Windows: Add option to disable detection of "Evil Maid" attacks. This is helpful for users who have software running the modifies the bootloader, like FLEXnet.

This commit is contained in:
Mounir IDRASSI 2015-10-07 04:35:03 +02:00
parent f3c91cb05c
commit 9a6fc789eb
5 changed files with 20 additions and 8 deletions

View File

@ -336,5 +336,6 @@ typedef struct
#define TC_DRIVER_CONFIG_DISABLE_NONADMIN_SYS_FAVORITES_ACCESS 0x4
#define TC_DRIVER_CONFIG_DISABLE_HARDWARE_ENCRYPTION 0x8
#define TC_DRIVER_CONFIG_ENABLE_EXTENDED_IOCTL 0x10
#define TC_DRIVER_CONFIG_DISABLE_EVIL_MAID_ATTACK_DETECTION 0x20
#endif /* _WIN32 */

View File

@ -120,6 +120,7 @@
<control lang="en" key="IDC_CREATE">Create</control>
<control lang="en" key="IDC_CREATE_VOLUME">&amp;Create Volume</control>
<control lang="en" key="IDC_DISABLE_BOOT_LOADER_OUTPUT">Do not &amp;show any texts in the pre-boot authentication screen (except the below custom message)</control>
<control lang="en" key="IDC_DISABLE_EVIL_MAID_ATTACK_DETECTION">Disable "Evil Maid" attack detection</control>
<control lang="en" key="IDC_ENABLE_HARDWARE_ENCRYPTION">Accelerate AES encryption/decryption by using the AES instructions of the processor (if available)</control>
<control lang="en" key="IDC_ENABLE_KEYFILES">Use keyfiles</control>
<control lang="en" key="IDC_ENABLE_NEW_KEYFILES">Use keyfiles</control>

View File

@ -6206,18 +6206,22 @@ BOOL CALLBACK MainDialogProc (HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lPa
{
if (IsHiddenOSRunning())
{
uint32 driverConfig = ReadDriverConfigurationFlags();
if (BootEncObj->GetInstalledBootLoaderVersion() != VERSION_NUM)
Warning ("UPDATE_TC_IN_HIDDEN_OS_TOO", hwndDlg);
if (!BootEncObj->CheckBootloaderFingerprint ())
if ( !(driverConfig & TC_DRIVER_CONFIG_DISABLE_EVIL_MAID_ATTACK_DETECTION)
&& !BootEncObj->CheckBootloaderFingerprint ())
Warning ("BOOT_LOADER_FINGERPRINT_CHECK_FAILED", hwndDlg);
}
else if (SysDriveOrPartitionFullyEncrypted (TRUE))
{
uint32 driverConfig = ReadDriverConfigurationFlags();
if (BootEncObj->GetInstalledBootLoaderVersion() != VERSION_NUM)
{
Warning ("BOOT_LOADER_VERSION_DIFFERENT_FROM_DRIVER_VERSION", hwndDlg);
}
if (!BootEncObj->CheckBootloaderFingerprint ())
if ( !(driverConfig & TC_DRIVER_CONFIG_DISABLE_EVIL_MAID_ATTACK_DETECTION)
&& !BootEncObj->CheckBootloaderFingerprint ())
Warning ("BOOT_LOADER_FINGERPRINT_CHECK_FAILED", hwndDlg);
}
}
@ -10424,6 +10428,7 @@ static BOOL CALLBACK BootLoaderPreferencesDlgProc (HWND hwndDlg, UINT msg, WPARA
CheckDlgButton (hwndDlg, IDC_DISABLE_BOOT_LOADER_OUTPUT, (userConfig & TC_BOOT_USER_CFG_FLAG_SILENT_MODE) ? BST_CHECKED : BST_UNCHECKED);
CheckDlgButton (hwndDlg, IDC_ALLOW_ESC_PBA_BYPASS, (userConfig & TC_BOOT_USER_CFG_FLAG_DISABLE_ESC) ? BST_UNCHECKED : BST_CHECKED);
CheckDlgButton (hwndDlg, IDC_BOOT_LOADER_CACHE_PASSWORD, (driverConfig & TC_DRIVER_CONFIG_CACHE_BOOT_PASSWORD) ? BST_CHECKED : BST_UNCHECKED);
CheckDlgButton (hwndDlg, IDC_DISABLE_EVIL_MAID_ATTACK_DETECTION, (driverConfig & TC_DRIVER_CONFIG_DISABLE_EVIL_MAID_ATTACK_DETECTION) ? BST_CHECKED : BST_UNCHECKED);
SetWindowTextW (GetDlgItem (hwndDlg, IDC_CUSTOM_BOOT_LOADER_MESSAGE_HELP), GetString("CUSTOM_BOOT_LOADER_MESSAGE_HELP"));
}
@ -10480,6 +10485,7 @@ static BOOL CALLBACK BootLoaderPreferencesDlgProc (HWND hwndDlg, UINT msg, WPARA
{
BootEncObj->WriteBootSectorUserConfig (userConfig, customUserMessage);
SetDriverConfigurationFlag (TC_DRIVER_CONFIG_CACHE_BOOT_PASSWORD, IsDlgButtonChecked (hwndDlg, IDC_BOOT_LOADER_CACHE_PASSWORD));
SetDriverConfigurationFlag (TC_DRIVER_CONFIG_DISABLE_EVIL_MAID_ATTACK_DETECTION, IsDlgButtonChecked (hwndDlg, IDC_DISABLE_EVIL_MAID_ATTACK_DETECTION));
}
catch (Exception &e)
{

