Windows: Implement Evil-Maid-Attack detection mechanism. Write the correct bootloader when changing the system encryption password: this enables to recover if an attack is detected.

2024-11-28 05:53:29 +01:00 · 2015-07-29 00:09:14 +02:00 · 2015-07-29 00:09:14 +02:00 · 6ca598f841
commit 6ca598f841
parent 69a8ad5bba
10 changed files with 221 additions and 8 deletions
--- a/src/Common/Apidrvr.h
+++ b/src/Common/Apidrvr.h
@ -62,6 +62,7 @@
 #define TC_IOCTL_SET_SYSTEM_FAVORITE_VOLUME_DIRTY		TC_IOCTL (36)
 #define TC_IOCTL_REREAD_DRIVER_CONFIG					TC_IOCTL (37)
 #define TC_IOCTL_GET_SYSTEM_DRIVE_DUMP_CONFIG			TC_IOCTL (38)
+#define VC_IOCTL_GET_BOOT_LOADER_FINGERPRINT			TC_IOCTL (39)

 // Legacy IOCTLs used before version 5.0
 #define TC_IOCTL_LEGACY_GET_DRIVER_VERSION		466968
@ -254,6 +255,11 @@ typedef struct
 	char BootPrfAlgorithmName[256];
 } GetBootEncryptionAlgorithmNameRequest;

+typedef struct
+{
+	byte Fingerprint[WHIRLPOOL_DIGESTSIZE + SHA512_DIGESTSIZE];
+} BootLoaderFingerprintRequest;
+
 typedef struct
 {
 	wchar_t DevicePath[TC_MAX_PATH];
--- a/src/Common/BootEncryption.cpp
+++ b/src/Common/BootEncryption.cpp
@ -826,6 +826,12 @@ namespace VeraCrypt
 		return version;
 	}

+	void BootEncryption::GetInstalledBootLoaderFingerprint (byte fingerprint[WHIRLPOOL_DIGESTSIZE + SHA512_DIGESTSIZE])
+	{
+		BootLoaderFingerprintRequest request;
+		CallDriver (VC_IOCTL_GET_BOOT_LOADER_FINGERPRINT, NULL, 0, &request, sizeof (request));
+		memcpy (fingerprint, request.Fingerprint, sizeof (request.Fingerprint));
+	}

 	// Note that this does not require admin rights (it just requires the driver to be running)
 	bool BootEncryption::IsBootLoaderOnDrive (char *devicePath)
@ -1492,12 +1498,18 @@ namespace VeraCrypt

 	void BootEncryption::InstallBootLoader (bool preserveUserConfig, bool hiddenOSCreation)
 	{
-		byte bootLoaderBuf[TC_BOOT_LOADER_AREA_SIZE - TC_BOOT_ENCRYPTION_VOLUME_HEADER_SIZE];
+		Device device (GetSystemDriveConfiguration().DevicePath);
+		device.CheckOpened (SRC_POS);
+
+		InstallBootLoader (device, preserveUserConfig, hiddenOSCreation);
+	}
+
+	void BootEncryption::InstallBootLoader (Device& device, bool preserveUserConfig, bool hiddenOSCreation)
+	{
+		byte bootLoaderBuf[TC_BOOT_LOADER_AREA_SIZE - TC_BOOT_ENCRYPTION_VOLUME_HEADER_SIZE] = {0};
 		CreateBootLoaderInMemory (bootLoaderBuf, sizeof (bootLoaderBuf), false, hiddenOSCreation);

 		// Write MBR
-		Device device (GetSystemDriveConfiguration().DevicePath);
-		device.CheckOpened (SRC_POS);
 		byte mbr[TC_SECTOR_SIZE_BIOS];

 		device.SeekAt (0);
@ -1530,6 +1542,38 @@ namespace VeraCrypt
 		device.Write (bootLoaderBuf + TC_SECTOR_SIZE_BIOS, sizeof (bootLoaderBuf) - TC_SECTOR_SIZE_BIOS);
 	}

