authorkavsrf <kavsrf@gmail.com>2017-02-26 11:42:59 +0300
committerMounir IDRASSI <mounir.idrassi@idrix.fr>2017-06-05 17:37:36 +0200
commit10ddedbbac7acb326fb9447c6a1c5f1706017e4b (patch)
tree26993016e4b1cb9ab71bf046a1cfab7e348738c0
parentfdfe9f849c15dc4b864a72fcbc5266edb68171c1 (diff)
downloadVeraCrypt-DCS-10ddedbbac7acb326fb9447c6a1c5f1706017e4b.tar.gz
VeraCrypt-DCS-10ddedbbac7acb326fb9447c6a1c5f1706017e4b.zip
PasswordTimeout and infodelay keys in DcsProp
DcsProp documented; included in VeraCrypt Beta2 patch 1
-rw-r--r--DcsInt/DcsInt.c41
-rw-r--r--Include/Library/PasswordLib.h2
-rw-r--r--Library/PasswordLib/ConsolePassword.c14
-rw-r--r--Library/PasswordLib/PicturePassword.c21
-rw-r--r--Library/VeraCryptLib/DcsProp182
-rw-r--r--Library/VeraCryptLib/DcsVeraCrypt.c5
-rw-r--r--Library/VeraCryptLib/DcsVeraCrypt.h2
-rw-r--r--Library/VeraCryptLib/mklinks_src.bat2
-rw-r--r--README.txt13
-rw-r--r--SecureBoot/readme.txt10
10 files changed, 278 insertions, 14 deletions
diff --git a/DcsInt/DcsInt.c b/DcsInt/DcsInt.c
index 06f8841..3303c56 100644
--- a/DcsInt/DcsInt.c
+++ b/DcsInt/DcsInt.c
@@ -986,6 +986,32 @@ VCAuthLoadConfigUpdated(UINT8* secRegion, UINTN secRegionSize) {
}
}
+VOID
+Pause(
+ IN UINTN seconds
+ )
+{
+ if (seconds) {
+ EFI_INPUT_KEY key;
+ key = KeyWait(L"%2d \r", seconds, 0, 0);
+ if (key.UnicodeChar != 0) {
+ GetKey();
+ }
+ }
+}
+
+VOID
+PauseHandleInfo(
+ IN EFI_HANDLE hndle,
+ IN UINTN seconds)
+{
+ if (seconds) {
+ EfiPrintDevicePath(hndle);
+ Pause(seconds);
+ OUT_PRINT(L"\n");
+ }
+}
+
//////////////////////////////////////////////////////////////////////////
// Driver Entry Point
//////////////////////////////////////////////////////////////////////////
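Review bot: Pause() drains the pending key only when key.UnicodeChar is non-zero, so a key that reports only a ScanCode (function or arrow keys) stays queued if KeyWait peeks rather than consumes it — the follow-up GetKey() call suggests it peeks — and would then be read by the password prompt that follows; if that is intended a comment should say so, otherwise the test should be `if (key.UnicodeChar != 0 || key.ScanCode != 0) {`. Neither new function has a header comment: for Pause something like `// Wait up to `seconds` on the console (KeyWait countdown); 0 disables the pause.` and for PauseHandleInfo `// Print the device path of hndle and pause `seconds`; no-op when seconds is 0.` would record the contract both UefiMain call sites rely on. The parameter name `hndle` looks like a typo for `handle`.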
@@ -1007,15 +1033,8 @@ UefiMain(
if (gAuthSecRegionSearch) {
res = PlatformGetAuthData(&SecRegionData, &SecRegionSize, &SecRegionHandle);
if (!EFI_ERROR(res)) {
- EFI_INPUT_KEY key;
- EfiPrintDevicePath(SecRegionHandle);
- OUT_PRINT(L"\n");
VCAuthLoadConfigUpdated(SecRegionData, SecRegionSize);
- key = KeyWait(L"%2d \r", 2, 0, 0);
- if (key.UnicodeChar != 0) {
- GetKey();
- }
- OUT_PRINT(L"\n");
+ PauseHandleInfo(SecRegionHandle, gSecRegionInfoDelay);
}
} else if (gRUD != 0) {
// RUD defined
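Review bot: With gSecRegionInfoDelay defaulting to 0 (DcsVeraCrypt.c in this commit) PauseHandleInfo prints nothing, so the device path of the security region that was found is no longer shown at all unless the administrator sets SecRegionInfoDelay, whereas the removed code printed it unconditionally. If that is the intended trade-off, a comment on the call such as `// Device path is shown only when SecRegionInfoDelay > 0` (or a sentence in the commit message) would make it explicit. UefiMain starts and ends outside this hunk.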
@@ -1028,10 +1047,10 @@ UefiMain(
if (!EFI_ERROR(res) && id != NULL) {
INT32 rud;
rud = GetCrc32((unsigned char*)id, (int)AsciiStrLen(id));
- OUT_PRINT(L"%d ? %d\n", gRUD, rud);
MEM_FREE(id);
if (rud == gRUD) {
devFound = TRUE;
+ PauseHandleInfo(SecRegionHandle, gSecRegionInfoDelay);
break;
}
}
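Review bot: The added PauseHandleInfo call passes SecRegionHandle inside the RUD match loop, but nothing in this hunk assigns SecRegionHandle from the handle whose CRC32 matched; if the loop header above (not visible here) does not set it, the device path printed belongs to whatever SecRegionHandle held before, which on this else-branch may never have been assigned. Either pass the handle the loop is iterating over or confirm the assignment exists. UefiMain continues outside this hunk.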
@@ -1093,9 +1112,9 @@ UefiMain(
if (gConfigBuffer != NULL) {
TpmMeasure(gConfigBuffer, gConfigBufferSize); // Measure configuration
}
- if (gTpm->IsConfigured(gTpm) && !gTpm->IsOpen(gTpm)) {
+ if (gTpm->IsConfigured(gTpm) && !gTpm->IsOpen(gTpm) && gTPMLockedInfoDelay) {
ERR_PRINT(L"TPM is configured but locked. Probably boot chain is modified!\n");
- KeyWait(L"%1d\r", 9, 0, 0);
+ Pause(gTPMLockedInfoDelay);
}
}
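Review bot: Adding `&& gTPMLockedInfoDelay` to the condition gates the ERR_PRINT as well as the pause, so with TPMLockedInfoDelay=0 — the value the DcsProp added in this commit ships — the "TPM is configured but locked. Probably boot chain is modified!" warning is never displayed, even though that message is the user's only signal of a modified boot chain. Since Pause() already returns immediately for 0 seconds, the original condition can stay and only the wait be replaced: `if (gTpm->IsConfigured(gTpm) && !gTpm->IsOpen(gTpm)) {` followed by the existing ERR_PRINT and `Pause(gTPMLockedInfoDelay);`. The compiled default of 9 seconds (PicturePassword.c, DcsVeraCrypt.c) and the shipped DcsProp value of 0 also disagree; one of them should change. UefiMain continues outside this hunk.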
diff --git a/Include/Library/PasswordLib.h b/Include/Library/PasswordLib.h
index a827b16..25ee1aa 100644
--- a/Include/Library/PasswordLib.h
+++ b/Include/Library/PasswordLib.h
@@ -24,6 +24,8 @@ extern CHAR8* gPasswordPictureCharsDefault;
extern UINTN gPasswordPictureCharsLen;
extern UINT8 gPasswordVisible;
extern UINT8 gPasswordProgress;
+extern int gPasswordTimeout;
+
extern int gPasswordShowMark;
extern VOID* gPictPwdBmp;
extern UINTN gPictPwdBmpSize;
diff --git a/Library/PasswordLib/ConsolePassword.c b/Library/PasswordLib/ConsolePassword.c
index 797ee4a..6894b50 100644
--- a/Library/PasswordLib/ConsolePassword.c
+++ b/Library/PasswordLib/ConsolePassword.c
@@ -31,6 +31,20 @@ AskConsolePwdInt(
UINTN i;
gST->ConOut->EnableCursor(gST->ConOut, TRUE);
+ if (gPasswordTimeout) {
+ EFI_EVENT InputEvents[2];
+ UINTN EventIndex = 0;
+ InputEvents[0] = gST->ConIn->WaitForKey;
+ gBS->CreateEvent(EVT_TIMER, 0, (EFI_EVENT_NOTIFY)NULL, NULL, &InputEvents[1]);
+ gBS->SetTimer(InputEvents[1], TimerPeriodic, 10000000 * gPasswordTimeout);
+ gBS->WaitForEvent(2, InputEvents, &EventIndex);
+ gPasswordTimeout = 0;
+ gBS->CloseEvent(InputEvents[1]);
+ if (EventIndex == 1) {
+ *retCode = AskPwdRetCancel;
+ return ;
+ }
+ }
do {
key = GetKey();
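Review bot: `10000000 * gPasswordTimeout` is evaluated in int, so any timeout above 214 seconds overflows (signed overflow, undefined behaviour) before the result is widened to SetTimer's UINT64 argument; compute it in 64 bits, `gBS->SetTimer(InputEvents[1], TimerRelative, (UINT64)10000000 * (UINT64)gPasswordTimeout);` — TimerRelative also matches a one-shot deadline better than TimerPeriodic, although the event is closed right after so periodic does no harm here. The CreateEvent and SetTimer status codes are not checked; if CreateEvent fails, InputEvents[1] is uninitialized when handed to WaitForEvent, so test `EFI_ERROR()` on the CreateEvent result and skip the timed wait (fall through to the normal prompt) when it fails. The same pattern, with the same overflow and unchecked status, is repeated in the PicturePassword.c hunk (AskPictPwdInt) and the fix applies there too. AskConsolePwdInt starts before this hunk and its do/while loop continues after it.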
diff --git a/Library/PasswordLib/PicturePassword.c b/Library/PasswordLib/PicturePassword.c
index c3831ad..4e46f47 100644
--- a/Library/PasswordLib/PicturePassword.c
+++ b/Library/PasswordLib/PicturePassword.c
@@ -31,9 +31,11 @@ UINTN gPasswordPictureCharsLen = 95;
UINT8 gPasswordVisible = 0;
int gPasswordShowMark = 1;
UINT8 gPasswordProgress = 1;
+int gPasswordTimeout = 0;
int gPlatformLocked = 0;
int gTPMLocked = 0;
+int gTPMLockedInfoDelay = 9;
int gSCLocked = 0;
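Review bot: gTPMLockedInfoDelay is a TPM-policy setting but is defined here among the picture-password globals, while its extern is declared in DcsVeraCrypt.h by this commit rather than in PasswordLib.h; defining it in DcsVeraCrypt.c beside gSecRegionInfoDelay, which this commit adds there, would keep the two info-delay settings together and avoid spreading one setting across two libraries. Its initializer of 9 also differs from the 0 the shipped DcsProp sets, so a comment such as `int gTPMLockedInfoDelay = 9; // seconds; overridden by DcsProp key TPMLockedInfoDelay` would at least record where the default comes from.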
@@ -282,6 +284,25 @@ AskPictPwdInt(
UINTN pwdAction = PwdActNone;
CHAR8 pwdNewChar = 0;
+ if (gPasswordTimeout) {
+ UINTN EventIndex = 0;
+ InputEvents[0] = gST->ConIn->WaitForKey;
+ eventsCount = 2;
+ if (gTouchPointer != NULL) {
+ eventsCount = 3;
+ InputEvents[2] = gTouchPointer->WaitForInput;
+ }
+ gBS->CreateEvent(EVT_TIMER, 0, (EFI_EVENT_NOTIFY)NULL, NULL, &InputEvents[1]);
+ gBS->SetTimer(InputEvents[1], TimerPeriodic, 10000000 * gPasswordTimeout);
+ gBS->WaitForEvent(eventsCount, InputEvents, &EventIndex);
+ gPasswordTimeout = 0;
+ gBS->CloseEvent(InputEvents[1]);
+ if (EventIndex == 1) {
+ *retCode = AskPwdRetCancel;
+ return;
+ }
+ }
+
InitConsoleControl();
if (gBeepEnabled) {
InitSpeaker();
diff --git a/Library/VeraCryptLib/DcsProp b/Library/VeraCryptLib/DcsProp
new file mode 100644
index 0000000..e0b6691
--- /dev/null
+++ b/Library/VeraCryptLib/DcsProp
@@ -0,0 +1,182 @@
+<?xml version="1.0" encoding="utf-8"?>
+<VeraCrypt>
+ <!-- EFI boot DCS configuration -->
+ <configuration>
+ <!-- PasswordType 0/1
+ 0 - text message is displayed
+ PasswordMsg to specify message
+ 1 - touch picture password if touch is supported by EFI. check PlatformInfo
+ PasswordPicture to specify bitmap
+ -->
+ <config key="PasswordType">0</config>
+ <config key="PasswordMsg">Password:</config>
+ <config key="PasswordPicture">EFI\VeraCrypt\login.bmp</config>
+
+ <!-- Show "*" on each key pressed or picture zone touched -->
+ <config key="AuthorizeProgress">1</config>
+ <!-- Show chars on each key press -->
+ <config key="AuthorizeVisible">0</config>
+ <!-- Show zones touched -->
+ <config key="AuthorizeMarkTouch">0</config>
+
+ <!-- Number of authorization retries -->
+ <config key="AuthorizeRetry">10</config>
+ <!-- Timeout in seconds before <ESC> from password prompt -->
+ <config key="PasswordTimeout">0</config>
+
+ <!-- authorization start message -->
+ <config key="AuthStartMsg">Authorizing...</config>
+ <!-- authorization error message -->
+ <config key="AuthErrorMsg">Authorization failed. Wrong password, PIM or hash.</config>
+
+ <!-- PictureChars specifies PasswordPicture alphabet order
+ It is possible to save it on external USB if SecRegionSearch selected
+ -->
+ <!-- config key="PictureChars">MN/[aQ-eyPr}GT: |V^UqiI_gbdA9YwZ%f8t6S@D\"7uXl\\30R#+zH*,W4J?= BLFv]hx~E;$ .o'sp1`(>C)O{!5j2nmkcK</config -->
+
+ <!-- AutoLogin 0/1
+ Posibility to avoid password prompt
+ AutoPassword is password by default
+ Use it with PlatformLocked or TPMLocked enabled to lock password to the computer.
+ -->
+ <config key="AutoLogin">0</config>
+ <config key="AutoPassword"></config>
+
+ <!-- PimRqt 0/1
+ Request PIM during authorization
+ PimMsg - message
+ Pim - default value
+ -->
+ <config key="PimMsg">Pim:</config>
+ <config key="Pim">0</config>
+ <config key="PimRqt">1</config>
+
+ <!-- HashRqt 0/1
+ Request hash during authorization
+ HashMsg - message. It is generated if not specified
+ Hash - default value
+ -->
+ <!-- config key="HashMsg">(0) TEST ALL (1) SHA512 (2) WHIRLPOOL (3) SHA256 (4) RIPEMD160 (5) STREEBOG
+Hash:</config-->
+ <config key="Hash">0</config>
+ <config key="HashRqt">0</config>
+
+ <!-- PlatformLocked 0/1 (it is controled by <F7>)
+ Password is mixed with data from SMBIOS and USB serial structures
+ to avoid authorization on another computer
+ -->
+ <config key="PlatformLocked">0</config>
+
+ <!-- TPMLocked 0/1 (it is controled by <F8>)
+ Password is mixed with data from TPM
+ data is in TPM NVRAM and the data is locked to PCRs selected (use configuration <F2> and "c" "t")
+ BIOS modification or any other boot module blocks authorization with TPMLocked=1
+ DcsProp is measured to PCR8 also.
+ TPM 1.2 support only.
+ -->
+ <config key="TPMLocked">0</config>
+ <!-- Display error if TPM configured and locked before password to inform user with pause (sec) -->
+ <config key="TPMLockedInfoDelay">0</config>
+
+ <!-- Random generator to generate salt to change password <F2> function key
+ 2 RDRAND
+ 3 PRNDGEN but state hast to be saved on external USB
+ 5 TPM 1.2 if pressent
+ -->
+ <config key="Random">2</config>
+
+ <!-- RUD - Require USB device (authorization started if the USB is attached. "what I have")
+ 0 - skip
+ NNNN - CRC32 decimal value of USB "VID_PID_SERIAL" string
+ It is possible to configure via DcsWinCfg
+ or from EFI shell: DcsCfg.dcs -ul
+ -->
+ <config key="RUD">0</config>
+
+ <!-- Try to find security region -->
+ <config key="SecRegionSearch">0</config>
+ <!-- Display device of RUD or SecRegion found with pause (sec) -->
+ <config key="SecRegionInfoDelay">0</config>
+
+ <!-- Ask password even no USB with SecRegions found
+ ForcePasswordMsg, ForcePasswordType,ForcePasswordProgress keys can overide default values
+ -->
+ <config key="DcsBootForce">1</config>
+
+ <!--
+ to find OS partition GUID if ESP and OS uses diffrent disks
+ -->
+ <!-- config key="PartitionGuidOS">XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX</config-->
+
+
+ <!-- Actions
+ Success - authorization OK
+ NotFound - RUD of SecRegion search failed
+ Failed - <ESC> pressed or AuthorizeRetry limit
+
+ It can contain several keywords space separated
+
+ Keywords:
+ Exit – simple exit (default)
+ Status(code) – override exit status code (0 is OK)
+ File(path) – path to file to be executed
+ Guid(xxx-x..) – GUID of partition with file to be executed
+ Printinfo – print guid, file and status.
+ Message(msg) – message to display for the action
+ Postexec – send loader path to DcsBoot to execute after exit
+ Exec – execute module
+ Halt – CPU halt
+ Delay(N) – delay boot
+ -->
+ <config key="ActionSuccess">Exit</config>
+ <config key="ActionNotFound">Exit</config>
+ <config key="ActionFailed">Exit</config>
+
+ <!-- Devices to configure PicturePassword if possible. Check PlatformInfo of your computer
+ GraphDevice - Graphics device and mode
+ TouchDevice - Touch device
+ BeepDevice - ordinary speaker to beep on touch zone
+ -->
+
+ <!-- GraphDevice
+ -1 - initialize + autodetect
+ -2 - ignore
+ <n> - number in list of devices (see PlatformInfo or use DcsCfg.dcs -gl )
+ -->
+ <config key="GraphDevice">-1</config>
+
+ <!-- GraphMode
+ -1 default (see PlatformInfo. or use DcsCfg.dcs -gm <n> to test)
+ -->
+ <config key="GraphMode">-1</config>
+
+ <!--
+ TouchDevice
+ -1 init + autodetect
+ -2 ignore;
+ <N> number in list of devices (See platformInfo or use DcsCfg -tl and to test DcsCfg -tt <N>)
+ -->
+ <config key="TouchDevice">-1</config>
+
+ <!-- TouchSimulate to use keyboard arrows to move touch <F11>/<F12> speed -->
+ <config key="TouchSimulate">1</config>
+
+ <!-- 0/1 Beep if picture zone touched -->
+ <config key="Beep">0</config>
+
+ <!-- BeepDevice (LegacySpeaker.dcs driver is used to support)
+ -1 - initialize + autodetect
+ <n> - number in list of devices (see PlatformInfo or use DcsCfg.dcs -gl )
+ -->
+ <config key="BeepDevice">-1</config>
+
+ <!-- Beep paramters -->
+ <config key="BeepNumber">1</config>
+ <config key="BeepDuration">100</config>
+ <config key="BeepInterval">0</config>
+ <config key="BeepTone">1280</config>
+ <!-- <F4> enable/disable beeps -->
+ <config key="BeepControl">1</config>
+
+ </configuration>
+</VeraCrypt> \ No newline at end of file
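Review bot: The comment on TPMLockedInfoDelay does not say that 0 disables the warning entirely: with the DcsInt.c change in this commit the "TPM is configured but locked" message is printed only when this value is non-zero, so the shipped default of 0 silently turns off the boot-chain-modification notice. Suggest `<!-- Pause (sec) after the "TPM configured but locked" warning; 0 suppresses the warning itself. Compiled default is 9 -->`, or change the shipped value to match the compiled default. The PasswordTimeout comment could also note that DcsVeraCrypt.c stores the value as a byte (0–255), since larger values wrap silently.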
diff --git a/Library/VeraCryptLib/DcsVeraCrypt.c b/Library/VeraCryptLib/DcsVeraCrypt.c
index f4a1e27..5d9be88 100644
--- a/Library/VeraCryptLib/DcsVeraCrypt.c
+++ b/Library/VeraCryptLib/DcsVeraCrypt.c
@@ -66,6 +66,7 @@ char* gAuthStartMsg = NULL;
INT32 gRUD = 0;
int gAuthSecRegionSearch = 0;
+int gSecRegionInfoDelay = 0;
CHAR8* gPlatformKeyFile = NULL;
UINTN gPlatformKeyFileSize = 0;
@@ -146,6 +147,7 @@ VCAuthLoadConfig()
gPasswordProgress = (UINT8)ConfigReadInt("AuthorizeProgress", 1); // print "*"
gPasswordVisible = (UINT8)ConfigReadInt("AuthorizeVisible", 0); // show chars
gPasswordShowMark = ConfigReadInt("AuthorizeMarkTouch", 1); // show touch points
+ gPasswordTimeout = (UINT8)ConfigReadInt("PasswordTimeout", 0); // If no password for <seconds> => <ESC>
gDcsBootForce = ConfigReadInt("DcsBootForce", 1); // Ask password even if no USB marked found.
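Review bot: `(UINT8)ConfigReadInt("PasswordTimeout", 0)` truncates the value before storing it in an int, so PasswordTimeout=300 silently becomes 44 seconds and, if ConfigReadInt can return a negative number, that too becomes a positive timeout; the cast appears copied from the AuthorizeProgress/AuthorizeVisible lines above, whose variables really are UINT8. Drop the cast and clamp instead: `gPasswordTimeout = ConfigReadInt("PasswordTimeout", 0); if (gPasswordTimeout < 0) gPasswordTimeout = 0;`. VCAuthLoadConfig continues outside this hunk.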
@@ -165,8 +167,11 @@ VCAuthLoadConfig()
gRndDefault = ConfigReadInt("Random", 0);
gAuthSecRegionSearch = ConfigReadInt("SecRegionSearch", 0);
+ gSecRegionInfoDelay = ConfigReadInt("SecRegionInfoDelay", 0);
+
gPlatformLocked = ConfigReadInt("PlatformLocked", 0);
gTPMLocked = ConfigReadInt("TPMLocked", 0);
+ gTPMLockedInfoDelay = ConfigReadInt("TPMLockedInfoDelay", 9);
gSCLocked = ConfigReadInt("SCLocked", 0);
// Actions for DcsInt
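Review bot: gSecRegionInfoDelay and gTPMLockedInfoDelay are ints that DcsInt.c passes straight into Pause(IN UINTN seconds), so a negative value in DcsProp — if ConfigReadInt passes it through — converts to a very large unsigned second count and the countdown effectively never ends. A clamp after each read, `if (gSecRegionInfoDelay < 0) gSecRegionInfoDelay = 0;` and likewise for gTPMLockedInfoDelay, closes that. The default of 9 here also disagrees with the 0 in the DcsProp this commit ships, so behaviour depends on whether the key is present in the file. VCAuthLoadConfig continues outside this hunk.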
diff --git a/Library/VeraCryptLib/DcsVeraCrypt.h b/Library/VeraCryptLib/DcsVeraCrypt.h
index e6ee57c..f7a3c8f 100644
--- a/Library/VeraCryptLib/DcsVeraCrypt.h
+++ b/Library/VeraCryptLib/DcsVeraCrypt.h
@@ -53,9 +53,11 @@ extern char* gAuthErrorMsg;
extern INT32 gRUD;
extern int gAuthSecRegionSearch;
+extern int gSecRegionInfoDelay;
extern int gPlatformLocked;
extern int gTPMLocked;
+extern int gTPMLockedInfoDelay;
extern int gSCLocked;
extern int gAuthPwdCode;
diff --git a/Library/VeraCryptLib/mklinks_src.bat b/Library/VeraCryptLib/mklinks_src.bat
index 1126cfa..a62298e 100644
--- a/Library/VeraCryptLib/mklinks_src.bat
+++ b/Library/VeraCryptLib/mklinks_src.bat
@@ -1,6 +1,8 @@
@echo off
pushd %~dp0
+if "%veracrypt_src%"=="" if exist %CD:~0,-28%\VeraCrypt\src set veracrypt_src=%CD:~0,-28%\VeraCrypt\src
+
call :select_path "%veracrypt_src%" "Select VeraCrypt directory:"
set veracrypt_src=%select_path_result%
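Review bot: `%CD:~0,-28%` derives the VeraCrypt checkout path by cutting a fixed 28 characters off the current directory, which only works while the path below the common parent (this script's directory under the DCS checkout) has exactly that length; a renamed checkout folder silently yields a wrong path, the `if exist` test fails and the user is prompted as before. The path is also unquoted in both `if exist` and `set`, so a current directory containing spaces breaks the command; use `if "%veracrypt_src%"=="" if exist "%CD:~0,-28%\VeraCrypt\src" set "veracrypt_src=%CD:~0,-28%\VeraCrypt\src"`. A comment recording the assumed layout (a VeraCrypt\src checkout as a sibling of the DCS checkout) would help the next maintainer.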
diff --git a/README.txt b/README.txt
new file mode 100644
index 0000000..f1c2e66
--- /dev/null
+++ b/README.txt
@@ -0,0 +1,13 @@
+VeraCrypt EFI Bootloader for EFI Windows system encryption (LGPL)
+
+DcsProp - Configuration for the loader
+SecureBoot - certificates for Secure boot configuration
+
+Modules:
+DcsBoot.efi - Starter
+DcsRe.efi - Recovery tool (decrypt etc)
+DcsCfg.dcs - configuration from EFI shell
+DcsBml.dcs - Boot menu lock runtime driver to prvent Windows modification of boot order
+DcsInt.dcs - PreBoot authorization
+DcsInfo.dcs - PlatformInfo generation
+LegacySpeaker.dcs - driver for ordinary speaker (beep)
diff --git a/SecureBoot/readme.txt b/SecureBoot/readme.txt
index 6e2dc43..ce2d3d3 100644
--- a/SecureBoot/readme.txt
+++ b/SecureBoot/readme.txt
@@ -1,13 +1,17 @@
-To update secure boot configuration
+Secure Boot:
+In order to allow VeraCrypt EFI bootloader to run when EFI Secure Boot is enabled, VeraCrypt EFI bootloader files are signed by custom key(DCS_sign)
+whose public part can be loaded into Secure Boot to allow verification of VeraCrypt EFI files.
+
+to update Secure Boot configuration steps:
1. Enter BIOS configuration
2. Switch Secure boot to setup mode (or custom mode). It deletes PK (platform certificate) and allows to load DCS platform key.
3. Boot Windows
4. execute from admin command prompt
- powershell -File sb_set_siglists.ps1
+ powershell -ExecutionPolicy Bypass -File sb_set_siglists.ps1
It sets in PK (platform key) - DCS_platform
It sets in KEK (key exchange key) - DCS_key_exchange
It sets in db - DCS_sign MicWinProPCA2011_2011-10-19 MicCorUEFCA2011_2011-06-27
All DCS modules are protected by DCS_sign.
All Windows modules are protected by MicWinProPCA2011_2011-10-19
-All SHIM(linux) modules are protected by MicCorUEFCA2011_2011-06-27 \ No newline at end of file
+All SHIM(linux) modules are protected by MicCorUEFCA2011_2011-06-27 \ No newline at end of file