View File

@ -275,7 +275,7 @@ BEGIN
LTEXT "",IDT_PKCS11_LIB_HELP,16,63,286,65
END
IDD_SYSENC_SETTINGS DIALOGEX 0, 0, 370, 242
IDD_SYSENC_SETTINGS DIALOGEX 0, 0, 370, 261
STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | DS_CENTER | WS_POPUP | WS_CAPTION | WS_SYSMENU
CAPTION "VeraCrypt - System Encryption Settings"
FONT 8, "MS Shell Dlg", 400, 0, 0x1
@ -287,12 +287,14 @@ BEGIN
"Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,178,339,10
CONTROL "Allow pre-boot &authentication to be bypassed by pressing the Esc key (enables boot manager)",IDC_ALLOW_ESC_PBA_BYPASS,
"Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,193,340,10
DEFPUSHBUTTON "OK",IDOK,257,220,50,14
PUSHBUTTON "Cancel",IDCANCEL,313,220,50,14
DEFPUSHBUTTON "OK",IDOK,257,233,50,14
PUSHBUTTON "Cancel",IDCANCEL,313,233,50,14
LTEXT "Display this custom message in the pre-boot authentication screen (24 characters maximum):",IDT_CUSTOM_BOOT_LOADER_MESSAGE,18,41,337,8
GROUPBOX "Boot Loader Screen Options",IDT_BOOT_LOADER_SCREEN_OPTIONS,8,7,355,150
GROUPBOX "Security Options",IDT_SECURITY_OPTIONS,8,163,355,49
GROUPBOX "Security Options",IDT_SECURITY_OPTIONS,8,163,355,62
LTEXT "",IDC_CUSTOM_BOOT_LOADER_MESSAGE_HELP,18,74,337,73
CONTROL "Disable ""Evil Maid"" attack detection",IDC_DISABLE_EVIL_MAID_ATTACK_DETECTION,
"Button",BS_AUTOCHECKBOX | WS_TABSTOP,18,208,340,10
END
IDD_PERFORMANCE_SETTINGS DIALOGEX 0, 0, 370, 248
@ -442,6 +444,7 @@ BEGIN
LEFTMARGIN, 7
RIGHTMARGIN, 363
TOPMARGIN, 7
BOTTOMMARGIN, 247
END
IDD_PERFORMANCE_SETTINGS, DIALOG
@ -588,7 +591,7 @@ BEGIN
MENUITEM SEPARATOR
MENUITEM "Create Rescue Disk...", IDM_CREATE_RESCUE_DISK
MENUITEM "Verify Rescue Disk", IDM_VERIFY_RESCUE_DISK
MENUITEM "Verify Rescue Disk ISO Image",IDM_VERIFY_RESCUE_DISK_ISO
MENUITEM "Verify Rescue Disk ISO Image", IDM_VERIFY_RESCUE_DISK_ISO
MENUITEM SEPARATOR
MENUITEM "Mount Without Pre-Boot &Authentication...", IDM_MOUNT_SYSENC_PART_WITHOUT_PBA
MENUITEM SEPARATOR

View File

@ -172,6 +172,7 @@
#define IDC_COPY_EXPANDER 1148
#define IDT_DRIVER_OPTIONS 1149
#define IDC_ENABLE_EXTENDED_IOCTL_SUPPORT 1150
#define IDC_DISABLE_EVIL_MAID_ATTACK_DETECTION 1151
#define IDM_HELP 40001
#define IDM_ABOUT 40002
#define IDM_UNMOUNT_VOLUME 40003
@ -248,7 +249,7 @@
#define _APS_NO_MFC 1
#define _APS_NEXT_RESOURCE_VALUE 119
#define _APS_NEXT_COMMAND_VALUE 40069
#define _APS_NEXT_CONTROL_VALUE 1151
#define _APS_NEXT_CONTROL_VALUE 1152
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif