I have done a great deal of looking around, and I can't seem to get a straightforward answer to this issue.
I am hobbyist programmer, I have done a great deal of work with windows drivers, and wrote my own personal 'antivirus' driver for windows XP. So don't get me wrong here, I don't work for any software development firm or anything of the like.
My question is: as far as windows 7 x64 is concerned, is there any possible legit and legal method I can use to release sign my driver that would only be for my own personal use?
Yes I am well aware I can test sign my driver and run it in a virtual machine under windows test mode, which I do quite frequently. However if you have used windows in test mode you know there are some major drawbacks.
So to to sum this all up, is it possible for me ( a hobbyist ) to release sign a driver for my own personal use and not have to deal with windows test mode?
Thanks.
If it's a boot time required driver, I don't think there is a way you can get it to use it without signing it with a certificate from a Microsoft sanctioned provider (Verisign only I think for drivers?).
If this is a normal device driver that isn't required at boot you can create your own certificates and use those instead. I did it myself for Vista x64 to get an HP ScanJet driver to work from XP x64 by signing the .sys and the .inf files.
I used Active Directory Certificate Services on my domain to issue a Code Signing certificate for my use and had my machine trust the ADCS CA certificate. These two actions will cause Windows to trust your signed driver.
I believe you could use OpenSSL to create a CA certificate and issue code signing certificates with that, but I've had no practice with it.
Again, to reiterate, if this driver is required at boot then this method will not work, if it's used for a device which can be attached at anytime, it should work.
You can have the ReactOS Foundation do it for you.
Please refer to my answer to this post: Windows 7 kernel driver signing.
So to to sum this all up, is it possible for me ( a hobbyist ) to release sign a driver for my own personal use and not have to deal with windows test mode?
Yes.
For boot time drivers: Go to VeriSign, buy the (only?) code signing certificate ($500), and sign your driver.
For non-boot drivers: You can self-sign, with appropriate warnings.
Related
I'm very new to windows driver development.
I've written a KMDF windows driver and I'm able to test deploy it to my target machine using VS deploy. It worked fine and now I'd like to ship this driver with the application that uses this driver.
Here the problem comes... I couldn't find anything on Google that telling us how to distribute a KMDF driver(like making an installer). This driver is an upper class filter driver and it is only needed for my application so it should not be published to windows update.
My question is how to make something like an installer to distribute this driver? Thanks for any suggestion or tutorial.
EDIT 1
It is a fake device driver(meaning there is no physical device to drive)
Usually, device drivers for software won't be pushed out through Windows Update. There's exceptions for vendors like Intel, AMD, NVIDIA, but that is because of what those companies are and how popular/well-used they are (they will be working with Microsoft for such). You can't just have your driver pushed out via Windows Update.
You're going to need a digital signature to sign your kernel-mode software with as long as you're going to be distributing it onto machines using modern versions of Windows x64 (for the record, even Windows Vista x64 will enforce this requirement). This requirement will not be present on x86 versions of Windows as-of right now, but in all truth, it would be unethical to not sign your kernel-mode software anyway.
Starting on Windows 10 on a specific patch which was released really early-on, the requirement changed from having a normal digital signature which could work for signing kernel-mode binaries to it having to be an EV digital signature; to get your hands on an EV digital signature for kernel-mode software signing, you will undoubtedly need to be legally registered as a company (and likely require a company bank account as well).
See the following for more information about this.
https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/04/01/driver-signing-changes-in-windows-10/
Here's the twist though... For systems which are using Secure Boot (new modern systems tend to have it enabled by default now, it is a security feature), you will need to have your kernel-mode software co-signed by Microsoft themselves. This will require you to share your kernel-mode software with Microsoft by uploading it via an online portal, but you'll still need your EV digital signature before you can move to that stage.
See the following for more information regarding the Microsoft co-signing requirement (depending on the environment):
https://www.osr.com/blog/2017/07/06/attestation-signing-mystery/
Note: Please do not try to come up with ideas to circumvent this (e.g. enabling Test Mode on a clients system and then using a Test certificate for your driver, or disabling Secure Boot on a system which relies on it... such work-arounds come with a huge price of reducing the security on the system, and should never be applied as a solution to this problem in the real-world).
For actually installing the device driver, you could programmatically use the .INF file with the Win32 API and then use the StartService routine to start the service post-installation with the .INF. Also see: https://msdn.microsoft.com/en-us/library/aa376957%28v=vs.85%29.aspx
Alternatively, you can register the service yourself with the CreateService routine and then start it with the StartService routine (or reboot and have it load on start-up depending on the flags for the service creation).
