diff options
author | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2019-01-12 01:24:25 +0100 |
---|---|---|
committer | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2019-01-14 10:49:05 +0100 |
commit | d3e7ed96f3685d83dcc39a18574be1dd2cc8f2f6 (patch) | |
tree | c31143436e3db3164f51fcb4f669ab8e4175610a | |
parent | 69cb0bea8197fbb2031371a1f71b9a1c94f93b27 (diff) | |
download | VeraCrypt-d3e7ed96f3685d83dcc39a18574be1dd2cc8f2f6.tar.gz VeraCrypt-d3e7ed96f3685d83dcc39a18574be1dd2cc8f2f6.zip |
Windows: Implement feature that enables clearing of encryption keys when a new device is inserted. Better implementation for update of EFI bootloader without usage of drive letters (this can fix random issues encountered during Windows upgrade).
-rw-r--r-- | src/Common/Apidrvr.h | 1 | ||||
-rw-r--r-- | src/Common/BootEncryption.cpp | 74 | ||||
-rw-r--r-- | src/Common/BootEncryption.h | 8 | ||||
-rw-r--r-- | src/Common/Language.xml | 2 | ||||
-rw-r--r-- | src/Driver/Ntdriver.c | 7 | ||||
-rw-r--r-- | src/Mount/Mount.c | 148 | ||||
-rw-r--r-- | src/Mount/Mount.rc | 30 | ||||
-rw-r--r-- | src/Mount/Resource.h | 3 |
8 files changed, 196 insertions, 77 deletions
diff --git a/src/Common/Apidrvr.h b/src/Common/Apidrvr.h index 2d996d2c..0298e204 100644 --- a/src/Common/Apidrvr.h +++ b/src/Common/Apidrvr.h @@ -416,5 +416,6 @@ typedef struct #define VC_DRIVER_CONFIG_ALLOW_NONSYS_TRIM 0x80 #define VC_DRIVER_CONFIG_BLOCK_SYS_TRIM 0x100 #define VC_DRIVER_CONFIG_ALLOW_WINDOWS_DEFRAG 0x200 +#define VC_DRIVER_CONFIG_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION 0x400 #endif /* _WIN32 */ diff --git a/src/Common/BootEncryption.cpp b/src/Common/BootEncryption.cpp index 4992e086..364f0869 100644 --- a/src/Common/BootEncryption.cpp +++ b/src/Common/BootEncryption.cpp @@ -994,10 +994,16 @@ namespace VeraCrypt Device::Device (wstring path, bool readOnly) { - FileOpen = false; - Elevated = false; + wstring effectivePath; + FileOpen = false; + Elevated = false; + + if (path.find(L"\\\\?\\") == 0) + effectivePath = path; + else + effectivePath = wstring (L"\\\\.\\") + path; - Handle = CreateFile ((wstring (L"\\\\.\\") + path).c_str(), + Handle = CreateFile (effectivePath.c_str(), readOnly ? GENERIC_READ : GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_FLAG_RANDOM_ACCESS | FILE_FLAG_WRITE_THROUGH, NULL); @@ -1978,8 +1984,7 @@ namespace VeraCrypt } else { - finally_do ({ EfiBootInst.DismountBootPartition(); }); - EfiBootInst.MountBootPartition(0); + EfiBootInst.PrepareBootPartition(); if (! (userConfig & TC_BOOT_USER_CFG_FLAG_DISABLE_PIM)) pim = -1; @@ -2492,8 +2497,6 @@ namespace VeraCrypt } EfiBoot::EfiBoot() { - ZeroMemory(EfiBootPartPath, sizeof(EfiBootPartPath)); - ZeroMemory (BootVolumePath, sizeof (BootVolumePath)); ZeroMemory (&sdn, sizeof (sdn)); ZeroMemory (&partInfo, sizeof (partInfo)); m_bMounted = false; @@ -2521,34 +2524,21 @@ namespace VeraCrypt } PUNICODE_STRING pStr = (PUNICODE_STRING) tempBuf; - memcpy (BootVolumePath, pStr->Buffer, min (pStr->Length, (sizeof (BootVolumePath) - 2))); - bBootVolumePathSelected = true; - } + BootVolumePath = pStr->Buffer; + + EfiBootPartPath = L"\\\\?"; + EfiBootPartPath += &pStr->Buffer[7]; - void EfiBoot::SelectBootVolume(WCHAR* bootVolumePath) { - wstring str; - str = bootVolumePath; - memcpy (BootVolumePath, &str[0], min (str.length() * 2, (sizeof (BootVolumePath) - 2))); bBootVolumePathSelected = true; } - void EfiBoot::MountBootPartition(WCHAR letter) { + void EfiBoot::PrepareBootPartition() { if (!bBootVolumePathSelected) { SelectBootVolumeESP(); } - - if (!letter) { - if (!GetFreeDriveLetter(&EfiBootPartPath[0])) { - throw ErrorException(L"No free letter to mount EFI boot partition", SRC_POS); - } - } else { - EfiBootPartPath[0] = letter; - } - EfiBootPartPath[1] = ':'; - EfiBootPartPath[2] = 0; - throw_sys_if(!DefineDosDevice(DDD_RAW_TARGET_PATH, EfiBootPartPath, BootVolumePath)); - - Device dev(EfiBootPartPath, TRUE); + std::wstring devicePath = L"\\\\?\\GLOBALROOT"; + devicePath += BootVolumePath; + Device dev(devicePath.c_str(), TRUE); try { @@ -2556,7 +2546,6 @@ namespace VeraCrypt } catch (...) { - DefineDosDevice(DDD_REMOVE_DEFINITION, EfiBootPartPath, NULL); throw; } @@ -2566,20 +2555,9 @@ namespace VeraCrypt dev.Close(); if (!bSuccess) { - DefineDosDevice(DDD_REMOVE_DEFINITION, EfiBootPartPath, NULL); SetLastError (dwLastError); throw SystemException(SRC_POS); - } - - m_bMounted = true; - } - - void EfiBoot::DismountBootPartition() { - if (m_bMounted) - { - DefineDosDevice(DDD_REMOVE_DEFINITION, EfiBootPartPath, NULL); - m_bMounted = false; - } + } } bool EfiBoot::IsEfiBoot() { @@ -3085,8 +3063,7 @@ namespace VeraCrypt if (!DcsInfoImg) throw ErrorException(L"Out of resource DcsInfo", SRC_POS); - finally_do ({ EfiBootInst.DismountBootPartition(); }); - EfiBootInst.MountBootPartition(0); + EfiBootInst.PrepareBootPartition(); try { @@ -4110,9 +4087,7 @@ namespace VeraCrypt const char* g_szMsBootString = "bootmgfw.pdb"; bool bModifiedMsBoot = true; - finally_do ({ EfiBootInst.DismountBootPartition(); }); - - EfiBootInst.MountBootPartition(0); + EfiBootInst.PrepareBootPartition(); EfiBootInst.GetFileSize(szStdMsBootloader, loaderSize); bootLoaderBuf.resize ((size_t) loaderSize); @@ -4233,9 +4208,7 @@ namespace VeraCrypt } } - finally_do ({ EfiBootInst.DismountBootPartition(); }); - - EfiBootInst.MountBootPartition(0); + EfiBootInst.PrepareBootPartition(); EfiBootInst.DeleteStartExec(); EfiBootInst.DeleteStartExec(0xDC5B, L"Driver"); // remove DcsBml boot driver it was installed @@ -4735,8 +4708,7 @@ namespace VeraCrypt } else { - finally_do ({ EfiBootInst.DismountBootPartition(); }); - EfiBootInst.MountBootPartition(0); + EfiBootInst.PrepareBootPartition(); memcpy (pSdn, EfiBootInst.GetStorageDeviceNumber(), sizeof (STORAGE_DEVICE_NUMBER)); } } diff --git a/src/Common/BootEncryption.h