Windows: Add option to avoid PIM prompt in pre-boot authentication by storing PIM value unencrypted in MBR.

2025-11-11 11:08:02 -06:00 · 2016-04-20 00:30:28 +02:00
parent bd9105794b
commit 1396269d57
14 changed files with 186 additions and 90 deletions
--- a/src/Boot/Windows/BootCommon.h
+++ b/src/Boot/Windows/BootCommon.h
@@ -17,7 +17,7 @@
 #include "BootDefs.h"
 // The user will be advised to upgrade the rescue disk if upgrading from the following or any previous version
-#define TC_RESCUE_DISK_UPGRADE_NOTICE_MAX_VERSION 0x0116
+#define TC_RESCUE_DISK_UPGRADE_NOTICE_MAX_VERSION 0x0117
 #define TC_BOOT_LOADER_AREA_SIZE (TC_BOOT_LOADER_AREA_SECTOR_COUNT * TC_SECTOR_SIZE_BIOS)
--- a/src/Boot/Windows/BootConfig.cpp
+++ b/src/Boot/Windows/BootConfig.cpp
@@ -32,7 +32,7 @@ Partition EncryptedVirtualPartition;
 Partition ActivePartition;
 Partition PartitionFollowingActive;
 bool ExtraBootPartitionPresent = false;
-uint64 HiddenVolumeStartUnitNo;
+uint64 PimValueOrHiddenVolumeStartUnitNo; // reuse this variable for stored PIM value to reduce memory usage
 uint64 HiddenVolumeStartSector;
 #ifndef TC_WINDOWS_BOOT_RESCUE_DISK_MODE
@@ -68,6 +68,14 @@ void ReadBootSectorUserConfiguration ()
 		DisableScreenOutput();
 	}
 	if (userConfig & TC_BOOT_USER_CFG_FLAG_DISABLE_PIM)
 	{
 		PimValueOrHiddenVolumeStartUnitNo.LowPart = 0;
 		memcpy (&PimValueOrHiddenVolumeStartUnitNo.LowPart, SectorBuffer + TC_BOOT_SECTOR_PIM_VALUE_OFFSET, TC_BOOT_SECTOR_PIM_VALUE_SIZE);
 	}
 	else
 		PimValueOrHiddenVolumeStartUnitNo.LowPart = -1;
 	OuterVolumeBackupHeaderCrc = *(uint32 *) (SectorBuffer + TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET);
 ret:
--- a/src/Boot/Windows/BootConfig.h
+++ b/src/Boot/Windows/BootConfig.h
@@ -36,7 +36,7 @@ extern Partition EncryptedVirtualPartition;
 extern Partition ActivePartition;
 extern Partition PartitionFollowingActive;
 extern bool ExtraBootPartitionPresent;
-extern uint64 HiddenVolumeStartUnitNo;
+extern uint64 PimValueOrHiddenVolumeStartUnitNo; // reuse this variable for stored PIM value to reduce memory usage
 extern uint64 HiddenVolumeStartSector;
--- a/src/Boot/Windows/BootDefs.h
+++ b/src/Boot/Windows/BootDefs.h
@@ -74,6 +74,9 @@
 #define TC__BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_SIZE 4
 #define TC__BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET (TC__BOOT_SECTOR_USER_MESSAGE_OFFSET - TC__BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_SIZE)
 #define TC__BOOT_SECTOR_PIM_VALUE_SIZE	2
 #define TC__BOOT_SECTOR_PIM_VALUE_OFFSET	(TC__BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET - TC__BOOT_SECTOR_PIM_VALUE_SIZE)
 #define TC__BOOT_LOADER_DECOMPRESSOR_START_SECTOR 2
 #define TC__BOOT_LOADER_DECOMPRESSOR_SECTOR_COUNT 4
 #define TC__BOOT_LOADER_DECOMPRESSOR_MEMORY_SIZE 32768
@@ -100,6 +103,7 @@
 #define TC__BOOT_USER_CFG_FLAG_SILENT_MODE				TC_HEX (01)
 #define TC__BOOT_USER_CFG_FLAG_DISABLE_ESC				TC_HEX (02)
 #define TC__BOOT_USER_CFG_FLAG_DISABLE_HW_ENCRYPTION	TC_HEX (04)
 #define TC__BOOT_USER_CFG_FLAG_DISABLE_PIM				TC_HEX (08)