+#ifndef SETUP
+	bool BootEncryption::CheckBootloaderFingerprint (bool bSilent)
+	{
+		byte bootLoaderBuf[TC_BOOT_LOADER_AREA_SIZE - TC_BOOT_ENCRYPTION_VOLUME_HEADER_SIZE] = {0};
+		byte fingerprint[WHIRLPOOL_DIGESTSIZE + SHA512_DIGESTSIZE];
+		byte expectedFingerprint[WHIRLPOOL_DIGESTSIZE + SHA512_DIGESTSIZE];
+		bool bRet = false;
+
+		try
+		{
+			// read bootloader fingerprint
+			GetInstalledBootLoaderFingerprint (fingerprint);
+
+			// compute expected fingerprint
+			CreateBootLoaderInMemory (bootLoaderBuf, sizeof (bootLoaderBuf), false, false);
+			::ComputeBootloaderFingerprint (bootLoaderBuf, sizeof (bootLoaderBuf), expectedFingerprint);
+
+			// compare values
+			if (0 == memcmp (fingerprint, expectedFingerprint, sizeof (expectedFingerprint)))
+			{
+				bRet = true;
+			}
+		}
+		catch (Exception& e)
+		{
+			if (!bSilent)
+				e.Show (ParentWindow);
+		}
+
+		return bRet;
+	}
+#endif

 	string BootEncryption::GetSystemLoaderBackupPath ()
 	{
@ -2415,6 +2459,15 @@ namespace VeraCrypt
 			reopenRequest.pim = pim;
 			finally_do_arg (ReopenBootVolumeHeaderRequest*, &reopenRequest, { burn (finally_arg, sizeof (*finally_arg)); });

+			try
+			{
+				// force update of bootloader if fingerprint doesn't match
+				if (!CheckBootloaderFingerprint (true))
+					InstallBootLoader (device, true);
+			}
+			catch (...)
+			{}
+
 			CallDriver (TC_IOCTL_REOPEN_BOOT_VOLUME_HEADER, &reopenRequest, sizeof (reopenRequest));
 		}

--- a/src/Common/BootEncryption.h
+++ b/src/Common/BootEncryption.h
@ -140,6 +140,7 @@ namespace VeraCrypt
 			DumpFilter
 		};

+		void SetParentWindow (HWND parent) { ParentWindow = parent; }
 		void AbortDecoyOSWipe ();
 		void AbortSetup ();
 		void AbortSetupWait ();
@ -157,6 +158,7 @@ namespace VeraCrypt
 		DWORD GetDriverServiceStartType ();
 		unsigned int GetHiddenOSCreationPhase ();
 		uint16 GetInstalledBootLoaderVersion ();
+		void GetInstalledBootLoaderFingerprint (byte fingerprint[WHIRLPOOL_DIGESTSIZE + SHA512_DIGESTSIZE]);
 		Partition GetPartitionForHiddenOS ();
 		bool IsBootLoaderOnDrive (char *devicePath);
 		BootEncryptionStatus GetStatus ();
@ -164,7 +166,9 @@ namespace VeraCrypt
 		void GetVolumeProperties (VOLUME_PROPERTIES_STRUCT *properties);
 		SystemDriveConfiguration GetSystemDriveConfiguration ();
 		void Install (bool hiddenSystem);
+		void InstallBootLoader (Device& device, bool preserveUserConfig = false, bool hiddenOSCreation = false);
 		void InstallBootLoader (bool preserveUserConfig = false, bool hiddenOSCreation = false);
+		bool CheckBootloaderFingerprint (bool bSilent = false);
 		void InvalidateCachedSysDriveProperties ();
 		bool IsCDDrivePresent ();
 		bool IsHiddenSystemRunning ();
--- a/src/Common/Language.xml
+++ b/src/Common/Language.xml
@ -1059,6 +1059,7 @@
    <string lang="en" key="SYS_LOADER_RESTORE_FAILED">Failed to restore the original system loader.\n\nPlease use your VeraCrypt Rescue Disk ('Repair Options' > 'Restore original system loader') or Windows installation medium to replace the VeraCrypt Boot Loader with the Windows system loader.</string>
    <string lang="en" key="SYS_LOADER_UNAVAILABLE_FOR_RESCUE_DISK">The original system loader will not be stored on the Rescue Disk (probable cause: missing backup file).</string>
    <string lang="en" key="ERROR_MBR_PROTECTED">Failed to write the MBR sector.\n\nYour BIOS may be configured to protect the MBR sector. Check your BIOS settings (press F2, Delete, or Esc, after powering on your computer) for MBR/antivirus protection.</string>
+    <string lang="en" key="BOOT_LOADER_FINGERPRINT_CHECK_FAILED">WARNING: The verification of VeraCrypt bootloader fingerprint failed!\nYour disk may have been tampered with by an attacker ("Evil Maid" attack).\n\nThis warning can also be triggered if you restored VeraCrypt boot loader using an Rescue Disk generated using a different VeraCrypt version.\n\nYou are advised to change your password immediately which will also restore the correct VeraCrypt bootloader. It is recommended to reinstall VeraCrypt and to take measures to avoid access to this machine by untrusted entities.</string>
    <string lang="en" key="BOOT_LOADER_VERSION_INCORRECT_PREFERENCES">The required version of the VeraCrypt Boot Loader is currently not installed. This may prevent some of the settings from being saved.</string>
    <string lang="en" key="CUSTOM_BOOT_LOADER_MESSAGE_HELP">Note: In some situations, you may wish to prevent a person (adversary) that is watching you start the computer from knowing that you use VeraCrypt. The above options allow you to do that by customizing the VeraCrypt boot loader screen. If you enable the first option, no texts will be displayed by the boot loader (not even when you enter the wrong password). The computer will appear to be "frozen" while you can type your password. In addition, a custom message can be displayed to mislead the adversary. For example, fake error messages such as "Missing operating system" (which is normally displayed by the Windows boot loader if it finds no Windows boot partition). It is, however, important to note that if the adversary can analyze the content of the hard drive, he can still find out that it contains the VeraCrypt boot loader.</string>
    <string lang="en" key="CUSTOM_BOOT_LOADER_MESSAGE_PROMPT">WARNING: Please keep in mind that if you enable this option, the VeraCrypt boot loader will not display any texts (not even when you enter the wrong password). The computer will appear to be "frozen" (unresponsive) while you can type your password (the cursor will NOT move and no asterisk will be displayed when you press a key).\n\nAre you sure you want to enable this option?</string>
--- a/src/Common/Volumes.c
+++ b/src/Common/Volumes.c
@ -35,6 +35,7 @@

