10 files changed, 70 insertions, 15 deletions
diff --git a/src/Common/Apidrvr.h b/src/Common/Apidrvr.h
index 0298e204..63de40ae 100644
--- a/src/Common/Apidrvr.h
+++ b/src/Common/Apidrvr.h
@@ -417,5 +417,6 @@ typedef struct
 #define VC_DRIVER_CONFIG_BLOCK_SYS_TRIM								0x100
 #define VC_DRIVER_CONFIG_ALLOW_WINDOWS_DEFRAG						0x200
 #define VC_DRIVER_CONFIG_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION			0x400
+#define VC_DRIVER_CONFIG_ENABLE_CPU_RNG								0x800
 
 #endif		/* _WIN32 */
diff --git a/src/Common/Crypto.c b/src/Common/Crypto.c
index 299595bd..a6f3ffb7 100644
--- a/src/Common/Crypto.c
+++ b/src/Common/Crypto.c
@@ -1216,3 +1216,29 @@ BOOL IsHwEncryptionEnabled ()
 }
 
 #endif // !TC_WINDOWS_BOOT
+
+#ifndef TC_WINDOWS_BOOT
+
+static BOOL CpuRngDisabled = FALSE;
+
+BOOL IsCpuRngSupport ()
+{
+	if (HasRDSEED() || HasRDSEED())
+		return TRUE;
+	else
+		return FALSE;
+}
+
+void EnableCpuRng (BOOL enable)
+{
+	CpuRngDisabled = !enable;
+}
+
+BOOL IsCpuRngEnabled ()
+{
+	return !CpuRngDisabled;
+}
+
+
+#endif
+
diff --git a/src/Common/Crypto.h b/src/Common/Crypto.h
index a362f5d1..f1b35977 100644
--- a/src/Common/Crypto.h
+++ b/src/Common/Crypto.h
@@ -385,6 +385,10 @@ BOOL IsAesHwCpuSupported ();
 void EnableHwEncryption (BOOL enable);
 BOOL IsHwEncryptionEnabled ();
 
+BOOL IsCpuRngSupport ();
+void EnableCpuRng (BOOL enable);
+BOOL IsCpuRngEnabled ();
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/src/Common/Language.xml b/src/Common/Language.xml
index 47d99764..f62421de 100644
--- a/src/Common/Language.xml
+++ b/src/Common/Language.xml
@@ -1432,6 +1432,7 @@
     <entry lang="en" key="IDC_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION">Clear encryption keys from memory if a new device is inserted</entry>
     <entry lang="en" key="CLEAR_KEYS_ON_DEVICE_INSERTION_WARNING">IMPORTANT NOTES:\n - Please keep in mind that this option will not persist after a shutdown/reboot so you will need to select it again next time the machine is started.\n\n - With this option enabled and after a new device is connected, the machine will freeze and it will eventually crash with a BSOD since Windows can not access the encrypted disk after its keys are cleared from memory.\n</entry>
     <entry lang="en" key="STARTING">Starting</entry>
+    <entry lang="en" key="IDC_ENABLE_CPU_RNG">Use CPU hardware random generator as an additional source of entropy</entry>
   </localization>
   <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
     <xs:element name="VeraCrypt">
diff --git a/src/Common/Random.c b/src/Common/Random.c
index 12e9d9af..c8655b56 100644
--- a/src/Common/Random.c
+++ b/src/Common/Random.c
@@ -777,9 +777,10 @@ BOOL SlowPoll (void)
 	}
 
 	// use RDSEED or RDRAND from CPU as source of entropy if present
-	if (	(HasRDSEED() && RDSEED_getBytes (buffer, sizeof (buffer)))
+	if (	IsCpuRngEnabled() && 
+		(	(HasRDSEED() && RDSEED_getBytes (buffer, sizeof (buffer)))
 		||	(HasRDRAND() && RDRAND_getBytes (buffer, sizeof (buffer)))
-		)
+		))
 	{
 		RandaddBuf (buffer, sizeof (buffer));
 	}
@@ -907,10 +908,11 @@ BOOL FastPoll (void)
 		return FALSE;
 	}
 
