From f84d235cf17a92bb51031833da502660d364013f Mon Sep 17 00:00:00 2001
From: Mounir IDRASSI <mounir.idrassi@idrix.fr>
Date: Sun, 13 Aug 2023 22:50:37 +0200
Subject: Windows: Implement support for mounting partially encrypted system
 partitions

For now, we force ReadOnly mounting for such partitions.
---
 src/Common/Apidrvr.h          |  1 +
 src/Common/Dlgcode.c          | 11 +++++++++++
 src/Common/Language.xml       |  1 +
 src/Driver/EncryptedIoQueue.c |  2 +-
 src/Driver/EncryptedIoQueue.h |  1 +
 src/Driver/Ntdriver.c         | 15 +++++++++++++++
 src/Driver/Ntvol.c            |  8 ++++----
 7 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/src/Common/Apidrvr.h b/src/Common/Apidrvr.h
index d8bfc74f..7a3ea868 100644
--- a/src/Common/Apidrvr.h
+++ b/src/Common/Apidrvr.h
@@ -166,6 +166,7 @@ typedef struct
 	BOOL RecoveryMode;
 	int pkcs5_prf;
 	int ProtectedHidVolPkcs5Prf;
+	BOOL VolumeMountedReadOnlyAfterPartialSysEnc;
 	uint32 BytesPerPhysicalSector;
 	int VolumePim;
 	int ProtectedHidVolPim;
diff --git a/src/Common/Dlgcode.c b/src/Common/Dlgcode.c
index 6739a7a3..a9be17c9 100644
--- a/src/Common/Dlgcode.c
+++ b/src/Common/Dlgcode.c
@@ -9253,6 +9253,17 @@ retry:
 		}
 	}
 
+	if (mount.VolumeMountedReadOnlyAfterPartialSysEnc
+		&& !Silent
+		&& bDevice)
+	{
+		wchar_t msg[1024];
+		wchar_t mountPoint[] = { L'A' + (wchar_t) driveNo, L':', 0 };
+		StringCbPrintfW (msg, sizeof(msg), GetString ("PARTIAL_SYSENC_MOUNT_READONLY"), mountPoint);
+
+		WarningDirect (msg, hwndDlg);
+	}
+
 	if (mount.wszLabel[0] && !mount.bDriverSetLabel)
 	{
 		// try setting the drive label on user-mode using registry
diff --git a/src/Common/Language.xml b/src/Common/Language.xml
index 1abee9d6..4cd959c5 100644
--- a/src/Common/Language.xml
+++ b/src/Common/Language.xml
@@ -1631,6 +1631,7 @@
     <entry lang="en" key="EXPANDER_MOUNTING_VOLUME">Mounting volume ...\n</entry>
     <entry lang="en" key="EXPANDER_UNMOUNTING_VOLUME">Unmounting volume ...\n</entry>
     <entry lang="en" key="EXPANDER_EXTENDING_FILESYSTEM">Extending file system ...\n</entry>
+    <entry lang="en" key="PARTIAL_SYSENC_MOUNT_READONLY">Warning: The system partition you attempted to mount was not fully encrypted. As a safety measure to prevent potential corruption or unwanted modifications, volume '%s' was mounted as read-only.</entry>
   </localization>
   <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
     <xs:element name="VeraCrypt">
diff --git a/src/Driver/EncryptedIoQueue.c b/src/Driver/EncryptedIoQueue.c
index 6900fc0d..bdf139a1 100644
--- a/src/Driver/EncryptedIoQueue.c
+++ b/src/Driver/EncryptedIoQueue.c
@@ -797,7 +797,7 @@ static VOID MainThreadProc (PVOID threadArg)
 				request->OrigDataBufferFragment = dataBuffer;
 				request->Length = dataFragmentLength;
 
