Strange Windows 10 Build 1903 UEFI with CSM issue
Open source disk encryption with strong security for the Paranoid
Brought to you by:
idrassi
Menu
▾
▴
Hi all,
Two issues:
1) Bootloader does not automatically boot, but works when selected from the Boot Menu.
2) The VeraCrypt password promt is just a black screen, but it works if you enter the password and PIM.
Some info:
The system has a fresh install of Windows 10 Build 1903, and is a ~2yo HP EliteBook.
VeraCrypt installed fine, and I started doing a standard system encryption. Nothing fancy. Restarted for encryption pretest and the system stuck on the HP logo.
I rebooted and F9'd into Boot Options. The VeraCrypt bootloader was in the list, so I picked it.
I was presented with a solid black screen, and nothing else. Rebooted, tried again, same result.
Just for fun, on the black screen I entered the encryption password, hit enter, then enter again (default PIM), and moments later Windows began to boot.
VeraCrypt told me the encryption pretest was successful, and I have no data, so I told it to encrypt.
It finished, so I rebooted.
After reboot it hung on the HP logo again, so I F9'd into the Boot Menu again.
Now the VeraCrypt bootloader isn't listed, but if I choose 'OS Boot Manager' it gives me the plain black screen, and if I enter my encryption password it works.
In BIOS there are settings for "UEFI with CSM", and "UEFI without CSM". I feel like the problem lies there somewhere, but it only seems to work if I use "UEFI without CSM"..
Thank you for this detailed report.
For the first issue, it is unfortunately something known to happen with HP machine although with the latest changes in VeraCrypt it seems to work better on some HP machines. One way I solved the problem is to replace Windows loader by VeraCrypt and so even if VeraCrypt boot menu entry is erased, the machine would boot normally.
But in your case, even the OS bootlaoder is working, the HP BIOS refuses to boot on it. Maybe there is a security option on the BIOS used by this model that allow only loader from predefined manufacturers.
for the second issue, it looks like VeraCrypt bootloader could not initialize correctly the video mode of the machine and so it is not able to print any output. To my knowledge, this is the first time such issue is report.
Did you check the BIOS options to see if there is any advanced option to control the graphic video card behavior?
Normally, graphic card should be limited to OS and boot environement should use basic display
Also, VeraCrypt bootloader creates a file called "PlatformInfo" in the EFI system patition inside the folder "EFI\VeraCrypt". Can you please share this file (after removing any identifying information from it)? It is a simple XML file with technical details about the hardware available.
A simple way to access this from Windows is to run a command prompt as an administartor and then type the following:
and then share the file "C:\PlatformInfo".
Thank you for your help.
By mistake I replied to the thread instead of replying to you.
I wasn't sure you would see it, so I am replying directly to you as well.
I failed to mention yesterday that I'm using VeraCrypt version 1.23-Hotfix-2.
Also, I looked through BIOS, and found no option to allow custom bootloaders.
I did find an option for "Hybrid Grapics", which was enabled. Disabling it resulted in no change. VeraCrypt still displayed a plain black screen.
While looking around I took note of the BIOS version (01.09), and found that it was out of date. I am presently updating to the newest version (01.29).
I will likely reinstall Windows 1903 when the BIOS update finishes, then re-encrypt to see if there are any changes.
Anyway, attached is the PlatformInfo file you requested.
Haven't reinstalled Windows yet, but the BIOS update finished. Afterwards I was looking through the "Startup Menu", and noticed an option called "Enter Intel(R) ME Setup".
I selected it, look around, and exited. I made no changes.
When it exited the ME Setup menu, the VeraCrypt password prompt appeared.
I tested the other "Startup Menu" options, and the "Enter Intel(R) ME Setup" option is the only one that results in the VeraCrypt password prompt.
Rebooting results in the same symptoms as originally described.
Thank you for these details.
From the PlatfromInfo file you shared, I can see that there are two graphic devices available to the EFI boot environement. By default, VeraCrypt selects the last one on the list returned by EFI subsystem which means in your case that VeraCrypt uses the second graphic device.
The fact that VeraCrypt password prompt appeared after you enter the Intel ME setup option could indicate this specific menu changes something in the graphic device configuration that makes VeraCrypt use the working one.
There is an option in VeraCrypt EFI bootloader configuration file located at "EFI\VeraCrypt\DcsProp" that enables to force VeraCrypt bootloader to use a specific graphic device based on its index on the list returned by EFI subsystem. This option is called "GraphDevice" and in your case you can set it to 0 to see if it changes something since currently VeraCrypt bootloader uses index 1 in your case.
You can edit the "EFI\VeraCrypt\DcsProp" file either manually or through VeraCrypt UI using the menu System -> Settings and then clicking on the button "Edit Boot Loader Configuration", and then add the following line :
<config key="GraphDevice">0</config>as you can see in the following example:
If this doesn't change anything, then it is possible that Intel ME component itself is causing some kind of conflict in EFI mode. Maybe there is an option in the its associated meny in the BIOS that allows to alter its behavior.
Anyway, regardless of the current issue, Intel ME is a security risk for the machines that contain it and this should be taken into account when securing data.
Setting the GraphDevice to zero did not change the behavior.
The menu for Intel ME Setup is very confusing, but I do not see any option to disable it, or anything relating to graphics.
I updated it to the newest version though, which allegedly fixes a handful of remote vulnerabilities. Thank you for bringing that to my attention.
Also, thank you for all of your help. I don't know what else we can do though. Because of this, I'll think twice before buying another HP computer..