Bear in mind, sometimes using the Service Manager, you'll miss important things in registration for some driver types (e.g. Filesystem Minifilter), and you'd need to handle this manually otherwise it won't work. Check the .INF and make sure anything that needs to be done as an requirement is done when you use the Service Manager for installation (if you decide not to rely on the .INF).
Hope this helps you get to where you need to be.
I need some clarification about driver signing in Windows 10.
We have working driver package that uses Winusb.sys driver that is signed from the start by Microsoft. But to install this driver to customer machine we have our own *.inf and 2 generated *.cat files for each supported platforms. Currently we have no issues using this driver in Windows 10 since modifications for Windows 8 support, but we want to add some additional hardware devices support in near future to driver, so it will be modified and need to be resigned.
The question is what certificate (Extended Validation (“EV”) Code Signing Certificate or just Standard Certificate) do we need to sign these *.cat files, so our driver can be installed correctly at Windows 10. Also is it necessary to submit out driver to Windows Hardware Developer Center Dashboard portal?
I saw this and some other articles that states, EV certificate signing is needed only by kernel-mode drivers (it seems after 90 days of Win10 release also user-mode drivers), but WinUSB driver is kernel-mode and fully supported and initially signed by Microsoft. So again what kind of certificate do we need to sign *.cat files and do we need to submit them to Microsoft portal?
The files structure before signing looks like
driver
|--*.inf
|--*amd64.cat
|--*x86.cat
|--amd64
|--WdfCoInstaller01009.dll
|--winusbcoinstaller2.dll
|--i386
|--WdfCoInstaller01009.dll
|--winusbcoinstaller2.dll
|--ia64
|--WdfCoInstaller01009.dll
|--winusbcoinstaller2.dll
My company also uses WinUSB for one of our devices. We currently use a "driver signing" certificate from Godaddy. Once the certificate is installed on your machine (they have step-by-step instructions for how to do this), you need to generate a pfx file and then you can use the signtool utility to sign the security catalog.
This link was a great resource for me: http://www.davidegrayson.com/signing/
Here is a great SO answer which covers the creation of self-signed CA and then signing executables with the obtained certificates: How do I create a self-signed certificate for code signing on Windows?.
I have read a lot of discussions online on how the driver signing works and the answer seems to be almost unequivocally that you can't load unsigned or self-signed drivers without having the test mode enabled. However, the answer I linked to and especially one comment by Roger Lipscombe seems to provide a contradicting view:
If you want to use this for signing drivers, you need to import the CA
certificate into the machine store. My example imports it into the
user store, which is fine for most software, for test/internal
purposes.
To me, it looks like I would be able to install drivers with self-signed certificates (issued by a self-signed CA) as long as the CA cert was imported to the machine store. I won't have to make any other changes to the system (disabling test mode by pressing F8 on boot menu, messing with boot configuration flags such as TESTSIGNING or NOINTEGRITYCHECKS).
Am I correct? What are the obstacles, if any, that this method is not used more widely when people need to load drivers that have no proper digital signatures provided (such as old printer drivers etc.). Instead, people rely on booting to test mode or a third-party software (DSEO) which tampers with your system files to run such drivers.
What are the drawbacks of this method? The process described in the above SO question needs admin privileges but installing drivers should need them anyway. Trusting a self-signed CA might be a security risk - but won't disabling all signature checks be even bigger security risk?
No, this is unfortunately not possible, starting from Windows Vista and Windows Server 2008.
The driver has to be cross-signed. Creating your own CA and adding it to the machine store won't be enough because the newly created CA won't be trusted by the Windows chain of trust.
Driver Signing Requirements for Windows
In Windows Vista and Windows Server 2008, new features take advantage of code-signing technologies, and new requirements for security in the operating system enforce the use of digital signatures for some kinds of code.
Components must be signed by a certificate that Windows "trusts" as described in the white papers on this site.
One of the white papers referred is Digital Signatures for Kernel Modules on Windows
which describes the load process and explains why self-signing won't be sufficient:
When a driver is loaded into kernel memory, Windows Vista verifies the digital signature of the driver image file. Depending on the type of driver, this can be either the signed hash value in the catalog file or an embedded signature in the image file itself. The cross-certificates that are used when signing the kernel driver package are used for the load-time signature verification; each certificate in the path is checked up to a trusted root in the kernel. The load-time signature check does not have access to the Trusted Root Certificate Authorities certificate store. Instead, it must depend on the root authorities that are built into the Windows Vista kernel.
