Linux: refine in-kernel NTFS driver selection

Keep the NTFS kernel-driver option as a generic in-kernel NTFS path rather than an ntfs3-specific path. Add --filesystem=kernel-ntfs and -m kernelntfs routes that select a registered or loadable kernel NTFS driver and mount with -i so mount.ntfs/ntfs-3g helpers are not invoked. Preserve --filesystem=ntfs3 as a literal pin to the ntfs3 driver. Treat both ntfs3 and kernel-ntfs as mount-only selectors; volume creation continues to use filesystem type NTFS. The preference and -m kernelntfs path only select an in-kernel NTFS driver when no explicit filesystem type was supplied and blkid detects NTFS. Treat ntfs as the preferred in-kernel driver on Linux 7.1 and later, where the upstream read/write driver is expected. On earlier kernels, select ntfs only when module metadata identifies the standalone read/write driver and /sys/module confirms it loaded, avoiding ntfs3 read-only ntfs compatibility registrations. Fall back to ntfs3 otherwise, and report a generic kernel-driver error if neither supported driver is available or loadable. Rename the internal preference/config field to MountNtfsWithKernelDriver, migrate the old MountNtfsWithNtfs3 preference key, and update UI strings, CLI help, documentation, release notes, and translation placeholders accordingly. Reference: https://github.com/veracrypt/VeraCrypt/issues/1735
2026-05-21 21:30:48 -05:00 · 2026-05-17 18:33:36 +09:00
parent 9535e65bd8
commit 6bef9e009c
66 changed files with 447 additions and 147 deletions
@@ -1668,8 +1668,9 @@
    <entry lang="en" key="PIM_ARGON2_LARGE_WARNING">You have chosen an Argon2 PIM value that is larger than VeraCrypt default value.\nPlease note that this can require more memory and lead to much slower mounting.</entry>
    <entry lang="en" key="PIM_ARGON2_SMALL_WARNING">You have chosen an Argon2 PIM value that is smaller than the default VeraCrypt value. Please note that if your password is not strong enough, this could lead to weaker security.\n\nDo you confirm that you are using a strong password?</entry>
    <entry lang="en" key="PIM_ARGON2_REQUIRE_LONG_PASSWORD">Password must contain 20 or more characters in order to use the specified Argon2 PIM.\nShorter passwords can only be used if the Argon2 PIM is 12 or greater.</entry>
-    <entry lang="en" key="LINUX_PREF_MOUNT_NTFS_WITH_NTFS3">Mount NTFS volumes with the Linux kernel ntfs3 driver</entry>
-    <entry lang="en" key="LINUX_PREF_MOUNT_NTFS_WITH_NTFS3_HELP">Linux only. When enabled, VeraCrypt probes the decrypted virtual device with blkid -p and mounts detected NTFS filesystems with ntfs3 instead of the default NTFS backend. If NTFS detection fails, VeraCrypt uses the normal automatic filesystem selection. If ntfs3 is unavailable or blocked by the distribution, mounting may fail. This opt-in option can avoid suspend or hibernate hangs caused by frozen user-space FUSE filesystems.</entry>
+    <entry lang="en" key="LINUX_PREF_MOUNT_NTFS_WITH_KERNEL_DRIVER">Mount NTFS volumes with an in-kernel Linux driver</entry>
+    <entry lang="en" key="LINUX_PREF_MOUNT_NTFS_WITH_KERNEL_DRIVER_HELP">Linux only. When enabled and no explicit filesystem type was supplied, VeraCrypt probes the decrypted virtual device with blkid -p and mounts detected NTFS filesystems with an available in-kernel NTFS driver, bypassing mount helpers such as ntfs-3g. VeraCrypt uses ntfs when it is positively identified as a modern read/write driver or expected on Linux 7.1 or later, and otherwise uses ntfs3. If NTFS detection fails, VeraCrypt uses the normal automatic filesystem selection. If no supported in-kernel NTFS driver is available or loadable, mounting fails. This opt-in option can avoid suspend or hibernate hangs caused by frozen user-space FUSE filesystems.</entry>
+    <entry lang="en" key="LINUX_KERNEL_NTFS_DRIVER_UNAVAILABLE">No supported in-kernel NTFS driver is available or loadable. To use the system default NTFS backend, disable the NTFS kernel-driver preference or do not request kernel NTFS explicitly.</entry>
    <entry lang="en" key="LINUX_EMERGENCY_UNMOUNT_WARNING">Normal unmount of volume {0} failed. This can happen when applications still have files or directories open on the volume, or when the backing device was disconnected and the mount became stale.\n\nIf the device is still connected, choose No, close applications using the volume, and try unmounting again.\n\nIf the device was disconnected or the mount is stale, VeraCrypt can attempt emergency cleanup by lazy-detaching the filesystem and removing or scheduling removal of VeraCrypt kernel objects. Pending writes may have failed, data may be lost, and cleanup may remain pending until applications close open files. Check the filesystem with fsck or the appropriate repair tool before using it again.\n\nContinue?</entry>
    <entry lang="en" key="LINUX_EMERGENCY_UNMOUNTED">Emergency cleanup for volume {0} has been initiated. If the volume was disconnected, the mount was stale, or there were pending writes, check the filesystem with fsck or the appropriate repair tool before using it again.</entry>
    <entry lang="en" key="FORMAT_STAGE_WRITING_DATA">Creating volume data. Please wait.</entry>
@@ -49,6 +49,7 @@ namespace VeraCrypt
 	TC_EXCEPTION (EncryptedSystemRequired); \
 	TC_EXCEPTION (HigherFuseVersionRequired); \
 	TC_EXCEPTION (KernelCryptoServiceTestFailed); \
+	TC_EXCEPTION (KernelNtfsDriverUnavailable); \
 	TC_EXCEPTION (LoopDeviceSetupFailed); \
 	TC_EXCEPTION (MountPointRequired); \
 	TC_EXCEPTION (MountPointUnavailable); \
@@ -25,7 +25,7 @@ namespace VeraCrypt
 		TC_CLONE (FilesystemOptions);
 		TC_CLONE (FilesystemType);
 #ifdef TC_LINUX
-		TC_CLONE (MountNtfsWithNtfs3);
+		TC_CLONE (MountNtfsWithKernelDriver);
 #endif
 		TC_CLONE_SHARED (KeyfileList, Keyfiles);
 		TC_CLONE_SHARED (DirectoryPath, MountPoint);
@@ -66,7 +66,7 @@ namespace VeraCrypt
 		sr.Deserialize ("FilesystemOptions", FilesystemOptions);
 		sr.Deserialize ("FilesystemType", FilesystemType);
 #ifdef TC_LINUX
-		sr.Deserialize ("MountNtfsWithNtfs3", MountNtfsWithNtfs3);
+		sr.Deserialize ("MountNtfsWithKernelDriver", MountNtfsWithKernelDriver);
 #endif

