Error: "Secure Boot Violation"
Open source disk encryption with strong security for the Paranoid
Brought to you by:
idrassi
Menu
▾
▴
Hi, I tried to encrypt the system volume of my MSI notebook. When the preliminary test is performed and after the computer restarts, I received the following error: "Secure Boot Violation - invalid signature detected. Check secure boot policy in setup". Then windows starts normally, and VeraCrypt tells me that the test has failed...
What should I do?
I've disabled the "Secure Boot" option, and now I'm encrypting the system volume :-)
Is it correct what I did? And now that I don't have a secure boot anymore, what is going to change? Is it safe?
You can set custom certificates. Details:
Secure Boot:
In order to allow VeraCrypt EFI bootloader to run when EFI Secure Boot is enabled, VeraCrypt EFI bootloader files are signed by custom key(DCS_sign) whose public part can be loaded into Secure Boot to allow verification of VeraCrypt EFI files.
to update Secure Boot configuration steps:
1. Enter BIOS configuration
2. Switch Secure boot to setup mode (or custom mode). It deletes PK (platform certificate) and allows to load DCS platform key.
3. Boot Windows
4. execute from admin command prompt
powershell -ExecutionPolicy Bypass -File sb_set_siglists.ps1
It sets in PK (platform key) - DCS_platform
It sets in KEK (key exchange key) - DCS_key_exchange
It sets in db - DCS_sign MicWinProPCA2011_2011-10-19 MicCorUEFCA2011_2011-06-27
All DCS modules are protected by DCS_sign.
All Windows modules are protected by MicWinProPCA2011_2011-10-19
All SHIM(linux) modules are protected by MicCorUEFCA2011_2011-06-27
Hello, I tried the command: powershell -ExecutionPolicy Bypass -File sb_set_siglists.ps1 in command prompt admin mode and it came up with: The argument 'sb_set_siglists.ps1' to the -File parameter does not exist. Provide the path to an existing '.ps1' file as an argument to the -File parameter. Is there another way to edit the PK? Thanks.