• verification failed: (0x1A) security violation


    #2430049

    I’m running Windows 10 64-bit Pro on an Alienware 15 R3.

    All I did was: boot into live Ubuntu 18.04 from a thumb drive, install Ubuntu on a portable SSD, disable Secure Boot and boot into Ubuntu from the portable SSD, then re-enable Secure Boot.

    Then every time at boot-up there is this blue window error message:

    verification failed: 0x1A security violation.

    Press OK, and the 2nd message is:

    shim UEFI key management, Press any key to perform MOK management

    If I do nothing, the next error message is:

    Failed to load image: security policy violation, start_image() returned security policy violation

    I cannot seem to get it right, and I’m not sure what happened. Is it possible to restore it to normal?

    • #2430071

      You would need to boot into the BIOS by pressing Del, Esc, F10 etc. at power on. Then turn off Secure Boot.

      Alternatively, boot from the USB again and see if it gives you an option to boot to the BIOS.

      cheers, Paul

    • #2430509

      Thanks. Has “installing ubuntu to a portable ssd” caused changes to the windows efi partition on my laptop?

    • #2430538

      Most likely, yes.
      Ubuntu uses the GRUB boot controller to allow you to boot Windows or Linux. GRUB needs to be signed to work with secure boot.
      See the Ubuntu Wiki for more details: https://wiki.ubuntu.com/UEFI/SecureBoot

      cheers, Paul

    • #2430570

      So Ubuntu installation will insert code into the Windows bootloader, and this will change the PCR7 value (secure boot policy)? BitLocker recovery will be triggered then.

      Is it possible to restore windows bootloader to original (so pcr7 will be restored)?

    • #2430605

      So Ubuntu installation will insert code into windows bootloader

      Where did you get that from?
      Any attempt to insert code into a signed executable will break the signing, so nobody does it.
      Restoring the bootloader will fix the issue, but then Linux won’t boot.

      cheers, Paul

    • #2430669

      GRUB is partially installed to the MBR. So how do I restore the MBR and Windows bootloader to original? Will it also resolve BitLocker recovery?

    • #2430726

      Grub is partially installed to mbr.

      There is no MBR in EFI boot land.
      The boot partition has the boot files in standard folders.

      cheers, Paul

    • #2431079

      Is it possible to restore the below to original

      1. Windows Efi Partition

      2. Secure boot policy

      Bitlocker triggered recovery, but recovery key is no longer accessible. I only have bitlocker pin and windows login.

    • #2431148

      No. You need the BL recovery data which you should have saved to USB.

      cheers, Paul

    • #2431189

      Recovery keys were saved in a secure note, which was mostly destroyed accidentally by Google Translate.

      I don’t know if it’s possible to restore whatever hashes are involved so that BitLocker does not trigger recovery.

    • #2431197

      The problem is Windows doesn’t consider GRUB to be secure. So, whenever you try to boot into Windows using GRUB, it thinks the boot sequence has been compromised and forces a BitLocker key re-entry.

      To regain access to Windows without having to deal with the security violation prompt, change the boot order in BIOS so it boots from the Windows UEFI drive instead of the GRUB drive.

      Once you have access to Windows again, you can use the “one-time boot menu” (press F12 during the boot sequence) to boot from the portable SSD and access Ubuntu thru GRUB.

      BTW, it is possible to set up dual-boot for Win10 + BitLocker and GRUB, but it’s pretty complicated and you must do it in a specific order to avoid exactly the problem you encountered.

         Dual Booting Ubuntu With Windows 10 Pro with BitLocker Encryption

      Basically, you have to disable Win10 BitLocker, install Ubuntu/GRUB and get it up and running in dual boot mode, then re-enable BitLocker for Win10.

      Good luck!

    • #2431267

      Thanks for reply.

      After changing the boot order in BIOS to boot from Windows Boot Manager, BitLocker recovery is still triggered “because secure boot policy has unexpectedly changed”. Secure boot policy should be PCR 7 here, so one or more of the following should have changed PCR 7:

      1. disable and enable fTPM
      2. disable and enable Secure Boot
      3. disable and enable UEFI
      4. switch Secure Boot mode between Standard and Custom
      5. installing Ubuntu to a portable SSD. As a result, a new MOK is generated and GRUB is installed somewhere (EFI partition?)

      If so, how do I restore the “secure boot policy” to original?

    • #2431270

      BitLocker recovery triggered screenshot

    • #2431299

      Ok, unless you can restore the BIOS to the exact settings they had before you installed Ubuntu, you’ll probably need your BitLocker key to continue.

      Couple of questions…

      Are you still able to boot from the portable Ubuntu drive?

      If so, do you get a GRUB screen with different options something like this?

        • Ubuntu

        • Advanced options for Ubuntu

        • Windows Boot Manager

        • System Setup

      If so, select the Windows Boot Manager option and, when you get the BitLocker recovery screen, hit the Esc key.

      That “should” take you to a GRUB terminal screen.

      Enter exit at that screen and it “may” start Windows without the BitLocker recovery prompt.

      If it does, then immediately backup your BitLocker recovery key to a USB drive.

      Open BitLocker Drive Encryption

      C:\Windows\System32\BitLockerWizardElev.exe \ t

      Select the Backup recovery key option.

      Then you can work on disabling/re-enabling BitLocker to get you dual boot working properly.

      • #2432635

        what is the action if you proceed with “System Setup” here?

    • #2431680

      BitLocker was triggered before the Ubuntu installation. It was for reasons I don’t understand.

      The specified reason is “secure boot policy has changed”. It could be a corrupted boot loader also.

      Changing BIOS settings does not seem to help. I’ve shown settings relevant to Secure Boot. fTPM is enabled. Secure Boot mode is Custom. It was “Standard” when everything was OK, but changing it to Standard does not help now.

    • #2431682

      Key management is available in Secure Boot mode “Custom”. I never knew what these keys are and where they are stored.

    • #2431684

      Flipping Secure Boot mode to “Standard” gives you the option to install factory default keys. I don’t know what this is, so I should not have selected yes.

    • #2431687

      This is what the boot option priorities look like after I set Ubuntu to disabled. Not sure if the order #1 – #4 affects PCR7.

    • #2431689

      Secure Boot is enabled. I heard some people could bypass BitLocker recovery by disabling Secure Boot, but it didn’t work. BTW, disabling Secure Boot gives the warning below.

    • #2431692

      BitLocker was not initially triggered by a BIOS change. However, I’ve changed some settings back and forth after; it may have made things more complex. If the BIOS has some auto backup, maybe I can roll it back to the original state, but I doubt so.

    • #2431734

      If you don’t have the BL recovery info you will either have to restore from backup or reinstall.   🙁

      cheers, Paul

    • #2431790

      BitLocker was specifically designed to prevent anyone who doesn’t know the key from accessing the encrypted drive. There is no “trick” that will allow you to get around that.

      As PaulT pointed out above, without the key, your only options are either restoring from a full image backup or reinstalling Windows (which will overwrite all the existing data on the disk.)

        Note: restoring a BitLocker drive from a regular backup still requires entry of the key before the backup will work.

    • #2431810

      Thanks. I have to admit that re-formatting and reinstalling may be the most cost-effective way.

      But I’m not quite ready to move on. It’s not reasonable that there’s no locksmith when you are locked out of the apartment.

      Meanwhile, can someone answer my other questions:

      e.g. what are the keys in the Secure Boot key management, where are they stored and how do they work?

    • #2431817

      The “keys” are the password for the encryption.
      Normally they are stored on disk, encrypted with the TPM module and decrypted when a valid user logs in.
      You need a copy of the “keys” to be able to recover from any abnormal boot.

      cheers, Paul

      • #2431878

        Thanks Paul.

        But I mean the key management in Secure Boot; these keys are independent of BitLocker keys. Please refer to the screenshot.

        • #2431890

          Those are the public keys/signatures used to verify the encryption used for secure boot and they’re stored in non-volatile memory on the motherboard itself.

          The Platform Key (PKpub) is installed into the firmware by the OEM during manufacture. If it gets compromised, the OEM will normally issue a firmware update to change it.

          The Key Exchange Key (KEKpub) is used to establish a trust relationship between the PC’s firmware and an OS/application during secure boot.

          Each OS (and potentially each 3rd party application which needs to communicate with the firmware during secure boot) will store a public KEK key into the firmware during initial setup/first boot.

          The Authorized/Forbidden Signature keys are used to protect access to the allowed/disallowed images databases.

          The Authorized Signatures database (db) contains public keys and certificates that represent trusted components and OS loaders.

          The Forbidden Signature database (dbx) contains hashes of malicious/vulnerable components and compromised keys/certificates that will not be allowed to execute.

          Finally, the Secure Firmware Update Key (which is not shown in your screen shot) is used to verify any attempted firmware update was approved by the OEM for installation on that particular motherboard.

    • #2432281

      Thanks alejr.

      So does the installation of Ubuntu on an external SSD insert a public key into KEKpub? And will this change the PCR7 value during Windows measured boot? If I install factory default keys, will PCR7 restore to original?

    • #2432298

      There is no “change to the PCR7 value”. PCR7 is about verification of boot components on disk.
      If you have non MS signed boot components you will get a PCR7 error and a failed boot.

      cheers, Paul

      • #2432333

        The current BitLocker recovery message is “because secure boot policy has unexpectedly changed”. Literally it means the current PCR7 measurement does not match the measurements which the BitLocker keys were sealed with in the TPM. Installing Ubuntu/GRUB may have changed this measurement, but the error message was there before the Ubuntu/GRUB installation. I want to understand how to restore this measurement to align with what the BitLocker keys were bound to.

        • #2432364

          The keys stored on the motherboard are created/stored without any direct user interaction. The H/W and/or S/W generate them when first connected to the motherboard and it’s impossible for a user to “directly” modify them to change their values!

          The most you can do is reset them and, if you do, they get reset to the preset OEM values they had when you very first powered up your PC (i.e. they won’t match your current setup.)

          As both Paul T and I have pointed out, the only way to fix this is to either input the BitLocker key on the recovery screen or restore the encrypted drive from a full image backup.

          Entering the BitLocker key verifies your access to the encrypted drive and the value stored on the motherboard would be updated to reflect the changes it detected that triggered the alert in the first place.

          Restoring the encrypted drive from a “known good” full image backup would reset it back to the condition it was in the last time you successfully booted it and you “should” then be able to boot into Windows as before (i.e. the values on the motherboard should now match the drive.)

          Also, as I indicated before, using a regular “non-image” back up would require the BitLocker key.

          The difference is…

            An image backup writes each “sector” to the disk one at a time during restore so it doesn’t have to interact with BitLocker at all.

            A regular backup writes each “file” to the disk one at a time during restore so, if the disk is encrypted with BitLocker, it needs the key to unlock the disk before it can write to it.

          So basically, if you don’t have the BitLocker key or an image backup of your drive, you can’t get there from here!

    • #2432436

      Thanks both. Neither the key nor an encrypted image is available, unfortunately.

      I want to understand how the hashing of PCR 7 works. Here’s one example:

      PCR_07: 82 84 fc 88 52 49 4a 2a fd d8 70 3e 62 16 cb c2 a0 8f 62 a5

      What are the components that play into this value?
      Are changes to it reversible? E.g. if installing GRUB changes this value and I then remove the GRUB folder, will this value revert to the same as before?

      • #2432499

        A pcr7 hash can never be restored once it’s been changed.

        Whenever H/W or S/W changes are detected that require changing the hash, the system creates a “brand new” one and flags the old one as “expired”.

        Expired hashes can not be reused!

        The security system was “deliberately” designed this way to prevent gaining access to encrypted data by using old hashes.

        BTW…

        The exact mechanics of how a pcr7 hash, or any hash for that matter, is created is well beyond the scope of discussion here.

        Suffice it to say, it involves a LOT of complicated boolean algebra that took 4 days to explain in a special 6 week class I attended back in 1989 at Wright-Patt on how the internet (it was still called the ARPANET back then) actually works.
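        As an added illustration of the PCR 7 question raised above (this is editor-added example code, not from the thread or any poster), the model below replays a constructed Secure Boot event sequence through the TPM extend operation and shows why the same boot path reproduces the same 20-byte value while a disabled Secure Boot switch or a shim/GRUB chain-load yields a different one, so a BitLocker key sealed to the original value cannot be unsealed. The certificate names, payloads and the `boot_events`, `replay_pcr7` and `tpm_unseal_allowed` helpers are stand-ins of my own, not firmware or BitLocker APIs.

```python
import hashlib

# Added example, not code from the thread: a constructed model of how the TPM
# builds PCR7 on a UEFI Secure Boot start. Event kinds follow the TCG PC Client
# event log; certificate names and payloads are stand-in labels.

PCR_SIZE = 20  # SHA-1 bank, the 20-byte form of the PCR_07 value quoted above

def extend(pcr, data):
    """TPM PCR extend: new = H(old || H(data)). One-way and order-sensitive."""
    return hashlib.sha1(pcr + hashlib.sha1(data).digest()).digest()

def replay_pcr7(events):
    """Rebuild PCR7 from the power-on value (all zeros), one extend per event.
    PCRs are not stored across reboots: each boot re-measures from zero, so an
    unchanged boot path reproduces the value and any change alters it."""
    pcr = bytes(PCR_SIZE)
    for _kind, payload in events:
        pcr = extend(pcr, payload)
    return pcr

def boot_events(secure_boot=True, authorities=("MS Windows Production PCA 2011",)):
    """Events the firmware (and shim, if used) extends into PCR7 during one boot."""
    events = [
        ("EV_EFI_VARIABLE_DRIVER_CONFIG:SecureBoot", b"\x01" if secure_boot else b"\x00"),
        ("EV_EFI_VARIABLE_DRIVER_CONFIG:PK", b"OEM platform key"),
        ("EV_EFI_VARIABLE_DRIVER_CONFIG:KEK", b"MS KEK CA 2011"),
        ("EV_EFI_VARIABLE_DRIVER_CONFIG:db", b"MS Windows Production PCA 2011|MS UEFI CA 2011"),
        ("EV_EFI_VARIABLE_DRIVER_CONFIG:dbx", b"revoked image hashes"),
        ("EV_SEPARATOR", b"\x00\x00\x00\x00"),
    ]
    # One authority event per certificate that actually verified a loaded image.
    events += [("EV_EFI_VARIABLE_AUTHORITY", a.encode()) for a in authorities]
    return events

def windows_direct():
    return boot_events()

def secure_boot_disabled():
    # Variable reads 0 and nothing is verified, so no authority events follow.
    return boot_events(secure_boot=False, authorities=())

def windows_via_shim_grub():
    # shim is verified by the MS UEFI CA entry in db; GRUB by the MOK that shim
    # enrolled, which shim measures into PCR7 as an authority too.
    return boot_events(authorities=("MS UEFI CA 2011", "MOK: Ubuntu Secure Boot CA"))

def tpm_unseal_allowed(current_pcr7, sealed_pcr7):
    """Policy check before the TPM releases BitLocker's volume key: BitLocker sealed
    it to the PCR7 value seen when protection was enabled, so a boot whose replayed
    value differs cannot unseal and falls back to the recovery key."""
    return current_pcr7 == sealed_pcr7

if __name__ == "__main__":
    sealed = replay_pcr7(windows_direct())  # value BitLocker sealed against
    for name, scenario in (("Windows direct", windows_direct),
                           ("Secure Boot off", secure_boot_disabled),
                           ("Windows via shim+GRUB", windows_via_shim_grub)):
        now = replay_pcr7(scenario())
        print(f"{name:22} PCR7={now.hex()} unseal={tpm_unseal_allowed(now, sealed)}")
```

Note the model only fixes a sequence of measured events; on real hardware the measured payloads are the raw variable contents and certificates, which is why only the exact earlier boot path, not a reset to factory keys, reproduces the sealed value.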
        • #2432514

          Does that mean if you disable Secure Boot in BIOS, the PCR 7 value will be permanently changed, and it is not possible to revert back after you then re-enable Secure Boot?

          I remember the BitLocker recovery on this laptop was triggered once last year. The system was asking for the recovery key. I clicked “skip this drive”, then the system booted into Windows as normal, without asking for the key again. It was probably the wifi card that I replaced at that time.

          This time, the BitLocker recovery reason is unknown.

          BTW, how would you create an image backup, and a regular backup, of an encrypted volume?

    • #2432536

      Disabling secure boot does not change the disk content so there should be no change for Bitlocker to complain about. Adding a new boot program (grub), does change the disk content.

      An image backup is everything on and about the disk.
      File backup is files from directories.
      Your backup software will have options for both.

      I make a regular image backup to allow easy restore if something goes pear shaped and a daily backup of my files to capture any changes I made. This makes the backup process much faster than an image every day.

      cheers, Paul

    • #2432557

      paulga wrote:

      does that mean if you disable secure boot in bios, the pcr 7 value will be permanently changed, and not possible to revert back after you then re-enable secure boot ?

      Enabling/disabling secure boot is just a switch.

      If you turn a light switch off, it doesn’t “remove” the light bulb, it simply stops the electricity from flowing in and lighting the bulb. But, the first time you use it, there does need to be a bulb in place or there’ll be no light when you turn it on.

      In the same way, turning secure boot on for the very first time creates and stores the values it uses, but turning it off afterward doesn’t “remove” them… it simply tells the system to stop using secure boot.

      Your problem is the values previously stored no longer match the values being read from your current H/W + S/W configuration and that’s triggering a request to verify those changes.

      If you could either verify the changes with your BitLocker key or restore the H/W + S/W config back to what it was before (i.e. restore the disk from an image backup), the normal boot process would continue. But you’ve indicated you can’t do either of those so you’re stuck!

      The whole point of secure boot is not to make life difficult for a “legitimate owner” of a system (who should always have the requested keys available) but to ensure their system can’t be compromised by nefarious processes or persons trying to hack into it.

    • #2432583

      could you recommend a backup software or method for image backup as well as file backup?

      • #2432605

        Paulga,


        could you recommend a backup software or method for image backup as well as file backup?

        There’s a whole subforum (or 2) for that;

        Backup and

        Questions – Maintenance and Backups

        Look thru them and consider your choices. As for me, I use EaseUS Todo Backup for imaging & cloning and FreeFileSync for data backups. Others have different opinions. If you search my posts, I think you’ll find some rationale for my choice. YMMV.

        Good luck

        Zig

    • #2432646

      I booted from the portable Ubuntu and checked the disks.

      I may have a backup of the ESP partition and system drive from 2017. BitLocker was enabled in 2018; however the ESP partition may not have changed by then. Shown in the 1st picture, partition 5 should be a system image; I’m not sure what partition 4 was. I may have used Clonezilla, or Macrium, or gparted to generate these backups.

    • #2432651

      Update: please ignore or delete this and the previous posts, as it looks like partitions 4 and 5 are not images of the current system.

      Partition 4 is not an image partition. I mounted it to /mnt and checked its folders. Does this look like a copy of the ESP partition? If so, is it possible to use it to restore the ESP partition?

    • #2432777

      That screenshot looks like a recovery partition. Restoring that will not help with your problem because the boot files are in a different partition – generally the 100MB partition at the beginning of the disk – with the OS files on C:. Both of these partitions are required to boot with Bitlocker running.

      cheers, Paul
