If Secure Boot is enabled, every loaded image must be signed, and for 1607 Microsoft decided to allow only drivers signed by the SYSDEV portal (well, there's also WHQL which would allow creating a single package for Windows 7-10, but I don't think it's a realistic possibility for VC).
There are a few exceptions (such as drivers using cross-signing with a certificate dated before July 29th 2015 or upgraded Windows 10 installations, but they are irrelevant in the long term). You can read more about it over at https://blogs.msdn.microsoft.com/windows_hardware_certification/2016/07/26/driver-signing-changes-in-windows-10-version-1607/
As for myself, I'm running an upgraded Windows 10 installation (from 1151) and with Secure Boot disabled, so I don't experience any problem with the driver. You should ask the ones that do.
Last edit: int god 2016-08-15
Thank you. It looks like it is not possible to reproduce the problem in VBOX. VBOX does not support Secure Boot.
In the sources of the DCS loader I've added the possibility to customize Secure Boot certificates.
Main idea: add the DCS certificate in addition to the MS certificate. It is possible if Secure Boot works in Custom mode. How to enable this is described in SecureBoot\readme.txt
Interesting update to the ticket from user MinIsMin reporting that he cannot install VeraCrypt even when Secure Boot is disabled on Windows 10 version 1607.
https://veracrypt.codeplex.com/workitem/497
Last edit: Enigma2Illusion 2016-08-16
I don't have a spare machine to test a clean install of 1607, but according to Microsoft's documentation it should work if the driver is installed on a machine with Secure Boot disabled even if it's a clean install of 1607. I also haven't seen any complaints from driver developers about this when Secure Boot is disabled, so I'm not sure what's causing the problem in MinIsMin's case.
I had to flush all UEFI Settings in BIOS.
Now the driver can be loaded (with Secure Boot disabled).
Thank you for your help and special thanks to Idrassi for this great program.
Hi,
Secure Boot does not work with the default MS certificates because the boot loader is not signed by MS.
There is a possibility to activate Secure Boot in Custom mode. It sets 3 certificates in UEFI.
All DCS modules are protected by DCS_sign.
All Windows modules are protected by MicWinProPCA2011_2011-10-19
All SHIM(linux) modules are protected by MicCorUEFCA2011_2011-06-27
The install script is attached.
Could you check Secure Boot in Custom mode with VeraCrypt and Windows 1607?
I cannot reproduce the problem on VirtualBox (screenshot attached).
Last edit: Alex 2016-08-17
Hi *,
I've just tested Secure Boot (ON, custom mode) with the attached script and Windows 1607.
It works! I used it on an MSI C236A Workstation board. VeraCrypt version 1.18a
Thanks!
Microsoft documentation is clear about the fact that the MS signature is mandatory only when Secure Boot is enabled and only for Windows 10 fresh installs. So, disabling Secure Boot allows the VeraCrypt driver to be installed.
As Alex noted, the DCS EFI modules used by VeraCrypt are signed in order to allow protection against Evil Maid attacks. This is done by loading a custom certificate into the EFI firmware as explained by Alex.
We are interested in testers for this security feature.
That being said, since enabling Secure Boot on fresh installs will make it mandatory to have the VeraCrypt driver signed by Microsoft, I will have to think about the possibility to submit the VeraCrypt driver to Microsoft for signature and create a dedicated installer with these drivers.
As announced by Enigma2Illusion, I have finally published version 1.18. This was the most complicated release I have ever worked on! There were so many new additions, and handling all aspects on Windows, Linux and MacOSX proved to be very tough.
I take this opportunity to thank Alex for his excellent work on the EFI bootloader, which helped make VeraCrypt the first open source disk encryption software that supports EFI Windows system encryption. This is an important milestone for the community, and the modular architecture Alex put into the EFI bootloader opens the door to many new features and functionalities.
The source code of the EFI bootloader is present in the official VeraCrypt 1.18 published files and you can also browse the code at https://github.com/veracrypt/VeraCrypt-DCS
I still have to update the Codeplex website with the new release and also put out an official announcement, especially concerning the TrueCrypt vulnerability that is fixed in this release. Tomorrow I will tackle this!
Great news. Great job! Well done, thank you everyone!!!
Hi All,
first of all congratulations on the new release!
Unfortunately, when I'm trying to install the 1.8 version, Windows 10 (64-bit with the latest updates) comes up with a signature error for the driver (see figure below). As far as I know you can amend the registry in order to allow unsigned software installations, but does it work the same way for drivers?
Any feedback will be appreciated!
Thanks!
Last edit: Viktor 2016-08-18
Hi,
I have submitted VeraCrypt driver to Microsoft for signing and I have just got the signed files back! Apparently the process is automated.
I have checked the files and only Microsoft signature was added, so it is OK.
I have created an installer, VeraCrypt Setup 1.18a.exe, that contains the signed driver. You can download it from the nightly build folder: https://sourceforge.net/projects/veracrypt/files/VeraCrypt%20Nightly%20Builds/VeraCrypt%20Setup%201.18a.exe/download
Can you please validate that it now works properly on Windows 10 Anniversary Edition?
Thanks.
Hi All,
some brief feedback on the new 18a version and the UEFI script:
The UEFI script needed some customisation:
In my case the BIOS didn't have the custom option anymore. I had to manually delete the Platform Key, which allowed me to update it without any additional authorisation while running Windows. The update PowerShell script was amended accordingly in line 4. The command <#Set-SecureBootUEFI -Name PK -Time 2015-09-11 -Content $null> was commented out.
The script ran through successfully and updated all necessary keys, including the Platform Key.
With VeraCrypt I'm still experiencing some issues. During the test after the restart, where I get prompted to enter my password and the PIM, it's very difficult to get the password right due to the double keystrokes and the Shift button removing the last entered letter.
PS: I've got the American + Russian keyboard layout.
I look forward to the new release :-)
Thanks,
Viktor
Last edit: Viktor 2016-08-19
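Alex's post above describes the Custom-mode layout (DCS_sign for the DCS modules, MicWinProPCA2011 for Windows, MicCorUEFCA2011 for shim) and Viktor's post describes having to remove the Platform Key before the enrollment script would run. The script below is an added example, not the DCS SecureBoot script from the thread or any VeraCrypt code: it checks whether Secure Boot is on, whether PK/KEK/db are set (a missing PK means the firmware is in Setup Mode, which is what Viktor's PK deletion produced), and then parses the db variable's EFI_SIGNATURE_LIST entries so you can confirm the three certificates actually landed in db. It assumes Windows PowerShell 5.1 run as Administrator on a UEFI machine; the subject name used for the DCS certificate is a placeholder, since the thread does not give the real subject of DCS_sign.

```powershell
# Added example (not VeraCrypt's or DCS's own script). Requires an elevated
# Windows PowerShell session on a UEFI system with the SecureBoot module.

# Signature-type GUIDs from the UEFI specification (EFI_CERT_X509_GUID, EFI_CERT_SHA256_GUID).
$EfiCertX509Guid   = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EfiCertSha256Guid = [Guid]'c1c41626-504c-4092-aca9-41f936934328'

function Get-SecureBootVariableState {
    # Get-SecureBootUEFI throws when the variable does not exist at all,
    # which for PK means the firmware is in Setup Mode.
    param([string]$Name)
    try   { $v = Get-SecureBootUEFI -Name $Name; return "set ($($v.Bytes.Length) bytes)" }
    catch { return "not set" }
}

function Get-EfiSignatureEntries {
    # Walk the array of EFI_SIGNATURE_LIST structures stored in a Secure Boot
    # variable and return one object per EFI_SIGNATURE_DATA entry.
    # Layout: GUID SignatureType (16) | UINT32 SignatureListSize | UINT32 SignatureHeaderSize
    #         | UINT32 SignatureSize | header bytes | entries (GUID owner + data)
    param([byte[]]$Bytes)
    $entries = @()
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type     = [Guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -lt 16 -or $offset + $listSize -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $pos = $offset + 28 + $hdrSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            $owner   = [Guid]::new([byte[]]$Bytes[$pos..($pos + 15)])
            $data    = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
            $subject = $null
            if ($type -eq $EfiCertX509Guid) {
                # X.509 entries carry a DER certificate; decode it to read the subject.
                $subject = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data).Subject
            }
            $entries += [pscustomobject]@{
                Type    = if ($type -eq $EfiCertX509Guid) { 'X509' }
                          elseif ($type -eq $EfiCertSha256Guid) { 'SHA256' }
                          else { $type.ToString() }
                Owner   = $owner
                Subject = $subject
                # For hash entries (e.g. dbx) keep the raw digest as hex.
                Hash    = if ($null -eq $subject) { ($data | ForEach-Object { $_.ToString('x2') }) -join '' } else { $null }
            }
            $pos += $sigSize
        }
        $offset = $end
    }
    return $entries
}

function Test-CustomModeDb {
    # Returns a table of expected subject prefix -> present in db (true/false).
    param(
        [string[]]$ExpectedSubjects = @(
            'CN=Microsoft Windows Production PCA 2011',  # MicWinProPCA2011_2011-10-19
            'CN=Microsoft Corporation UEFI CA 2011',     # MicCorUEFCA2011_2011-06-27
            'CN=DCS_sign'                                # PLACEHOLDER: real DCS subject not given in the thread
        )
    )
    $entries = Get-EfiSignatureEntries -Bytes (Get-SecureBootUEFI -Name db).Bytes
    $result = @{}
    foreach ($s in $ExpectedSubjects) {
        $result[$s] = [bool]($entries | Where-Object { $_.Subject -and $_.Subject.StartsWith($s) })
    }
    return $result
}

"Secure Boot enabled : $(Confirm-SecureBootUEFI)"
"PK  : $(Get-SecureBootVariableState PK)"
"KEK : $(Get-SecureBootVariableState KEK)"
"db  : $(Get-SecureBootVariableState db)"
Get-EfiSignatureEntries -Bytes (Get-SecureBootUEFI -Name db).Bytes | Format-Table Type, Owner, Subject
Test-CustomModeDb
```

Run it once before the enrollment script (expect only the two Microsoft subjects and a PK that is "set") and once after (expect the DCS subject as well). If PK reports "not set" while Secure Boot is still enabled, the firmware is in Setup Mode and will accept unsigned key updates, which is the state Viktor used to get the script through; re-enrolling a PK afterwards closes that window.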
Hi,
Could you describe your configuration in more detail? What keyboard do you use?
My test/development platform is Fujitsu T732 and VirtualBox. Both are OK. No double keys.
But there are several messages about the problem. So I need details to fix it.
Do you have the problem with the password?
Do you have the problem with the PIM?
Hi Alex,
I'm using an ASUS E202SA with an American English / Russian keyboard. This issue occurred with entering the password only. The PIM seemed to be alright, although I can't verify it because I already failed at stage one with entering the password. I'm going to set an easy one-word password to verify the PIM as well.
I'm encountering the same issue with my Asus e200ha. The console normally (even if not at every keystroke) detects the press and release actions as separate keystrokes. Pressing Shift causes some extra keystrokes and sometimes has the same behavior as Backspace.
Are you planning to provide a fix in a short time?
An update on the Shift key behaviour: right after starting the bootloader it adds an extra keystroke. If Backspace is used, the Shift button behaves as the Backspace button.
I also tested the procedure with a one-letter password. The PIM seems to be alright. I tried and entered the PIM, deleted the values and entered them again.
Last edit: Viktor 2016-08-19
It is strange behavior. My test configuration does not contain the problem.
I need help to reproduce the error or at least log keystrokes to a file. Probably ASUS has an incompatibility in the firmware.
Well, that shouldn't be an issue. Could you first of all give me a quick explanation of how to debug VeraCrypt at that early stage or even activate the logging?
If there aren't any parameters to set in order to enable the debug mode, I would be dependent on you providing me with a customised version with debugging on.
What exactly are you looking for apart from the log?
Last edit: Viktor 2016-08-19
I'm preparing a simple EFI application that logs all keystrokes to a file with timestamps. I need time.
One more idea. Could you start an ordinary EFI shell application?
https://github.com/tianocore/edk2/blob/master/ShellBinPkg/UefiShell/X64/Shell.efi
Copy it to a FAT32 USB drive, location EFI\Boot\bootx64.efi
Boot from the USB.
Check keyboard input.
I tested the EFI shell application and it's working fine. I've attached a photo of the screen just in case:
Last edit: Viktor 2016-08-19
Ok. Thank you. Strange. Password uses the same API.
Minimal KeyTest.efi is attached.
Please execute it like shell.efi
I tested your script with the following results:
1. All the letters and special chars were interpreted correctly.
2. The following buttons produced the following output: CTRL -> blank, SHIFT -> repeating the last letter entered (holding down the Shift button created a series of the last letter entered as output), Caps Lock -> blank. However, I noticed a different behavior from the VeraCrypt Bootloader:
VeraCrypt Bootloader: if you typed a random letter, deleted it using the Backspace key and then typed a series of random words, the Shift key kept the Backspace character, deleting the last typed letter (or even a series if you kept it pressed).
Your EFI tool: the difference is that your tool was only repeating the last letter or function key pressed. If you typed a series of letters and deleted one using the Backspace key, the Shift key behaved as the Backspace key only until you typed another letter or used a function key.
As usual I'm also attaching the photo of the test:
and
Every time the Shift key was used the output was "Success not ready", but the capital letter appeared correctly as "Success Success".
Last edit: Viktor 2016-08-19
Thank you. The situation becomes clearer. The firmware fires the event but does not have a key. Tomorrow I'll prepare an update.
Great, thank you for your efforts!
Waiting for the update. Thank you so much!