Menu

Encrypted sysems on UEFI big problem with windows update

petitlou60
2018-08-01
2019-12-13
1 2 3 > >> (Page 1 of 3)
  • petitlou60

    petitlou60 - 2018-08-01

    Hi everybody
    on UEFI systems because discrepancies of some systems with specifications witch can lead to repair loops
    Veracrypt must modify files in \EFI\Windows\Boot directory
    1) rename Windows boot loader bootmgfw.efi bootmgfw_ms.vc
    2) rename a copy of DcsBoot.efi bootmgfw.efi
    So even original windows boot entry is selected DcsBoot is started , mont system on C: then start copy of original bootmgfw.efi
    Good but there is a big problem for example cumulative update KB4345421 bring new release of bootmgfw.efi after applying it original new windows boot loader is directly invoked leading to repair loop
    the only work around is:
    boot with usb key of install windows or any Windows PE and enter command line
    then
    mountvol b: /s
    b:
    cd EFI
    ren Windows\Boot\bootmgfw.efi \Windows\Boot\bootmgfw_ms.vc
    copy VeraCrypt\DcsBoot.efi \Windows\Boot\bootmgfw.efi
    copy VeraCrypt\DcsBoot.efi \Boot\bootx64.efi
    x:
    mountvol b: /d
    then reboot

    Best regards

    PS
    i don't now when Windows update make change of bootmgfw.efi it's either before firts phase before reboot or second one after reboot
    if it is after above probleme does not arise but you must make this
    mountvol b: /s
    b:
    cd EFI
    ren Windows\Boot\bootmgfw.efi Windows\Boot\bootmgfw_ms.vc
    copy VeraCrypt\DcsBoot.efi windows\Boot\bootmgfw.efi
    c:
    mountvol b: /d

    if you don't make this after reboot pre boot is good but system remain suspended because bootmgfw_ms.vc is not found

     

    Last edit: petitlou60 2018-08-03
  • petitlou60

    petitlou60 - 2018-08-03

    Hi Mounir
    In place of using bootmgfw_ms.vc why not :
    1) Make DcsBoot.efi starting bootmgfw.efi (original one)
    2) bcdedit /set {bootmgr} path \EFI\VeraCrypt\Dcsboot.efi

    So no need of rename and if bootmgfw.efi is simply updated no problem
    and some times above bcdedit command is ok
    Best regards

     

    Last edit: petitlou60 2018-08-03
    • Alex

      Alex - 2018-08-03

      Hi petitlou60,

      Source of the problem - EFI in some notebook do not work according to spec. I suggest solution (temporary).
      https://sourceforge.net/p/veracrypt/discussion/technical/thread/d2987c18/#5098

      Unfortunately better way was not found. Mounir decided to integrate the solution in BETA2 (to test). Probably this solution has to be optional.

       
  • petitlou60

    petitlou60 - 2018-08-03

    HI Alex, Mounir,
    OK but with bcdedit you can easily force bad behavior systems, which attempt to boot with windows EFI Entry, to start DcsBoot.efi.
    the advantage of this is to avoid to use copy of bootmgfw.efi which can become obsolete after Windows Update and start updated Windows with old boot manger can lead to strange results or bugs

    This is only an suggest and i understand that you are very busy with this project
    Thank you for your implication
    Best regards

     

    Last edit: petitlou60 2018-08-03
  • Mounir IDRASSI

    Mounir IDRASSI - 2018-08-04

    As explained by Alex, we were using the standard (and clean) way to register VeraCrypt bootloader in 1.22 but it tuned out that many manufactuters (like HP) force the machine to boot only on bootmgfw.efi and so it was impossible to encrypt these machines.

    After many efforts and trials but Alex and me, I finally decided to go for the renaming of bootmgfw.efi and copying dcsboot.efi as bootmgfw.efi. This is the only way to enable users to encrypt there machines from affected manufacturers like HP or Acer.

    Concerning the issue with bootloader being overwritten by updates like KB4345421, I have already implemented in 1.23-BETA a mechanism based on /ReflectDrivers and /PostOOBE of Windows setup in order to be compatible with Windows major upgrades like Fall Creators and I think I can reuse the PostOOBE mechanism to ensure that bootmgfw_ms.vc is updated and that bootmgfw.efi is always a copy of dcsboot.efi.

    I will try to implement this in the coming days.

    Is it possible for you to help in testing this?