 #ifdef _WIN32
 #include <Strsafe.h>
+#include "../Boot/Windows/BootCommon.h"
 #endif

 /* Volume header v5 structure (used since TrueCrypt 7.0): */
@ -578,6 +579,42 @@ KeyReady:	;
 	return status;
 }

+#ifdef _WIN32
+void ComputeBootloaderFingerprint (byte *bootLoaderBuf, unsigned int bootLoaderSize, byte* fingerprint)
+{
+	// compute Whirlpool+SHA512 fingerprint of bootloader including MBR
+	// we skip user configuration fields:
+	// TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET = 402
+	//  => TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_SIZE = 4
+	// TC_BOOT_SECTOR_USER_MESSAGE_OFFSET     = 406
+	//  => TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH = 24
+	// TC_BOOT_SECTOR_USER_CONFIG_OFFSET      = 438
+	//
+	// we have: TC_BOOT_SECTOR_USER_MESSAGE_OFFSET = TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET + TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_SIZE
+
+	WHIRLPOOL_CTX whirlpool;
+	sha512_ctx sha2;
+	
+	WHIRLPOOL_init (&whirlpool);
+	sha512_begin (&sha2);
+
+	WHIRLPOOL_add (bootLoaderBuf, TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET * 8, &whirlpool);
+	sha512_hash (bootLoaderBuf, TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET, &sha2);
+
+	WHIRLPOOL_add (bootLoaderBuf + TC_BOOT_SECTOR_USER_MESSAGE_OFFSET + TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH, (TC_BOOT_SECTOR_USER_CONFIG_OFFSET - (TC_BOOT_SECTOR_USER_MESSAGE_OFFSET + TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH)) * 8, &whirlpool);
+	sha512_hash (bootLoaderBuf + TC_BOOT_SECTOR_USER_MESSAGE_OFFSET + TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH, (TC_BOOT_SECTOR_USER_CONFIG_OFFSET - (TC_BOOT_SECTOR_USER_MESSAGE_OFFSET + TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH)), &sha2);
+
+	WHIRLPOOL_add (bootLoaderBuf + TC_BOOT_SECTOR_USER_CONFIG_OFFSET + 1, (TC_MAX_MBR_BOOT_CODE_SIZE - (TC_BOOT_SECTOR_USER_CONFIG_OFFSET + 1)) * 8, &whirlpool);
+	sha512_hash (bootLoaderBuf + TC_BOOT_SECTOR_USER_CONFIG_OFFSET + 1, (TC_MAX_MBR_BOOT_CODE_SIZE - (TC_BOOT_SECTOR_USER_CONFIG_OFFSET + 1)), &sha2);
+
+	WHIRLPOOL_add (bootLoaderBuf + TC_SECTOR_SIZE_BIOS, (bootLoaderSize - TC_SECTOR_SIZE_BIOS) * 8, &whirlpool);
+	sha512_hash (bootLoaderBuf + TC_SECTOR_SIZE_BIOS, (bootLoaderSize - TC_SECTOR_SIZE_BIOS), &sha2);
+
+	WHIRLPOOL_finalize (&whirlpool, fingerprint);
+	sha512_end (&fingerprint [WHIRLPOOL_DIGESTSIZE], &sha2);
+}
+#endif
+
 #else // TC_WINDOWS_BOOT

