From 1396269d573256248bece97e1e291ef0c08e513f Mon Sep 17 00:00:00 2001 From: Mounir IDRASSI Date: Wed, 20 Apr 2016 00:30:28 +0200 Subject: Windows: Add option to avoid PIM prompt in pre-boot authentication by storing PIM value unencrypted in MBR. --- src/Boot/Windows/BootCommon.h | 2 +- src/Boot/Windows/BootConfig.cpp | 10 ++- src/Boot/Windows/BootConfig.h | 2 +- src/Boot/Windows/BootDefs.h | 7 ++ src/Boot/Windows/BootEncryptedIo.cpp | 4 +- src/Boot/Windows/BootMain.cpp | 120 +++++++++++++++++++---------------- src/Common/BootEncryption.cpp | 44 +++++++++++-- src/Common/BootEncryption.h | 4 +- src/Common/Language.xml | 2 + src/Common/Volumes.c | 5 +- src/Driver/DriveFilter.c | 5 +- src/Mount/Mount.c | 32 +++++++++- src/Mount/Mount.rc | 30 +++++---- src/Mount/Resource.h | 3 +- 14 files changed, 183 insertions(+), 87 deletions(-) (limited to 'src') diff --git a/src/Boot/Windows/BootCommon.h b/src/Boot/Windows/BootCommon.h index 4d820493..4d91981b 100644 --- a/src/Boot/Windows/BootCommon.h +++ b/src/Boot/Windows/BootCommon.h @@ -17,7 +17,7 @@ #include "BootDefs.h" // The user will be advised to upgrade the rescue disk if upgrading from the following or any previous version -#define TC_RESCUE_DISK_UPGRADE_NOTICE_MAX_VERSION 0x0116 +#define TC_RESCUE_DISK_UPGRADE_NOTICE_MAX_VERSION 0x0117 #define TC_BOOT_LOADER_AREA_SIZE (TC_BOOT_LOADER_AREA_SECTOR_COUNT * TC_SECTOR_SIZE_BIOS) diff --git a/src/Boot/Windows/BootConfig.cpp b/src/Boot/Windows/BootConfig.cpp index 222fcfc4..63ebaf5e 100644 --- a/src/Boot/Windows/BootConfig.cpp +++ b/src/Boot/Windows/BootConfig.cpp @@ -32,7 +32,7 @@ Partition EncryptedVirtualPartition; Partition ActivePartition; Partition PartitionFollowingActive; bool ExtraBootPartitionPresent = false; -uint64 HiddenVolumeStartUnitNo; +uint64 PimValueOrHiddenVolumeStartUnitNo; // reuse this variable for stored PIM value to reduce memory usage uint64 HiddenVolumeStartSector; #ifndef TC_WINDOWS_BOOT_RESCUE_DISK_MODE @@ -68,6 +68,14 @@ void ReadBootSectorUserConfiguration () DisableScreenOutput(); } + if (userConfig & TC_BOOT_USER_CFG_FLAG_DISABLE_PIM) + { + PimValueOrHiddenVolumeStartUnitNo.LowPart = 0; + memcpy (&PimValueOrHiddenVolumeStartUnitNo.LowPart, SectorBuffer + TC_BOOT_SECTOR_PIM_VALUE_OFFSET, TC_BOOT_SECTOR_PIM_VALUE_SIZE); + } + else + PimValueOrHiddenVolumeStartUnitNo.LowPart = -1; + OuterVolumeBackupHeaderCrc = *(uint32 *) (SectorBuffer + TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET); ret: diff --git a/src/Boot/Windows/BootConfig.h b/src/Boot/Windows/BootConfig.h index d972a49f..0c5eee74 100644 --- a/src/Boot/Windows/BootConfig.h +++ b/src/Boot/Windows/BootConfig.h @@ -36,7 +36,7 @@ extern Partition EncryptedVirtualPartition; extern Partition ActivePartition; extern Partition PartitionFollowingActive; extern bool ExtraBootPartitionPresent; -extern uint64 HiddenVolumeStartUnitNo; +extern uint64 PimValueOrHiddenVolumeStartUnitNo; // reuse this variable for stored PIM value to reduce memory usage extern uint64 HiddenVolumeStartSector; diff --git a/src/Boot/Windows/BootDefs.h b/src/Boot/Windows/BootDefs.h index 6e425847..fc5cad62 100644 --- a/src/Boot/Windows/BootDefs.h +++ b/src/Boot/Windows/BootDefs.h @@ -74,6 +74,9 @@ #define TC__BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_SIZE 4 #define TC__BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET (TC__BOOT_SECTOR_USER_MESSAGE_OFFSET - TC__BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_SIZE) +#define TC__BOOT_SECTOR_PIM_VALUE_SIZE 2 +#define TC__BOOT_SECTOR_PIM_VALUE_OFFSET (TC__BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET - TC__BOOT_SECTOR_PIM_VALUE_SIZE) + #define TC__BOOT_LOADER_DECOMPRESSOR_START_SECTOR 2 #define TC__BOOT_LOADER_DECOMPRESSOR_SECTOR_COUNT 4 #define TC__BOOT_LOADER_DECOMPRESSOR_MEMORY_SIZE 32768 @@ -100,6 +103,7 @@ #define TC__BOOT_USER_CFG_FLAG_SILENT_MODE TC_HEX (01) #define TC__BOOT_USER_CFG_FLAG_DISABLE_ESC TC_HEX (02) #define TC__BOOT_USER_CFG_FLAG_DISABLE_HW_ENCRYPTION TC_HEX (04) +#define TC__BOOT_USER_CFG_FLAG_DISABLE_PIM TC_HEX (08) // The following items are treated as a 2-bit value (apply TC_BOOT_CFG_MASK_HIDDEN_OS_CREATION_PHASE to obtain the value) #define TC__HIDDEN_OS_CREATION_PHASE_NONE 0 @@ -163,6 +167,8 @@ TC_HIDDEN_OS_CREATION_PHASE_WIPED = TC__HIDDEN_OS_CREATION_PHASE_WIPED #define TC_BOOT_SECTOR_USER_MESSAGE_OFFSET TC__BOOT_SECTOR_USER_MESSAGE_OFFSET #define TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_SIZE TC__BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_SIZE #define TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET TC__BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET +#define TC_BOOT_SECTOR_PIM_VALUE_SIZE TC__BOOT_SECTOR_PIM_VALUE_SIZE +#define TC_BOOT_SECTOR_PIM_VALUE_OFFSET TC__BOOT_SECTOR_PIM_VALUE_OFFSET #define TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH TC__BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH #define TC_BOOT_SECTOR_VERSION_OFFSET TC__BOOT_SECTOR_VERSION_OFFSET #define TC_BOOT_SECTOR_LOADER_LENGTH_OFFSET TC__BOOT_SECTOR_LOADER_LENGTH_OFFSET @@ -186,6 +192,7 @@ TC_HIDDEN_OS_CREATION_PHASE_WIPED = TC__HIDDEN_OS_CREATION_PHASE_WIPED #define TC_BOOT_USER_CFG_FLAG_SILENT_MODE TC__BOOT_USER_CFG_FLAG_SILENT_MODE #define TC_BOOT_USER_CFG_FLAG_DISABLE_ESC TC__BOOT_USER_CFG_FLAG_DISABLE_ESC #define TC_BOOT_USER_CFG_FLAG_DISABLE_HW_ENCRYPTION TC__BOOT_USER_CFG_FLAG_DISABLE_HW_ENCRYPTION +#define TC_BOOT_USER_CFG_FLAG_DISABLE_PIM TC__BOOT_USER_CFG_FLAG_DISABLE_PIM #define TC_HIDDEN_OS_CREATION_PHASE_NONE TC__HIDDEN_OS_CREATION_PHASE_NONE #define TC_HIDDEN_OS_CREATION_PHASE_CLONING TC__HIDDEN_OS_CREATION_PHASE_CLONING #define TC_HIDDEN_OS_CREATION_PHASE_WIPING TC__HIDDEN_OS_CREATION_PHASE_WIPING diff --git a/src/Boot/Windows/BootEncryptedIo.cpp b/src/Boot/Windows/BootEncryptedIo.cpp index cc44416d..d130534f 100644 --- a/src/Boot/Windows/BootEncryptedIo.cpp +++ b/src/Boot/Windows/BootEncryptedIo.cpp @@ -48,7 +48,7 @@ BiosResult ReadEncryptedSectors (uint16 destSegment, uint16 destOffset, byte dri { // Convert sector number to data unit number of the hidden volume sector -= HiddenVolumeStartSector; - sector += HiddenVolumeStartUnitNo; + sector += PimValueOrHiddenVolumeStartUnitNo; } if (drive == EncryptedVirtualPartition.Drive) @@ -96,7 +96,7 @@ BiosResult WriteEncryptedSectors (uint16 sourceSegment, uint16 sourceOffset, byt writeOffset = HiddenVolumeStartSector; writeOffset -= EncryptedVirtualPartition.StartSector; dataUnitNo -= EncryptedVirtualPartition.StartSector; - dataUnitNo += HiddenVolumeStartUnitNo; + dataUnitNo += PimValueOrHiddenVolumeStartUnitNo; } while (sectorCount-- > 0) diff --git a/src/Boot/Windows/BootMain.cpp