     
  • petitlou60

    petitlou60 - 2018-08-04

    Hi Mounir
    As you know i have a strange bug in my Asus X75VC: secure boot failure with installed DCS keys in firmware.
    So to encrypt my system i must disable secure boot!
    But i can make some tests like:
    see if bootmgfw.efi remain a copy o DcsBoot.efi and bootmgfw_ms.vc correctly updated
    after applying any Windows Update which impact bootmgfw.efi file

    Or test veracrypt driver if you attempt to increase i/o performance

    Best Regards

     
  • petitlou60

    petitlou60 - 2018-08-05

    Hi Mounir
    I have only start a question because i have think of problem of Windows Update of bootmgfw.efi
    Best regards

     
  • Mounir IDRASSI

    Mounir IDRASSI - 2018-08-05

    Thank you petitloup60 for the clarification.
    As I said above, the PostOOBE mechanism implemented in 1.23-BETA2 should take care of the update of bootmgfw.efi and actully I have a Window 10 machine that was encrypted with 1.23-BETA1 last May and since then many Windows updates were installed and there was never a problem.
    For now, it looks that things are good but if anyone encounters an issue with Windows updates, please report it so that I can analyze it.

     
  • Robert Haerkens

    Robert Haerkens - 2019-01-17

    Hi Mounir. We have this issue (still) with HP laptops. We installed around 10 of them and most have this issue. When this happens, we ask users to press F9 and manually select DcsBoot.efi. After that they can boot into Windows. Remotely we copy o:\EFI\VeraCrypt\DcsBoot.efi o:\EFI\Microsoft\Boot\Bootmgfw.efi

    We also insert the line

    <config key="ActionSuccess">postexec file(EFI\Microsoft\Boot\bootmgfw_ms.efi)</config>
    

    in \EFI\VeraCrypt\DcsProp but I'm not sure what this does. It works fine without it too.

    It just happend to me again (after Windows Updates) and I was/am running version 1.23 Hotfix 2 (October 8, 2018).

    Please can you help us with this? At least I want to know what the status is of this problem. There have to be other HP users with the same problem, but I can hardly find any information about this on the forums. The threads seem old, but if it is fixed, why does it still happen? Are we doing somehing wrong?

    Thanks for your support.

     
    • Mounir IDRASSI

      Mounir IDRASSI - 2019-01-17

      As I have mentioned in another post 2 days ago, I'm working on a new
      approach in VeraCrypt to solve all remaining issues as one can see in
      Git repository history. This is the highest priority for 1.24 version
      because of the large number of users affected by this.
      The current implementation looks good as per my tests and I'm waiting
      for Microsoft signature of the EFI bootloader in order to publish
      1.24-Beta1 that contains these changes (hopeful I will receive it by the
      end of next week).

      Meanwhile, I have published a GUI tool called VcFixBoot that enables to
      fix the boot issues when it happens so you users can run this tool after
      booting into windows using F9 key and afterwards the machine will boot
      normally. This tool is available at
      https://sourceforge.net/projects/veracrypt/files/Contributions/VcFixBoot.zip/download
      (its PGP signature is at
      https://sourceforge.net/projects/veracrypt/files/Contributions/VcFixBoot.zip.sig/download).
      I'm planning to implement a command line version of this tool in the future.

      As for your procedure, you don't need to insert the line in the config
      file. Just copying DcsBoot.efi to ootmgfw.efi is enough but it is better
      first to copy this new version of Bootmgfw.efi to bootmgfw_ms.vc and
      then copy DcsBoot.efi to ootmgfw.efi. The tool VcFixBoot implement a
      more complex logic to handle all possible cases and to ensure the
      coherance of all files (including ones at "EFI\Boot").

      Voilà voilà...I hope this clarifies the situation.

       
  • Robert Haerkens

    Robert Haerkens - 2019-01-18

    Thanks Mounir, this helps a lot. If I can help you in any way (e.g. testing), please let me know.

     
  • Mounir IDRASSI

    Mounir IDRASSI - 2019-01-18

    Thanks Robert for the feedback. I have implemented silent mode in VcFixBoot by specifying /silent as argument to VcFixBoot.exe. You can download the new version using the same link as above.

    For testing, I can share a build of 1.24-Beta1 that include 1.24-Beta1 bootloader signed by VeraCrypt custom SecureBoot key but this require either loading our key into EFI firmware using the PowerShell script I already published or disabling SecureBoot. Is this OK for you?
    Thank you for your help.

     
  • Robert Haerkens

    Robert Haerkens - 2019-01-19

    Hi Mounir, yes that's fine. I will disable SecureBoot. I'm not sure if there is an easy way to simulate these Windows Updates. Obviously I can reinstall Windows and apply updates again, or restore an older image, but there might be easier solutions? Maybe if I run the bootrec /fixboot command, it will do the same thing as a normal Windows Update does?

