Public/VeraCrypt
1
0
Fork 0
mirror of https://github.com/veracrypt/VeraCrypt.git synced 2025-11-11 11:08:02 -06:00
Code Activity

Windows: Implement support for mounting partially encrypted system partitions

Browse Source 
For now, we force ReadOnly mounting for such partitions.
This commit is contained in:
Mounir IDRASSI
2023-08-13 22:50:37 +02:00
parent 8c7962bda7
commit f84d235cf1
7 changed files with 34 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
src/Common/Apidrvr.h
View File

@@ -166,6 +166,7 @@ typedef struct
BOOL RecoveryMode; BOOL RecoveryMode;
int pkcs5_prf; int pkcs5_prf;
int ProtectedHidVolPkcs5Prf; int ProtectedHidVolPkcs5Prf;
BOOL VolumeMountedReadOnlyAfterPartialSysEnc;
uint32 BytesPerPhysicalSector; uint32 BytesPerPhysicalSector;
int VolumePim; int VolumePim;
int ProtectedHidVolPim; int ProtectedHidVolPim;

11
src/Common/Dlgcode.c
View File

@@ -9253,6 +9253,17 @@ retry:
} }
} }
if (mount.VolumeMountedReadOnlyAfterPartialSysEnc
&& !Silent
&& bDevice)
{
wchar_t msg[1024];
wchar_t mountPoint[] = { L'A' + (wchar_t) driveNo, L':', 0 };
StringCbPrintfW (msg, sizeof(msg), GetString ("PARTIAL_SYSENC_MOUNT_READONLY"), mountPoint);
WarningDirect (msg, hwndDlg);
}
if (mount.wszLabel[0] && !mount.bDriverSetLabel) if (mount.wszLabel[0] && !mount.bDriverSetLabel)
{ {
// try setting the drive label on user-mode using registry // try setting the drive label on user-mode using registry

1
src/Common/Language.xml
View File

@@ -1631,6 +1631,7 @@
<entry lang="en" key="EXPANDER_MOUNTING_VOLUME">Mounting volume ...\n</entry> <entry lang="en" key="EXPANDER_MOUNTING_VOLUME">Mounting volume ...\n</entry>
<entry lang="en" key="EXPANDER_UNMOUNTING_VOLUME">Unmounting volume ...\n</entry> <entry lang="en" key="EXPANDER_UNMOUNTING_VOLUME">Unmounting volume ...\n</entry>
<entry lang="en" key="EXPANDER_EXTENDING_FILESYSTEM">Extending file system ...\n</entry> <entry lang="en" key="EXPANDER_EXTENDING_FILESYSTEM">Extending file system ...\n</entry>
<entry lang="en" key="PARTIAL_SYSENC_MOUNT_READONLY">Warning: The system partition you attempted to mount was not fully encrypted. As a safety measure to prevent potential corruption or unwanted modifications, volume '%s' was mounted as read-only.</entry>
</localization> </localization>
<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema"> <xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="VeraCrypt"> <xs:element name="VeraCrypt">

2
src/Driver/EncryptedIoQueue.c
View File

@@ -797,7 +797,7 @@ static VOID MainThreadProc (PVOID threadArg)
request->OrigDataBufferFragment = dataBuffer; request->OrigDataBufferFragment = dataBuffer;
request->Length = dataFragmentLength; request->Length = dataFragmentLength;
if (queue->IsFilterDevice) if (queue->IsFilterDevice || queue->bSupportPartialEncryption)
{ {
if (queue->EncryptedAreaStart == -1 || queue->EncryptedAreaEnd == -1) if (queue->EncryptedAreaStart == -1 || queue->EncryptedAreaEnd == -1)
{ {

1
src/Driver/EncryptedIoQueue.h
View File

@@ -49,6 +49,7 @@ typedef struct
// File-handle-based IO // File-handle-based IO
HANDLE HostFileHandle; HANDLE HostFileHandle;
BOOL bSupportPartialEncryption;
int64 VirtualDeviceLength; int64 VirtualDeviceLength;
SECURITY_CLIENT_CONTEXT *SecurityClientContext; SECURITY_CLIENT_CONTEXT *SecurityClientContext;

15
src/Driver/Ntdriver.c
View File

@@ -3156,6 +3156,21 @@ VOID VolumeThreadProc (PVOID Context)
Extension->Queue.HostFileHandle = Extension->hDeviceFile; Extension->Queue.HostFileHandle = Extension->hDeviceFile;
Extension->Queue.VirtualDeviceLength = Extension->DiskLength; Extension->Queue.VirtualDeviceLength = Extension->DiskLength;
Extension->Queue.MaxReadAheadOffset.QuadPart = Extension->HostLength; Extension->Queue.MaxReadAheadOffset.QuadPart = Extension->HostLength;
if (bDevice && pThreadBlock->mount->bPartitionInInactiveSysEncScope
&& (!Extension->cryptoInfo->hiddenVolume)
&& (Extension->cryptoInfo->EncryptedAreaLength.Value != Extension->cryptoInfo->VolumeSize.Value)
)
{
// Support partial encryption only in the case of system encryption
Extension->Queue.EncryptedAreaStart = 0;
Extension->Queue.EncryptedAreaEnd = Extension->cryptoInfo->EncryptedAreaLength.Value - 1;
if (Extension->Queue.CryptoInfo->EncryptedAreaLength.Value == 0)
{
Extension->Queue.EncryptedAreaStart = -1;
Extension->Queue.EncryptedAreaEnd = -1;
}
Extension->Queue.bSupportPartialEncryption = TRUE;
}
if (Extension->SecurityClientContextValid) if (Extension->SecurityClientContextValid)
Extension->Queue.SecurityClientContext = &Extension->SecurityClientContext; Extension->Queue.SecurityClientContext = &Extension->SecurityClientContext;

8
src/Driver/Ntvol.c
View File

@@ -88,6 +88,7 @@ NTSTATUS TCOpenVolume (PDEVICE_OBJECT DeviceObject,
} }
mount->VolumeMountedReadOnlyAfterDeviceWriteProtected = FALSE; mount->VolumeMountedReadOnlyAfterDeviceWriteProtected = FALSE;
mount->VolumeMountedReadOnlyAfterPartialSysEnc = FALSE;
// If we are opening a device, query its size first // If we are opening a device, query its size first
if (bRawDevice) if (bRawDevice)
@@ -677,10 +678,9 @@ NTSTATUS TCOpenVolume (PDEVICE_OBJECT DeviceObject,
if (Extension->cryptoInfo->EncryptedAreaLength.Value != Extension->cryptoInfo->VolumeSize.Value) if (Extension->cryptoInfo->EncryptedAreaLength.Value != Extension->cryptoInfo->VolumeSize.Value)
{ {
// Partial encryption is not supported for volumes mounted as regular // mount as readonly in case of partial system encryption
mount->nReturnCode = ERR_ENCRYPTION_NOT_COMPLETED; Extension->bReadOnly = mount->bMountReadOnly = TRUE;
ntStatus = STATUS_SUCCESS; mount->VolumeMountedReadOnlyAfterPartialSysEnc = TRUE;
goto error;
} }
} }
else if (Extension->cryptoInfo->HeaderFlags & TC_HEADER_FLAG_NONSYS_INPLACE_ENC) else if (Extension->cryptoInfo->HeaderFlags & TC_HEADER_FLAG_NONSYS_INPLACE_ENC)