b/src/Boot/Windows/BootMain.cpp index abab2038..275c5762 100644 --- a/src/Boot/Windows/BootMain.cpp +++ b/src/Boot/Windows/BootMain.cpp @@ -231,71 +231,83 @@ static byte AskPassword (Password &password, int& pim) PrintCharAtCursor (asciiCode); } - pos = 0; - Print ("PIM: "); - - while (true) +#ifndef TC_WINDOWS_BOOT_RESCUE_DISK_MODE + if (PimValueOrHiddenVolumeStartUnitNo.LowPart != -1) { - asciiCode = GetKeyboardChar (&scanCode); + pim = (int) PimValueOrHiddenVolumeStartUnitNo.LowPart; + // reset stored PIM value to allow requesting PIM next time in case the stored value is wrong + PimValueOrHiddenVolumeStartUnitNo.LowPart = -1; + return TC_BIOS_KEY_ENTER; + } + else +#endif + { + pos = 0; + Print ("PIM: "); - switch (scanCode) + while (true) { - case TC_BIOS_KEY_ENTER: - Print ("\rPIM: "); - pos =0; - while (pos < MAX_PIM) + asciiCode = GetKeyboardChar (&scanCode); + + switch (scanCode) { - PrintChar ('*'); - pos++; - } + case TC_BIOS_KEY_ENTER: + Print ("\rPIM: "); + pos =0; + while (pos < MAX_PIM) + { + PrintChar ('*'); + pos++; + } - ClearBiosKeystrokeBuffer(); - PrintEndl(); - - return TC_BIOS_KEY_ENTER; + ClearBiosKeystrokeBuffer(); + PrintEndl(); + + return TC_BIOS_KEY_ENTER; - case TC_BIOS_KEY_BACKSPACE: - if (pos > 0) - { - if (pos < MAX_PIM) - PrintBackspace(); - else - PrintCharAtCursor (' '); + case TC_BIOS_KEY_BACKSPACE: + if (pos > 0) + { + if (pos < MAX_PIM) + PrintBackspace(); + else + PrintCharAtCursor (' '); - --pos; - pim /= 10; - } - continue; + --pos; + pim /= 10; + } + continue; - case TC_BIOS_KEY_F5: - hidePassword ^= 0x01; - continue; + case TC_BIOS_KEY_F5: + hidePassword ^= 0x01; + continue; - default: - if (scanCode == TC_BIOS_KEY_ESC || IsMenuKey (scanCode)) - { - burn (password.Text, sizeof (password.Text)); - ClearBiosKeystrokeBuffer(); + default: + if (scanCode == TC_BIOS_KEY_ESC || IsMenuKey (scanCode)) + { + burn (password.Text, sizeof (password.Text)); + ClearBiosKeystrokeBuffer(); - PrintEndl(); - return scanCode; + PrintEndl(); + return scanCode; + } } - } - if (!IsDigit (asciiCode) || pos == MAX_PIM) - { - Beep(); - continue; - } + if (!IsDigit (asciiCode) || pos == MAX_PIM) + { + Beep(); + continue; + } - pim = 10*pim + (asciiCode - '0'); - pos++; - - if (hidePassword) asciiCode = '*'; - if (pos < MAX_PIM) - PrintChar (asciiCode); - else - PrintCharAtCursor (asciiCode); + pim = 10*pim + (asciiCode - '0'); + pos++; + + if (hidePassword) asciiCode = '*'; + if (pos < MAX_PIM) + PrintChar (asciiCode); + else + PrintCharAtCursor (asciiCode); + } } } @@ -468,7 +480,7 @@ static bool MountVolume (byte drive, byte &exitKey, bool skipNormal, bool skipHi EncryptedVirtualPartition.StartSector = BootCryptoInfo->EncryptedAreaStart >> TC_LB_SIZE_BIT_SHIFT_DIVISOR; - HiddenVolumeStartUnitNo = EncryptedVirtualPartition.StartSector; + PimValueOrHiddenVolumeStartUnitNo = EncryptedVirtualPartition.StartSector; HiddenVolumeStartSector = PartitionFollowingActive.StartSector; HiddenVolumeStartSector += EncryptedVirtualPartition.StartSector; @@ -749,7 +761,7 @@ static bool CopySystemPartitionToHiddenVolume (byte drive, byte &exitKey) { CopyMemory (TC_BOOT_LOADER_BUFFER_SEGMENT, i * TC_LB_SIZE, SectorBuffer, TC_LB_SIZE); - uint64 s = HiddenVolumeStartUnitNo + sectorOffset + i; + uint64 s = PimValueOrHiddenVolumeStartUnitNo + sectorOffset + i; EncryptDataUnits (SectorBuffer, &s, 1, BootCryptoInfo); CopyMemory (SectorBuffer, TC_BOOT_LOADER_BUFFER_SEGMENT, i * TC_LB_SIZE, TC_LB_SIZE); diff --git a/src/Common/BootEncryption.cpp b/src/Common/BootEncryption.cpp index 07eb9a99..851d7622 100644 --- a/src/Common/BootEncryption.cpp +++ b/src/Common/BootEncryption.cpp @@ -1300,7 +1300,7 @@ namespace VeraCrypt } - void BootEncryption::WriteBootSectorUserConfig (byte userConfig, const string &customUserMessage) + void BootEncryption::WriteBootSectorUserConfig (byte userConfig, const string &customUserMessage, int pim) { Device device (GetSystemDriveConfiguration().DevicePath); device.CheckOpened (SRC_POS); @@ -1326,6 +1326,15 @@ namespace VeraCrypt memcpy (mbr + TC_BOOT_SECTOR_USER_MESSAGE_OFFSET, customUserMessage.c_str(), customUserMessage.size()); } + + if (userConfig & TC_BOOT_USER_CFG_FLAG_DISABLE_PIM) + { + // PIM for pre-boot authentication can be encoded on two bytes since its maximum + // value is 65535 (0xFFFF) + memcpy (mbr + TC_BOOT_SECTOR_PIM_VALUE_OFFSET, &pim, TC_BOOT_SECTOR_PIM_VALUE_SIZE); + } + else + memset (mbr + TC_BOOT_SECTOR_PIM_VALUE_OFFSET, 0, TC_BOOT_SECTOR_PIM_VALUE_SIZE); device.SeekAt (0); device.Write (mbr, sizeof (mbr)); @@ -1494,7 +1503,7 @@ namespace VeraCrypt InstallBootLoader (device, preserveUserConfig, hiddenOSCreation); } - void BootEncryption::InstallBootLoader (Device& device, bool preserveUserConfig, bool hiddenOSCreation) + void BootEncryption::InstallBootLoader (Device& device, bool preserveUserConfig, bool hiddenOSCreation, int pim) { byte bootLoaderBuf[TC_BOOT_LOADER_AREA_SIZE - TC_BOOT_ENCRYPTION_VOLUME_HEADER_SIZE] = {0}; CreateBootLoaderInMemory (bootLoaderBuf, sizeof (bootLoaderBuf), false, hiddenOSCreation); @@ -1512,6 +1521,16 @@ namespace VeraCrypt { bootLoaderBuf[TC_BOOT_SECTOR_USER_CONFIG_OFFSET] = mbr[TC_BOOT_SECTOR_USER_CONFIG_OFFSET]; memcpy (bootLoaderBuf + TC_BOOT_SECTOR_USER_MESSAGE_OFFSET, mbr + TC_BOOT_SECTOR_USER_MESSAGE_OFFSET, TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH); + + if (bootLoaderBuf[TC_BOOT_SECTOR_USER_CONFIG_OFFSET] & TC_BOOT_USER_CFG_FLAG_DISABLE_PIM) + { + if (pim >= 0) + { + memcpy (bootLoaderBuf + TC_BOOT_SECTOR_PIM_VALUE_OFFSET, &pim, TC_BOOT_SECTOR_PIM_VALUE_SIZE); + } + else + memcpy (bootLoaderBuf + TC_BOOT_SECTOR_PIM_VALUE_OFFSET, mbr + TC_BOOT_SECTOR_PIM_VALUE_OFFSET, TC_BOOT_SECTOR_PIM_VALUE_SIZE); + } } } @@ -2499,17 +2518,32 @@ namespace VeraCrypt if (headerUpdated) { + bool storedPimUpdateNeeded = false; ReopenBootVolumeHeaderRequest reopenRequest; reopenRequest.VolumePassword = *newPassword; reopenRequest.pkcs5_prf = cryptoInfo->pkcs5; reopenRequest.pim = pim; finally_do_arg (ReopenBootVolumeHeaderRequest*, &reopenRequest, { burn (finally_arg, sizeof (*finally_arg)); }); + if (old_pim != pim) + { + try + { + // check if PIM is stored in MBR + byte userConfig; + ReadBootSectorConfig (nullptr, 0, &userConfig); + if (userConfig & TC_BOOT_USER_CFG_FLAG_DISABLE_PIM) + storedPimUpdateNeeded = true; + } + catch (...) + {} + } + try { - // force update of bootloader if fingerprint doesn't match - if (!CheckBootloaderFingerprint (true)) - InstallBootLoader (device, true); + // force update of bootloader if fingerprint doesn't match or if the stored PIM changed + if (storedPimUpdateNeeded || !CheckBootloaderFingerprint (true)) + InstallBootLoader (device, true, false, pim); } catch (...) {} diff --git a/src/Common/BootEncryption.h b/src/Common/BootEncryption.h index 8aad6708..a922d1fa 100644 --- a/src/Common/BootEncryption.h +++ b/src/Common/BootEncryption.h @@ -169,7 +169,7 @@ namespace VeraCrypt void GetVolumeProperties (VOLUME_PROPERTIES_STRUCT *properties); SystemDriveConfiguration GetSystemDriveConfiguration (); void Install (bool hiddenSystem); - void InstallBootLoader (Device& device, bool preserveUserConfig = false, bool hiddenOSCreation = false); + void InstallBootLoader (Device& device, bool preserveUserConfig = false, bool hiddenOSCreation = false, int pim = -1); void InstallBootLoader (bool preserveUserConfig = false, bool hiddenOSCreation = false); bool CheckBootloaderFingerprint (bool bSilent = false); void InvalidateCachedSysDriveProperties (); @@ -206,7 +206,7 @@ namespace VeraCrypt void WipeHiddenOSCreationConfig (); void WriteBootDriveSector (uint64 offset, byte *data); void WriteBootSectorConfig (const byte newConfig[]); - void WriteBootSectorUserConfig (byte userConfig, const string &customUserMessage); + void WriteBootSectorUserConfig (byte userConfig, const string &customUserMessage, int pim); void WriteLocalMachineRegistryDwordValue (wchar_t *keyPath, wchar_t *valueName, DWORD value); protected: diff --git a/src/Common/Language.xml b/src/Common/Language.xml index cebbc92d..f72e1a30 100644 --- a/src/Common/Language.xml +++ b/src/Common/Language.xml @@ -1394,6 +1394,8 @@ The Volume ID value is invalid No Volume with the specified ID was found on the system Copy Value to Clipboard... + Do not request PIM in the pre-boot authentication screen (PIM value is stored unencrypted on disk) + WARNING: Please keep in mind that if you enable this option, the PIM value will be stored unencrypted on the disk.\n\nAre you sure you want to enable this option? diff --git a/src/Common/Volumes.c b/src/Common/Volumes.c index d69ef753..955c7e48 100644 --- a/src/Common/Volumes.c +++ b/src/Common/Volumes.c @@ -590,6 +590,7 @@ void ComputeBootloaderFingerprint (byte *bootLoaderBuf, unsigned int bootLoaderS { // compute Whirlpool+SHA512 fingerprint of bootloader including MBR // we skip user configuration fields: + // TC_BOOT_SECTOR_PIM_VALUE_OFFSET = 400 // TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET = 402 // => TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_SIZE = 4 // TC_BOOT_SECTOR_USER_MESSAGE_OFFSET = 406 @@ -604,8 +605,8 @@ void ComputeBootloaderFingerprint (byte *bootLoaderBuf, unsigned int bootLoaderS WHIRLPOOL_init (&whirlpool); sha512_begin (&sha2); - WHIRLPOOL_add (bootLoaderBuf, TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET * 8, &whirlpool); - sha512_hash (bootLoaderBuf, TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET, &sha2); + WHIRLPOOL_add (bootLoaderBuf, TC_BOOT_SECTOR_PIM_VALUE_OFFSET * 8, &whirlpool); + sha512_hash (bootLoaderBuf, TC_BOOT_SECTOR_PIM_VALUE_OFFSET, &sha2); WHIRLPOOL_add (bootLoaderBuf + TC_BOOT_SECTOR_USER_MESSAGE_OFFSET + TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH, (TC_BOOT_SECTOR_USER_CONFIG_OFFSET - (TC_BOOT_SECTOR_USER_MESSAGE_OFFSET + TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH)) * 8, &whirlpool); sha512_hash (bootLoaderBuf + TC_BOOT_SECTOR_USER_MESSAGE_OFFSET + TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH, (TC_BOOT_SECTOR_USER_CONFIG_OFFSET - (TC_BOOT_SECTOR_USER_MESSAGE_OFFSET + TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH)), &sha2); diff --git a/src/Driver/DriveFilter.c b/src/Driver/DriveFilter.c index eba7c40c..a8752a5f 100644 --- a/src/Driver/DriveFilter.c +++ b/src/Driver/DriveFilter.c @@ -241,6 +241,7 @@ static void ComputeBootLoaderFingerprint(PDEVICE_OBJECT LowerDeviceObject, byte* // compute Whirlpool+SHA512 fingerprint of bootloader including MBR // we skip user configuration fields: + // TC_BOOT_SECTOR_PIM_VALUE_OFFSET = 400 // TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET = 402 // => TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_SIZE = 4 // TC_BOOT_SECTOR_USER_MESSAGE_OFFSET = 406 @@ -257,11 +258,11 @@ static void ComputeBootLoaderFingerprint(PDEVICE_OBJECT LowerDeviceObject, byte* status = TCReadDevice (LowerDeviceObject, ioBuffer, offset, TC_SECTOR_SIZE_BIOS); if (NT_SUCCESS (status)) { - WHIRLPOOL_add (ioBuffer, TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET * 8, &whirlpool); + WHIRLPOOL_add (ioBuffer, TC_BOOT_SECTOR_PIM_VALUE_OFFSET * 8, &whirlpool); WHIRLPOOL_add (ioBuffer + TC_BOOT_SECTOR_USER_MESSAGE_OFFSET + TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH, (TC_BOOT_SECTOR_USER_CONFIG_OFFSET - (TC_BOOT_SECTOR_USER_MESSAGE_OFFSET + TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH)) * 8, &whirlpool); WHIRLPOOL_add (ioBuffer + TC_BOOT_SECTOR_USER_CONFIG_OFFSET + 1, (TC_MAX_MBR_BOOT_CODE_SIZE - (TC_BOOT_SECTOR_USER_CONFIG_OFFSET + 1)) * 8, &whirlpool); - sha512_hash (ioBuffer, TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET, &sha2); + sha512_hash (ioBuffer, TC_BOOT_SECTOR_PIM_VALUE_OFFSET, &sha2); sha512_hash (ioBuffer + TC_BOOT_SECTOR_USER_MESSAGE_OFFSET + TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH, (TC_BOOT_SECTOR_USER_CONFIG_OFFSET - (TC_BOOT_SECTOR_USER_MESSAGE_OFFSET + TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH)), &sha2); sha512_hash (ioBuffer + TC_BOOT_SECTOR_USER_CONFIG_OFFSET + 1, (TC_MAX_MBR_BOOT_CODE_SIZE - (TC_BOOT_SECTOR_USER_CONFIG_OFFSET + 1)), &sha2); diff --git a/src/Mount/Mount.c b/src/Mount/Mount.c index 5b6f86f2..9619a9f6 100644 --- a/src/Mount/Mount.c +++ b/src/Mount/Mount.c @@ -10359,9 +10359,11 @@ static BOOL CALLBACK PerformanceSettingsDlgProc (HWND hwndDlg, UINT msg, WPARAM try { + VOLUME_PROPERTIES_STRUCT prop; try { BootEncStatus = BootEncObj->GetStatus(); + BootEncObj->GetVolumeProperties (&prop); } catch (...) { @@ -10384,7 +10386,7 @@ static BOOL CALLBACK PerformanceSettingsDlgProc (HWND hwndDlg, UINT msg, WPARAM else userConfig &= ~TC_BOOT_USER_CFG_FLAG_DISABLE_HW_ENCRYPTION; - BootEncObj->WriteBootSectorUserConfig (userConfig, customUserMessage); + BootEncObj->WriteBootSectorUserConfig (userConfig, customUserMessage, prop.volumePim); } SetDriverConfigurationFlag (TC_DRIVER_CONFIG_DISABLE_HARDWARE_ENCRYPTION, disableHW); @@ -10724,6 +10726,7 @@ static BOOL CALLBACK BootLoaderPreferencesDlgProc (HWND hwndDlg, UINT msg, WPARA SendMessage (GetDlgItem (hwndDlg, IDC_CUSTOM_BOOT_LOADER_MESSAGE), EM_LIMITTEXT, TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH, 0); SetDlgItemTextA (hwndDlg, IDC_CUSTOM_BOOT_LOADER_MESSAGE, customUserMessage.c_str()); + CheckDlgButton (hwndDlg, IDC_DISABLE_BOOT_LOADER_PIM_PROMPT, (userConfig & TC_BOOT_USER_CFG_FLAG_DISABLE_PIM) ? BST_CHECKED : BST_UNCHECKED); CheckDlgButton (hwndDlg, IDC_DISABLE_BOOT_LOADER_OUTPUT, (userConfig & TC_BOOT_USER_CFG_FLAG_SILENT_MODE) ? BST_CHECKED : BST_UNCHECKED); CheckDlgButton (hwndDlg, IDC_ALLOW_ESC_PBA_BYPASS, (userConfig & TC_BOOT_USER_CFG_FLAG_DISABLE_ESC) ? BST_UNCHECKED : BST_CHECKED); CheckDlgButton (hwndDlg, IDC_BOOT_LOADER_CACHE_PASSWORD, bPasswordCacheEnabled ? BST_CHECKED : BST_UNCHECKED); @@ -10752,12 +10755,25 @@ static BOOL CALLBACK BootLoaderPreferencesDlgProc (HWND hwndDlg, UINT msg, WPARA case IDOK: { + VOLUME_PROPERTIES_STRUCT prop; + if (!BootEncObj->GetStatus().DriveMounted) { EndDialog (hwndDlg, IDCANCEL); return 1; } + try + { + BootEncObj->GetVolumeProperties (&prop); + } + catch (Exception &e) + { + e.Show (hwndDlg); + EndDialog (hwndDlg, IDCANCEL); + return 1; + } + char customUserMessage[TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH + 1]; GetDlgItemTextA (hwndDlg, IDC_CUSTOM_BOOT_LOADER_MESSAGE, customUserMessage, sizeof (customUserMessage)); @@ -10772,6 +10788,11 @@ static BOOL CALLBACK BootLoaderPreferencesDlgProc (HWND hwndDlg, UINT msg, WPARA return 1; } + if (IsDlgButtonChecked (hwndDlg, IDC_DISABLE_BOOT_LOADER_PIM_PROMPT)) + userConfig |= TC_BOOT_USER_CFG_FLAG_DISABLE_PIM; + else + userConfig &= ~TC_BOOT_USER_CFG_FLAG_DISABLE_PIM; + if (IsDlgButtonChecked (hwndDlg, IDC_DISABLE_BOOT_LOADER_OUTPUT)) userConfig |= TC_BOOT_USER_CFG_FLAG_SILENT_MODE; else @@ -10786,7 +10807,7 @@ static BOOL CALLBACK BootLoaderPreferencesDlgProc (HWND hwndDlg, UINT msg, WPARA { BOOL bPasswordCacheEnabled = IsDlgButtonChecked (hwndDlg, IDC_BOOT_LOADER_CACHE_PASSWORD); BOOL bPimCacheEnabled = IsDlgButtonChecked (hwndDlg, IDC_BOOT_LOADER_CACHE_PIM); - BootEncObj->WriteBootSectorUserConfig (userConfig, customUserMessage); + BootEncObj->WriteBootSectorUserConfig (userConfig, customUserMessage, prop.volumePim); SetDriverConfigurationFlag (TC_DRIVER_CONFIG_CACHE_BOOT_PASSWORD, bPasswordCacheEnabled); SetDriverConfigurationFlag (TC_DRIVER_CONFIG_CACHE_BOOT_PIM, (bPasswordCacheEnabled && bPimCacheEnabled)? TRUE : FALSE); SetDriverConfigurationFlag (TC_DRIVER_CONFIG_DISABLE_EVIL_MAID_ATTACK_DETECTION, IsDlgButtonChecked (hwndDlg, IDC_DISABLE_EVIL_MAID_ATTACK_DETECTION)); @@ -10801,6 +10822,13 @@ static BOOL CALLBACK BootLoaderPreferencesDlgProc (HWND hwndDlg, UINT msg, WPARA return 1; } + case IDC_DISABLE_BOOT_LOADER_PIM_PROMPT: + if ((IsDlgButtonChecked (hwndDlg, IDC_DISABLE_BOOT_LOADER_PIM_PROMPT)) + && AskWarnYesNo ("DISABLE_BOOT_LOADER_PIM_PROMPT", hwndDlg) == IDNO) + { + CheckDlgButton (hwndDlg, IDC_DISABLE_BOOT_LOADER_PIM_PROMPT, BST_UNCHECKED); + } + case IDC_DISABLE_BOOT_LOADER_OUTPUT: if ((IsDlgButtonChecked (hwndDlg, IDC_DISABLE_BOOT_LOADER_OUTPUT)) && AskWarnYesNo ("CUSTOM_BOOT_LOADER_MESSAGE_PROMPT", hwndDlg) == IDNO) diff --git a/src/Mount/Mount.rc b/src/Mount/Mount.rc index cf22086f..f39c8543 100644 --- a/src/Mount/Mount.rc +++ b/src/Mount/Mount.rc @@ -281,28 +281,30 @@ BEGIN LTEXT "",IDT_PKCS11_LIB_HELP,16,63,286,65 END -IDD_SYSENC_SETTINGS DIALOGEX 0, 0, 370, 272 +IDD_SYSENC_SETTINGS DIALOGEX 0, 0, 370, 286 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | DS_CENTER | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "VeraCrypt - System Encryption Settings" FONT 8, "MS Shell Dlg", 400, 0, 0x1 BEGIN CONTROL "Do not &show any