VeraCrypt
aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMounir IDRASSI <mounir.idrassi@idrix.fr>2023-08-13 22:50:37 +0200
committerMounir IDRASSI <mounir.idrassi@idrix.fr>2023-08-13 22:50:37 +0200
commitf84d235cf17a92bb51031833da502660d364013f (patch)
tree4fd5284f0b5f83d6f7ba9d3d8f5e2700f904ca39
parent8c7962bda7ea260049226fe99a351675fd0780a2 (diff)
downloadVeraCrypt-f84d235cf17a92bb51031833da502660d364013f.tar.gz
VeraCrypt-f84d235cf17a92bb51031833da502660d364013f.zip
Windows: Implement support for mounting partially encrypted system partitions
For now, we force ReadOnly mounting for such partitions.
-rw-r--r--src/Common/Apidrvr.h1
-rw-r--r--src/Common/Dlgcode.c11
-rw-r--r--src/Common/Language.xml1
-rw-r--r--src/Driver/EncryptedIoQueue.c2
-rw-r--r--src/Driver/EncryptedIoQueue.h1
-rw-r--r--src/Driver/Ntdriver.c15
-rw-r--r--src/Driver/Ntvol.c8
7 files changed, 34 insertions, 5 deletions
diff --git a/src/Common/Apidrvr.h b/src/Common/Apidrvr.h
index d8bfc74f..7a3ea868 100644
--- a/src/Common/Apidrvr.h
+++ b/src/Common/Apidrvr.h
@@ -166,6 +166,7 @@ typedef struct
BOOL RecoveryMode;
int pkcs5_prf;
int ProtectedHidVolPkcs5Prf;
+ BOOL VolumeMountedReadOnlyAfterPartialSysEnc;
uint32 BytesPerPhysicalSector;
int VolumePim;
int ProtectedHidVolPim;
diff --git a/src/Common/Dlgcode.c b/src/Common/Dlgcode.c
index 6739a7a3..a9be17c9 100644
--- a/src/Common/Dlgcode.c
+++ b/src/Common/Dlgcode.c
@@ -9253,6 +9253,17 @@ retry:
}
}
+ if (mount.VolumeMountedReadOnlyAfterPartialSysEnc
+ && !Silent
+ && bDevice)
+ {
+ wchar_t msg[1024];
+ wchar_t mountPoint[] = { L'A' + (wchar_t) driveNo, L':', 0 };
+ StringCbPrintfW (msg, sizeof(msg), GetString ("PARTIAL_SYSENC_MOUNT_READONLY"), mountPoint);
+
+ WarningDirect (msg, hwndDlg);
+ }
+
if (mount.wszLabel[0] && !mount.bDriverSetLabel)
{
// try setting the drive label on user-mode using registry
diff --git a/src/Common/Language.xml b/src/Common/Language.xml
index 1abee9d6..4cd959c5 100644
--- a/src/Common/Language.xml
+++ b/src/Common/Language.xml
@@ -1631,6 +1631,7 @@
<entry lang="en" key="EXPANDER_MOUNTING_VOLUME">Mounting volume ...\n</entry>
<entry lang="en" key="EXPANDER_UNMOUNTING_VOLUME">Unmounting volume ...\n</entry>
<entry lang="en" key="EXPANDER_EXTENDING_FILESYSTEM">Extending file system ...\n</entry>
+ <entry lang="en" key="PARTIAL_SYSENC_MOUNT_READONLY">Warning: The system partition you attempted to mount was not fully encrypted. As a safety measure to prevent potential corruption or unwanted modifications, volume '%s' was mounted as read-only.</entry>
</localization>
<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="VeraCrypt">
diff --git a/src/Driver/EncryptedIoQueue.c b/src/Driver/EncryptedIoQueue.c
index 6900fc0d..bdf139a1 100644
--- a/src/Driver/EncryptedIoQueue.c
+++ b/src/Driver/EncryptedIoQueue.c