 		Keyfiles = Keyfile::DeserializeList (stream, "Keyfiles");
@@ -139,7 +139,7 @@ namespace VeraCrypt
 		sr.Serialize ("FilesystemOptions", FilesystemOptions);
 		sr.Serialize ("FilesystemType", FilesystemType);
 #ifdef TC_LINUX
-		sr.Serialize ("MountNtfsWithNtfs3", MountNtfsWithNtfs3);
+		sr.Serialize ("MountNtfsWithKernelDriver", MountNtfsWithKernelDriver);
 #endif
 		Keyfile::SerializeList (stream, "Keyfiles", Keyfiles);

@@ -27,7 +27,7 @@ namespace VeraCrypt
 			:
 			CachePassword (false),
 #ifdef TC_LINUX
-			MountNtfsWithNtfs3 (false),
+			MountNtfsWithKernelDriver (false),
 #endif
 			NoFilesystem (false),
 			NoHardwareCrypto (false),
@@ -55,7 +55,7 @@ namespace VeraCrypt
 		wstring FilesystemOptions;
 		wstring FilesystemType;
 #ifdef TC_LINUX
-		bool MountNtfsWithNtfs3;
+		bool MountNtfsWithKernelDriver;
 #endif
 		shared_ptr <KeyfileList> Keyfiles;
 		shared_ptr <DirectoryPath> MountPoint;
@@ -18,6 +18,9 @@
 #include <sys/stat.h>
 #include <sys/time.h>
 #include <sys/types.h>
+#ifdef TC_LINUX
+#include <sys/utsname.h>
+#endif
 #include <stdio.h>
 #include <unistd.h>
 #include "Platform/FileStream.h"
@@ -30,6 +33,10 @@ namespace VeraCrypt
 {
 #ifdef TC_LINUX
 	static string GetTmpUser ();
+	static bool GetLinuxKernelVersion (int &kernelMajor, int &kernelMinor);
+	static bool IsLinuxKernelModuleLoaded (const string &moduleName);
+	static bool IsLinuxKernelVersionAtLeast (int major, int minor);
+	static bool IsNtfsReadWriteKernelModuleAvailable ();
 	static bool SamePath (const string& path1, const string& path2);
 #endif

