Windows: warn when Secure Boot stops trusting the boot chain

Track Microsoft Windows Production PCA 2011 and Windows UEFI CA 2023 in the firmware db parser so the trust of the chainloaded Windows boot manager copy (bootmgfw_ms.vc) can be verified.

Add BootEncryption::GetEfiBootChainTrustStatus to check the installed VeraCrypt loader set and the bootmgfw_ms.vc signer against the active Secure Boot db, asserting nothing from malformed or partial firmware data.

Warn before reboot during Setup upgrade/repair and log a System Favorites service event when a boot chain component is no longer trusted, so Secure Boot certificate changes surface in Windows instead of as a pre-boot failure.

Refs #1655.
This commit is contained in:
Mounir IDRASSI
2026-07-06 22:24:26 +09:00
parent 48f8d87418
commit 7f24d98db2
48 changed files with 354 additions and 1 deletions
+16
View File
@@ -1799,6 +1799,22 @@ BOOL UpgradeBootLoader (HWND hwndDlg)
bootEnc.InstallBootLoader (true);
// Verify the whole boot chain against the active Secure Boot db before the user
// reboots: a component that the firmware no longer trusts (e.g. after a Secure Boot
// certificate update) would otherwise only surface as a pre-boot failure.
try
{
EfiBootChainTrustStatus trustStatus;
if (bootEnc.GetEfiBootChainTrustStatus (trustStatus) && trustStatus.StatusKnown && trustStatus.SecureBootEnabled)
{
if (!trustStatus.VeraCryptLoaderTrusted)
Warning ("SYSENC_EFI_LOADER_NOT_TRUSTED_BY_SECUREBOOT", hwndDlg);
else if (trustStatus.WindowsLoaderSignerKnown && !trustStatus.WindowsLoaderTrusted)
Warning ("SYSENC_EFI_WINDOWS_LOADER_NOT_TRUSTED_BY_SECUREBOOT", hwndDlg);
}
}
catch (...) { }
if (bootEnc.GetInstalledBootLoaderVersion() <= TC_RESCUE_DISK_UPGRADE_NOTICE_MAX_VERSION)
{
bUpdateRescueDisk = TRUE;