 int ReadVolumeHeader (BOOL bBoot, char *header, Password *password, int pim, PCRYPTO_INFO *retInfo, CRYPTO_INFO *retHeaderCryptoInfo)
--- a/src/Common/Volumes.h
+++ b/src/Common/Volumes.h
@ -130,6 +130,9 @@ UINT64_STRUCT GetHeaderField64 (byte *header, int offset);
 int ReadVolumeHeader (BOOL bBoot, char *encryptedHeader, Password *password, int pim, PCRYPTO_INFO *retInfo, CRYPTO_INFO *retHeaderCryptoInfo);
 #else
 int ReadVolumeHeader (BOOL bBoot, char *encryptedHeader, Password *password, int pkcs5_prf, int pim, BOOL truecryptMode, PCRYPTO_INFO *retInfo, CRYPTO_INFO *retHeaderCryptoInfo);
+#ifdef _WIN32
+void ComputeBootloaderFingerprint (byte *bootLoaderBuf, unsigned int bootLoaderSize, byte* fingerprint);
+#endif
 #endif

 #if !defined (DEVICE_DRIVER) && !defined (TC_WINDOWS_BOOT)
--- a/src/Driver/DriveFilter.c
+++ b/src/Driver/DriveFilter.c
@ -35,6 +35,7 @@ static KMUTEX MountMutex;
 static volatile BOOL BootDriveFound = FALSE;
 static DriveFilterExtension *BootDriveFilterExtension = NULL;
 static LARGE_INTEGER BootDriveLength;
+static byte BootLoaderFingerprint[WHIRLPOOL_DIGESTSIZE + SHA512_DIGESTSIZE];

 static BOOL CrashDumpEnabled = FALSE;
 static BOOL HibernationEnabled = FALSE;
@ -121,6 +122,9 @@ NTSTATUS LoadBootArguments ()
 				if (CacheBootPassword && BootArgs.BootPassword.Length > 0)
 					AddPasswordToCache (&BootArgs.BootPassword);

+				// clear fingerprint
+				burn (BootLoaderFingerprint, sizeof (BootLoaderFingerprint));
+
 				status = STATUS_SUCCESS;
 			}
 		}
@ -216,6 +220,77 @@ static void DismountDrive (DriveFilterExtension *Extension, BOOL stopIoQueue)
 	Extension->DriveMounted = FALSE;
 }