As mentioned earlier, this is also outlined on the Requirements for Device Driver Signing and Staging page:
The 64-bit versions of Windows 7 and Windows Server 2008 R2 have special signature requirements for kernel mode device drivers. If you use a 64-bit version of Windows, then you cannot create your own certificate for signing. Instead, you must use a Software Publishing Certificate that chains to an approved certification authority (CA).
The valid CAs for signing kernel mode drivers can be found on the following page:
Cross-Certificates for Kernel Mode Code Signing
User mode drivers will work on Windows 10 X64 with secure boot and everything with self signed certs as long as you add the cert to the Trusted Root CAs. Kerner mode drivers only work with paid MS trusted root CAs.
you are correct, if you create a self signed certificate and save it in user store (or machien store) as a Trusted CA, it will work for you... but keep in mind that:
Secure boot will not work for you.
This is a security breach, if someone get a hold of the certificate, they will have to run kernel mode code on your system.
Other option, is to buy Trusted Code Signing Certificate from GoDaddy :)
I need to install the libusb-win32 driver on Windows 7 64 bit machines. This driver is open source so it is not digitally signed so I want to do this myself, but I wonder if this can be done WITHOUT paying lot of money. Is it possible to use a certificate which is NOT signed by Verisign or GlobalSign? Maybe self-signed or by using StartSSL instead?
And if yes, how do I do it? According to a how-to, The Practical Truth About x64 Kernel Driver Signing, I have to use a "cross-certificate" (and there are only six available on the Microsoft list and most of them are for CAs which are no longer active).
I don't care if the user is confronted with a warning message. I can even accept if the user has to install a special CA certificate first. I only require that the driver runs without manually disabling the signature check on each Windows startup.
No, the driver has to be cross signed by one of those specific certificates and thus the driver has to be signed by one of those CAs. You can disable driver signing on the machine for testing purposes, but obviously you don't want to do this on production machines. Sorry, that's just the way it is.
LibUSB_win32 is now already signed, according to http://sourceforge.net/apps/trac/libusb-win32/wiki
It says: "Vista/7/2008/2008R2 64 bit are supported from version 1.2.0.0 since a Microsoft KMCS accepted digital signature is embedded in the kernel driver libusb0.sys."
So the only thing you have to do is update your libusb_win32 driver.
To allow loading into kernel, you have to sign with those CA and have WHDL checked.
The only alternative would be using the user mode driver framework. (but libusb does not support it -- it was discussed, but never implemented)
I've got some drivers which are basically LibUSB-Win32 with a new .inf file to describe product/vendor IDs and strings which describe my hardware. This works fine for 32 bit windows, but 64 bit versions have problems; namely that Microsoft in their wisdom require all drivers to be digitally signed.
So my questions are thus:
Is there a version of the LibUSB-Win32 drivers which are already signed I could use?
If there aren't already some signed ones I can canibalise, what exactly do I have to do to get my drivers signed.
Do I need to get 64 and 32 bit versions signed separately and will this cost more?
Is this a free alternative to getting them signed?
Are there any other options I should consider besides requiring that my customers boot into test mode each time they start their machines (not an option I'd consider).
Are there any other options for code signing apart from Verisign? Obviously a free/open source initiative like OpenID would be awesome ;-)
There are two separate issues at hand:
Signing the image file (i.e. the driver.sys file) to satisfy Kernel Mode Code Signing (KMCS)
Signing the driver package to satisfy driver installation (i.e. the driver.cat file).
If you take an existing driver signed by another entity (be it Microsoft's WinUSB or libusb-win32), that'll satisfy KMCS.
As to driver installation, you'd need your own Code Signing Certificate to sign a .cat file, which verifies that your .inf and the files it refers to (e.g. your .sys files) were not modified and truly come from you. It's somewhat less of a problem, since unlike KMCS (which stops your driver from loading), it won't prevent your driver from being installed but just present a warning to the user.
A Code Signing Certificate (make sure it supports KMCS!) will cost you hundreds of USD, depends on the CA you choose. Some might have plans which allow you to pay per signing event rather then globally per year. If you don't need to release many versions, this might be cheaper for you.
You might be able to get away with trying the libusb-winusb version of libusb which tries to implement most of the existing functionality around the winusb driver (which is a signed MS binary so you don't need to do it yourself). However YMMV as winusb doesn't 100% map to all the functionality required in libusb.
You can use this tutorial that ignores unsigned drivers. I don't think that you want to pay because it costs something like $400 USD!
Here is an other tutorial
You can also run CMD as administrator and run the following:
bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS
bcdedit.exe -set TESTSIGNING ON
According to my research, it could cost as little as US$266 to have a device driver signed. My understanding is that only a company can get a driver signed. They won't do it for individuals.
Ref.: CERTUM Code Signing Certificates