Windows: harden EFI Secure Boot CA fallback

Validate SecureBoot firmware data before trusting fallback selection and mark the unsupported-db helper as noreturn.

Record unsupported Secure Boot db refusals in EFI loader diagnostics, and avoid stale rescue-disk prompts after a refusal.

Reuse the central EFI loader selection policy for elevated signing-support checks instead of duplicating fallback/refusal logic.

Translate unsupported Secure Boot db failures across elevation without duplicate generic dialogs, surface stored-PIM refresh failures, and log unattended loader update failures.
This commit is contained in:
Mounir IDRASSI
2026-06-19 19:32:04 +09:00
parent 8a60f152ab
commit 3650fdfca4
6 changed files with 73 additions and 100 deletions
+6
View File
@@ -1807,6 +1807,12 @@ BOOL UpgradeBootLoader (HWND hwndDlg)
}
return TRUE;
}
catch (ErrorException &e)
{
e.Show (hwndDlg);
if (e.ErrLangId && strcmp (e.ErrLangId, "SYSENC_EFI_UNSUPPORTED_SECUREBOOT_CA") == 0)
return FALSE;
}
catch (Exception &e)
{
e.Show (hwndDlg);