@@ -747,6 +754,82 @@ namespace VeraCrypt
 	}

 #ifdef TC_LINUX
+	static bool GetLinuxKernelVersion (int &kernelMajor, int &kernelMinor)
+	{
+		struct utsname kernelInfo;
+		if (uname (&kernelInfo) != 0)
+			return false;
+
+		kernelMajor = 0;
+		kernelMinor = 0;
+		int versionFields = sscanf (kernelInfo.release, "%d.%d", &kernelMajor, &kernelMinor);
+
+		if (versionFields < 1)
+			return false;
+
+		return true;
+	}
+
+	static bool IsLinuxKernelVersionAtLeast (int major, int minor)
+	{
+		int kernelMajor = 0;
+		int kernelMinor = 0;
+		if (!GetLinuxKernelVersion (kernelMajor, kernelMinor))
+			return false;
+
+		return kernelMajor > major || (kernelMajor == major && kernelMinor >= minor);
+	}
+
+	static bool IsLinuxKernelModuleLoaded (const string &moduleName)
+	{
+		string modulePath = "/sys/module/" + moduleName;
+		struct stat moduleStat;
+		return stat (modulePath.c_str(), &moduleStat) == 0 && S_ISDIR (moduleStat.st_mode);
+	}
+
+	static bool IsNtfsReadWriteKernelModuleAvailable ()
+	{
+		list <string> args;
+		args.push_back ("-F");
+		args.push_back ("description");
+		args.push_back ("ntfs");
+
+		try
+		{
+			string description = StringConverter::ToLower (StringConverter::Trim (Process::Execute ("modinfo", args, 2000)));
+			// The upstream fs/ntfs module reports "NTFS read-write filesystem driver".
+			// ntfs3 compatibility aliases report different wording, such as read/write.
+			return description.find ("ntfs") != string::npos
+				&& description.find ("read-write") != string::npos
+				&& description.find ("filesystem driver") != string::npos;
+		}
+		catch (...) { }
+
+		return false;
+	}
+
+	bool CoreUnix::IsNtfsReadWriteKernelFilesystemTypeAvailable () const
+	{
+		if (!IsNtfsReadWriteKernelModuleAvailable ())
+			return false;
+
+		if (!IsLinuxKernelModuleLoaded ("ntfs"))
+		{
+			list <string> args;
+			args.push_back ("-q");
+			args.push_back ("-b");
+			args.push_back ("ntfs");
+
+			try
+			{
+				Process::Execute ("modprobe", args, 5000);
+			}
+			catch (...) { }
+		}
+
+		return IsLinuxKernelModuleLoaded ("ntfs") && IsFilesystemTypeRegistered ("ntfs");
+	}
+
 	string CoreUnix::DetectFilesystemType (const DevicePath &devicePath) const
 	{
 		list <string> args;
@@ -767,9 +850,113 @@ namespace VeraCrypt
 			return string();
 		}
 	}
+
+	bool CoreUnix::IsFilesystemTypeRegistered (const string &filesystemType) const
+	{
+		FILE *procFilesystems = fopen ("/proc/filesystems", "r");
+		if (!procFilesystems)
+			return false;
+
+		bool registered = false;
+		char line[256];
+		finally_do_arg (FILE *, procFilesystems, fclose (finally_arg););
+
+		while (fgets (line, sizeof (line), procFilesystems))
+		{
+			string entry = StringConverter::Trim (line);
+			size_t separator = entry.find_last_of (" \t");
+
+			if (separator != string::npos)
+				entry = entry.substr (separator + 1);
+
+			if (entry == filesystemType)
+			{
+				registered = true;
+				break;
+			}
+		}
+
+		return registered;
+	}
+
+	bool CoreUnix::IsKernelFilesystemTypeAvailable (const string &filesystemType) const
+	{
+		if (IsFilesystemTypeRegistered (filesystemType))
+			return true;
+
+		// This is only used from mount-time paths that run with root-equivalent privileges.
+		// If a future unprivileged caller uses it, modprobe is expected to fail silently here.
+		list <string> moduleNames;
+		moduleNames.push_back (filesystemType);
+		moduleNames.push_back ("fs-" + filesystemType);
+
+		foreach (const string &moduleName, moduleNames)
+		{
+			list <string> args;
+			args.push_back ("-q");
+			args.push_back ("-b");
+			args.push_back (moduleName);
+
+			try
+			{
+				Process::Execute ("modprobe", args, 5000);
+			}
+			catch (...) { }
+
+			if (IsFilesystemTypeRegistered (filesystemType))
+				return true;
+		}
+
+		return false;
+	}
+
+	string CoreUnix::SelectNtfsKernelFilesystemType () const
+	{
+		bool kernelHasStandaloneNtfs = IsLinuxKernelVersionAtLeast (7, 1);
+
+		// Linux 6.9-7.0 may expose an "ntfs" compatibility alias from ntfs3,
+		// but that legacy mount path is forced read-only. Only use "ntfs" where
+		// the standalone read/write in-kernel driver is expected upstream, or when
+		// module metadata and /sys/module positively identify a loaded backport as
+		// the modern driver. Do not trust a pre-existing "ntfs" registration on
+		// pre-7.1 kernels; it may belong to ntfs3's read-only compatibility path.
+		if (!kernelHasStandaloneNtfs && IsNtfsReadWriteKernelFilesystemTypeAvailable ())
+			return "ntfs";
+
+		if (kernelHasStandaloneNtfs && IsKernelFilesystemTypeAvailable ("ntfs"))
+			return "ntfs";
+
+		if (IsKernelFilesystemTypeAvailable ("ntfs3"))
+			return "ntfs3";
+
+		throw KernelNtfsDriverUnavailable (SRC_POS);
+	}
+
+	void CoreUnix::ResolveNtfsKernelMountOptions (const DevicePath &devicePath, bool mountNtfsWithKernelDriver,
+		wstring &filesystemType, bool &internalMountOnly) const
+	{
+		string requestedFilesystemType = StringConverter::ToLower (StringConverter::ToSingle (filesystemType));
+		bool explicitKernelNtfsRequest = requestedFilesystemType == "kernel-ntfs" || requestedFilesystemType == "ntfs-kernel";
+
+		if (requestedFilesystemType == "ntfs3")
+		{
+			// mount.ntfs3 helpers are not required; -i keeps mount(8) on the kernel path.
+			internalMountOnly = true;
+			return;
+		}
+
+		if (!explicitKernelNtfsRequest
+			&& !(mountNtfsWithKernelDriver
+				&& filesystemType.empty()
+				&& DetectFilesystemType (devicePath) == "ntfs"))
+			return;
+
+		filesystemType = StringConverter::ToWide (SelectNtfsKernelFilesystemType());
+		internalMountOnly = true;
+	}
 #endif

