+/** @file

+This is DCS boot menu lock application

+

+Copyright (c) 2016. Disk Cryptography Services for EFI (DCS), Alex Kolotnikov

+

+This program and the accompanying materials

+are licensed and made available under the terms and conditions

+of the GNU Lesser General Public License, version 3.0 (LGPL-3.0).

+

+The full text of the license may be found at

+https://opensource.org/licenses/LGPL-3.0

+**/

+

+#include "DcsBml.h"

+

+///

+/// Component Name Protocol instance

+///

+GLOBAL_REMOVE_IF_UNREFERENCED

+EFI_COMPONENT_NAME_PROTOCOL gDcsBmlComponentName = {

+ (EFI_COMPONENT_NAME_GET_DRIVER_NAME) DcsBmlComponentNameGetDriverName,

+ (EFI_COMPONENT_NAME_GET_CONTROLLER_NAME)DcsBmlComponentNameGetControllerName,

+ "eng"

+};

+

+///

+/// Component Name 2 Protocol instance

+///

+GLOBAL_REMOVE_IF_UNREFERENCED

+EFI_COMPONENT_NAME2_PROTOCOL gDcsBmlComponentName2 = {

+ DcsBmlComponentNameGetDriverName,

+ DcsBmlComponentNameGetControllerName,

+ "en"

+};

+

+///

+/// Table of driver names

+///

+GLOBAL_REMOVE_IF_UNREFERENCED

+EFI_UNICODE_STRING_TABLE mDcsBmlDriverNameTable[] = {

+ { "eng;en", (CHAR16 *)L"DcsBml" },

+ { NULL, NULL }

+};

+

+/**

+ Retrieves a Unicode string that is the user-readable name of the EFI Driver.

+

+ @param This A pointer to the EFI_COMPONENT_NAME_PROTOCOL instance.

+ @param Language A pointer to a three-character ISO 639-2 language identifier.

+ This is the language of the driver name that that the caller

+ is requesting, and it must match one of the languages specified

+ in SupportedLanguages. The number of languages supported by a

+ driver is up to the driver writer.

+ @param DriverName A pointer to the Unicode string to return. This Unicode string

+ is the name of the driver specified by This in the language

+ specified by Language.

+

+ @retval EFI_SUCCESS The Unicode string for the Driver specified by This

+ and the language specified by Language was returned

+ in DriverName.

+ @retval EFI_INVALID_PARAMETER Language is NULL.

+ @retval EFI_INVALID_PARAMETER DriverName is NULL.

+ @retval EFI_UNSUPPORTED The driver specified by This does not support the

+ language specified by Language.

+

+**/

+EFI_STATUS

+EFIAPI

+DcsBmlComponentNameGetDriverName (

+ IN EFI_COMPONENT_NAME2_PROTOCOL *This,

+ IN CHAR8 *Language,

+ OUT CHAR16 **DriverName

+ )

+{

+ return LookupUnicodeString2 (

+ Language,

+ This->SupportedLanguages,

+ mDcsBmlDriverNameTable,

+ DriverName,

+ (BOOLEAN)(This != &gDcsBmlComponentName2)

+ );

+}

+

+/**

+ Retrieves a Unicode string that is the user readable name of the controller

+ that is being managed by an EFI Driver.

+

+ @param This A pointer to the EFI_COMPONENT_NAME_PROTOCOL instance.

+ @param ControllerHandle The handle of a controller that the driver specified by

+ This is managing. This handle specifies the controller

+ whose name is to be returned.

+ @param ChildHandle The handle of the child controller to retrieve the name

+ of. This is an optional parameter that may be NULL. It

+ will be NULL for device drivers. It will also be NULL

+ for a bus drivers that wish to retrieve the name of the

+ bus controller. It will not be NULL for a bus driver

+ that wishes to retrieve the name of a child controller.

+ @param Language A pointer to a three character ISO 639-2 language

+ identifier. This is the language of the controller name

+ that the caller is requesting, and it must match one

+ of the languages specified in SupportedLanguages. The

+ number of languages supported by a driver is up to the

+ driver writer.

+ @param ControllerName A pointer to the Unicode string to return. This Unicode

+ string is the name of the controller specified by

+ ControllerHandle and ChildHandle in the language specified

+ by Language, from the point of view of the driver specified

+ by This.

+

+ @retval EFI_SUCCESS The Unicode string for the user-readable name in the

+ language specified by Language for the driver

+ specified by This was returned in DriverName.

+ @retval EFI_INVALID_PARAMETER ControllerHandle is NULL.

+ @retval EFI_INVALID_PARAMETER ChildHandle is not NULL and it is not a valid EFI_HANDLE.

+ @retval EFI_INVALID_PARAMETER Language is NULL.

+ @retval EFI_INVALID_PARAMETER ControllerName is NULL.

+ @retval EFI_UNSUPPORTED The driver specified by This is not currently managing

+ the controller specified by ControllerHandle and

+ ChildHandle.

+ @retval EFI_UNSUPPORTED The driver specified by This does not support the

+ language specified by Language.

+

+**/

+EFI_STATUS

+EFIAPI

+DcsBmlComponentNameGetControllerName (

+ IN EFI_COMPONENT_NAME2_PROTOCOL *This,

+ IN EFI_HANDLE ControllerHandle,

+ IN EFI_HANDLE ChildHandle OPTIONAL,

+ IN CHAR8 *Language,

+ OUT CHAR16 **ControllerName

+ )

+{

+ EFI_STATUS Status = EFI_SUCCESS;

+ return Status;

+}

+/** @file

+This is DCS boot menu lock application

+

+Copyright (c) 2016. Disk Cryptography Services for EFI (DCS), Alex Kolotnikov

+

+This program and the accompanying materials

+are licensed and made available under the terms and conditions

+of the GNU Lesser General Public License, version 3.0 (LGPL-3.0).

+

+The full text of the license may be found at

+https://opensource.org/licenses/LGPL-3.0

+**/

+

+/**

+ Retrieves a Unicode string that is the user-readable name of the EFI Driver.

+

+ @param This A pointer to the EFI_COMPONENT_NAME_PROTOCOL instance.

+ @param Language A pointer to a three-character ISO 639-2 language identifier.

+ This is the language of the driver name that that the caller

+ is requesting, and it must match one of the languages specified

+ in SupportedLanguages. The number of languages supported by a

+ driver is up to the driver writer.

+ @param DriverName A pointer to the Unicode string to return. This Unicode string

+ is the name of the driver specified by This in the language

+ specified by Language.

+

+ @retval EFI_SUCCESS The Unicode string for the Driver specified by This

+ and the language specified by Language was returned

+ in DriverName.

+ @retval EFI_INVALID_PARAMETER Language is NULL.

+ @retval EFI_INVALID_PARAMETER DriverName is NULL.

+ @retval EFI_UNSUPPORTED The driver specified by This does not support the

+ language specified by Language.

+

+**/

+EFI_STATUS

+EFIAPI

+DcsBmlComponentNameGetDriverName (

+ IN EFI_COMPONENT_NAME2_PROTOCOL *This,

+ IN CHAR8 *Language,

+ OUT CHAR16 **DriverName

+ );

+

+/**

+ Retrieves a Unicode string that is the user readable name of the controller

+ that is being managed by an EFI Driver.

+

+ @param This A pointer to the EFI_COMPONENT_NAME_PROTOCOL instance.

+ @param ControllerHandle The handle of a controller that the driver specified by

+ This is managing. This handle specifies the controller

+ whose name is to be returned.

+ @param ChildHandle The handle of the child controller to retrieve the name

+ of. This is an optional parameter that may be NULL. It

+ will be NULL for device drivers. It will also be NULL

+ for a bus drivers that wish to retrieve the name of the

+ bus controller. It will not be NULL for a bus driver

+ that wishes to retrieve the name of a child controller.

+ @param Language A pointer to a three character ISO 639-2 language

+ identifier. This is the language of the controller name

+ that the caller is requesting, and it must match one

+ of the languages specified in SupportedLanguages. The

+ number of languages supported by a driver is up to the

+ driver writer.

+ @param ControllerName A pointer to the Unicode string to return. This Unicode

+ string is the name of the controller specified by

+ ControllerHandle and ChildHandle in the language specified

+ by Language, from the point of view of the driver specified

+ by This.

+

+ @retval EFI_SUCCESS The Unicode string for the user-readable name in the

+ language specified by Language for the driver

+ specified by This was returned in DriverName.

+ @retval EFI_INVALID_PARAMETER ControllerHandle is NULL.

+ @retval EFI_INVALID_PARAMETER ChildHandle is not NULL and it is not a valid EFI_HANDLE.

+ @retval EFI_INVALID_PARAMETER Language is NULL.

+ @retval EFI_INVALID_PARAMETER ControllerName is NULL.

+ @retval EFI_UNSUPPORTED The driver specified by This is not currently managing

+ the controller specified by ControllerHandle and

+ ChildHandle.

+ @retval EFI_UNSUPPORTED The driver specified by This does not support the

+ language specified by Language.

+

+**/

+EFI_STATUS

+EFIAPI

+DcsBmlComponentNameGetControllerName (

+ IN EFI_COMPONENT_NAME2_PROTOCOL *This,

+ IN EFI_HANDLE ControllerHandle,

+ IN EFI_HANDLE ChildHandle OPTIONAL,

+ IN CHAR8 *Language,

+ OUT CHAR16 **ControllerName

+ );

+#include <Guid/GlobalVariable.h>

+#include <Library/CommonLib.h>

+

+#include <Protocol/DcsBmlProto.h>

+#include "DcsBml.h"

+

+//////////////////////////////////////////////////////////////////////////

+// Runtime data to lock

+//////////////////////////////////////////////////////////////////////////

+STATIC BOOLEAN BootMenuLocked = FALSE;

+//////////////////////////////////////////////////////////////////////////

+// DcsBml protocol to control lock in BS mode

+//////////////////////////////////////////////////////////////////////////

+CHAR16* sDcsBootEfi = L"EFI\\VeraCrypt\\DcsBoot.efi";

+CHAR16* sDcsBootEfiDesc = L"VeraCrypt(DCS) loader";

+

+GUID gEfiDcsBmlProtocolGuid = EFI_DCSBML_INTERFACE_PROTOCOL_GUID;

+EFI_DCSBML_PROTOCOL gEfiDcsBmlProtocol = {

+ BootMenuLock

+};

+

+EFI_STATUS

+BootMenuLock(

+ IN EFI_DCSBML_PROTOCOL *This,

+ IN BOOLEAN Lock

+ ) {

+ BootMenuLocked = Lock;

+ return EFI_SUCCESS;

+}

+

+//////////////////////////////////////////////////////////////////////////

+// Driver

+//////////////////////////////////////////////////////////////////////////

+

+/**

+Unloads an image.

+

+@param ImageHandle Handle that identifies the image to be unloaded.

+

+@retval EFI_SUCCESS The image has been unloaded.

+@retval EFI_INVALID_PARAMETER ImageHandle is not a valid image handle.

+

+**/

+EFI_STATUS

+EFIAPI

+DcsBmlUnload(

+ IN EFI_HANDLE ImageHandle

+ )

+{

+ EFI_STATUS res;

+

+ res = EFI_SUCCESS;

+ //

+ // Uninstall Driver Supported EFI Version Protocol onto ImageHandle

+ //

+ res = gBS->UninstallMultipleProtocolInterfaces(

+ ImageHandle,

+ &gEfiDcsBmlProtocolGuid, &gEfiDcsBmlProtocol,

+ NULL

+ );

+

+ if (EFI_ERROR(res)) {

+ return res;

+ }

+ // Clean up

+ return EFI_SUCCESS;

+}

+

+

+ // Check multiple execution of DcsBml

+ if (!EFI_ERROR(InitBml())) {

+ return EFI_ACCESS_DENIED;

+ }

+

+ //

+ // Install DcsBml protocol onto ImageHandle

+ //

+ res = gBS->InstallMultipleProtocolInterfaces(

+ &ImageHandle,

+ &gEfiDcsBmlProtocolGuid, &gEfiDcsBmlProtocol,

+ NULL

+ );

+ ASSERT_EFI_ERROR(res);

+

+ if (EFI_ERROR(res)) {

+ Print(L"Install protocol %r\n", res);

+ return res;

+ }

+ // runtime lock

+

+ // select boot next

+ {

+ UINT16 DcsBootNum = 0x0DC5B;

+ UINTN len;

+ UINT32 attr;

+ CHAR16* tmp = NULL;

+ res = EfiGetVar(L"BootDC5B", &gEfiGlobalVariableGuid, &tmp, &len, &attr);

+ if (EFI_ERROR(res)) {

+ InitFS();

+ res = BootMenuItemCreate(L"BootDC5B", sDcsBootEfiDesc, gFileRootHandle, sDcsBootEfi, TRUE);

+ res = BootOrderInsert(L"BootOrder", 0, 0x0DC5B);

+ }

+ res = EfiSetVar(L"BootNext", &gEfiGlobalVariableGuid, &DcsBootNum, sizeof(DcsBootNum), EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_BOOTSERVICE_ACCESS);

+ MEM_FREE(tmp);

+ }

+

+ // Prepare BootDC5B

+/** @file

+This is DCS boot menu lock application

+

+Copyright (c) 2016. Disk Cryptography Services for EFI (DCS), Alex Kolotnikov

+

+This program and the accompanying materials

+are licensed and made available under the terms and conditions

+of the GNU Lesser General Public License, version 3.0 (LGPL-3.0).

+

+The full text of the license may be found at

+https://opensource.org/licenses/LGPL-3.0

+**/

+

+#ifndef __EFI_DCSBML_H__

+#define __EFI_DCSBML_H__

+

+#include <Uefi.h>

+

+//

+// Libraries

+//

+#include <Library/UefiBootServicesTableLib.h>

+#include <Library/MemoryAllocationLib.h>

+#include <Library/BaseMemoryLib.h>

+#include <Library/BaseLib.h>

+#include <Library/UefiLib.h>

+#include <Library/DevicePathLib.h>

+#include <Library/DebugLib.h>

+

+//

+// UEFI Driver Model Protocols

+//

+#include <Protocol/ComponentName2.h>

+#include <Protocol/ComponentName.h>

+

+//

+// Consumed Protocols

+//

+

+//

+// Produced Protocols

+//

+#include <Protocol/DcsBmlProto.h>

+

+

+//

+// Protocol instances

+//

+extern EFI_COMPONENT_NAME2_PROTOCOL gDcsBmlComponentName2;

+extern EFI_COMPONENT_NAME_PROTOCOL gDcsBmlComponentName;

+extern EFI_DCSBML_PROTOCOL gEfiDcsBmlProtocol;

+

+//

+// Include files with function prototypes

+//

+#include "ComponentName.h"

+

+EFI_STATUS

+BootMenuLock(

+ IN EFI_DCSBML_PROTOCOL *This,

+ IN BOOLEAN Lock

+ );

+

+

+#endif

+ DcsBml.h

+ ComponentName.c

+ ComponentName.h

+ CommonLib

+ gEfiFileInfoGuid

+ gEfiComponentName2ProtocolGuid

+ gEfiComponentNameProtocolGuid

+//////////////////////////////////////////////////////////////////////////

+// BML

+//////////////////////////////////////////////////////////////////////////

+CHAR16* sDcsBmlEfi = L"EFI\\VeraCrypt\\DcsBml.dcs";

+CHAR16* sDcsBmlEfiDesc = L"VeraCrypt(DcsBml) driver";

+CHAR16* sDcsBmlDriverVar = L"DriverDC5B";

+UINT16 sDcsBmlDriverNum = 0x0DC5B;

+

+VOID

+UpdateDriverBmlStart() {

+ EFI_STATUS res;

+ UINTN len;

+ UINT32 attr;

+ int drvInst;

+ CHAR16* tmp = NULL;

+

+ // Driver load selected?

+ drvInst = ConfigReadInt("DcsBmlDriver", 1);

+ if (drvInst) {

+ res = EfiGetVar(sDcsBmlDriverVar, &gEfiGlobalVariableGuid, &tmp, &len, &attr);

+ // Driver installed?

