Closed bluikko closed 6 years ago
Yes, as you figured it out, these two certificates are already included in the script (lines 63 and 64 in the current version). So you just need to uncomment these two lines.
No need to do anything special on your side, just install 1.23-beta2, clear SecureBoot keys in the BIOS, launch the PowerShell script after uncommenting the adequate lines, enable SecureBoot in the BIOS and then start the encryption process.
VeraCrypt-DCS bootloader that is included in VeraCrypt is signed with a custom key that is loaded using the PowerShell script and this same key is used to sign the certificates of various manufacturers that are referenced in the PowerShell script. If a user encounters a certificate that is not included in the script, he must submit it to us so that we sign it and then include it alongside its signature in the PowerShell script.
`dumpEfiVars.exe` (obtained from https://www.veracrypt.fr/downloads/tools/dumpEfiVars.exe) dumps manufacturer certificates named:

Lenovo UEFI CA 2014.der
ThinkPad Product CA 2012.der

And in `\siglists` there are:

dbx_SigList.bin
db_SigList.bin
KEK_SigList.bin
PK_SigList.bin

References to these files are not listed in `sb_set_siglists.ps1`. Could I just add them as new lines/change the existing lines? Note that none of the files at `\siglists` have names referencing the manufacturer.

Edit: I just realized the idea is to cross-reference the output of `dumpEfiVars.exe` to the `siglists` on the VeraCrypt-DCS. So, in this case the correct lines to uncomment would be:

And as a last issue that is not totally clear, if I am using VeraCrypt 1.23-BETA2, do I still need to manually compile VeraCrypt-DCS or can I just use the boot loader included in the stock VeraCrypt 1.23-BETA2? The `readme.txt` at https://github.com/veracrypt/VeraCrypt/tree/master/src/Boot/EFI would indicate that compilation is needed.

If compilation is required, perhaps this should be listed in the `readme.txt` for VeraCrypt-DCS also somewhere?
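As an added example (not code from VeraCrypt-DCS or from either poster), a small Python parser for the EFI_SIGNATURE_LIST layout that the `*_SigList.bin` files use, which lets you check whether a certificate dumped by `dumpEfiVars.exe` is already present in a signature list before deciding which script lines to uncomment. The list layout follows the UEFI specification; the function names, owner GUIDs and the "certificate" bytes in the sample blob are constructed for this example and are not real DER certificates.

```python
import hashlib
import struct
import uuid

# Signature type GUID for entries whose data is a raw DER X.509 certificate
# (EFI_CERT_X509_GUID from the UEFI specification).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

def parse_siglist(blob):
    """Walk concatenated EFI_SIGNATURE_LIST structures (the *_SigList.bin layout):
    16-byte SignatureType GUID, UINT32 SignatureListSize / SignatureHeaderSize /
    SignatureSize (28-byte fixed header), optional header, then EFI_SIGNATURE_DATA
    entries of 16-byte SignatureOwner + data. Returns (type, owner, data) tuples."""
    entries, off = [], 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < 28 or end > len(blob) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos = off + 28 + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def build_siglist(sig_type, owner, data):
    """Build one single-entry EFI_SIGNATURE_LIST (used here for constructed sample data)."""
    sig_size = 16 + len(data)
    return (sig_type.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
            + owner.bytes_le + data)

def cross_reference(siglist_blob, dumped_certs):
    """dumped_certs maps a *.der filename to its bytes (as written by dumpEfiVars.exe).
    Returns {filename: True/False}: whether that exact certificate is in the list."""
    present = {hashlib.sha256(d).digest() for t, _o, d in parse_siglist(siglist_blob)
               if t == EFI_CERT_X509_GUID}
    return {name: hashlib.sha256(der).digest() in present
            for name, der in dumped_certs.items()}

# Constructed sample: fake "certificates" (not real DER) in a two-list db blob.
FAKE_LENOVO = b"\x30\x82" + b"\x4c" * 40
FAKE_OTHER = b"\x30\x82" + b"\x4f" * 40
SAMPLE_DB = (build_siglist(EFI_CERT_X509_GUID, uuid.UUID(int=1), FAKE_LENOVO)
             + build_siglist(EFI_CERT_X509_GUID, uuid.UUID(int=2), b"\x30\x82" + b"\x54" * 40))

if __name__ == "__main__":
    print(cross_reference(SAMPLE_DB, {"Lenovo UEFI CA 2014.der": FAKE_LENOVO,
                                      "Unknown.der": FAKE_OTHER}))
```

On a real machine, read `db_SigList.bin` and the `.der` files from disk and pass their bytes to `cross_reference`; a `False` result for a manufacturer certificate means it is not in that list.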