-	void CoreUnix::MountFilesystem (const DevicePath &devicePath, const DirectoryPath &mountPoint, const string &filesystemType, bool readOnly, const string &systemMountOptions) const
+	void CoreUnix::MountFilesystem (const DevicePath &devicePath, const DirectoryPath &mountPoint, const string &filesystemType, bool readOnly, const string &systemMountOptions, bool internalMountOnly) const
 	{
 		if (GetMountedFilesystems (DevicePath(), mountPoint).size() > 0)
 			throw MountPointUnavailable (SRC_POS);
@@ -777,6 +964,9 @@ namespace VeraCrypt
 		list <string> args;
 		string options;

+		if (internalMountOnly)
+			args.push_back ("-i");
+
 		if (!filesystemType.empty())
 		{
 #ifdef TC_SOLARIS
@@ -1118,19 +1308,17 @@ namespace VeraCrypt
 		if (!options.NoFilesystem && options.MountPoint && !options.MountPoint->IsEmpty())
 		{
 			wstring filesystemType = options.FilesystemType;
+			bool internalMountOnly = false;

 #ifdef TC_LINUX
-			if (options.MountNtfsWithNtfs3 && filesystemType.empty()
-				&& DetectFilesystemType (loopDev) == "ntfs")
-			{
-				filesystemType = L"ntfs3";
-			}
+			ResolveNtfsKernelMountOptions (loopDev, options.MountNtfsWithKernelDriver, filesystemType, internalMountOnly);
 #endif

 			MountFilesystem (loopDev, *options.MountPoint,
 				StringConverter::ToSingle (filesystemType),
 				options.Protection == VolumeProtection::ReadOnly,
-				StringConverter::ToSingle (options.FilesystemOptions));
+				StringConverter::ToSingle (options.FilesystemOptions),
+				internalMountOnly);
 		}

 		return loopDev;
@@ -70,12 +70,19 @@ namespace VeraCrypt
 		virtual uid_t GetRealUserId () const;
 		virtual gid_t GetRealGroupId () const;
 		virtual string GetTempDirectory () const;
-		virtual void MountFilesystem (const DevicePath &devicePath, const DirectoryPath &mountPoint, const string &filesystemType, bool readOnly, const string &systemMountOptions) const;
+		// internalMountOnly maps to mount(8) -i and suppresses /sbin/mount.<type> helpers.
+		virtual void MountFilesystem (const DevicePath &devicePath, const DirectoryPath &mountPoint, const string &filesystemType, bool readOnly, const string &systemMountOptions, bool internalMountOnly = false) const;
 		virtual DevicePath MountAuxVolumeImage (const DirectoryPath &auxMountPoint, const MountOptions &options) const;
 		virtual void MountVolumeNative (shared_ptr <Volume> volume, MountOptions &options, const DirectoryPath &auxMountPoint) const { throw NotApplicable (SRC_POS); }
 		virtual void UpdateMountedVolumeInfo (shared_ptr <VolumeInfo> mountedVolume) const { (void) mountedVolume; }
 #ifdef TC_LINUX
 		string DetectFilesystemType (const DevicePath &devicePath) const;
+		bool IsFilesystemTypeRegistered (const string &filesystemType) const;
+		bool IsKernelFilesystemTypeAvailable (const string &filesystemType) const;
+		bool IsNtfsReadWriteKernelFilesystemTypeAvailable () const;
+		void ResolveNtfsKernelMountOptions (const DevicePath &devicePath, bool mountNtfsWithKernelDriver,
+			wstring &filesystemType, bool &internalMountOnly) const;
+		string SelectNtfsKernelFilesystemType () const;
 #endif

 	private:
@@ -183,8 +183,10 @@ namespace VeraCrypt
 		return mountedFilesystems;
 	}

-	void CoreFreeBSD::MountFilesystem (const DevicePath &devicePath, const DirectoryPath &mountPoint, const string &filesystemType, bool readOnly, const string &systemMountOptions) const
+	void CoreFreeBSD::MountFilesystem (const DevicePath &devicePath, const DirectoryPath &mountPoint, const string &filesystemType, bool readOnly, const string &systemMountOptions, bool internalMountOnly) const
 	{
+		(void) internalMountOnly;
+
 		std::string chosenFilesystem = "msdos";
 		std::string modifiedMountOptions = systemMountOptions;

@@ -30,7 +30,7 @@ namespace VeraCrypt
 		virtual DevicePath AttachFileToLoopDevice (const FilePath &filePath, bool readOnly) const;
 		virtual void DetachLoopDevice (const DevicePath &devicePath) const;
 		virtual MountedFilesystemList GetMountedFilesystems (const DevicePath &devicePath = DevicePath(), const DirectoryPath &mountPoint = DirectoryPath()) const;
-		virtual void MountFilesystem (const DevicePath &devicePath, const DirectoryPath &mountPoint, const string &filesystemType, bool readOnly, const string &systemMountOptions) const;
+		virtual void MountFilesystem (const DevicePath &devicePath, const DirectoryPath &mountPoint, const string &filesystemType, bool readOnly, const string &systemMountOptions, bool internalMountOnly = false) const;

 	private:
 		CoreFreeBSD (const CoreFreeBSD &);
@@ -455,7 +455,7 @@ namespace VeraCrypt
 		return mountedFilesystems;
 	}