@@ -797,7 +797,7 @@ static VOID MainThreadProc (PVOID threadArg)
request->OrigDataBufferFragment = dataBuffer;
request->Length = dataFragmentLength;
- if (queue->IsFilterDevice)
+ if (queue->IsFilterDevice || queue->bSupportPartialEncryption)
{
if (queue->EncryptedAreaStart == -1 || queue->EncryptedAreaEnd == -1)
{
diff --git a/src/Driver/EncryptedIoQueue.h b/src/Driver/EncryptedIoQueue.h
index c4b6f269..2ab9dc5b 100644
--- a/src/Driver/EncryptedIoQueue.h
+++ b/src/Driver/EncryptedIoQueue.h
@@ -49,6 +49,7 @@ typedef struct
// File-handle-based IO
HANDLE HostFileHandle;
+ BOOL bSupportPartialEncryption;
int64 VirtualDeviceLength;
SECURITY_CLIENT_CONTEXT *SecurityClientContext;
diff --git a/src/Driver/Ntdriver.c b/src/Driver/Ntdriver.c
index 7f00c9e0..b19ffb77 100644
--- a/src/Driver/Ntdriver.c
+++ b/src/Driver/Ntdriver.c
@@ -3156,6 +3156,21 @@ VOID VolumeThreadProc (PVOID Context)
Extension->Queue.HostFileHandle = Extension->hDeviceFile;
Extension->Queue.VirtualDeviceLength = Extension->DiskLength;
Extension->Queue.MaxReadAheadOffset.QuadPart = Extension->HostLength;
+ if (bDevice && pThreadBlock->mount->bPartitionInInactiveSysEncScope
+ && (!Extension->cryptoInfo->hiddenVolume)
+ && (Extension->cryptoInfo->EncryptedAreaLength.Value != Extension->cryptoInfo->VolumeSize.Value)
+ )
+ {
+ // Support partial encryption only in the case of system encryption
+ Extension->Queue.EncryptedAreaStart = 0;
+ Extension->Queue.EncryptedAreaEnd = Extension->cryptoInfo->EncryptedAreaLength.Value - 1;
+ if (Extension->Queue.CryptoInfo->EncryptedAreaLength.Value == 0)
+ {
+ Extension->Queue.EncryptedAreaStart = -1;
+ Extension->Queue.EncryptedAreaEnd = -1;
+ }
+ Extension->Queue.bSupportPartialEncryption = TRUE;
+ }
if (Extension->SecurityClientContextValid)
Extension->Queue.SecurityClientContext = &Extension->SecurityClientContext;
diff --git a/src/Driver/Ntvol.c b/src/Driver/Ntvol.c
index 177c0bf3..6f2ff399 100644
--- a/src/Driver/Ntvol.c
+++ b/src/Driver/Ntvol.c
@@ -88,6 +88,7 @@ NTSTATUS TCOpenVolume (PDEVICE_OBJECT DeviceObject,
}
mount->VolumeMountedReadOnlyAfterDeviceWriteProtected = FALSE;
+ mount->VolumeMountedReadOnlyAfterPartialSysEnc = FALSE;
// If we are opening a device, query its size first
if (bRawDevice)
@@ -677,10 +678,9 @@ NTSTATUS TCOpenVolume (PDEVICE_OBJECT DeviceObject,
if (Extension->cryptoInfo->EncryptedAreaLength.Value != Extension->cryptoInfo->VolumeSize.Value)
{
- // Partial encryption is not supported for volumes mounted as regular
- mount->nReturnCode = ERR_ENCRYPTION_NOT_COMPLETED;
- ntStatus = STATUS_SUCCESS;
- goto error;
+ // mount as readonly in case of partial system encryption
+ Extension->bReadOnly = mount->bMountReadOnly = TRUE;
+ mount->VolumeMountedReadOnlyAfterPartialSysEnc = TRUE;
}
}
else if (Extension->cryptoInfo->HeaderFlags & TC_HEADER_FLAG_NONSYS_INPLACE_ENC)