The prior post shows another user renamed veracryptb to Windows Boot Manager and booted, showing mimic ploy can work for the Windows Boot Manager. Malware may boot if its tries to mimic the trusted files in UEFI InsydeH20 table with SECURE BOOT OFF if InsydeH20 doesn't use signatures to secure its integrity. However, Veracrypt has a script to add its signature to the firmware trust table so its possible for malware to do the same with SECURE BOOT ON. With SECURE BOOT ON, if the malware signature adds itself to the trust list it still does not exist in SECURE BOOT table in firmware so cannot run. So far, rootkit malware cannot run below or at the UEFI preboot level, as we know today, to hack the admin password in UEFI, so it remains secure even with SECURE BOOT OFF. A malware bootloader cannot run in the UEFI because to boot, it must be added to trusted list which can be done only with SECURE BOOT ON to edit the boot file trusted list malware cannot do that without the UEFI Admin password to change the UEFI settings from SECURE BOOT OFF. I suggest leave SECURE BOOT OFF as the Veracrypt signature generating script has bricked some UEFI/BIOS. You can generate one and enter it, as described in the Veracrypt forum or run without secure boot. NB: Secure boot must be off permanently because the Veracrypt signature does not reside in a separate UEFI secure boot table in firmware. Top and the list of bootloaders is now not editable Turn Secure Boot off, the Veracrypt bootloader will remain at the Move Windows Boot Manager to near bottom. On the boot order screen, locate veracrypt and move it to the top of theīoot priority order. Turn ON secure boot, it allows edits to boot files list to mark Once completed, and reboots, enter UEFI/BIOS * Complete Veracrypt full disk encryption * If Veracrypt fails still, but boots on rescue disk proceed with caution as noted above. If Veracrypt fails still: STOP, and proceed only if you know UEFI, Veracrypt and Win10 well as written below. This is because UEFI doesn't recognize the location or the file itself "veracryptb", the bootloader, in the hard disk as "trusted." Run Veracrypt 1.19 disk partition encryption Admin and user password on UEFI will stop all Win10 reboots at UEFI/BIOS interface so you can interrupt auto-boots to troubleshoot Veracrypt faster, and stop direct writes to UEFI by malware Do not set hard disk password as it may interfere with Win10 updates. IMPORTANT in UEFI: set System Admin and user passwords, and set Password on boot option. Turn secure boot off set it as 'disabled' Maybe the workaround would be to just modify the Windows Boot Manager to boot the VeraCrypt loader instead of the Windows loader? Is it a possible solution? How do I do that?īOOTICE unmodified boot entries screenshot:ĢOn an InsydeH20 V5.0 UEFI "BIOS" running on Acer E5-575:īoot to UEFI, press F2 on Acer machines at 2x sec during boot My system is MSI H81-P33 & i5-4690K with the latest BIOS. I also tried to use Windows BCDEdit cmdlet but it is a no go (it does not see the VeraCrypt loader). How do I insert the VeraCrypt loader there? I have secure boot disabled. Obviously in my UEFI (in BIOS) I can't find the VeraCrypt boot option, there's only the Windows Boot Manager and EFI shell to choose from. This description is probably somewhat inaccurate because I don't exactly know how UEFI booting works. When I restart the PC, UEFI boots the VeraCrypt Loader as it should but when I switch off the PC and on again, UEFI boots to the Windows Boot Manager which loads the Windows Automated Repair again. I used BOOTICE (latest version) to modify the UEFI boot entries to boot the VeraCrypt loader in the first place by choosing "Active", "Boot this entry next time" and by placing VeraCrypt in the first position on the list using the "Up" button. After the repair in what I think is Windows Recovery Environment I can choose to boot off USB and THERE I can choose to boot the VeraCrypt loader. So I used VeraCrypt to encrypt the system partition and now Windows boots its automated repair only.
0 Comments
Leave a Reply. |