-	void CoreLinux::MountFilesystem (const DevicePath &devicePath, const DirectoryPath &mountPoint, const string &filesystemType, bool readOnly, const string &systemMountOptions) const
+	void CoreLinux::MountFilesystem (const DevicePath &devicePath, const DirectoryPath &mountPoint, const string &filesystemType, bool readOnly, const string &systemMountOptions, bool internalMountOnly) const
 	{
 		bool fsMounted = false;

@@ -466,14 +466,14 @@ namespace VeraCrypt
 				stringstream userMountOptions;
 				userMountOptions << "uid=" << GetRealUserId() << ",gid=" << GetRealGroupId() << ",umask=077" << (!systemMountOptions.empty() ? "," : "");

-				CoreUnix::MountFilesystem (devicePath, mountPoint, filesystemType, readOnly, userMountOptions.str() + systemMountOptions);
+				CoreUnix::MountFilesystem (devicePath, mountPoint, filesystemType, readOnly, userMountOptions.str() + systemMountOptions, internalMountOnly);
 				fsMounted = true;
 			}
 		}
 		catch (...) { }

 		if (!fsMounted)
-			CoreUnix::MountFilesystem (devicePath, mountPoint, filesystemType, readOnly, systemMountOptions);
+			CoreUnix::MountFilesystem (devicePath, mountPoint, filesystemType, readOnly, systemMountOptions, internalMountOnly);
 	}

 	void CoreLinux::MountVolumeNative (shared_ptr <Volume> volume, MountOptions &options, const DirectoryPath &auxMountPoint) const
@@ -629,17 +629,15 @@ namespace VeraCrypt
 			if (!options.NoFilesystem && options.MountPoint && !options.MountPoint->IsEmpty())
 			{
 				wstring filesystemType = options.FilesystemType;
+				bool internalMountOnly = false;

-				if (options.MountNtfsWithNtfs3 && filesystemType.empty()
-					&& DetectFilesystemType (nativeDevPath) == "ntfs")
-				{
-					filesystemType = L"ntfs3";
-				}
+				ResolveNtfsKernelMountOptions (nativeDevPath, options.MountNtfsWithKernelDriver, filesystemType, internalMountOnly);

 				MountFilesystem (nativeDevPath, *options.MountPoint,
 					StringConverter::ToSingle (filesystemType),
 					options.Protection == VolumeProtection::ReadOnly,
-					StringConverter::ToSingle (options.FilesystemOptions));
+					StringConverter::ToSingle (options.FilesystemOptions),
+					internalMountOnly);

 				filesystemMounted = true;
 			}
@@ -33,7 +33,7 @@ namespace VeraCrypt
 		virtual void DismountNativeVolumeDeferred (shared_ptr <VolumeInfo> mountedVolume) const;
 		virtual MountedFilesystemList GetMountedFilesystems (const DevicePath &devicePath = DevicePath(), const DirectoryPath &mountPoint = DirectoryPath()) const;
 		virtual bool IsLoopDeviceAttached (const DevicePath &devicePath) const;
-		virtual void MountFilesystem (const DevicePath &devicePath, const DirectoryPath &mountPoint, const string &filesystemType, bool readOnly, const string &systemMountOptions) const;
+		virtual void MountFilesystem (const DevicePath &devicePath, const DirectoryPath &mountPoint, const string &filesystemType, bool readOnly, const string &systemMountOptions, bool internalMountOnly = false) const;
 		virtual void MountVolumeNative (shared_ptr <Volume> volume, MountOptions &options, const DirectoryPath &auxMountPoint) const;

 	private:
@@ -141,8 +141,10 @@ namespace VeraCrypt
 		return mountedFilesystems;
 	}

-	void CoreOpenBSD::MountFilesystem (const DevicePath &devicePath, const DirectoryPath &mountPoint, const string &filesystemType, bool readOnly, const string &systemMountOptions) const
+	void CoreOpenBSD::MountFilesystem (const DevicePath &devicePath, const DirectoryPath &mountPoint, const string &filesystemType, bool readOnly, const string &systemMountOptions, bool internalMountOnly) const
 	{
+		(void) internalMountOnly;
+
 		try
 		{
 			// Try to mount FAT by default as mount is unable to probe filesystem type on BSD
@@ -33,7 +33,7 @@ namespace VeraCrypt
 		virtual DevicePath AttachFileToLoopDevice (const FilePath &filePath, bool readOnly) const;
 		virtual void DetachLoopDevice (const DevicePath &devicePath) const;
 		virtual MountedFilesystemList GetMountedFilesystems (const DevicePath &devicePath = DevicePath(), const DirectoryPath &mountPoint = DirectoryPath()) const;
-		virtual void MountFilesystem (const DevicePath &devicePath, const DirectoryPath &mountPoint, const string &filesystemType, bool readOnly, const string &systemMountOptions) const;
+		virtual void MountFilesystem (const DevicePath &devicePath, const DirectoryPath &mountPoint, const string &filesystemType, bool readOnly, const string &systemMountOptions, bool internalMountOnly = false) const;

 	private:
 		CoreOpenBSD (const CoreOpenBSD &);
@@ -157,8 +157,10 @@ namespace VeraCrypt
 		return mountedFilesystems;
 	}