b/src/Common/BootEncryption.h index 58cdd2e0..ea0e728c 100644 --- a/src/Common/BootEncryption.h +++ b/src/Common/BootEncryption.h @@ -199,8 +199,7 @@ namespace VeraCrypt public: EfiBoot(); - void MountBootPartition(WCHAR letter); - void DismountBootPartition(); + void PrepareBootPartition(); bool IsEfiBoot(); void DeleteStartExec(uint16 statrtOrderNum = 0xDC5B, wchar_t* type = NULL); @@ -219,17 +218,16 @@ namespace VeraCrypt BOOL WriteConfig (const wchar_t* name, bool preserveUserConfig, int pim, int hashAlgo, const char* passPromptMsg, HWND hwndDlg); BOOL DelDir(const wchar_t* name); void SelectBootVolumeESP(); - void SelectBootVolume(WCHAR* bootVolumePath); PSTORAGE_DEVICE_NUMBER GetStorageDeviceNumber () { return &sdn;} protected: bool m_bMounted; - WCHAR EfiBootPartPath[3]; + std::wstring EfiBootPartPath; STORAGE_DEVICE_NUMBER sdn; PARTITION_INFORMATION_EX partInfo; WCHAR tempBuf[1024]; bool bBootVolumePathSelected; - WCHAR BootVolumePath[MAX_PATH]; + std::wstring BootVolumePath; }; class BootEncryption diff --git a/src/Common/Language.xml b/src/Common/Language.xml index 5fc4ce7d..b2700e6d 100644 --- a/src/Common/Language.xml +++ b/src/Common/Language.xml @@ -1429,6 +1429,8 @@ <entry lang="en" key="CONFIRM_ALLOW_WINDOWS_DEFRAG">WARNING: Defragmenting non-system partitions/drives may leak metadata about their content or cause issues with hidden volumes they may contain.\n\nContinue?</entry> <entry lang="en" key="VIRTUAL_DEVICE">Virtual Device</entry> <entry lang="en" key="MOUNTED_VOLUME_NOT_ASSOCIATED">The selected mounted volume is not associated with its drive letter in Windows and so it can not be opened in Windows Explorer.</entry> + <entry lang="en" key="IDC_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION">Clear encryption keys from memory if a new device is inserted</entry> + <entry lang="en" key="CLEAR_KEYS_ON_DEVICE_INSERTION_WARNING">IMPORTANT NOTES:\n - Please keep in mind that this option will not persist after a shutdown/reboot so you will need to select it again next time the machine is started.\n\n - With this option enabled and after a new device is connected, the machine will freeze and it will eventually crash with a BSOD since Windows can not access the encrypted disk after its keys are cleared from memory.\n</entry> </localization> <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema"> <xs:element name="VeraCrypt"> diff --git a/src/Driver/Ntdriver.c b/src/Driver/Ntdriver.c index 47b2f8a5..282112fc 100644 --- a/src/Driver/Ntdriver.c +++ b/src/Driver/Ntdriver.c @@ -4346,6 +4346,13 @@ NTSTATUS ReadRegistryConfigFlags (BOOL driverEntry) if (flags & VC_DRIVER_CONFIG_BLOCK_SYS_TRIM) BlockSystemTrimCommand = TRUE; + + /* clear VC_DRIVER_CONFIG_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION if it is set */ + if (flags & VC_DRIVER_CONFIG_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION) + { + flags ^= VC_DRIVER_CONFIG_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION; + WriteRegistryConfigFlags (flags); + } } EnableHwEncryption ((flags & TC_DRIVER_CONFIG_DISABLE_HARDWARE_ENCRYPTION) ? FALSE : TRUE); diff --git a/src/Mount/Mount.c b/src/Mount/Mount.c index 574c3556..473372e1 100644 --- a/src/Mount/Mount.c +++ b/src/Mount/Mount.c @@ -51,6 +51,8 @@ #include "../Setup/SelfExtract.h" #include <Strsafe.h> +#include <InitGuid.h> +#include <devguid.h> #import <msxml6.dll> no_auto_exclude @@ -9296,6 +9298,10 @@ void ExtractCommandLine (HWND hwndDlg, wchar_t *lpszCommandLine) static SERVICE_STATUS SystemFavoritesServiceStatus; static SERVICE_STATUS_HANDLE SystemFavoritesServiceStatusHandle; +static HANDLE SystemFavoriteServiceStopEvent = NULL; +static HDEVNOTIFY SystemFavoriteServiceNotify = NULL; + +DEFINE_GUID(OCL_GUID_DEVCLASS_SOFTWARECOMPONENT, 0x5c4c3332, 0x344d, 0x483c, 0x87, 0x39, 0x25, 0x9e, 0x93, 0x4c, 0x9c, 0xc8); static void SystemFavoritesServiceLogMessage (const wstring &errorMessage, WORD wType) { @@ -9336,12 +9342,84 @@ static void SystemFavoritesServiceSetStatus (DWORD status, DWORD waitHint = 0) } -static VOID WINAPI SystemFavoritesServiceCtrlHandler (DWORD control) +static DWORD WINAPI SystemFavoritesServiceCtrlHandler ( DWORD dwControl, + DWORD dwEventType, + LPVOID lpEventData, + LPVOID lpContext) { - if (control == SERVICE_CONTROL_STOP) + switch (dwControl) + { + case SERVICE_CONTROL_PRESHUTDOWN: SystemFavoritesServiceSetStatus (SERVICE_STOP_PENDING); - else + + if (BootEncObj) + { + try + { + BootEncryption::UpdateSetupConfigFile (true); + // re-install our bootloader again in case the update process has removed it. + BootEncryption bootEnc (NULL, true); + bootEnc.InstallBootLoader (true); + } + catch (...) + { + } + } + + /* clear VC_DRIVER_CONFIG_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION flag */ + SetDriverConfigurationFlag (VC_DRIVER_CONFIG_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION, FALSE); + + SetEvent (SystemFavoriteServiceStopEvent); + SystemFavoritesServiceSetStatus (SERVICE_STOP_PENDING); + + break; + case SERVICE_CONTROL_STOP: + SetEvent (SystemFavoriteServiceStopEvent); + SystemFavoritesServiceSetStatus (SERVICE_STOP_PENDING); + break; + case SERVICE_CONTROL_DEVICEEVENT: + if (DBT_DEVICEARRIVAL == dwEventType) + { + DEV_BROADCAST_HDR* pHdr = (DEV_BROADCAST_HDR *) lpEventData; + if (pHdr->dbch_devicetype != DBT_DEVTYP_VOLUME && pHdr->dbch_devicetype != DBT_DEVTYP_HANDLE) + { + SystemFavoritesServiceLogInfo (L"SERVICE_CONTROL_DEVICEEVENT - DBT_DEVICEARRIVAL received"); + + if (ReadDriverConfigurationFlags() & VC_DRIVER_CONFIG_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION) + { + BOOL bClearKeys = TRUE; + if (pHdr->dbch_devicetype == DBT_DEVTYP_DEVICEINTERFACE) + { + DEV_BROADCAST_DEVICEINTERFACE* pInf = (DEV_BROADCAST_DEVICEINTERFACE*) pHdr; + + if (IsEqualGUID (pInf->dbcc_classguid, OCL_GUID_DEVCLASS_SOFTWARECOMPONENT) + || IsEqualGUID (pInf->dbcc_classguid, GUID_DEVCLASS_VOLUME) + || IsEqualGUID (pInf->dbcc_classguid, GUID_DEVCLASS_VOLUMESNAPSHOT) + ) + { + bClearKeys = FALSE; + } + } + + if (bClearKeys) + { + DWORD cbBytesReturned = 0; + BOOL bResult = DeviceIoControl (hDriver, VC_IOCTL_EMERGENCY_CLEAR_ALL_KEYS, NULL, 0, NULL, 0, &cbBytesReturned, NULL); + if (bResult) + SystemFavoritesServiceLogInfo (L"New device insertion detected - encryption keys cleared"); + else + SystemFavoritesServiceLogInfo (L"New device insertion detected - failed to clear encryption keys"); + } + } + } + } + break; + default: SystemFavoritesServiceSetStatus (SystemFavoritesServiceStatus.dwCurrentState); + break; + } + + return NO_ERROR; } static LONG WINAPI SystemFavoritesServiceExceptionHandler (EXCEPTION_POINTERS *ep) @@ -9363,13 +9441,27 @@ static void SystemFavoritesServiceInvalidParameterHandler (const wchar_t *expres static VOID WINAPI SystemFavoritesServiceMain (DWORD argc, LPTSTR *argv) { BOOL status = FALSE; + DEV_BROADCAST_DEVICEINTERFACE hdr; memset (&SystemFavoritesServiceStatus, 0, sizeof (SystemFavoritesServiceStatus)); SystemFavoritesServiceStatus.dwServiceType = SERVICE_WIN32_OWN_PROCESS; + SystemFavoritesServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP; + if (IsOSAtLeast (WIN_VISTA) && BootEncObj && BootEncStatus.DriveMounted && BootEncObj->GetSystemDriveConfiguration().SystemPartition.IsGPT) + SystemFavoritesServiceStatus.dwControlsAccepted |= SERVICE_ACCEPT_PRESHUTDOWN; + + ZeroMemory (&hdr, sizeof(hdr)); + hdr.dbcc_size = sizeof (hdr); + hdr.dbcc_devicetype = DBT_DEVTYP_DEVICEINTERFACE; - SystemFavoritesServiceStatusHandle = RegisterServiceCtrlHandler (TC_SYSTEM_FAVORITES_SERVICE_NAME, SystemFavoritesServiceCtrlHandler); + SystemFavoritesServiceStatusHandle = RegisterServiceCtrlHandlerEx (TC_SYSTEM_FAVORITES_SERVICE_NAME, SystemFavoritesServiceCtrlHandler, NULL); if (!SystemFavoritesServiceStatusHandle) return; + SystemFavoriteServiceStopEvent = CreateEvent (NULL, FALSE, FALSE, NULL); + if (!SystemFavoriteServiceStopEvent) + return; + + SystemFavoriteServiceNotify = RegisterDeviceNotification (SystemFavoritesServiceStatusHandle, &hdr,DEVICE_NOTIFY_SERVICE_HANDLE | DEVICE_NOTIFY_ALL_INTERFACE_CLASSES); + InitGlobalLocks (); SetUnhandledExceptionFilter (SystemFavoritesServiceExceptionHandler); @@ -9400,7 +9492,22 @@ static VOID WINAPI SystemFavoritesServiceMain (DWORD argc, LPTSTR *argv) FinalizeGlobalLocks (); + if (!(ReadDriverConfigurationFlags() & TC_DRIVER_CONFIG_CACHE_BOOT_PASSWORD)) + WipeCache (NULL, TRUE); + SystemFavoritesServiceSetStatus (SERVICE_RUNNING); + + WaitForSingleObject (SystemFavoriteServiceStopEvent, INFINITE); + + if (SystemFavoriteServiceNotify) + { + UnregisterDeviceNotification (SystemFavoriteServiceNotify); + SystemFavoriteServiceNotify = NULL; + } + + CloseHandle (SystemFavoriteServiceStopEvent); + SystemFavoriteServiceStopEvent = NULL; + SystemFavoritesServiceSetStatus (SERVICE_STOPPED); } @@ -9419,6 +9526,16 @@ static BOOL StartSystemFavoritesService () if (DriverAttach() != ERR_SUCCESS) return FALSE; + try + { + BootEncObj = new BootEncryption (NULL); + BootEncStatus = BootEncObj->GetStatus(); + } + catch (Exception &) + { + BootEncStatus.DriveMounted = FALSE; + } + SERVICE_TABLE_ENTRY serviceTable[2]; serviceTable[0].lpServiceName = TC_SYSTEM_FAVORITES_SERVICE_NAME; serviceTable[0].lpServiceProc = SystemFavoritesServiceMain; @@ -9428,8 +9545,11 @@ static BOOL StartSystemFavoritesService () BOOL result = StartServiceCtrlDispatcher (serviceTable); - if (!(ReadDriverConfigurationFlags() & TC_DRIVER_CONFIG_CACHE_BOOT_PASSWORD)) - WipeCache (NULL, TRUE); + if (BootEncObj != NULL) + { + delete BootEncObj; + BootEncObj = NULL; + } return result; } @@ -10919,7 +11039,8 @@ error: void SetDriverConfigurationFlag (uint32 flag, BOOL state) { - BootEncObj->SetDriverConfigurationFlag (flag, state ? true : false); + if (BootEncObj) + BootEncObj->SetDriverConfigurationFlag (flag, state ? true : false); } @@ -11380,6 +11501,7 @@ static BOOL CALLBACK BootLoaderPreferencesDlgProc (HWND hwndDlg, UINT msg, WPARA BOOL bPasswordCacheEnabled = (driverConfig & TC_DRIVER_CONFIG_CACHE_BOOT_PASSWORD)? TRUE : FALSE; BOOL bPimCacheEnabled = (driverConfig & TC_DRIVER_CONFIG_CACHE_BOOT_PIM)? TRUE : FALSE; BOOL bBlockSysEncTrimEnabled = (driverConfig & VC_DRIVER_CONFIG_BLOCK_SYS_TRIM)? TRUE : FALSE; + BOOL bClearKeysEnabled = (driverConfig & VC_DRIVER_CONFIG_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION)? TRUE : FALSE; BOOL bIsHiddenOS = IsHiddenOSRunning (); if (!BootEncObj->ReadBootSectorConfig (nullptr, 0, &userConfig, &customUserMessage, &bootLoaderVersion)) @@ -11422,6 +11544,8 @@ static BOOL CALLBACK BootLoaderPreferencesDlgProc (HWND hwndDlg, UINT msg, WPARA CheckDlgButton (hwndDlg, IDC_BOOT_LOADER_CACHE_PASSWORD, bPasswordCacheEnabled ? BST_CHECKED : BST_UNCHECKED); EnableWindow (GetDlgItem (hwndDlg, IDC_BOOT_LOADER_CACHE_PIM), bPasswordCacheEnabled); CheckDlgButton (hwndDlg, IDC_BOOT_LOADER_CACHE_PIM, (bPasswordCacheEnabled && bPimCacheEnabled)? BST_CHECKED : BST_UNCHECKED); + CheckDlgButton (hwndDlg, IDC_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION, bClearKeysEnabled? BST_CHECKED : BST_UNCHECKED); + if (bIsHiddenOS) { // we always block TRIM command on hidden OS regardless of the configuration @@ -11542,10 +11666,12 @@ static BOOL CALLBACK BootLoaderPreferencesDlgProc (HWND hwndDlg, UINT msg, WPARA BOOL bPasswordCacheEnabled = IsDlgButtonChecked (hwndDlg, IDC_BOOT_LOADER_CACHE_PASSWORD); BOOL bPimCacheEnabled = IsDlgButtonChecked (hwndDlg, IDC_BOOT_LOADER_CACHE_PIM); BOOL bBlockSysEncTrimEnabled = IsDlgButtonChecked (hwndDlg, IDC_BLOCK_SYSENC_TRIM); + BOOL bClearKeysEnabled = IsDlgButtonChecked (hwndDlg, IDC_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION); BootEncObj->WriteBootSectorUserConfig (userConfig, customUserMessage, prop.volumePim, prop.pkcs5); SetDriverConfigurationFlag (TC_DRIVER_CONFIG_CACHE_BOOT_PASSWORD, bPasswordCacheEnabled); SetDriverConfigurationFlag (TC_DRIVER_CONFIG_CACHE_BOOT_PIM, (bPasswordCacheEnabled && bPimCacheEnabled)? TRUE : FALSE); SetDriverConfigurationFlag (TC_DRIVER_CONFIG_DISABLE_EVIL_MAID_ATTACK_DETECTION, IsDlgButtonChecked (hwndDlg, IDC_DISABLE_EVIL_MAID_ATTACK_DETECTION)); + SetDriverConfigurationFlag (VC_DRIVER_CONFIG_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION, bClearKeysEnabled); if (!IsHiddenOSRunning ()) /* we don't need to update TRIM config for hidden OS since it's always blocked */ SetDriverConfigurationFlag (VC_DRIVER_CONFIG_BLOCK_SYS_TRIM, bBlockSysEncTrimEnabled); } @@ -11589,6 +11715,14 @@ static BOOL CALLBACK BootLoaderPreferencesDlgProc (HWND hwndDlg, UINT msg, WPARA } break; + + case IDC_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION: + if (IsDlgButtonChecked (hwndDlg, IDC_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION)) + { + Warning ("CLEAR_KEYS_ON_DEVICE_INSERTION_WARNING", hwndDlg); + } + + break; } return 0; } diff --git a/src/Mount/Mount.rc b/src/Mount/Mount.rc index 3011b5d9..4a7fe101 100644 --- a/src/Mount/Mount.rc +++ b/src/Mount/Mount.rc @@ -285,7 +285,7 @@ BEGIN LTEXT "",IDT_PKCS11_LIB_HELP,16,63,286,65 END -IDD_EFI_SYSENC_SETTINGS DIALOGEX 0, 0, 375, 182 +IDD_EFI_SYSENC_SETTINGS DIALOGEX 0, 0, 375, 194 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | DS_CENTER | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "VeraCrypt - System Encryption Settings" FONT 8, "MS Shell Dlg", 400, 0, 0x1 @@ -295,18 +295,20 @@ BEGIN "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,20,339,9 CONTROL "Do not request Hash algorithm in the pre-boot authentication screen",IDC_DISABLE_BOOT_LOADER_HASH_PROMPT, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,35,339,9 - GROUPBOX "Security Options",IDT_SECURITY_OPTIONS,7,53,355,61 + GROUPBOX "Security Options",IDT_SECURITY_OPTIONS,7,53,355,75 CONTROL "&Cache pre-boot authentication password in driver memory (for mounting of non-system volumes)",IDC_BOOT_LOADER_CACHE_PASSWORD, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,68,339,10 CONTROL "Include PIM when caching pre-boot authentication password",IDC_BOOT_LOADER_CACHE_PIM, "Button",BS_AUTOCHECKBOX | WS_DISABLED | WS_TABSTOP,16,83,340,10 CONTROL "Block TRIM command on system partition/drive",IDC_BLOCK_SYSENC_TRIM, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,98,340,10 - GROUPBOX "Advanced Options",IDT_ADVANCED_OPTIONS,7,116,355,36 - PUSHBUTTON "Edit Boot Loader Configuration",IDC_EDIT_DCSPROP,10,129,173,14 - PUSHBUTTON "Display EFI Platform Information",IDC_SHOW_PLATFORMINFO,187,129,173,14 - PUSHBUTTON "Cancel",IDCANCEL,313,158,50,14 - DEFPUSHBUTTON "OK",IDOK,255,158,50,14 + GROUPBOX "Advanced Options",IDT_ADVANCED_OPTIONS,7,131,355,36 + PUSHBUTTON "Edit Boot Loader Configuration",IDC_EDIT_DCSPROP,10,144,173,14 + PUSHBUTTON "Display EFI Platform Information",IDC_SHOW_PLATFORMINFO,187,144,173,14 + PUSHBUTTON "Cancel",IDCANCEL,313,170,50,14 + DEFPUSHBUTTON "OK",IDOK,255,170,50,14 + CONTROL "Clear encryption keys from memory if a new device is inserted",IDC_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION, + "Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,112,340,10 END IDD_PERFORMANCE_SETTINGS DIALOGEX 0, 0, 371, 265 @@ -393,7 +395,7 @@ BEGIN CONTROL "TrueCrypt Mode",IDC_TRUECRYPT_MODE,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,7,7,76,10 END -IDD_SYSENC_SETTINGS DIALOGEX 0, 0, 371, 297 +IDD_SYSENC_SETTINGS DIALOGEX 0, 0, 371, 310 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | DS_CENTER | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "VeraCrypt - System Encryption Settings" FONT 8, "MS Shell Dlg", 400, 0, 0x1 @@ -413,12 +415,14 @@ BEGIN "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,237,340,10 CONTROL "Block TRIM command on system partition/drive",IDC_BLOCK_SYSENC_TRIM, "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,251,340,10 - PUSHBUTTON "Cancel",IDCANCEL,314,273,50,14 - DEFPUSHBUTTON "OK",IDOK,257,273,50,14 + PUSHBUTTON "Cancel",IDCANCEL,314,286,50,14 + DEFPUSHBUTTON "OK",IDOK,257,286,50,14 LTEXT "Display this custom message in the pre-boot authentication screen (24 characters maximum):",IDT_CUSTOM_BOOT_LOADER_MESSAGE,18,39,337,8 GROUPBOX "Boot Loader Screen Options",IDT_BOOT_LOADER_SCREEN_OPTIONS,9,7,355,165 - GROUPBOX "Security Options",IDT_SECURITY_OPTIONS,9,177,355,92 + GROUPBOX "Security Options",IDT_SECURITY_OPTIONS,9,177,355,105 LTEXT "",IDC_CUSTOM_BOOT_LOADER_MESSAGE_HELP,18,72,337,73 + CONTROL "Clear encryption keys from memory if a new device is inserted",IDC_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION, + "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,265,340,10 END ///////////////////////////////////////////////////////////////////////////// @@ -494,7 +498,7 @@ BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 368 TOPMARGIN, 7 - BOTTOMMARGIN, 172 + BOTTOMMARGIN, 184 END IDD_PERFORMANCE_SETTINGS, DIALOG @@ -526,7 +530,7 @@ BEGIN LEFTMARGIN, 7 RIGHTMARGIN, 364 TOPMARGIN, 7 - BOTTOMMARGIN, 287 + BOTTOMMARGIN, 300 END END #endif // APSTUDIO_INVOKED diff --git a/src/Mount/Resource.h b/src/Mount/Resource.h index 48451638..0eaf357a 100644 --- a/src/Mount/Resource.h +++ b/src/Mount/Resource.h @@ -191,6 +191,7 @@ #define IDC_BLOCK_SYSENC_TRIM 1168 #define IDC_ALLOW_WINDOWS_DEFRAG 1169 #define IDC_LOWER_BOX 1170 +#define IDC_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION 1171 #define IDM_HELP 40001 #define IDM_ABOUT 40002 #define IDM_UNMOUNT_VOLUME 40003 @@ -267,7 +268,7 @@ #define _APS_NO_MFC 1 #define _APS_NEXT_RESOURCE_VALUE 120 #define _APS_NEXT_COMMAND_VALUE 40069 -#define _APS_NEXT_CONTROL_VALUE 1171 +#define _APS_NEXT_CONTROL_VALUE 1172 #define _APS_NEXT_SYMED_VALUE 101 #endif #endif |