+static void ComputeBootLoaderFingerprint(PDEVICE_OBJECT LowerDeviceObject, byte* ioBuffer /* ioBuffer must be at least 512 bytes long */)
+{
+	NTSTATUS status;
+	LARGE_INTEGER offset;
+	WHIRLPOOL_CTX whirlpool;
+	sha512_ctx sha2;
+	ULONG bytesToRead, remainingBytes, bootloaderTotalSize = TC_BOOT_LOADER_AREA_SIZE - TC_BOOT_ENCRYPTION_VOLUME_HEADER_SIZE;
+
+	// clear fingerprint
+	burn (BootLoaderFingerprint, sizeof (BootLoaderFingerprint));
+
+	// compute Whirlpool+SHA512 fingerprint of bootloader including MBR
+	// we skip user configuration fields:
+	// TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET = 402
+	//  => TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_SIZE = 4
+	// TC_BOOT_SECTOR_USER_MESSAGE_OFFSET     = 406
+	//  => TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH = 24
+	// TC_BOOT_SECTOR_USER_CONFIG_OFFSET      = 438
+	//
+	// we have: TC_BOOT_SECTOR_USER_MESSAGE_OFFSET = TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET + TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_SIZE
+	
+	WHIRLPOOL_init (&whirlpool);
+	sha512_begin (&sha2);
+	// read the first 512 bytes
+	offset.QuadPart = 0;
+
+	status = TCReadDevice (LowerDeviceObject, ioBuffer, offset, TC_SECTOR_SIZE_BIOS);
+	if (NT_SUCCESS (status))
+	{
+		WHIRLPOOL_add (ioBuffer, TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET * 8, &whirlpool);
+		WHIRLPOOL_add (ioBuffer + TC_BOOT_SECTOR_USER_MESSAGE_OFFSET + TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH, (TC_BOOT_SECTOR_USER_CONFIG_OFFSET - (TC_BOOT_SECTOR_USER_MESSAGE_OFFSET + TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH)) * 8, &whirlpool);
+		WHIRLPOOL_add (ioBuffer + TC_BOOT_SECTOR_USER_CONFIG_OFFSET + 1, (TC_MAX_MBR_BOOT_CODE_SIZE - (TC_BOOT_SECTOR_USER_CONFIG_OFFSET + 1)) * 8, &whirlpool);
+
+		sha512_hash (ioBuffer, TC_BOOT_SECTOR_OUTER_VOLUME_BAK_HEADER_CRC_OFFSET, &sha2);
+		sha512_hash (ioBuffer + TC_BOOT_SECTOR_USER_MESSAGE_OFFSET + TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH, (TC_BOOT_SECTOR_USER_CONFIG_OFFSET - (TC_BOOT_SECTOR_USER_MESSAGE_OFFSET + TC_BOOT_SECTOR_USER_MESSAGE_MAX_LENGTH)), &sha2);
+		sha512_hash (ioBuffer + TC_BOOT_SECTOR_USER_CONFIG_OFFSET + 1, (TC_MAX_MBR_BOOT_CODE_SIZE - (TC_BOOT_SECTOR_USER_CONFIG_OFFSET + 1)), &sha2);
+
+		// we has the reste of the bootloader, 512 bytes at a time
+		offset.QuadPart = TC_SECTOR_SIZE_BIOS;
+		remainingBytes = bootloaderTotalSize - TC_SECTOR_SIZE_BIOS;
+
+		while (NT_SUCCESS (status) && (remainingBytes > 0))
+		{
+			bytesToRead = (remainingBytes >= TC_SECTOR_SIZE_BIOS)? TC_SECTOR_SIZE_BIOS : remainingBytes;
+			status = TCReadDevice (LowerDeviceObject, ioBuffer, offset, bytesToRead);
+			if (NT_SUCCESS (status))
+			{
+				remainingBytes -= bytesToRead;
+				offset.QuadPart += bytesToRead;
+				WHIRLPOOL_add (ioBuffer, bytesToRead * 8, &whirlpool);
+				sha512_hash (ioBuffer, bytesToRead, &sha2);
+			}
+			else
+			{
+				Dump ("TCReadDevice error %x during ComputeBootLoaderFingerprint call\n", status);
+				break;
+			}
+		}
+
+		if (NT_SUCCESS (status))
+		{
+			WHIRLPOOL_finalize (&whirlpool, BootLoaderFingerprint);
+			sha512_end (&BootLoaderFingerprint [WHIRLPOOL_DIGESTSIZE], &sha2);
+		}
+	}
+	else
+	{
+		Dump ("TCReadDevice error %x during ComputeBootLoaderFingerprint call\n", status);
+	}
+}
+

 static NTSTATUS MountDrive (DriveFilterExtension *Extension, Password *password, uint32 *headerSaltCrc32)
 {
@ -303,6 +378,9 @@ static NTSTATUS MountDrive (DriveFilterExtension *Extension, Password *password,
 		status = STATUS_SUCCESS;
 		Dump ("Header decrypted\n");

+		// calculate Fingerprint
+		ComputeBootLoaderFingerprint (Extension->LowerDeviceObject, header);
+			
 		if (Extension->Queue.CryptoInfo->hiddenVolume)
 		{
 			int64 hiddenPartitionOffset = BootArgs.HiddenSystemPartitionStart;
@ -807,6 +885,7 @@ void ReopenBootVolumeHeader (PIRP irp, PIO_STACK_LOCATION irpSp)
 	if (ReadVolumeHeader (!BootDriveFilterExtension->HiddenSystem, header, &request->VolumePassword, request->pkcs5_prf, request->pim, FALSE, NULL, BootDriveFilterExtension->HeaderCryptoInfo) == 0)
 	{
 		Dump ("Header reopened\n");
+		ComputeBootLoaderFingerprint (BootDriveFilterExtension->LowerDeviceObject, header);
 		