-	void CoreSolaris::MountFilesystem (const DevicePath &devicePath, const DirectoryPath &mountPoint, const string &filesystemType, bool readOnly, const string &systemMountOptions) const
+	void CoreSolaris::MountFilesystem (const DevicePath &devicePath, const DirectoryPath &mountPoint, const string &filesystemType, bool readOnly, const string &systemMountOptions, bool internalMountOnly) const
 	{
+		(void) internalMountOnly;
+
 		try
 		{
 			// Try to mount FAT by default as mount is unable to probe filesystem type on Solaris
@@ -30,7 +30,7 @@ namespace VeraCrypt
 		virtual DevicePath AttachFileToLoopDevice (const FilePath &filePath, bool readOnly) const;
 		virtual void DetachLoopDevice (const DevicePath &devicePath) const;
 		virtual MountedFilesystemList GetMountedFilesystems (const DevicePath &devicePath = DevicePath(), const DirectoryPath &mountPoint = DirectoryPath()) const;
-		virtual void MountFilesystem (const DevicePath &devicePath, const DirectoryPath &mountPoint, const string &filesystemType, bool readOnly, const string &systemMountOptions) const;
+		virtual void MountFilesystem (const DevicePath &devicePath, const DirectoryPath &mountPoint, const string &filesystemType, bool readOnly, const string &systemMountOptions, bool internalMountOnly = false) const;

 	private:
 		CoreSolaris (const CoreSolaris &);
@@ -367,8 +367,20 @@ namespace VeraCrypt
 					ArgFilesystem = VolumeCreationOptions::FilesystemType::Ext4;
 				else if (str.IsSameAs (L"NTFS", false))
 					ArgFilesystem = VolumeCreationOptions::FilesystemType::NTFS;
+				else if (str.IsSameAs (L"kernel-ntfs", false)
+					|| str.IsSameAs (L"ntfs-kernel", false))
+				{
+					if (ArgCommand == CommandId::CreateVolume)
+						throw_err (LangString["UNKNOWN_OPTION"] + L": " + str);
+
+					ArgMountOptions.FilesystemType = L"kernel-ntfs";
+					ArgFilesystem = VolumeCreationOptions::FilesystemType::NTFS;
+				}
 				else if (str.IsSameAs (L"ntfs3", false))
 				{
+					if (ArgCommand == CommandId::CreateVolume)
+						throw_err (LangString["UNKNOWN_OPTION"] + L": " + str);
+
 					ArgMountOptions.FilesystemType = L"ntfs3";
 					ArgFilesystem = VolumeCreationOptions::FilesystemType::NTFS;
 				}
@@ -466,6 +478,10 @@ namespace VeraCrypt
 					ArgMountOptions.PartitionInSystemEncryptionScope = true;
 				else if (token == L"timestamp" || token == L"ts")
 					ArgMountOptions.PreserveTimestamps = false;
+#ifdef TC_LINUX
+				else if (token == L"kernelntfs" || token == L"kernel-ntfs")
+					ArgMountOptions.MountNtfsWithKernelDriver = true;
+#endif
 #ifdef TC_WINDOWS
 				else if (token == L"removable" || token == L"rm")
 					ArgMountOptions.Removable = true;
@@ -28,14 +28,14 @@
 namespace VeraCrypt
 {
 #ifdef TC_LINUX
-	class Ntfs3HelpIconWindow : public wxWindow
+	class KernelNtfsHelpIconWindow : public wxWindow
 	{
 	public:
-		Ntfs3HelpIconWindow (wxWindow *parent)
+		KernelNtfsHelpIconWindow (wxWindow *parent)
 			: wxWindow (parent, wxID_ANY, wxDefaultPosition, wxSize (16, 16))
 		{
 			SetMinSize (wxSize (16, 16));
-			Bind (wxEVT_PAINT, &Ntfs3HelpIconWindow::OnPaint, this);
+			Bind (wxEVT_PAINT, &KernelNtfsHelpIconWindow::OnPaint, this);
 		}

 	protected:
@@ -98,18 +98,18 @@ namespace VeraCrypt

 		FilesystemOptionsTextCtrl->SetValue (Preferences.DefaultMountOptions.FilesystemOptions);
 #ifdef TC_LINUX
-		wxBoxSizer *ntfs3PreferenceSizer = new wxBoxSizer (wxHORIZONTAL);
-		MountNtfsWithNtfs3CheckBox = new wxCheckBox (FilesystemSizer->GetStaticBox(), wxID_ANY, LangString["LINUX_PREF_MOUNT_NTFS_WITH_NTFS3"]);
-		MountNtfsWithNtfs3CheckBox->SetToolTip (LangString["LINUX_PREF_MOUNT_NTFS_WITH_NTFS3_HELP"]);
-		ntfs3PreferenceSizer->Add (MountNtfsWithNtfs3CheckBox, 0, wxALIGN_CENTER_VERTICAL | wxRIGHT, 5);
+		wxBoxSizer *kernelNtfsPreferenceSizer = new wxBoxSizer (wxHORIZONTAL);
+		MountNtfsWithKernelDriverCheckBox = new wxCheckBox (FilesystemSizer->GetStaticBox(), wxID_ANY, LangString["LINUX_PREF_MOUNT_NTFS_WITH_KERNEL_DRIVER"]);
+		MountNtfsWithKernelDriverCheckBox->SetToolTip (LangString["LINUX_PREF_MOUNT_NTFS_WITH_KERNEL_DRIVER_HELP"]);
+		kernelNtfsPreferenceSizer->Add (MountNtfsWithKernelDriverCheckBox, 0, wxALIGN_CENTER_VERTICAL | wxRIGHT, 5);

