Windows: Implement RAM encryption for keys on 64-bit machines using ChaCha12 cipher and t1ha non-cryptographic fast hash (https://github.com/leo-yuriev/t1ha)

2025-11-12 19:38:26 -06:00 · 2019-02-26 01:50:27 +01:00
parent 29b749bdd9
commit cf48b532b4
21 changed files with 2241 additions and 21 deletions
--- a/src/Mount/Mount.c
+++ b/src/Mount/Mount.c
@@ -11125,6 +11125,16 @@ static BOOL CALLBACK PerformanceSettingsDlgProc (HWND hwndDlg, UINT msg, WPARAM
 				EnableWindow (GetDlgItem (hwndDlg, IDC_ENABLE_CPU_RNG), FALSE);
 			}

+			if (IsOSAtLeast (WIN_7) && IsRamEncryptionSupported())
+			{
+				CheckDlgButton (hwndDlg, IDC_ENABLE_RAM_ENCRYPTION, (driverConfig & VC_DRIVER_CONFIG_ENABLE_RAM_ENCRYPTION) ? BST_CHECKED : BST_UNCHECKED);
+			}
+			else
+			{
+				CheckDlgButton (hwndDlg, IDC_ENABLE_RAM_ENCRYPTION,  BST_UNCHECKED);
+				EnableWindow (GetDlgItem (hwndDlg, IDC_ENABLE_RAM_ENCRYPTION), FALSE);
+			}
+
 			SYSTEM_INFO sysInfo;
 			GetSystemInfo (&sysInfo);

@@ -11181,6 +11191,7 @@ static BOOL CALLBACK PerformanceSettingsDlgProc (HWND hwndDlg, UINT msg, WPARAM

 				BOOL disableHW = !IsDlgButtonChecked (hwndDlg, IDC_ENABLE_HARDWARE_ENCRYPTION);
 				BOOL enableCpuRng = IsDlgButtonChecked (hwndDlg, IDC_ENABLE_CPU_RNG);
+				BOOL enableRamEncryption = IsDlgButtonChecked (hwndDlg, IDC_ENABLE_RAM_ENCRYPTION);
 				BOOL enableExtendedIOCTL = IsDlgButtonChecked (hwndDlg, IDC_ENABLE_EXTENDED_IOCTL_SUPPORT);
 				BOOL allowTrimCommand = IsDlgButtonChecked (hwndDlg, IDC_ALLOW_TRIM_NONSYS_SSD);
 				BOOL allowWindowsDefrag = IsDlgButtonChecked (hwndDlg, IDC_ALLOW_WINDOWS_DEFRAG);
@@ -11224,6 +11235,8 @@ static BOOL CALLBACK PerformanceSettingsDlgProc (HWND hwndDlg, UINT msg, WPARAM
 					if (IsOSAtLeast (WIN_8_1))
 						SetDriverConfigurationFlag (VC_DRIVER_CONFIG_ALLOW_WINDOWS_DEFRAG, allowWindowsDefrag);
 					SetDriverConfigurationFlag (VC_DRIVER_CONFIG_ENABLE_CPU_RNG, enableCpuRng);
+					if (IsOSAtLeast (WIN_7))
+						SetDriverConfigurationFlag (VC_DRIVER_CONFIG_ENABLE_RAM_ENCRYPTION, enableRamEncryption);

 					DWORD bytesReturned;
 					if (!DeviceIoControl (hDriver, TC_IOCTL_REREAD_DRIVER_CONFIG, NULL, 0, NULL, 0, &bytesReturned, NULL))
--- a/src/Mount/Mount.rc
+++ b/src/Mount/Mount.rc
@@ -311,7 +311,7 @@ BEGIN
                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,16,112,340,10
 END

-IDD_PERFORMANCE_SETTINGS DIALOGEX 0, 0, 371, 279
+IDD_PERFORMANCE_SETTINGS DIALOGEX 0, 0, 371, 293
 STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | DS_CENTER | WS_POPUP | WS_CAPTION | WS_SYSMENU
 CAPTION "VeraCrypt - Performance Options"
 FONT 8, "MS Shell Dlg", 400, 0, 0x1
@@ -329,17 +329,19 @@ BEGIN
                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,198,337,10
    CONTROL         "Allow TRIM command for non-system SSD partition/drive",IDC_ALLOW_TRIM_NONSYS_SSD,
                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,212,337,10
-    PUSHBUTTON      "&Benchmark",IDC_BENCHMARK,7,258,59,14
-    DEFPUSHBUTTON   "OK",IDOK,257,258,50,14
-    PUSHBUTTON      "Cancel",IDCANCEL,314,258,50,14
+    PUSHBUTTON      "&Benchmark",IDC_BENCHMARK,7,272,59,14
+    DEFPUSHBUTTON   "OK",IDOK,257,272,50,14
+    PUSHBUTTON      "Cancel",IDCANCEL,314,272,50,14
    LTEXT           "Processor (CPU) in this computer supports hardware acceleration for AES:",IDT_HW_AES_SUPPORTED_BY_CPU,18,23,273,9
    GROUPBOX        "Hardware Acceleration",IDT_ACCELERATION_OPTIONS,7,6,355,74
    GROUPBOX        "Thread-Based Parallelization",IDT_PARALLELIZATION_OPTIONS,7,84,355,93
-    GROUPBOX        "Driver Configuration",IDT_DRIVER_OPTIONS,7,183,357,72
+    GROUPBOX        "Driver Configuration",IDT_DRIVER_OPTIONS,7,183,357,86
    CONTROL         "Allow Windows Disk Defragmenter to defragment non-system partition/drive",IDC_ALLOW_WINDOWS_DEFRAG,
                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,226,337,10
    CONTROL         "Use CPU hardware random generator as an additional source of entropy",IDC_ENABLE_CPU_RNG,
                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,240,335,10
+    CONTROL         "Activate encryption of keys and passwords stored in RAM",IDC_ENABLE_RAM_ENCRYPTION,
+                    "Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,254,337,10
 END

 IDD_FAVORITE_VOLUMES DIALOGEX 0, 0, 380, 368
@@ -508,7 +510,7 @@ BEGIN
        LEFTMARGIN, 7
        RIGHTMARGIN, 364
        TOPMARGIN, 7
-        BOTTOMMARGIN, 272
+        BOTTOMMARGIN, 286
    END

    IDD_FAVORITE_VOLUMES, DIALOG
--- a/src/Mount/Resource.h
+++ b/src/Mount/Resource.h
@@ -193,6 +193,7 @@
 #define IDC_LOWER_BOX                   1170
 #define IDC_CLEAR_KEYS_ON_NEW_DEVICE_INSERTION 1171
 #define IDC_ENABLE_CPU_RNG              1172
+#define IDC_ENABLE_RAM_ENCRYPTION       1173
 #define IDM_HELP                        40001
 #define IDM_ABOUT                       40002
 #define IDM_UNMOUNT_VOLUME              40003
@@ -269,7 +270,7 @@
 #define _APS_NO_MFC                     1
 #define _APS_NEXT_RESOURCE_VALUE        120
 #define _APS_NEXT_COMMAND_VALUE         40069
-#define _APS_NEXT_CONTROL_VALUE         1173
+#define _APS_NEXT_CONTROL_VALUE         1174
 #define _APS_NEXT_SYMED_VALUE           101
 #endif
 #endif