 		BootDriveFilterExtension->Queue.CryptoInfo->header_creation_time = BootDriveFilterExtension->HeaderCryptoInfo->header_creation_time;
 		BootDriveFilterExtension->Queue.CryptoInfo->pkcs5 = BootDriveFilterExtension->HeaderCryptoInfo->pkcs5;
@ -1681,6 +1760,24 @@ void GetBootLoaderVersion (PIRP irp, PIO_STACK_LOCATION irpSp)
 	}
 }

+void GetBootLoaderFingerprint (PIRP irp, PIO_STACK_LOCATION irpSp)
+{
+	if (ValidateIOBufferSize (irp, sizeof (BootLoaderFingerprintRequest), ValidateOutput))
+	{
+		if (BootArgsValid)
+		{
+			BootLoaderFingerprintRequest *bootLoaderFingerprint = (BootLoaderFingerprintRequest *) irp->AssociatedIrp.SystemBuffer;
+			memcpy (bootLoaderFingerprint->Fingerprint, BootLoaderFingerprint, sizeof (BootLoaderFingerprint));
+			irp->IoStatus.Information = sizeof (BootLoaderFingerprintRequest);
+			irp->IoStatus.Status = STATUS_SUCCESS;
+		}
+		else
+		{
+			irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
+			irp->IoStatus.Information = 0;
+		}
+	}
+}

 void GetBootEncryptionAlgorithmName (PIRP irp, PIO_STACK_LOCATION irpSp)
 {
--- a/src/Driver/DriveFilter.h
+++ b/src/Driver/DriveFilter.h
@ -59,6 +59,7 @@ void GetBootDriveVolumeProperties (PIRP irp, PIO_STACK_LOCATION irpSp);
 void GetBootEncryptionAlgorithmName (PIRP irp, PIO_STACK_LOCATION irpSp);
 void GetBootEncryptionStatus (PIRP irp, PIO_STACK_LOCATION irpSp);
 void GetBootLoaderVersion (PIRP irp, PIO_STACK_LOCATION irpSp);
+void GetBootLoaderFingerprint (PIRP irp, PIO_STACK_LOCATION irpSp);
 NTSTATUS GetSetupResult ();
 DriveFilterExtension *GetBootDriveFilterExtension ();
 CRYPTO_INFO *GetSystemDriveCryptoInfo ();
--- a/src/Driver/Ntdriver.c
+++ b/src/Driver/Ntdriver.c
@ -1493,6 +1493,10 @@ NTSTATUS ProcessMainDeviceControlIrp (PDEVICE_OBJECT DeviceObject, PEXTENSION Ex
 		ReopenBootVolumeHeader (Irp, irpSp);
 		break;

+	case VC_IOCTL_GET_BOOT_LOADER_FINGERPRINT:
+		GetBootLoaderFingerprint (Irp, irpSp);
+		break;
+
 	case TC_IOCTL_GET_BOOT_ENCRYPTION_ALGORITHM_NAME:
 		GetBootEncryptionAlgorithmName (Irp, irpSp);
 		break;
--- a/src/Mount/Mount.c
+++ b/src/Mount/Mount.c
@ -5769,6 +5769,7 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa

 			try
 			{
+				BootEncObj->SetParentWindow (hwndDlg);
 				BootEncStatus = BootEncObj->GetStatus();
 				RecentBootEncStatus = BootEncStatus;
 			}
@ -5808,14 +5809,20 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
 			{
 				if (IsHiddenOSRunning())
 				{
-					if (BootEncObj->GetInstalledBootLoaderVersion() > VERSION_NUM)
+					if (BootEncObj->GetInstalledBootLoaderVersion() != VERSION_NUM)
 						Warning ("UPDATE_TC_IN_HIDDEN_OS_TOO", hwndDlg);
+					if (!BootEncObj->CheckBootloaderFingerprint ())
+						Warning ("BOOT_LOADER_FINGERPRINT_CHECK_FAILED", hwndDlg);
 				}
-				else if (SysDriveOrPartitionFullyEncrypted (TRUE)
-					&& BootEncObj->GetInstalledBootLoaderVersion() != VERSION_NUM)
+				else if (SysDriveOrPartitionFullyEncrypted (TRUE))
+				{
+					if (BootEncObj->GetInstalledBootLoaderVersion() != VERSION_NUM)
 					{
 						Warning ("BOOT_LOADER_VERSION_DIFFERENT_FROM_DRIVER_VERSION", hwndDlg);
 					}
+					if (!BootEncObj->CheckBootloaderFingerprint ())
+						Warning ("BOOT_LOADER_FINGERPRINT_CHECK_FAILED", hwndDlg);
+				}
 			} 
 			catch (...) { }