     

    Last edit: Robert Haerkens 2019-01-19
  • Mounir IDRASSI

    Mounir IDRASSI - 2019-01-22

    I have uploaded installers for 1.24-Beta1 that implement the new mechanism alongside other changes. You can find them in the Nightly Builds folder.
    There are two types of installer: normal one (which comes included old 1.23 EFI bootloader since the EFI bootloader has not been signed yet) and the one named "CustomEFI" which includes 1.24 EFI bootloader signed by our custom SecureBoot key. Using the normal installer on an encrypted EFI system will cause warnings about wrong bootloader version to be displayed on logon.

    Concerning bootrec idea, I don't think it can be run from within Windows so it can not replicate Windows Update behavior. If you run bootrec from the recovery environment, then VeraCrypt can not do anything. Testing using real update is the only real way to test this mechanism.

    Thank you for your help.

     
  • Robert Haerkens

    Robert Haerkens - 2019-01-23

    Thanks. I'm now running and testing 1.24-Beta1 (normal) on a HP Laptop 14-ck0xxx

     
  • Kelly Ahlers

    Kelly Ahlers - 2019-02-25

    I had tried this new VeraCrypt Setup 1.24-Beta2.exe on an HP Pavilion with Win10 Home. It will consistently prompt to reboot for updates and then go back into the boot loop. Did I pick the wrong version which fixes the HP issue?

     
  • Robert Haerkens

    Robert Haerkens - 2019-02-26

    Hi Kelly. I too am running the Beta version on HP without problems, but I'm still on Beta 1.

    At the time of Beta 1 you could chose between the 'Normal' version and a new 'CustomEFI' version. I selected the Normal version but my collegeau the 'CustomEFI' version. He too kept problems and switched to the 'Normal' version. The 'Normal' version prompt with a warning after login by the way, but this is known and due to the fact that it's bootloader is not correct signed.

    I notice that in the current download there is no 'Normal' vs 'CustomEFI' version anymore. Maybe the only version is 'CustomEFI' now? And maybe that one is still 'faulty'? Maybe you can go back to Beta 1? Or maybe just wait for a comment from someone like Mounir with more inside knowledge.

     
  • Kelly Ahlers

    Kelly Ahlers - 2019-02-26

    Thanks for the info! Is there any chance to get at this file? If not, I'll wait to hear from Mounir as to current progress.

     
  • Mounir IDRASSI

    Mounir IDRASSI - 2019-03-09

    @kellyahlers: can you please give an update about your issue? Does windows goes to repair mode after installing updates?
    Since version 1.24-Beta2 there is only one installer since VeraCrypt bootloader was signed by Microsoft. You can try the latest Beta to be sure to have all the fixes.

     
  • Kelly Ahlers

    Kelly Ahlers - 2019-03-09

    Unfortunately it still boots back to the startup recovery. Did I miss a step where I needed to install the certificates into the HP bios or turn off secure boot? It still has shutdown & restart or update & restart as options then it goes back to the boot loop.

     
  • Mounir IDRASSI

    Mounir IDRASSI - 2019-03-09

    There is no special step to do.
    In HP machines, you can always boot VeraCrypt manually but pressing F9 right after powering on the PC and then select menu "Boot from EFI file": from there browse using ENTER and arrow keys to the folder "EFI\VeraCrypt" and choose the file DcsBoot.efi. Afterwards, you will see the usual VeraCrypt password prompt and Windows will load Normally. After rebooting Windows, you will not need to do this again since VeraCrypt will automatically repair the boot once Windows is loaded.
    Does this fix you problem?

    Anyway, it looks like Windows is still erasing VeraCrypt bootloader even with the new mechanism I implemented in VeraCrypt. I will have to work further on this to see if I can solve it.

     
    • Robert Haerkens

      Robert Haerkens - 2019-03-15

      Hi Mounir,

      Today we found something interesting. My colleague didn't have any issues with 1.24Beta5. We compared everything in the BIOS (secure boot, etc.) and installed and remove KB4489899 time after time. It kept working on his exactly equal laptop, and it kept going wrong on mine.

      They only difference we knew was that I did a clean install of 1.24Beta5 and he did an upgrade from 1.24Beta2 (the one with CustomEFI vs Normal, see https://sourceforge.net/p/veracrypt/discussion/technical/thread/e1b55ec1/#6d2c).

      So finally he uninstalled VeraCrypt 1.24Beta2, installed 1.24Beta5 and removed KB4489899, and bang.... "auto repair" started.

       
  • Kelly Ahlers

    Kelly Ahlers - 2019-03-09

    Unfortunately this is on a client's machine. I have given them the workaround but it's not ideal.

    I'll keep following the thread to see if there are any new updates.

     
1 2 3 > >> (Page 1 of 3)

Log in to post a comment.

Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.