-	// use RDSEED or RDRAND from CPU as source of entropy if present
-	if (	(HasRDSEED() && RDSEED_getBytes (buffer, sizeof (buffer)))
+	// use RDSEED or RDRAND from CPU as source of entropy if enabled
+	if (	IsCpuRngEnabled() && 
+		(	(HasRDSEED() && RDSEED_getBytes (buffer, sizeof (buffer)))
 		||	(HasRDRAND() && RDRAND_getBytes (buffer, sizeof (buffer)))
-		)
+		))
 	{
 		RandaddBuf (buffer, sizeof (buffer));
 	}
diff --git a/src/Driver/DriveFilter.c b/src/Driver/DriveFilter.c
index a02ca3e5..6228009f 100644
--- a/src/Driver/DriveFilter.c
+++ b/src/Driver/DriveFilter.c
@@ -1535,10 +1535,11 @@ static VOID SetupThreadProc (PVOID threadArg)
 	KeQuerySystemTime( &iSeed );
 	WHIRLPOOL_init (&tctx);
 	WHIRLPOOL_add ((unsigned char *) &(iSeed.QuadPart), sizeof(iSeed.QuadPart), &tctx);
-	// use RDSEED or RDRAND from CPU as source of entropy if present
-	if (	(HasRDSEED() && RDSEED_getBytes (digest, sizeof (digest)))
+	// use RDSEED or RDRAND from CPU as source of entropy if enabled
+	if (	IsCpuRngEnabled() && 
+		(	(HasRDSEED() && RDSEED_getBytes (digest, sizeof (digest)))
 		||	(HasRDRAND() && RDRAND_getBytes (digest, sizeof (digest)))
-		)
+		))
 	{
 		WHIRLPOOL_add (digest, sizeof(digest), &tctx);
 	}
diff --git a/src/Driver/Ntdriver.c b/src/Driver/Ntdriver.c
index 83c050a8..7e3a08bd 100644
--- a/src/Driver/Ntdriver.c
+++ b/src/Driver/Ntdriver.c
@@ -4382,6 +4382,7 @@ NTSTATUS ReadRegistryConfigFlags (BOOL driverEntry)
 			}
 
 			EnableHwEncryption ((flags & TC_DRIVER_CONFIG_DISABLE_HARDWARE_ENCRYPTION) ? FALSE : TRUE);
+			EnableCpuRng ((flags & VC_DRIVER_CONFIG_ENABLE_CPU_RNG) ? TRUE : FALSE);
 
 			EnableExtendedIoctlSupport = (flags & TC_DRIVER_CONFIG_ENABLE_EXTENDED_IOCTL)? TRUE : FALSE;
 			AllowTrimCommand = (flags & VC_DRIVER_CONFIG_ALLOW_NONSYS_TRIM)? TRUE : FALSE;
diff --git a/src/Mount/Mount.c b/src/Mount/Mount.c
index 1ada1b86..98732214 100644
--- a/src/Mount/Mount.c
+++ b/src/Mount/Mount.c
@@ -820,7 +820,10 @@ void LoadSettingsAndCheckModified (HWND hwndDlg, BOOL bOnlyCheckModified, BOOL*
 {
 	char langid[6] = {0};
 	if (!bOnlyCheckModified)
+	{
 	   EnableHwEncryption ((ReadDriverConfigurationFlags() & TC_DRIVER_CONFIG_DISABLE_HARDWARE_ENCRYPTION) ? FALSE : TRUE);
+	   EnableCpuRng ((ReadDriverConfigurationFlags() & VC_DRIVER_CONFIG_ENABLE_CPU_RNG) ? TRUE : FALSE);
+	}
 
 	WipeAlgorithmId savedWipeAlgorithm = TC_WIPE_NONE;
 
@@ -11099,6 +11102,16 @@ static BOOL CALLBACK PerformanceSettingsDlgProc (HWND hwndDlg, UINT msg, WPARAM
 				EnableWindow (GetDlgItem (hwndDlg, IDC_ALLOW_WINDOWS_DEFRAG), FALSE);
 			}
 
+			if (HasRDRAND() || HasRDSEED())
+			{
+				CheckDlgButton (hwndDlg, IDC_ENABLE_CPU_RNG, (driverConfig & VC_DRIVER_CONFIG_ENABLE_CPU_RNG) ? BST_CHECKED : BST_UNCHECKED);
+			}
+			else
+			{
+				CheckDlgButton (hwndDlg, IDC_ENABLE_CPU_RNG,  BST_UNCHECKED);
+				EnableWindow (GetDlgItem (hwndDlg, IDC_ENABLE_CPU_RNG), FALSE);
+			}
+
 			SYSTEM_INFO sysInfo;
 			GetSystemInfo (&sysInfo);
 
@@ -11154,6 +11167,7 @@ static BOOL CALLBACK PerformanceSettingsDlgProc (HWND hwndDlg, UINT msg, WPARAM
 				}
 
 				BOOL disableHW = !IsDlgButtonChecked (hwndDlg, IDC_ENABLE_HARDWARE_ENCRYPTION);
+				BOOL enableCpuRng = IsDlgButtonChecked (hwndDlg, IDC_ENABLE_CPU_RNG);
 				BOOL enableExtendedIOCTL = IsDlgButtonChecked (hwndDlg, IDC_ENABLE_EXTENDED_IOCTL_SUPPORT);
 				BOOL allowTrimCommand = IsDlgButtonChecked (hwndDlg, IDC_ALLOW_TRIM_NONSYS_SSD);
 				BOOL allowWindowsDefrag = IsDlgButtonChecked (hwndDlg, IDC_ALLOW_WINDOWS_DEFRAG);
@@ -11196,12 +11210,14 @@ static BOOL CALLBACK PerformanceSettingsDlgProc (HWND hwndDlg, UINT msg, WPARAM
 					SetDriverConfigurationFlag (VC_DRIVER_CONFIG_ALLOW_NONSYS_TRIM, allowTrimCommand);
 					if (IsOSAtLeast (WIN_8_1))
 						SetDriverConfigurationFlag (VC_DRIVER_CONFIG_ALLOW_WINDOWS_DEFRAG, allowWindowsDefrag);
+					SetDriverConfigurationFlag (VC_DRIVER_CONFIG_ENABLE_CPU_RNG, enableCpuRng);
 