texts in the pre-boot authentication screen (except the below custom message)",IDC_DISABLE_BOOT_LOADER_OUTPUT, - "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,22,339,9 - EDITTEXT IDC_CUSTOM_BOOT_LOADER_MESSAGE,18,52,216,14,ES_AUTOHSCROLL + "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,37,339,9 + EDITTEXT IDC_CUSTOM_BOOT_LOADER_MESSAGE,18,67,216,14,ES_AUTOHSCROLL CONTROL "&Cache pre-boot authentication password in driver memory (for mounting of non-system volumes)",IDC_BOOT_LOADER_CACHE_PASSWORD, - "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,178,339,10 + "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,192,339,10 CONTROL "Allow pre-boot &authentication to be bypassed by pressing the Esc key (enables boot manager)",IDC_ALLOW_ESC_PBA_BYPASS, - "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,208,340,10 - DEFPUSHBUTTON "OK",IDOK,257,244,50,14 - PUSHBUTTON "Cancel",IDCANCEL,313,244,50,14 - LTEXT "Display this custom message in the pre-boot authentication screen (24 characters maximum):",IDT_CUSTOM_BOOT_LOADER_MESSAGE,18,41,337,8 - GROUPBOX "Boot Loader Screen Options",IDT_BOOT_LOADER_SCREEN_OPTIONS,8,7,355,150 - GROUPBOX "Security Options",IDT_SECURITY_OPTIONS,8,163,355,75 - LTEXT "",IDC_CUSTOM_BOOT_LOADER_MESSAGE_HELP,18,74,337,73 + "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,222,340,10 + DEFPUSHBUTTON "OK",IDOK,257,262,50,14 + PUSHBUTTON "Cancel",IDCANCEL,313,262,50,14 + LTEXT "Display this custom message in the pre-boot authentication screen (24 characters maximum):",IDT_CUSTOM_BOOT_LOADER_MESSAGE,18,56,337,8 + GROUPBOX "Boot Loader Screen Options",IDT_BOOT_LOADER_SCREEN_OPTIONS,8,7,355,165 + GROUPBOX "Security Options",IDT_SECURITY_OPTIONS,8,177,355,75 + LTEXT "",IDC_CUSTOM_BOOT_LOADER_MESSAGE_HELP,18,89,337,73 CONTROL "Disable ""Evil Maid"" attack detection",IDC_DISABLE_EVIL_MAID_ATTACK_DETECTION, - "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,223,340,10 + "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,237,340,10 CONTROL "Include PIM when caching pre-boot authentication password",IDC_BOOT_LOADER_CACHE_PIM, - "Button",BS_AUTOCHECKBOX | WS_DISABLED | WS_TABSTOP,18,193,340,10 + "Button",BS_AUTOCHECKBOX | WS_DISABLED | WS_TABSTOP,18,207,340,10 + CONTROL "Do not request PIM in the pre-boot authentication screen (PIM value is stored unencrypted on disk)",IDC_DISABLE_BOOT_LOADER_PIM_PROMPT, + "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,20,339,9 END IDD_PERFORMANCE_SETTINGS DIALOGEX 0, 0, 370, 248 @@ -456,7 +458,7 @@ BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 363 TOPMARGIN, 7 - BOTTOMMARGIN, 258 + BOTTOMMARGIN, 276 END IDD_PERFORMANCE_SETTINGS, DIALOG diff --git a/src/Mount/Resource.h b/src/Mount/Resource.h index 5b564a94..c5a45af4 100644 --- a/src/Mount/Resource.h +++ b/src/Mount/Resource.h @@ -179,6 +179,7 @@ #define IDT_VOLUME_ID 1157 #define IDC_FAVORITE_VOLUME_ID 1158 #define IDC_FAVORITE_USE_VOLUME_ID 1159 +#define IDC_DISABLE_BOOT_LOADER_PIM_PROMPT 1160 #define IDM_HELP 40001 #define IDM_ABOUT 40002 #define IDM_UNMOUNT_VOLUME 40003 @@ -255,7 +256,7 @@ #define _APS_NO_MFC 1 #define _APS_NEXT_RESOURCE_VALUE 119 #define _APS_NEXT_COMMAND_VALUE 40069 -#define _APS_NEXT_CONTROL_VALUE 1160 +#define _APS_NEXT_CONTROL_VALUE 1161 #define _APS_NEXT_SYMED_VALUE 101 #endif #endif -- cgit v1.2.3