-				if (queue->IsFilterDevice)
+				if (queue->IsFilterDevice || queue->bSupportPartialEncryption)
 				{
 					if (queue->EncryptedAreaStart == -1 || queue->EncryptedAreaEnd == -1)
 					{
diff --git a/src/Driver/EncryptedIoQueue.h b/src/Driver/EncryptedIoQueue.h
index c4b6f269..2ab9dc5b 100644
--- a/src/Driver/EncryptedIoQueue.h
+++ b/src/Driver/EncryptedIoQueue.h
@@ -49,6 +49,7 @@ typedef struct
 
 	// File-handle-based IO
 	HANDLE HostFileHandle;
+	BOOL bSupportPartialEncryption;
 	int64 VirtualDeviceLength;
 	SECURITY_CLIENT_CONTEXT *SecurityClientContext;
 
diff --git a/src/Driver/Ntdriver.c b/src/Driver/Ntdriver.c
index 7f00c9e0..b19ffb77 100644
--- a/src/Driver/Ntdriver.c
+++ b/src/Driver/Ntdriver.c
@@ -3156,6 +3156,21 @@ VOID VolumeThreadProc (PVOID Context)
 	Extension->Queue.HostFileHandle = Extension->hDeviceFile;
 	Extension->Queue.VirtualDeviceLength = Extension->DiskLength;
 	Extension->Queue.MaxReadAheadOffset.QuadPart = Extension->HostLength;
+	if (bDevice && pThreadBlock->mount->bPartitionInInactiveSysEncScope
+		&& (!Extension->cryptoInfo->hiddenVolume)
+		&& (Extension->cryptoInfo->EncryptedAreaLength.Value != Extension->cryptoInfo->VolumeSize.Value)
+		)
+	{
+		// Support partial encryption only in the case of system encryption
+		Extension->Queue.EncryptedAreaStart = 0;
+		Extension->Queue.EncryptedAreaEnd = Extension->cryptoInfo->EncryptedAreaLength.Value - 1;
+		if (Extension->Queue.CryptoInfo->EncryptedAreaLength.Value == 0)
+		{
+			Extension->Queue.EncryptedAreaStart = -1;
+			Extension->Queue.EncryptedAreaEnd = -1;
+		}
+		Extension->Queue.bSupportPartialEncryption = TRUE;
+	}
 
 	if (Extension->SecurityClientContextValid)
 		Extension->Queue.SecurityClientContext = &Extension->SecurityClientContext;
diff --git a/src/Driver/Ntvol.c b/src/Driver/Ntvol.c
index 177c0bf3..6f2ff399 100644
--- a/src/Driver/Ntvol.c
+++ b/src/Driver/Ntvol.c
@@ -88,6 +88,7 @@ NTSTATUS TCOpenVolume (PDEVICE_OBJECT DeviceObject,
 	}
 
 	mount->VolumeMountedReadOnlyAfterDeviceWriteProtected = FALSE;
+	mount->VolumeMountedReadOnlyAfterPartialSysEnc = FALSE;
 
 	// If we are opening a device, query its size first
 	if (bRawDevice)
@@ -677,10 +678,9 @@ NTSTATUS TCOpenVolume (PDEVICE_OBJECT DeviceObject,
 
 					if (Extension->cryptoInfo->EncryptedAreaLength.Value != Extension->cryptoInfo->VolumeSize.Value)
 					{
-						// Partial encryption is not supported for volumes mounted as regular
-						mount->nReturnCode = ERR_ENCRYPTION_NOT_COMPLETED;
-						ntStatus = STATUS_SUCCESS;
-						goto error;
+						// mount as readonly in case of partial system encryption
+						Extension->bReadOnly = mount->bMountReadOnly = TRUE;
+						mount->VolumeMountedReadOnlyAfterPartialSysEnc = TRUE;
 					}
 				}
 				else if (Extension->cryptoInfo->HeaderFlags & TC_HEADER_FLAG_NONSYS_INPLACE_ENC)
-- 
cgit v1.2.3