 // The following items are treated as a 2-bit value (apply TC_BOOT_CFG_MASK_HIDDEN_OS_CREATION_PHASE to obtain the value)
 #define TC__HIDDEN_OS_CREATION_PHASE_NONE		0
@@ -163,6 +167,8 @@ TC_HIDDEN_OS_CREATION_PHASE_WIPED = TC__HIDDEN_OS_CREATION_PHASE_WIPED
 #define TC_BOOT_SECTOR_USER_MESSAGE_OFFSET TC__BOOT_SECTOR_USER_MESSAGE_OFFSET
 #define TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_SIZE TC__BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_SIZE
 #define TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET TC__BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET
 #define TC_BOOT_SECTOR_PIM_VALUE_SIZE TC__BOOT_SECTOR_PIM_VALUE_SIZE
 #define TC_BOOT_SECTOR_PIM_VALUE_OFFSET TC__BOOT_SECTOR_PIM_VALUE_OFFSET
 #define TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH TC__BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH
 #define TC_BOOT_SECTOR_VERSION_OFFSET TC__BOOT_SECTOR_VERSION_OFFSET
 #define TC_BOOT_SECTOR_LOADER_LENGTH_OFFSET TC__BOOT_SECTOR_LOADER_LENGTH_OFFSET
@@ -186,6 +192,7 @@ TC_HIDDEN_OS_CREATION_PHASE_WIPED = TC__HIDDEN_OS_CREATION_PHASE_WIPED
 #define TC_BOOT_USER_CFG_FLAG_SILENT_MODE TC__BOOT_USER_CFG_FLAG_SILENT_MODE
 #define TC_BOOT_USER_CFG_FLAG_DISABLE_ESC TC__BOOT_USER_CFG_FLAG_DISABLE_ESC
 #define TC_BOOT_USER_CFG_FLAG_DISABLE_HW_ENCRYPTION TC__BOOT_USER_CFG_FLAG_DISABLE_HW_ENCRYPTION
 #define TC_BOOT_USER_CFG_FLAG_DISABLE_PIM TC__BOOT_USER_CFG_FLAG_DISABLE_PIM
 #define TC_HIDDEN_OS_CREATION_PHASE_NONE TC__HIDDEN_OS_CREATION_PHASE_NONE
 #define TC_HIDDEN_OS_CREATION_PHASE_CLONING TC__HIDDEN_OS_CREATION_PHASE_CLONING
 #define TC_HIDDEN_OS_CREATION_PHASE_WIPING TC__HIDDEN_OS_CREATION_PHASE_WIPING
--- a/src/Boot/Windows/BootEncryptedIo.cpp
+++ b/src/Boot/Windows/BootEncryptedIo.cpp
@@ -48,7 +48,7 @@ BiosResult ReadEncryptedSectors (uint16 destSegment, uint16 destOffset, byte dri
 	{
 		// Convert sector number to data unit number of the hidden volume
 		sector -= HiddenVolumeStartSector;
-		sector += HiddenVolumeStartUnitNo;
+		sector += PimValueOrHiddenVolumeStartUnitNo;
 	}
 	if (drive == EncryptedVirtualPartition.Drive)
@@ -96,7 +96,7 @@ BiosResult WriteEncryptedSectors (uint16 sourceSegment, uint16 sourceOffset, byt
 		writeOffset = HiddenVolumeStartSector;
 		writeOffset -= EncryptedVirtualPartition.StartSector;
 		dataUnitNo -= EncryptedVirtualPartition.StartSector;
-		dataUnitNo += HiddenVolumeStartUnitNo;
+		dataUnitNo += PimValueOrHiddenVolumeStartUnitNo;
 	}
 	while (sectorCount-- > 0)
--- a/src/Boot/Windows/BootMain.cpp
+++ b/src/Boot/Windows/BootMain.cpp
@@ -231,6 +231,17 @@ static byte AskPassword (Password &password, int& pim)
 			PrintCharAtCursor (asciiCode);
 	}
 #ifndef TC_WINDOWS_BOOT_RESCUE_DISK_MODE
 	if (PimValueOrHiddenVolumeStartUnitNo.LowPart != -1)
 	{
 		pim = (int) PimValueOrHiddenVolumeStartUnitNo.LowPart;
 		// reset stored PIM value to allow requesting PIM next time in case the stored value is wrong
 		PimValueOrHiddenVolumeStartUnitNo.LowPart = -1;
 		return TC_BIOS_KEY_ENTER;
 	}
 	else
 #endif
 	{
 		pos = 0;
 		Print ("PIM: ");
@@ -298,6 +309,7 @@ static byte AskPassword (Password &password, int& pim)