 					DWORD bytesReturned;
 					if (!DeviceIoControl (hDriver, TC_IOCTL_REREAD_DRIVER_CONFIG, NULL, 0, NULL, 0, &bytesReturned, NULL))
 						handleWin32Error (hwndDlg, SRC_POS);
 
 					EnableHwEncryption (!disableHW);
+					EnableCpuRng (enableCpuRng);
 
 					uint32 cpuFreeCount = 0;
 					if (IsDlgButtonChecked (hwndDlg, IDC_LIMIT_ENC_THREAD_POOL))
diff --git a/src/Mount/Mount.rc b/src/Mount/Mount.rc
index b817be6e..c5a35b46 100644
--- a/src/Mount/Mount.rc
+++ b/src/Mount/Mount.rc
@@ -311,7 +311,7 @@ BEGIN
                     "Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,112,340,10
 END
 
-IDD_PERFORMANCE_SETTINGS DIALOGEX 0, 0, 371, 265
+IDD_PERFORMANCE_SETTINGS DIALOGEX 0, 0, 371, 279
 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | DS_CENTER | WS_POPUP | WS_CAPTION | WS_SYSMENU
 CAPTION "VeraCrypt - Performance Options"
 FONT 8, "MS Shell Dlg", 400, 0, 0x1
@@ -329,15 +329,17 @@ BEGIN
                     "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,198,337,10
     CONTROL         "Allow TRIM command for non-system SSD partition/drive",IDC_ALLOW_TRIM_NONSYS_SSD,
                     "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,212,337,10
-    PUSHBUTTON      "&Benchmark",IDC_BENCHMARK,7,244,59,14
-    DEFPUSHBUTTON   "OK",IDOK,257,244,50,14
-    PUSHBUTTON      "Cancel",IDCANCEL,314,244,50,14
+    PUSHBUTTON      "&Benchmark",IDC_BENCHMARK,7,258,59,14
+    DEFPUSHBUTTON   "OK",IDOK,257,258,50,14
+    PUSHBUTTON      "Cancel",IDCANCEL,314,258,50,14
     LTEXT           "Processor (CPU) in this computer supports hardware acceleration for AES:",IDT_HW_AES_SUPPORTED_BY_CPU,18,23,273,9
     GROUPBOX        "Hardware Acceleration",IDT_ACCELERATION_OPTIONS,7,6,355,74
     GROUPBOX        "Thread-Based Parallelization",IDT_PARALLELIZATION_OPTIONS,7,84,355,93
-    GROUPBOX        "Driver Configuration",IDT_DRIVER_OPTIONS,7,183,357,58
+    GROUPBOX        "Driver Configuration",IDT_DRIVER_OPTIONS,7,183,357,72
     CONTROL         "Allow Windows Disk Defragmenter to defragment non-system partition/drive",IDC_ALLOW_WINDOWS_DEFRAG,
                     "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,226,337,10
+    CONTROL         "Use CPU hardware random generator as an additional source of entropy",IDC_ENABLE_CPU_RNG,
+                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,240,335,10
 END
 
 IDD_FAVORITE_VOLUMES DIALOGEX 0, 0, 380, 368
@@ -506,7 +508,7 @@ BEGIN
         LEFTMARGIN, 7
         RIGHTMARGIN, 364
         TOPMARGIN, 7
-        BOTTOMMARGIN, 258
+        BOTTOMMARGIN, 272
     END
 
     IDD_FAVORITE_VOLUMES, DIALOG
diff --git a/src/Mount/Resource.h b/src/Mount/Resource.h
index 0eaf357a..fdc9f890 100644
--- a/src/Mount/Resource.h
+++ b/src/Mount/Resource.h
@@ -192,6 +192,7 @@
 #define IDC_ALLOW_WINDOWS_DEFRAG        1169
 #define IDC_LOWER_BOX                   1170
 #define IDC_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION 1171
+#define IDC_ENABLE_CPU_RNG              1172
 #define IDM_HELP                        40001
 #define IDM_ABOUT                       40002
 #define IDM_UNMOUNT_VOLUME              40003
@@ -268,7 +269,7 @@
 #define _APS_NO_MFC                     1
 #define _APS_NEXT_RESOURCE_VALUE        120
 #define _APS_NEXT_COMMAND_VALUE         40069
-#define _APS_NEXT_CONTROL_VALUE         1172
+#define _APS_NEXT_CONTROL_VALUE         1173
 #define _APS_NEXT_SYMED_VALUE           101
 #endif
 #endif