+ if (EFI_ERROR(res)) {

+ // No -> install

+ res = BootMenuItemCreate(sDcsBmlDriverVar, sDcsBmlEfiDesc, gFileRootHandle, sDcsBmlEfi, FALSE);

+ if (!EFI_ERROR(res)) {

+ len = 0;

+ res = EfiGetVar(L"DriverOrder", &gEfiGlobalVariableGuid, &tmp, &len, &attr);

+ if (!EFI_ERROR(res)) len = len / 2;

+ res = BootOrderInsert(L"DriverOrder", len, sDcsBmlDriverNum);

+ }

+ }

+ MEM_FREE(tmp);

+ }

+ else {

+ // uninstall driver

+ res = EfiGetVar(sDcsBmlDriverVar, &gEfiGlobalVariableGuid, &tmp, &len, &attr);

+ if (!EFI_ERROR(res)) {

+ BootMenuItemRemove(sDcsBmlDriverVar);

+ BootOrderRemove(L"DriverOrder", sDcsBmlDriverNum);

+ }

+ }

+ MEM_FREE(tmp);

+}

+

+ EFI_STATUS res;

+// EFI_INPUT_KEY key;

+ // BML installed?

+ if (EFI_ERROR(InitBml())) {

+ // if not -> execute

+ EfiExec(NULL, sDcsBmlEfi);

+ }

+

+ UpdateDriverBmlStart();

+ // Clear DcsExecPartGuid before execute OS to avoid problem in VirtualBox with reboot.

+ EfiSetVar(L"DcsExecPartGuid", NULL, NULL, 0, EFI_VARIABLE_BOOTSERVICE_ACCESS);

+ EfiSetVar(L"DcsExecCmd", NULL, NULL, 0, EFI_VARIABLE_BOOTSERVICE_ACCESS);

+ ConnectAllEfi();

+VOID

+CleanSensitiveData()

+{

+ if (SecRegionCryptInfo != NULL) {

+ MEM_BURN(SecRegionCryptInfo, sizeof(*SecRegionCryptInfo));

+ }

+

+ if (gRnd != NULL) {

+ MEM_BURN(gRnd, sizeof(*gRnd));

+ }

+

+ if (SecRegionData != NULL) {

+ MEM_BURN(SecRegionData, SecRegionSize);

+ }

+

+ if (gAutoPassword != NULL) {

+ MEM_BURN(gAutoPassword, MAX_PASSWORD);

+ }

+}

+

+ CleanSensitiveData();

+

+ if (!EFI_ERROR(Status)) {

+ EFI_INPUT_KEY key;

+ key = KeyWait(L"Boot OS in %2d ('r' to reset) \r", 5, 0, 0);

+ if (key.UnicodeChar == 'r') {

+ MEM_BURN(&newPassword, sizeof(newPassword));

+ MEM_BURN(&confirmPassword, sizeof(confirmPassword));

+ CleanSensitiveData();

+ gST->RuntimeServices->ResetSystem(EfiResetCold, EFI_SUCCESS, 0, NULL);

+ }

+ }

+ CleanSensitiveData();

+ InitBml();

+ BmlLock(TRUE);

+ # Include/Protocol/DcsBmlProto.h

+ #// {7FB6D090-8755-43FC-84B5-6E297F9EC1CD}

+ gEfiDcsBmlProtocolGuid = { 0x7fb6d090, 0x8755, 0x43fc, { 0x84, 0xb5, 0x6e, 0x29, 0x7f, 0x9e, 0xc1, 0xcd } }

+#include <Protocol/BlockIo.h>

+#include <Protocol/DcsBmlProto.h>

+// BML

+//////////////////////////////////////////////////////////////////////////

+extern EFI_HANDLE* gBmlHandles;

+extern UINTN gBmlCount;

+extern EFI_DCSBML_PROTOCOL* gBml;

+extern EFI_GUID gBmlGuid;

+

+EFI_STATUS

+InitBml();

+

+EFI_STATUS

+BmlLock(

+ IN BOOLEAN lock

+ );

+

+

+//////////////////////////////////////////////////////////////////////////

+BootOrderPresent(

+ IN CHAR16 *OrderVarName,

+ UINT16 value);

+

+EFI_STATUS

+/** @file

+This is DCS boot menu lock protocol

+

+Copyright (c) 2016. Disk Cryptography Services for EFI (DCS), Alex Kolotnikov

+

+This program and the accompanying materials

+are licensed and made available under the terms and conditions

+of the GNU Lesser General Public License, version 3.0 (LGPL-3.0).