 				PrintCharAtCursor (asciiCode);
 		}
 	}
 }
 static void ExecuteBootSector (byte drive, byte *sectorBuffer)
@@ -468,7 +480,7 @@ static bool MountVolume (byte drive, byte &exitKey, bool skipNormal, bool skipHi
 		EncryptedVirtualPartition.StartSector = BootCryptoInfo->EncryptedAreaStart >> TC_LB_SIZE_BIT_SHIFT_DIVISOR;
-		HiddenVolumeStartUnitNo = EncryptedVirtualPartition.StartSector;
+		PimValueOrHiddenVolumeStartUnitNo = EncryptedVirtualPartition.StartSector;
 		HiddenVolumeStartSector = PartitionFollowingActive.StartSector;
 		HiddenVolumeStartSector += EncryptedVirtualPartition.StartSector;
@@ -749,7 +761,7 @@ static bool CopySystemPartitionToHiddenVolume (byte drive, byte &exitKey)
 		{
 			CopyMemory (TC_BOOT_LOADER_BUFFER_SEGMENT, i * TC_LB_SIZE, SectorBuffer, TC_LB_SIZE);
-			uint64 s = HiddenVolumeStartUnitNo + sectorOffset + i;
+			uint64 s = PimValueOrHiddenVolumeStartUnitNo + sectorOffset + i;
 			EncryptDataUnits (SectorBuffer, &s, 1, BootCryptoInfo);
 			CopyMemory (SectorBuffer, TC_BOOT_LOADER_BUFFER_SEGMENT, i * TC_LB_SIZE, TC_LB_SIZE);
--- a/src/Common/BootEncryption.cpp
+++ b/src/Common/BootEncryption.cpp
@@ -1300,7 +1300,7 @@ namespace VeraCrypt
 	}
-	void BootEncryption::WriteBootSectorUserConfig (byte userConfig, const string &customUserMessage)
+	void BootEncryption::WriteBootSectorUserConfig (byte userConfig, const string &customUserMessage, int pim)
 	{
 		Device device (GetSystemDriveConfiguration().DevicePath);
 		device.CheckOpened (SRC_POS);
@@ -1327,6 +1327,15 @@ namespace VeraCrypt
 			memcpy (mbr + TC_BOOT_SECTOR_USER_MESSAGE_OFFSET, customUserMessage.c_str(), customUserMessage.size());
 		}
 		if (userConfig & TC_BOOT_USER_CFG_FLAG_DISABLE_PIM)
 		{
 			// PIM for pre-boot authentication can be encoded on two bytes since its maximum
 			// value is 65535 (0xFFFF)
 			memcpy (mbr + TC_BOOT_SECTOR_PIM_VALUE_OFFSET, &pim, TC_BOOT_SECTOR_PIM_VALUE_SIZE);
 		}
 		else
 			memset (mbr + TC_BOOT_SECTOR_PIM_VALUE_OFFSET, 0, TC_BOOT_SECTOR_PIM_VALUE_SIZE);
 		device.SeekAt (0);
 		device.Write (mbr, sizeof (mbr));
@@ -1494,7 +1503,7 @@ namespace VeraCrypt
 		InstallBootLoader (device, preserveUserConfig, hiddenOSCreation);
 	}
-	void BootEncryption::InstallBootLoader (Device& device, bool preserveUserConfig, bool hiddenOSCreation)
+	void BootEncryption::InstallBootLoader (Device& device, bool preserveUserConfig, bool hiddenOSCreation, int pim)
 	{
 		byte bootLoaderBuf[TC_BOOT_LOADER_AREA_SIZE - TC_BOOT_ENCRYPTION_VOLUME_HEADER_SIZE] = {0};
 		CreateBootLoaderInMemory (bootLoaderBuf, sizeof (bootLoaderBuf), false, hiddenOSCreation);
@@ -1512,6 +1521,16 @@ namespace VeraCrypt
 			{
 				bootLoaderBuf[TC_BOOT_SECTOR_USER_CONFIG_OFFSET] = mbr[TC_BOOT_SECTOR_USER_CONFIG_OFFSET];
 				memcpy (bootLoaderBuf + TC_BOOT_SECTOR_USER_MESSAGE_OFFSET, mbr + TC_BOOT_SECTOR_USER_MESSAGE_OFFSET, TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH);
 				if (bootLoaderBuf[TC_BOOT_SECTOR_USER_CONFIG_OFFSET] & TC_BOOT_USER_CFG_FLAG_DISABLE_PIM)
 				{
 					if (pim >= 0)
 					{