-		wxWindow *ntfs3HelpIcon = new Ntfs3HelpIconWindow (FilesystemSizer->GetStaticBox());
-		ntfs3HelpIcon->SetToolTip (LangString["LINUX_PREF_MOUNT_NTFS_WITH_NTFS3_HELP"]);
-		ntfs3PreferenceSizer->Add (ntfs3HelpIcon, 0, wxALIGN_CENTER_VERTICAL | wxLEFT, 10);
+		wxWindow *kernelNtfsHelpIcon = new KernelNtfsHelpIconWindow (FilesystemSizer->GetStaticBox());
+		kernelNtfsHelpIcon->SetToolTip (LangString["LINUX_PREF_MOUNT_NTFS_WITH_KERNEL_DRIVER_HELP"]);
+		kernelNtfsPreferenceSizer->Add (kernelNtfsHelpIcon, 0, wxALIGN_CENTER_VERTICAL | wxLEFT, 10);

-		FilesystemSizer->Add (ntfs3PreferenceSizer, 0, wxALL, 5);
+		FilesystemSizer->Add (kernelNtfsPreferenceSizer, 0, wxALL, 5);

-		MountNtfsWithNtfs3CheckBox->SetValidator (wxGenericValidator (&Preferences.DefaultMountOptions.MountNtfsWithNtfs3));
+		MountNtfsWithKernelDriverCheckBox->SetValidator (wxGenericValidator (&Preferences.DefaultMountOptions.MountNtfsWithKernelDriver));
 #endif

 		int index, prfInitialIndex = 0;
@@ -56,7 +56,7 @@ namespace VeraCrypt

 		KeyfilesPanel *DefaultKeyfilesPanel;
 #ifdef TC_LINUX
-		wxCheckBox *MountNtfsWithNtfs3CheckBox;
+		wxCheckBox *MountNtfsWithKernelDriverCheckBox;
 #endif
 		int LastVirtualKeyPressed;
 		unique_ptr <wxTimer> mTimer;
@@ -53,6 +53,7 @@ namespace VeraCrypt
 		VC_CONVERT_EXCEPTION (EncryptedSystemRequired);
 		VC_CONVERT_EXCEPTION (HigherFuseVersionRequired);
 		VC_CONVERT_EXCEPTION (KernelCryptoServiceTestFailed);
+		VC_CONVERT_EXCEPTION (KernelNtfsDriverUnavailable);
 		VC_CONVERT_EXCEPTION (LoopDeviceSetupFailed);
 		VC_CONVERT_EXCEPTION (MountPointRequired);
 		VC_CONVERT_EXCEPTION (MountPointUnavailable);
@@ -526,6 +526,7 @@ namespace VeraCrypt
 		EX2MSG (InvalidSecurityTokenKeyfilePath,	LangString["INVALID_TOKEN_KEYFILE_PATH"]);
 		EX2MSG (HigherVersionRequired,				LangString["NEW_VERSION_REQUIRED"]);
 		EX2MSG (KernelCryptoServiceTestFailed,		LangString["LINUX_EX2MSG_KERNELCRYPTOSERVICETESTFAILED"]);
+		EX2MSG (KernelNtfsDriverUnavailable,		LangString["LINUX_KERNEL_NTFS_DRIVER_UNAVAILABLE"]);
 		EX2MSG (KeyfilePathEmpty,					LangString["ERR_KEYFILE_PATH_EMPTY"]);
 		EX2MSG (LoopDeviceSetupFailed,				LangString["LINUX_EX2MSG_LOOPDEVICESETUPFAILED"]);
 		EX2MSG (MissingArgument,					LangString["LINUX_EX2MSG_MISSINGARGUMENT"]);
@@ -1307,13 +1308,22 @@ const FileManager fileManagers[] = {
 					" option specifies the filesystem to be created on the new volume.\n"
 					" Filesystem type 'none' disables mounting or creating a filesystem.\n"
 #ifdef TC_LINUX
-					" On Linux, filesystem type 'ntfs3' mounts an NTFS volume using the\n"
-					" in-kernel ntfs3 driver. The ntfs3 kernel module must be available\n"
-					" and allowed by the distribution; otherwise mounting may fail.\n"
-					" The Linux preference \"Mount NTFS volumes with the Linux kernel ntfs3\n"
+					" On Linux, filesystem type 'ntfs3' mounts with the in-kernel ntfs3\n"
+					" driver and bypasses mount helpers. Filesystem type 'kernel-ntfs'\n"
+					" mounts an NTFS volume using an available in-kernel NTFS driver.\n"
+					" These Linux driver selectors are mount-only; use filesystem type\n"
+					" 'NTFS' when creating a new NTFS volume.\n"
+					" VeraCrypt uses ntfs when it is positively identified as a modern\n"
+					" read/write driver or expected on Linux 7.1 or later;\n"
+					" otherwise it selects ntfs3.\n"
+					" The Linux preference \"Mount NTFS volumes with an in-kernel Linux\n"
 					" driver\" is disabled by default. When enabled, VeraCrypt probes the\n"
-					" decrypted virtual device with blkid -p and applies ntfs3 only when\n"
-					" NTFS is detected and no explicit filesystem type was supplied. If\n"
+					" decrypted virtual device with blkid -p and uses an available in-kernel\n"
+					" NTFS driver only when NTFS is detected and no explicit filesystem type\n"
+					" was supplied. The mount option -m kernelntfs enables the same detected\n"
+					" NTFS selection for the current mount; use --filesystem=kernel-ntfs to\n"
+					" force kernel-driver selection. If no supported in-kernel NTFS driver is\n"
+					" available, mounting fails instead of falling back to ntfs-3g. If\n"
 					" detection fails, VeraCrypt uses the normal automatic filesystem\n"
 					" selection. This can avoid suspend or hibernate hangs caused by frozen\n"
 					" user-space FUSE filesystems during kernel filesystem sync; use findmnt\n"
@@ -1369,6 +1379,10 @@ const FileManager fileManagers[] = {
 					"   is unmounted (note that the operating system under certain circumstances\n"
 					"   does not alter host-file timestamps, which may be mistakenly interpreted\n"
 					"   to mean that this option does not work).\n"
+#ifdef TC_LINUX
+					"  kernelntfs: Use an available in-kernel NTFS driver when NTFS is\n"
+					"   detected and no filesystem type was supplied.\n"
+#endif
 					" See also option --fs-options.\n"
 					"\n"
 					"--new-keyfiles=KEYFILE1[,KEYFILE2,KEYFILE3,...]\n"
@@ -1468,8 +1482,8 @@ const FileManager fileManagers[] = {
 					"veracrypt -t -k \"\" --pim=0 --protect-hidden=no volume.hc /media/veracrypt1\n"
 					"\n"
 #ifdef TC_LINUX
-					"Mount an NTFS volume using the Linux in-kernel ntfs3 driver:\n"
-					"veracrypt -t --filesystem=ntfs3 volume.hc /media/veracrypt1\n"
+					"Mount an NTFS volume using a Linux in-kernel NTFS driver:\n"
+					"veracrypt -t --filesystem=kernel-ntfs volume.hc /media/veracrypt1\n"
 					"\n"
 #endif
 					"Unmount a volume:\n"
@@ -1762,6 +1776,7 @@ const FileManager fileManagers[] = {
 		VC_CONVERT_EXCEPTION (EncryptedSystemRequired);
 		VC_CONVERT_EXCEPTION (HigherFuseVersionRequired);
 		VC_CONVERT_EXCEPTION (KernelCryptoServiceTestFailed);
+		VC_CONVERT_EXCEPTION (KernelNtfsDriverUnavailable);
 		VC_CONVERT_EXCEPTION (LoopDeviceSetupFailed);
 		VC_CONVERT_EXCEPTION (MountPointRequired);
 		VC_CONVERT_EXCEPTION (MountPointUnavailable);
@@ -103,7 +103,9 @@ namespace VeraCrypt
 			DefaultMountOptions.Protection = readOnly ? VolumeProtection::ReadOnly : VolumeProtection::None;

