt created the new bootloader.

    I ended up solving this by entering the UEFI BIOS of my Asus motherboard, going into advanced mode, going into the secure boot section and changing OS Type from "Windows UEFI" (this is erroneously named in the BIOS menu since Secure Boot doesn't just apply to Windows) to "Other OS".

    I save these changes. Although after I save these changes, the Asus BIOS menu claims Secure Boot is still enabled, it clearly isn't because the Platform Key state is unloaded and of course the "Secure Boot Violation" goes away since it allows me to run the unsigned Veracrypt bootloader.

    Operating system drive encryption is successful, bootloader works perfectly and it asks for my passphrase.

    Everything is in order right? Wrong.

    I'm paranoid. All it's going to take for this system to be compromised is an evil maid attack where someone (such as a competitor) drops in a UEFI keylogger that logs my passphrase. The security is far from adequate.

    1. Is there any way for me to sign the Veracrypt bootloader myself, load this platform key into my BIOS, and then re-enable Windows UEFI?

    2. Now assuming I can cryptographically sign the Veracrypt bootloader, is it possible to prevent someone doing an evil maid attack from doing what I just did and changing "Windows UEFI" back to "Other OS", which effectively unloads the platform key and allows unsigned bootloader code to run? Will I always have to check the BIOS to make sure Secure Boot is running with the platform key loaded before I type in my passphrase, so that I am safe in the knowledge that the bootloader hasn't been altered in any way?

    • Mounir IDRASSI

      Mounir IDRASSI - 2018-05-01

      As you probably already know, the VeraCrypt EFI bootloader is signed using
      our own key and we provide a PowerShell script to load the needed
      certificates into the BIOS (cf. the "src/Boot/EFI/" folder in the source
      directory, where you will find sb_set_siglists.ps1 and Readme.txt with some
      explanations). However, this script can cause problems with some
      machines as we load only minimal certificates (Microsoft ones + our own)
      but some machines need other certificates to be trusted in order to boot
      correctly (this is the case for example with HP and Acer).

      Thus, loading custom EFI SecureBoot keys into the BIOS can be tricky and
      the best solution is to gather all manufacturers' certificates in order
      to sign them with our key and then load them back so that we keep the
      trust model of the machine unchanged. You can read more about this in
      the following thread that I started for this purpose:
      https://sourceforge.net/p/veracrypt/discussion/technical/thread/ace1e682/

      Going back to your question:

      1- You can use the scripts used to sign the VeraCrypt bootloader as an
      example of how to sign using your own keys. The source code of the
      bootloader is at https://github.com/veracrypt/VeraCrypt-DCS and you can
      look at the bottom of the build script "Dcs_bld.bat". The procedure to
      create and load your own signing keys is too long to explain in a forum
      post. I will redirect you instead to a document written by HP that shows
      how to create and load custom keys using OpenSSL and PowerShell:
      http://h10032.www1.hp.com/ctg/Manual/c05649759. To have maximum
      compatibility, be sure to use the tool I posted on the discussion
      referenced above to extract the certificates of your machine in order
      to inject them back after signing them with your own keys.

      2- Preventing adversaries from changing the SecureBoot configuration is
      important, as you pointed out. The usual way is to set up two
      different passwords in your motherboard: one for boot and one for admin
      mode. This prevents easy tampering through the UEFI setup interface. An
      advanced attacker can however open the machine's casing to access the
      motherboard jumpers so that he can flash the motherboard firmware or
      modify it directly. Depending on how this is done and the type of
      motherboard weakness exploited, it is possible that such an attack would
      lead to disabling the motherboard boot password and so one can easily
      detect the attack. Also, such physical access to the motherboard's
      internal circuits can leave physical traces on the machine's case which
      can be detected by visual inspection (to help with this, one can use stickers
      positioned in strategic places around the PC case).
      If the attacker is able to tamper with the EFI configuration without
      changing the password protection of the firmware and without leaving any
      physical trace, the only solution left is to always boot from trusted
      external devices that contain a genuine bootloader (one can use the
      VeraCrypt Rescue Disk for this purpose), but be aware that such advanced
      attackers can also place a hardware keylogger into the keyboard.

      In the future, I will implement in VeraCrypt some detection mechanisms
      for such kinds of attacks:

      • If SecureBoot is enabled, check that PK and KEK keys present in the
        EFI firmware are the same as VeraCrypt-DCS keys
      • If SecureBoot is not enabled, compare the EFI bootloader files on the
        disk with the ones embedded in VeraCrypt binaries and if they are
        different display a warning to the user. This is not 100% foolproof but
        it's worth adding.
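As an added example (not VeraCrypt's code and not part of this thread), here is a local PowerShell check modelled on the two detection ideas above: it reads the PK and KEK variables with the built-in SecureBoot module, parses the EFI_SIGNATURE_LIST structures to extract the X.509 certificates, compares their thumbprints with a list you recorded after enrolling your own keys, and hashes the on-disk bootloader against a known-good value. The expected thumbprints, the expected hash, the ESP drive letter S: and the bootloader path are placeholders and assumptions that you replace with values from your own machine.

```powershell
#Requires -RunAsAdministrator
# Added example, not VeraCrypt's own code: compare PK/KEK and the on-disk
# bootloader against a recorded known-good state. The four values below are
# placeholders; fill them in from your own machine once your keys are enrolled.
$ExpectedPkThumbprints  = @('PLACEHOLDER-PK-CERT-SHA1-THUMBPRINT')
$ExpectedKekThumbprints = @('PLACEHOLDER-KEK-CERT-SHA1-THUMBPRINT')
$BootloaderPath         = 'S:\EFI\VeraCrypt\DcsBoot.efi'   # assumption: ESP mounted as S:
$ExpectedBootloaderHash = 'PLACEHOLDER-SHA256-OF-KNOWN-GOOD-DCSBOOT-EFI'

# Signature type GUID for X.509 entries in an EFI_SIGNATURE_LIST (UEFI spec, EFI_CERT_X509_GUID).
$EfiCertX509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

# Walk the chain of EFI_SIGNATURE_LIST structures returned by Get-SecureBootUEFI
# and return every X.509 certificate found in it.
function Get-SigListCertificates {
    param([byte[]]$Bytes)
    $certs = @()
    if (-not $Bytes) { return $certs }
    $pos = 0
    while ($pos + 28 -le $Bytes.Length) {
        # Header: SignatureType GUID (16), SignatureListSize, SignatureHeaderSize,
        # SignatureSize (three little-endian UINT32s)
        $sigType  = [Guid]::new([byte[]]$Bytes[$pos..($pos + 15)])
        $listSize = [BitConverter]::ToUInt32($Bytes, $pos + 16)
        $hdrSize  = [BitConverter]::ToUInt32($Bytes, $pos + 20)
        $sigSize  = [BitConverter]::ToUInt32($Bytes, $pos + 24)
        # Stop on malformed sizes rather than looping forever or reading past the end
        if ($listSize -lt 28 -or $sigSize -lt 16 -or $pos + $listSize -gt $Bytes.Length) { break }
        $entry = $pos + 28 + $hdrSize
        while ($entry + $sigSize -le $pos + $listSize) {
            if ($sigType -eq $EfiCertX509Guid) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes) followed by the DER certificate
                $der = [byte[]]$Bytes[($entry + 16)..($entry + $sigSize - 1)]
                $certs += [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
            }
            $entry += $sigSize
        }
        $pos += $listSize
    }
    return $certs
}

# Returns a list of findings; an empty list means the recorded state matched.
function Test-BootTrustState {
    $findings = @()
    # Mirrors the "Other OS" situation in the thread: keys unloaded, enforcement off
    if (-not (Confirm-SecureBootUEFI)) {
        $findings += 'Secure Boot is not enforcing: unsigned bootloaders will run.'
    }
    foreach ($var in 'PK', 'KEK') {
        $expected = if ($var -eq 'PK') { $ExpectedPkThumbprints } else { $ExpectedKekThumbprints }
        $blob  = (Get-SecureBootUEFI -Name $var).Bytes
        $found = @(Get-SigListCertificates -Bytes $blob | ForEach-Object { $_.Thumbprint })
        $unexpected = @($found    | Where-Object { $expected -notcontains $_ })
        $missing    = @($expected | Where-Object { $found    -notcontains $_ })
        if ($unexpected.Count) { $findings += "$var holds certificate(s) you did not enroll: $($unexpected -join ', ')" }
        if ($missing.Count)    { $findings += "$var is missing expected certificate(s): $($missing -join ', ')" }
    }
    # Second idea from the thread: compare the bootloader on the ESP with a known-good copy
    if (Test-Path $BootloaderPath) {
        $hash = (Get-FileHash -Path $BootloaderPath -Algorithm SHA256).Hash
        if ($hash -ne $ExpectedBootloaderHash) { $findings += "Bootloader $BootloaderPath does not match the known-good hash." }
    } else {
        $findings += "Bootloader not found at $BootloaderPath (is the EFI System Partition mounted?)."
    }
    return $findings
}

$result = Test-BootTrustState
if ($result.Count -eq 0) { Write-Host 'OK: Secure Boot keys and bootloader match the recorded state.' }
else { $result | ForEach-Object { Write-Warning $_ } }
```

To record the baseline, run the script once on a state you trust (right after enrolling your keys and installing the bootloader), paste the thumbprints it reports as unexpected into the two expected lists, and paste the file hash into the expected hash. The EFI System Partition is not mounted by default on Windows; `mountvol S: /S` from an elevated prompt assigns it the letter assumed above. Note that a check that runs from inside Windows can only tell you what the firmware reports after boot, which is why the thread also recommends BIOS passwords and an external trusted boot medium.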
      • Mario Pilesi

        Mario Pilesi - 2019-04-25

        The c05649759 manual, at page, says:
        "The simplest way to get to the default HP DB configuration using the Windows command line tools is to create a Signature List serialization file using the three HP default certificates. If you wish to omit one or more or exclusively use your DER-encoded certificates, you can do that, of course. The following command parameters create a signable signature list file
        using the three default HP DB certificates, embedded in this document. The command parameters below assume that you have unpacked the three DB certificates into your local working directory."
        It has an image HpDb.zip but does not have any file embedded.
        How do I get these "three HP default certificates"?
        Is there a download link or PowerShell script to extract them?

        HpDb_SigList.bin
        HPDB2013.der
        MsUEFCA2011_2011-06-27.cer
        MsWinProDb2011_2011-10-19.cer
        HpDb_SigList_Serialization_for_DB.bin

  • Mark Bradley

    Mark Bradley - 2018-05-03

    Thank you for such a detailed response. I greatly appreciate it. My motherboard is the Asus Z170-A. I will read the thread you linked to as well to determine if I need to gather all manufacturers' certificates so that they can be signed by you using your private key. With motherboards that don't like it if you load minimal certificates, what happens? It just fails to boot and you need to boot with Secure Boot disabled, correct?

    Since you already sign the EFI bootloader using your own key (I actually discovered this shortly after opening this thread) I think I may just opt into loading your EFI Secure Boot keys into the BIOS, since my main concern is to check if the bootloader has been tampered with.

    For the hardware keylogger concern, I am thinking of buying a small foldable keyboard specifically for use for entering passphrases and then take this foldable keyboard with me wherever I go to ensure it is not tampered with. Using the rescue disk as an external bootloader is also a very interesting proposal.


    Last edit: Mark Bradley 2018-05-03