 						memcpy (bootLoaderBuf + TC_BOOT_SECTOR_PIM_VALUE_OFFSET, &pim, TC_BOOT_SECTOR_PIM_VALUE_SIZE);
 					}
 					else
 						memcpy (bootLoaderBuf + TC_BOOT_SECTOR_PIM_VALUE_OFFSET, mbr + TC_BOOT_SECTOR_PIM_VALUE_OFFSET, TC_BOOT_SECTOR_PIM_VALUE_SIZE);
 				}
 			}
 		}
@@ -2499,17 +2518,32 @@ namespace VeraCrypt
 		if (headerUpdated)
 		{
 			bool storedPimUpdateNeeded = false;
 			ReopenBootVolumeHeaderRequest reopenRequest;
 			reopenRequest.VolumePassword = *newPassword;
 			reopenRequest.pkcs5_prf = cryptoInfo->pkcs5;
 			reopenRequest.pim = pim;
 			finally_do_arg (ReopenBootVolumeHeaderRequest*, &reopenRequest, { burn (finally_arg, sizeof (*finally_arg)); });
 			if (old_pim != pim)
 			{
 				try
 				{
-				// force update of bootloader if fingerprint doesn't match
+					// check if PIM is stored in MBR
-				if (!CheckBootloaderFingerprint (true))
+					byte userConfig;
-					InstallBootLoader (device, true);
+					ReadBootSectorConfig (nullptr, 0, &userConfig);
 					if (userConfig & TC_BOOT_USER_CFG_FLAG_DISABLE_PIM)
 						storedPimUpdateNeeded = true;
 				}
 				catch (...)
 				{}
 			}
 			try
 			{
 				// force update of bootloader if fingerprint doesn't match or if the stored PIM changed
 				if (storedPimUpdateNeeded || !CheckBootloaderFingerprint (true))
 					InstallBootLoader (device, true, false, pim);
 			}
 			catch (...)
 			{}
--- a/src/Common/BootEncryption.h
+++ b/src/Common/BootEncryption.h
@@ -169,7 +169,7 @@ namespace VeraCrypt
 		void GetVolumeProperties (VOLUME_PROPERTIES_STRUCT *properties);
 		SystemDriveConfiguration GetSystemDriveConfiguration ();
 		void Install (bool hiddenSystem);
-		void InstallBootLoader (Device& device, bool preserveUserConfig = false, bool hiddenOSCreation = false);
+		void InstallBootLoader (Device& device, bool preserveUserConfig = false, bool hiddenOSCreation = false, int pim = -1);
 		void InstallBootLoader (bool preserveUserConfig = false, bool hiddenOSCreation = false);
 		bool CheckBootloaderFingerprint (bool bSilent = false);
 		void InvalidateCachedSysDriveProperties ();
@@ -206,7 +206,7 @@ namespace VeraCrypt
 		void WipeHiddenOSCreationConfig ();
 		void WriteBootDriveSector (uint64 offset, byte *data);
 		void WriteBootSectorConfig (const byte newConfig[]);
-		void WriteBootSectorUserConfig (byte userConfig, const string &customUserMessage);
+		void WriteBootSectorUserConfig (byte userConfig, const string &customUserMessage, int pim);
 		void WriteLocalMachineRegistryDwordValue (wchar_t *keyPath, wchar_t *valueName, DWORD value);
 	protected:
--- a/src/Common/Language.xml
+++ b/src/Common/Language.xml
@@ -1394,6 +1394,8 @@
    <string lang="en" key="VOLUME_ID_INVALID">The Volume ID value is invalid</string>
    <string lang="en" key="VOLUME_ID_NOT_FOUND">No Volume with the specified ID was found on the system</string>
    <string lang="en" key="IDPM_COPY_VALUE_TO_CLIPBOARD">Copy Value to Clipboard...</string>
    <control lang="en" key="IDC_DISABLE_BOOT_LOADER_PIM_PROMPT">Do not request PIM in the pre-boot authentication screen (PIM value is stored unencrypted on disk)</control>
    <string lang="en" key="DISABLE_BOOT_LOADER_PIM_PROMPT">WARNING: Please keep in mind that if you enable this option, the PIM value will be stored unencrypted on the disk.\n\nAre you sure you want to enable this option?</string>
  </localization>
  <!-- XML Schema -->
  <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
--- a/src/Common/Volumes.c
+++ b/src/Common/Volumes.c
@@ -590,6 +590,7 @@ void ComputeBootloaderFingerprint (byte *bootLoaderBuf, unsigned int bootLoaderS
 {
 	// compute Whirlpool+SHA512 fingerprint of bootloader including MBR
 	// we skip user configuration fields:
 	// TC_BOOT_SECTOR_PIM_VALUE_OFFSET = 400
 	// TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET = 402
 	//  => TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_SIZE = 4
 	// TC_BOOT_SECTOR_USER_MESSAGE_OFFSET     = 406
@@ -604,8 +605,8 @@ void ComputeBootloaderFingerprint (byte *bootLoaderBuf, unsigned int bootLoaderS
 	WHIRLPOOL_init (&whirlpool);
 	sha512_begin (&sha2);
-	WHIRLPOOL_add (bootLoaderBuf, TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET * 8, &whirlpool);
+	WHIRLPOOL_add (bootLoaderBuf, TC_BOOT_SECTOR_PIM_VALUE_OFFSET * 8, &whirlpool);
-	sha512_hash (bootLoaderBuf, TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET, &sha2);
+	sha512_hash (bootLoaderBuf, TC_BOOT_SECTOR_PIM_VALUE_OFFSET, &sha2);
 	WHIRLPOOL_add (bootLoaderBuf + TC_BOOT_SECTOR_USER_MESSAGE_OFFSET + TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH, (TC_BOOT_SECTOR_USER_CONFIG_OFFSET - (TC_BOOT_SECTOR_USER_MESSAGE_OFFSET + TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH)) * 8, &whirlpool);
 	sha512_hash (bootLoaderBuf + TC_BOOT_SECTOR_USER_MESSAGE_OFFSET + TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH, (TC_BOOT_SECTOR_USER_CONFIG_OFFSET - (TC_BOOT_SECTOR_USER_MESSAGE_OFFSET + TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH)), &sha2);
--- a/src/Driver/DriveFilter.c
+++ b/src/Driver/DriveFilter.c
@@ -241,6 +241,7 @@ static void ComputeBootLoaderFingerprint(PDEVICE_OBJECT LowerDeviceObject, byte*
 	// compute Whirlpool+SHA512 fingerprint of bootloader including MBR
 	// we skip user configuration fields:
 	// TC_BOOT_SECTOR_PIM_VALUE_OFFSET = 400
 	// TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET = 402
 	//  => TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_SIZE = 4
 	// TC_BOOT_SECTOR_USER_MESSAGE_OFFSET     = 406
@@ -257,11 +258,11 @@ static void ComputeBootLoaderFingerprint(PDEVICE_OBJECT LowerDeviceObject, byte*
 	status = TCReadDevice (LowerDeviceObject, ioBuffer, offset, TC_SECTOR_SIZE_BIOS);
 	if (NT_SUCCESS (status))
 	{
-		WHIRLPOOL_add (ioBuffer, TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET * 8, &whirlpool);
+		WHIRLPOOL_add (ioBuffer, TC_BOOT_SECTOR_PIM_VALUE_OFFSET * 8, &whirlpool);
 		WHIRLPOOL_add (ioBuffer + TC_BOOT_SECTOR_USER_MESSAGE_OFFSET + TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH, (TC_BOOT_SECTOR_USER_CONFIG_OFFSET - (TC_BOOT_SECTOR_USER_MESSAGE_OFFSET + TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH)) * 8, &whirlpool);