 #ifdef TC_LINUX
-			if (configMap.count(L"MountNtfsWithNtfs3") > 0) { SetValue (configMap[L"MountNtfsWithNtfs3"], DefaultMountOptions.MountNtfsWithNtfs3); configMap.erase (L"MountNtfsWithNtfs3"); }
+			if (configMap.count(L"MountNtfsWithKernelDriver") > 0) { SetValue (configMap[L"MountNtfsWithKernelDriver"], DefaultMountOptions.MountNtfsWithKernelDriver); configMap.erase (L"MountNtfsWithKernelDriver"); }
+			else if (configMap.count(L"MountNtfsWithNtfs3") > 0) { SetValue (configMap[L"MountNtfsWithNtfs3"], DefaultMountOptions.MountNtfsWithKernelDriver); }
+			configMap.erase (L"MountNtfsWithNtfs3");
 #endif
 			if (configMap.count(L"MountVolumesRemovable") > 0) { SetValue (configMap[L"MountVolumesRemovable"], DefaultMountOptions.Removable); configMap.erase (L"MountVolumesRemovable"); }
 			if (configMap.count(L"NoHardwareCrypto") > 0) { SetValue (configMap[L"NoHardwareCrypto"], DefaultMountOptions.NoHardwareCrypto); configMap.erase (L"NoHardwareCrypto"); }
@@ -225,7 +227,7 @@ namespace VeraCrypt
 		TC_CONFIG_ADD (MountFavoritesOnLogon);
 		formatter.AddEntry (L"MountVolumesReadOnly", DefaultMountOptions.Protection == VolumeProtection::ReadOnly);
 #ifdef TC_LINUX
-		formatter.AddEntry (L"MountNtfsWithNtfs3", DefaultMountOptions.MountNtfsWithNtfs3);
+		formatter.AddEntry (L"MountNtfsWithKernelDriver", DefaultMountOptions.MountNtfsWithKernelDriver);
 #endif
 		formatter.AddEntry (L"MountVolumesRemovable", DefaultMountOptions.Removable);
 		formatter.AddEntry (L"NoHardwareCrypto", DefaultMountOptions.NoHardwareCrypto);