Changing the HOOK Boot Property for Symantec Encryption Desktop

Article ID: 158885

Products

Drive Encryption

Issue/Introduction

Starting with Symantec Encryption Desktop 10.3.2, the BIOS hook uses Advanced Encryption Standard - New Instructions (AES-NI) to speed up resumption from hibernation. After this change, some systems encounter problems while resuming from hibernation.

Cause

With Symantec Encryption Desktop 10.3.1 or earlier, systems took longer to resume from hibernation. The reason for the delay was that the BIOS hook that loads the hibernation file (hiberfil.sys) was not optimized to take advantage of the AES-NI instructions available on recent Intel processors.

Resolution

Starting with Symantec Encryption Desktop 10.3.2, systems resume from hibernation faster: the BIOS hook detects an AES-NI-capable processor and uses the AES-NI instructions to decrypt hiberfil.sys, which reduces the resumption time.

AES-NI

AES-NI is an instruction set that Intel introduced in its processors to speed up applications that use AES for encryption or decryption. On systems with AES-NI, the AES rounds are executed by dedicated hardware instructions rather than by software lookup tables.

BIOS Hook

The BIOS hook decrypts the hibernation file during pre-boot. The cryptographic code in the BIOS hook that loads the hibernation file has been optimized to reduce the resumption time.

How the BIOS hook and AES-NI work

A variable named HOOK is stored in the boot props user configuration file in the BootGuard File System (BGFS). It takes the value 0 or 1; by default, HOOK is 0.

When HOOK is 0, the BIOS hook checks whether the processor supports AES-NI and, if it does, uses it to improve pre-boot decryption performance and reduce the resumption time. If a system shows compatibility issues or resumption problems, set HOOK to 1 so that the BIOS hook decrypts the hibernation file without using AES-NI; the system then takes the usual (longer) time to resume from hibernation.
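The article does not publish how the BIOS hook detects AES-NI. The following is an added example, not Symantec's code: it shows the standard way a loader determines AES-NI support (CPUID leaf 1, ECX bit 25, as documented by Intel), and a small hypothetical function, select_decrypt_path, that mirrors the HOOK decision described above (HOOK=0: use AES-NI when the CPU has it; HOOK=1: always use the software path). The function names and the treatment of any other HOOK value as a configuration error are assumptions made for this example.

```c
#include <stdio.h>

#if defined(_MSC_VER) && (defined(_M_IX86) || defined(_M_X64))
#include <intrin.h>
#elif defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
#include <cpuid.h>
#endif

/* Returns 1 if the CPU reports AES-NI support, 0 otherwise.
 * AES-NI is advertised in CPUID leaf 1, register ECX, bit 25.
 * On non-x86 builds this simply reports "not available". */
int aesni_available(void)
{
#if defined(_MSC_VER) && (defined(_M_IX86) || defined(_M_X64))
    int regs[4];                 /* EAX, EBX, ECX, EDX */
    __cpuid(regs, 0);
    if (regs[0] < 1)             /* leaf 1 not supported */
        return 0;
    __cpuid(regs, 1);
    return (regs[2] & (1 << 25)) ? 1 : 0;
#elif defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))  /* fails if leaf 1 absent */
        return 0;
    return (ecx & (1u << 25)) ? 1 : 0;
#else
    return 0;
#endif
}

enum decrypt_path { PATH_AESNI = 0, PATH_SOFTWARE = 1, PATH_INVALID = -1 };

/* Hypothetical decision function modelled on the article's description of HOOK.
 * hook_value:    the HOOK boot property (0 = AES-NI when available, 1 = never)
 * cpu_has_aesni: result of aesni_available()
 * Any HOOK value other than 0 or 1 is treated as a configuration error here;
 * that is an assumption of this example, not documented behaviour. */
int select_decrypt_path(int hook_value, int cpu_has_aesni)
{
    if (hook_value == 1)
        return PATH_SOFTWARE;
    if (hook_value == 0)
        return cpu_has_aesni ? PATH_AESNI : PATH_SOFTWARE;
    return PATH_INVALID;
}

int main(void)
{
    int has = aesni_available();
    printf("AES-NI reported by CPUID: %s\n", has ? "yes" : "no");
    printf("HOOK=0 -> %s path\n",
           select_decrypt_path(0, has) == PATH_AESNI ? "AES-NI" : "software");
    printf("HOOK=1 -> %s path\n",
           select_decrypt_path(1, has) == PATH_AESNI ? "AES-NI" : "software");
    return 0;
}
```

Running this on the affected machine tells you whether the processor actually advertises AES-NI; if it does not, HOOK=0 and HOOK=1 take the same software path and changing HOOK will not alter resumption behaviour.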

How to change the value of HOOK

The value of HOOK is changed with the pgpwde command line. The bootprop-set command displays and changes the value of HOOK; the bootprop-remove command deletes HOOK.

Note: These commands are for diagnostic purposes only and should be used under the supervision of Symantec Technical Support.

These commands can be run from a normal Microsoft Windows session or from a customized Windows Preinstallation Environment (WinPE) recovery CD or USB flash drive (UFD). When using a customized WinPE recovery medium, boot from it before performing the following procedures.

To change the value of HOOK

  1. Open a command prompt and use the pgpwde command line.
  2. To display the current value of HOOK, run the following command:

    $> pgpwde --bootprop-set -d -a --name HOOK
     
  3. To configure the machine to boot without using AES-NI, run the following command:

    $> pgpwde --bootprop-set -d -a --name HOOK --value 1
     
  4. To configure the machine to boot using AES-NI (the default behaviour), run the following command:

    $> pgpwde --bootprop-set -d -a --name HOOK --value 0
     
  5. Restart the system. The new value only takes effect at the next pre-boot, so verify the change by resuming from hibernation after the restart.

To remove HOOK

  1. Open a command prompt and use the pgpwde command line.
  2. To remove HOOK, run the following command:

    $> pgpwde --bootprop-remove -d -a --name HOOK
     
  3. Restart the system. With HOOK removed, the default behaviour applies (equivalent to HOOK set to 0, that is, AES-NI is used when the processor supports it).