 		WHIRLPOOL_add (ioBuffer + TC_BOOT_SECTOR_USER_CONFIG_OFFSET + 1, (TC_MAX_MBR_BOOT_CODE_SIZE - (TC_BOOT_SECTOR_USER_CONFIG_OFFSET + 1)) * 8, &whirlpool);
-		sha512_hash (ioBuffer, TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET, &sha2);
+		sha512_hash (ioBuffer, TC_BOOT_SECTOR_PIM_VALUE_OFFSET, &sha2);
 		sha512_hash (ioBuffer + TC_BOOT_SECTOR_USER_MESSAGE_OFFSET + TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH, (TC_BOOT_SECTOR_USER_CONFIG_OFFSET - (TC_BOOT_SECTOR_USER_MESSAGE_OFFSET + TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH)), &sha2);
 		sha512_hash (ioBuffer + TC_BOOT_SECTOR_USER_CONFIG_OFFSET + 1, (TC_MAX_MBR_BOOT_CODE_SIZE - (TC_BOOT_SECTOR_USER_CONFIG_OFFSET + 1)), &sha2);
--- a/src/Mount/Mount.c
+++ b/src/Mount/Mount.c
@@ -10359,9 +10359,11 @@ static BOOL CALLBACK PerformanceSettingsDlgProc (HWND hwndDlg, UINT msg, WPARAM
 				try
 				{
 					VOLUME_PROPERTIES_STRUCT prop;
 					try
 					{
 						BootEncStatus = BootEncObj->GetStatus();
 						BootEncObj->GetVolumeProperties (&prop);
 					}
 					catch (...)
 					{
@@ -10384,7 +10386,7 @@ static BOOL CALLBACK PerformanceSettingsDlgProc (HWND hwndDlg, UINT msg, WPARAM
 						else
 							userConfig &= ~TC_BOOT_USER_CFG_FLAG_DISABLE_HW_ENCRYPTION;
-						BootEncObj->WriteBootSectorUserConfig (userConfig, customUserMessage);
+						BootEncObj->WriteBootSectorUserConfig (userConfig, customUserMessage, prop.volumePim);
 					}
 					SetDriverConfigurationFlag (TC_DRIVER_CONFIG_DISABLE_HARDWARE_ENCRYPTION, disableHW);
@@ -10724,6 +10726,7 @@ static BOOL CALLBACK BootLoaderPreferencesDlgProc (HWND hwndDlg, UINT msg, WPARA
 				SendMessage (GetDlgItem (hwndDlg, IDC_CUSTOM_BOOT_LOADER_MESSAGE), EM_LIMITTEXT, TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH, 0);
 				SetDlgItemTextA (hwndDlg, IDC_CUSTOM_BOOT_LOADER_MESSAGE, customUserMessage.c_str());
 				CheckDlgButton (hwndDlg, IDC_DISABLE_BOOT_LOADER_PIM_PROMPT, (userConfig & TC_BOOT_USER_CFG_FLAG_DISABLE_PIM) ? BST_CHECKED : BST_UNCHECKED);
 				CheckDlgButton (hwndDlg, IDC_DISABLE_BOOT_LOADER_OUTPUT, (userConfig & TC_BOOT_USER_CFG_FLAG_SILENT_MODE) ? BST_CHECKED : BST_UNCHECKED);
 				CheckDlgButton (hwndDlg, IDC_ALLOW_ESC_PBA_BYPASS, (userConfig & TC_BOOT_USER_CFG_FLAG_DISABLE_ESC) ? BST_UNCHECKED : BST_CHECKED);
 				CheckDlgButton (hwndDlg, IDC_BOOT_LOADER_CACHE_PASSWORD, bPasswordCacheEnabled ? BST_CHECKED : BST_UNCHECKED);
@@ -10752,12 +10755,25 @@ static BOOL CALLBACK BootLoaderPreferencesDlgProc (HWND hwndDlg, UINT msg, WPARA
 		case IDOK:
 			{
 				VOLUME_PROPERTIES_STRUCT prop;
 				if (!BootEncObj->GetStatus().DriveMounted)
 				{
 					EndDialog (hwndDlg, IDCANCEL);
 					return 1;
 				}
 				try
 				{
 					BootEncObj->GetVolumeProperties (&prop);
 				}
 				catch (Exception &e)
 				{
 					e.Show (hwndDlg);
 					EndDialog (hwndDlg, IDCANCEL);
 					return 1;
 				}
 				char customUserMessage[TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH + 1];
 				GetDlgItemTextA (hwndDlg, IDC_CUSTOM_BOOT_LOADER_MESSAGE, customUserMessage, sizeof (customUserMessage));
