diff options
author | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2023-08-13 22:50:37 +0200 |
---|---|---|
committer | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2023-08-13 22:50:37 +0200 |
commit | f84d235cf17a92bb51031833da502660d364013f (patch) | |
tree | 4fd5284f0b5f83d6f7ba9d3d8f5e2700f904ca39 | |
parent | 8c7962bda7ea260049226fe99a351675fd0780a2 (diff) | |
download | VeraCrypt-f84d235cf17a92bb51031833da502660d364013f.tar.gz VeraCrypt-f84d235cf17a92bb51031833da502660d364013f.zip |
Windows: Implement support for mounting partially encrypted system partitions
For now, we force ReadOnly mounting for such partitions.
-rw-r--r-- | src/Common/Apidrvr.h | 1 | ||||
-rw-r--r-- | src/Common/Dlgcode.c | 11 | ||||
-rw-r--r-- | src/Common/Language.xml | 1 | ||||
-rw-r--r-- | src/Driver/EncryptedIoQueue.c | 2 | ||||
-rw-r--r-- | src/Driver/EncryptedIoQueue.h | 1 | ||||
-rw-r--r-- | src/Driver/Ntdriver.c | 15 | ||||
-rw-r--r-- | src/Driver/Ntvol.c | 8 |
7 files changed, 34 insertions, 5 deletions
diff --git a/src/Common/Apidrvr.h b/src/Common/Apidrvr.h index d8bfc74f..7a3ea868 100644 --- a/src/Common/Apidrvr.h +++ b/src/Common/Apidrvr.h @@ -166,6 +166,7 @@ typedef struct BOOL RecoveryMode; int pkcs5_prf; int ProtectedHidVolPkcs5Prf; + BOOL VolumeMountedReadOnlyAfterPartialSysEnc; uint32 BytesPerPhysicalSector; int VolumePim; int ProtectedHidVolPim; diff --git a/src/Common/Dlgcode.c b/src/Common/Dlgcode.c index 6739a7a3..a9be17c9 100644 --- a/src/Common/Dlgcode.c +++ b/src/Common/Dlgcode.c @@ -9253,6 +9253,17 @@ retry: } } + if (mount.VolumeMountedReadOnlyAfterPartialSysEnc + && !Silent + && bDevice) + { + wchar_t msg[1024]; + wchar_t mountPoint[] = { L'A' + (wchar_t) driveNo, L':', 0 }; + StringCbPrintfW (msg, sizeof(msg), GetString ("PARTIAL_SYSENC_MOUNT_READONLY"), mountPoint); + + WarningDirect (msg, hwndDlg); + } + if (mount.wszLabel[0] && !mount.bDriverSetLabel) { // try setting the drive label on user-mode using registry diff --git a/src/Common/Language.xml b/src/Common/Language.xml index 1abee9d6..4cd959c5 100644 --- a/src/Common/Language.xml +++ b/src/Common/Language.xml @@ -1631,6 +1631,7 @@ <entry lang="en" key="EXPANDER_MOUNTING_VOLUME">Mounting volume ...\n</entry> <entry lang="en" key="EXPANDER_UNMOUNTING_VOLUME">Unmounting volume ...\n</entry> <entry lang="en" key="EXPANDER_EXTENDING_FILESYSTEM">Extending file system ...\n</entry> + <entry lang="en" key="PARTIAL_SYSENC_MOUNT_READONLY">Warning: The system partition you attempted to mount was not fully encrypted. As a safety measure to prevent potential corruption or unwanted modifications, volume '%s' was mounted as read-only.</entry> </localization> <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema"> <xs:element name="VeraCrypt"> diff --git a/src/Driver/EncryptedIoQueue.c b/src/Driver/EncryptedIoQueue.c index 6900fc0d..bdf139a1 100644 --- a/src/Driver/EncryptedIoQueue.c +++ b/src/Driver/EncryptedIoQueue.c @@ -797,7 +797,7 @@ static VOID MainThreadProc (PVOID threadArg) request->OrigDataBufferFragment = dataBuffer; request->Length = dataFragmentLength; - if (queue->IsFilterDevice) + if (queue->IsFilterDevice || queue->bSupportPartialEncryption) { if (queue->EncryptedAreaStart == -1 || queue->EncryptedAreaEnd == -1) { diff --git a/src/Driver/EncryptedIoQueue.h b/src/Driver/EncryptedIoQueue.h index c4b6f269..2ab9dc5b 100644 --- a/src/Driver/EncryptedIoQueue.h +++ b/src/Driver/EncryptedIoQueue.h @@ -49,6 +49,7 @@ typedef struct // File-handle-based IO HANDLE HostFileHandle; + BOOL bSupportPartialEncryption; int64 VirtualDeviceLength; SECURITY_CLIENT_CONTEXT *SecurityClientContext; diff --git a/src/Driver/Ntdriver.c b/src/Driver/Ntdriver.c index 7f00c9e0..b19ffb77 100644 --- a/src/Driver/Ntdriver.c +++ b/src/Driver/Ntdriver.c @@ -3156,6 +3156,21 @@ VOID VolumeThreadProc (PVOID Context) Extension->Queue.HostFileHandle = Extension->hDeviceFile; Extension->Queue.VirtualDeviceLength = Extension->DiskLength; Extension->Queue.MaxReadAheadOffset.QuadPart = Extension->HostLength; + if (bDevice && pThreadBlock->mount->bPartitionInInactiveSysEncScope + && (!Extension->cryptoInfo->hiddenVolume) + && (Extension->cryptoInfo->EncryptedAreaLength.Value != Extension->cryptoInfo->VolumeSize.Value) + ) + { + // Support partial encryption only in the case of system encryption + Extension->Queue.EncryptedAreaStart = 0; + Extension->Queue.EncryptedAreaEnd = Extension->cryptoInfo->EncryptedAreaLength.Value - 1; + if (Extension->Queue.CryptoInfo->EncryptedAreaLength.Value == 0) + { + Extension->Queue.EncryptedAreaStart = -1; + Extension->Queue.EncryptedAreaEnd = -1; + } + Extension->Queue.bSupportPartialEncryption = TRUE; + } if (Extension->SecurityClientContextValid) Extension->Queue.SecurityClientContext = &Extension->SecurityClientContext; diff --git a/src/Driver/Ntvol.c b/src/Driver/Ntvol.c index 177c0bf3..6f2ff399 100644 --- a/src/Driver/Ntvol.c +++ b/src/Driver/Ntvol.c @@ -88,6 +88,7 @@ NTSTATUS TCOpenVolume (PDEVICE_OBJECT DeviceObject, } mount->VolumeMountedReadOnlyAfterDeviceWriteProtected = FALSE; + mount->VolumeMountedReadOnlyAfterPartialSysEnc = FALSE; // If we are opening a device, query its size first if (bRawDevice) @@ -677,10 +678,9 @@ NTSTATUS TCOpenVolume (PDEVICE_OBJECT DeviceObject, if (Extension->cryptoInfo->EncryptedAreaLength.Value != Extension->cryptoInfo->VolumeSize.Value) { - // Partial encryption is not supported for volumes mounted as regular - mount->nReturnCode = ERR_ENCRYPTION_NOT_COMPLETED; - ntStatus = STATUS_SUCCESS; - goto error; + // mount as readonly in case of partial system encryption + Extension->bReadOnly = mount->bMountReadOnly = TRUE; + mount->VolumeMountedReadOnlyAfterPartialSysEnc = TRUE; } } else if (Extension->cryptoInfo->HeaderFlags & TC_HEADER_FLAG_NONSYS_INPLACE_ENC) |