+

+The full text of the license may be found at

+https://opensource.org/licenses/LGPL-3.0

+**/

+

+#ifndef _EFI_DCSBMLPROTO_H

+#define _EFI_DCSBMLPROTO_H

+

+#include <Uefi.h>

+#include <ProcessorBind.h>

+#include <Base.h>

+

+//

+// Global Id for DcsBml Interface

+// {7FB6D090-8755-43FC-84B5-6E297F9EC1CD}

+//

+#define EFI_DCSBML_INTERFACE_PROTOCOL_GUID \

+ { \

+ 0x7fb6d090, 0x8755, 0x43fc, 0x84, 0xb5, 0x6e, 0x29, 0x7f, 0x9e, 0xc1, 0xcd \

+ }

+

+typedef struct _EFI_DCSBML_PROTOCOL EFI_DCSBML_PROTOCOL;

+

+//

+// Lock boot menu

+//

+typedef

+EFI_STATUS

+(EFIAPI *EFI_BOOT_MENU_LOCK) (

+ IN EFI_DCSBML_PROTOCOL *This,

+ IN BOOLEAN Lock

+ );

+

+

+//

+// Protocol definition

+//

+struct _EFI_DCSBML_PROTOCOL {

+ EFI_BOOT_MENU_LOCK BootMenuLock;

+} ;

+

+extern EFI_GUID gEfiDcsBmlProtocolGuid;

+#endif

+ EfiBml.c

+/** @file

+EFI DCS BML helpers routines/wrappers

+

+Copyright (c) 2016. Disk Cryptography Services for EFI (DCS), Alex Kolotnikov

+Copyright (c) 2016. VeraCrypt, Mounir IDRASSI

+

+This program and the accompanying materials are licensed and made available

+under the terms and conditions of the GNU Lesser General Public License, version 3.0 (LGPL-3.0).

+

+The full text of the license may be found at

+https://opensource.org/licenses/LGPL-3.0

+**/

+

+#include <Library/CommonLib.h>

+#include <Library/UefiBootServicesTableLib.h>

+#include <Protocol/DcsBmlProto.h>

+

+//////////////////////////////////////////////////////////////////////////

+// BML

+//////////////////////////////////////////////////////////////////////////

+EFI_HANDLE* gBmlHandles = NULL;

+UINTN gBmlCount = 0;

+EFI_DCSBML_PROTOCOL* gBml = NULL;

+EFI_GUID gBmlGuid = EFI_DCSBML_INTERFACE_PROTOCOL_GUID;

+

+EFI_STATUS

+BmlSelect(

+ IN UINTN index) {

+ if (index < gBmlCount) {

+ return gBS->HandleProtocol(gBmlHandles[index], &gBmlGuid, (VOID**)&gBml);

+ }

+ return EFI_NOT_FOUND;

+}

+

+EFI_STATUS

+InitBml() {

+ EFI_STATUS res;

+ // BML control if supported

+ res = EfiGetHandles(ByProtocol, &gBmlGuid, 0, &gBmlHandles, &gBmlCount);

+ if (gBmlCount > 0) {

+ return BmlSelect(gBmlCount - 1);

+ }

+ return EFI_NOT_FOUND;

+}

+

+

+EFI_STATUS

+BmlLock(

+ IN BOOLEAN lock

+ )

+{

+ if (gBml != NULL) {

+ return gBml->BootMenuLock(gBml, lock);

+ }

+ return EFI_UNSUPPORTED;

+}

+

+BootOrderPresent(

+ IN CHAR16 *OrderVarName,

+ UINT16 value)

+{

+ EFI_STATUS res = EFI_NOT_READY;

+ UINT16* varBootOrder;

+ UINTN varBootOrderSize;

+ UINT32 varBootOrderAttr;

+ UINTN BootOrderCount;

+ UINTN i;

+ UINTN j;

+

+ res = EfiGetVar(OrderVarName, &gEfiGlobalVariableGuid, &varBootOrder, &varBootOrderSize, &varBootOrderAttr);

+ if (EFI_ERROR(res)) return res;

+ BootOrderCount = varBootOrderSize / sizeof(UINT16);

+ res = EFI_NOT_FOUND;

+ for (j = 0, i = 0; i < BootOrderCount; ++i) {

+ if (varBootOrder[i] == value) {

+ MEM_FREE(varBootOrder);

+ res = EFI_SUCCESS;

+ break;

+ }

+ }

+ return res;

+}

+

+EFI_STATUS