@@ -10772,6 +10788,11 @@ static BOOL CALLBACK BootLoaderPreferencesDlgProc (HWND hwndDlg, UINT msg, WPARA
 					return 1;
 				}
 				if (IsDlgButtonChecked (hwndDlg, IDC_DISABLE_BOOT_LOADER_PIM_PROMPT))
 					userConfig |= TC_BOOT_USER_CFG_FLAG_DISABLE_PIM;
 				else
 					userConfig &= ~TC_BOOT_USER_CFG_FLAG_DISABLE_PIM;
 				if (IsDlgButtonChecked (hwndDlg, IDC_DISABLE_BOOT_LOADER_OUTPUT))
 					userConfig |= TC_BOOT_USER_CFG_FLAG_SILENT_MODE;
 				else
@@ -10786,7 +10807,7 @@ static BOOL CALLBACK BootLoaderPreferencesDlgProc (HWND hwndDlg, UINT msg, WPARA
 				{
 					BOOL bPasswordCacheEnabled = IsDlgButtonChecked (hwndDlg, IDC_BOOT_LOADER_CACHE_PASSWORD);
 					BOOL bPimCacheEnabled = IsDlgButtonChecked (hwndDlg, IDC_BOOT_LOADER_CACHE_PIM);
-					BootEncObj->WriteBootSectorUserConfig (userConfig, customUserMessage);
+					BootEncObj->WriteBootSectorUserConfig (userConfig, customUserMessage, prop.volumePim);
 					SetDriverConfigurationFlag (TC_DRIVER_CONFIG_CACHE_BOOT_PASSWORD, bPasswordCacheEnabled);
 					SetDriverConfigurationFlag (TC_DRIVER_CONFIG_CACHE_BOOT_PIM, (bPasswordCacheEnabled && bPimCacheEnabled)? TRUE : FALSE);
 					SetDriverConfigurationFlag (TC_DRIVER_CONFIG_DISABLE_EVIL_MAID_ATTACK_DETECTION, IsDlgButtonChecked (hwndDlg, IDC_DISABLE_EVIL_MAID_ATTACK_DETECTION));
@@ -10801,6 +10822,13 @@ static BOOL CALLBACK BootLoaderPreferencesDlgProc (HWND hwndDlg, UINT msg, WPARA
 				return 1;
 			}
 		case IDC_DISABLE_BOOT_LOADER_PIM_PROMPT:
 			if ((IsDlgButtonChecked (hwndDlg, IDC_DISABLE_BOOT_LOADER_PIM_PROMPT))
 				&& AskWarnYesNo ("DISABLE_BOOT_LOADER_PIM_PROMPT", hwndDlg) == IDNO)
 			{
 				CheckDlgButton (hwndDlg, IDC_DISABLE_BOOT_LOADER_PIM_PROMPT, BST_UNCHECKED);
 			}
 		case IDC_DISABLE_BOOT_LOADER_OUTPUT:
 			if ((IsDlgButtonChecked (hwndDlg, IDC_DISABLE_BOOT_LOADER_OUTPUT))
 				&& AskWarnYesNo ("CUSTOM_BOOT_LOADER_MESSAGE_PROMPT", hwndDlg) == IDNO)
--- a/src/Mount/Mount.rc
+++ b/src/Mount/Mount.rc
@@ -281,28 +281,30 @@ BEGIN
    LTEXT           "",IDT_PKCS11_LIB_HELP,16,63,286,65
 END
-IDD_SYSENC_SETTINGS DIALOGEX 0, 0, 370, 272
+IDD_SYSENC_SETTINGS DIALOGEX 0, 0, 370, 286
 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | DS_CENTER | WS_POPUP | WS_CAPTION | WS_SYSMENU
 CAPTION "VeraCrypt - System Encryption Settings"
 FONT 8, "MS Shell Dlg", 400, 0, 0x1
 BEGIN
    CONTROL         "Do not &show any texts in the pre-boot authentication screen (except the below custom message)",IDC_DISABLE_BOOT_LOADER_OUTPUT,
-                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,22,339,9
+                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,37,339,9
-    EDITTEXT        IDC_CUSTOM_BOOT_LOADER_MESSAGE,18,52,216,14,ES_AUTOHSCROLL
+    EDITTEXT        IDC_CUSTOM_BOOT_LOADER_MESSAGE,18,67,216,14,ES_AUTOHSCROLL
    CONTROL         "&Cache pre-boot authentication password in driver memory (for mounting of non-system volumes)",IDC_BOOT_LOADER_CACHE_PASSWORD,
-                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,178,339,10
+                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,192,339,10
    CONTROL         "Allow pre-boot &authentication to be bypassed by pressing the Esc key (enables boot manager)",IDC_ALLOW_ESC_PBA_BYPASS,
-                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,208,340,10
+                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,222,340,10
-    DEFPUSHBUTTON   "OK",IDOK,257,244,50,14
+    DEFPUSHBUTTON   "OK",IDOK,257,262,50,14
-    PUSHBUTTON      "Cancel",IDCANCEL,313,244,50,14
+    PUSHBUTTON      "Cancel",IDCANCEL,313,262,50,14
-    LTEXT           "Display this custom message in the pre-boot authentication screen (24 characters maximum):",IDT_CUSTOM_BOOT_LOADER_MESSAGE,18,41,337,8
+    LTEXT           "Display this custom message in the pre-boot authentication screen (24 characters maximum):",IDT_CUSTOM_BOOT_LOADER_MESSAGE,18,56,337,8
-    GROUPBOX        "Boot Loader Screen Options",IDT_BOOT_LOADER_SCREEN_OPTIONS,8,7,355,150
+    GROUPBOX        "Boot Loader Screen Options",IDT_BOOT_LOADER_SCREEN_OPTIONS,8,7,355,165
-    GROUPBOX        "Security Options",IDT_SECURITY_OPTIONS,8,163,355,75
+    GROUPBOX        "Security Options",IDT_SECURITY_OPTIONS,8,177,355,75
-    LTEXT           "",IDC_CUSTOM_BOOT_LOADER_MESSAGE_HELP,18,74,337,73
+    LTEXT           "",IDC_CUSTOM_BOOT_LOADER_MESSAGE_HELP,18,89,337,73
    CONTROL         "Disable ""Evil Maid"" attack detection",IDC_DISABLE_EVIL_MAID_ATTACK_DETECTION,
-                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,223,340,10
+                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,237,340,10
    CONTROL         "Include PIM when caching pre-boot authentication password",IDC_BOOT_LOADER_CACHE_PIM,
-                    "Button",BS_AUTOCHECKBOX | WS_DISABLED | WS_TABSTOP,18,193,340,10
+                    "Button",BS_AUTOCHECKBOX | WS_DISABLED | WS_TABSTOP,18,207,340,10
    CONTROL         "Do not request PIM in the pre-boot authentication screen (PIM value is stored unencrypted on disk)",IDC_DISABLE_BOOT_LOADER_PIM_PROMPT,
                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,20,339,9
 END
 IDD_PERFORMANCE_SETTINGS DIALOGEX 0, 0, 370, 248
@@ -456,7 +458,7 @@ BEGIN
        LEFTMARGIN, 7
        RIGHTMARGIN, 363
        TOPMARGIN, 7
-        BOTTOMMARGIN, 258
+        BOTTOMMARGIN, 276
    END
    IDD_PERFORMANCE_SETTINGS, DIALOG
--- a/src/Mount/Resource.h
+++ b/src/Mount/Resource.h
@@ -179,6 +179,7 @@
 #define IDT_VOLUME_ID                   1157
 #define IDC_FAVORITE_VOLUME_ID          1158
 #define IDC_FAVORITE_USE_VOLUME_ID      1159
 #define IDC_DISABLE_BOOT_LOADER_PIM_PROMPT     1160
 #define IDM_HELP                        40001
 #define IDM_ABOUT                       40002
 #define IDM_UNMOUNT_VOLUME              40003
@@ -255,7 +256,7 @@
 #define _APS_NO_MFC                     1
 #define _APS_NEXT_RESOURCE_VALUE        119
 #define _APS_NEXT_COMMAND_VALUE         40069
-#define _APS_NEXT_CONTROL_VALUE         1160
+#define _APS_NEXT_CONTROL_VALUE         1161
 #define _APS_NEXT_SYMED_VALUE           101
 #endif
 #endif