Or, as I said, find your oem##.inf in C:\Windows\Inf. That can also be used to uninstall. Your driver registry keys include an entry that has your assigned INF name.

That's not what the _Id parameter is for. The NetBufferListInfo member of the NET_BUFFER_LIST structure is basically a big anonymous structure that contains different things at different times. The _Id parameter specifies which element of that structure you want to read or write. If you look at <ndis.h> in "typedef enum _NDIS_NET_BUFFER_LIST_INFO", that is the list of things you can fetch, by passing one of the enums as the _Id parameter.

Note that I'm not an NDIS guy -- I was able to figure this out by reading the .H file. Nothing beats going straight to the source.

First you can encrypt in the kernel, the operating system even has calls for the common model it provides in user space. If you really need to send it to user space look up "inverted call" that is well documented on the OSR site see https://www.osr.com/nt-insider/2013-issue1/inverted-call-model-kmdf/

Just FYI to confirm that it's my understanding too that the SHA-2 support is -- and remains -- a separate post-SP1 update, "KB3033929 Windows 7 SP1 SHA-2 Support". While we're talking about it, I'll also give a shout-out to "KB2921916 Windows 7 Publisher Verification Prompt SHA-256", if you find your "always trust software from xxxxxx" selection isn't working after applying SHA-2 support.

I don't know definitive answers to the "what does Microsoft do for SHA-1", but the answer USED to be that Microsoft still provided an SHA-1 signature when you're testing and submitting for an SHA-1 dependent platform like Windows Server 2008. (Which will be an HCK testing process, not HLK.) You didn't get it "regardless of platform", but did get the signature required for the platform you were tested and signing for.

I say "used to be the answer" since SHA-1 has been deprecated since then, and I don't know what Microsoft might do or no longer do. Nor do I perform HCK testing of any drivers myself to have encountered what this answer might be. If HCK testing and signing for these down-level platforms is still allowed, it would seem like Microsoft "has to be" still providing an SHA-1 signature. But who knows.

Regarding what will happen to the existing signature on individual binary files, at least in the Attested Signing process it would append Microsoft's signature to whatever signature was already on the binary. We directly relied on this behavior with our product, and knew it was true.

But, that "existing signature in the binary" was also a Microsoft cross-signing signature, and Microsoft cross-signing has also been deprecated at this point. So it's not possible to submit a binary with a pre-existing kernel-policy signature any more, since you can't cross-sign your binary. What Microsoft's process might do with an unverifiable self-signed certificate signature, or other private CA certificate signature, or what they might do with any non-kernel-policy signature (non-cross signed, normal Authenticode signature) on the binary file is unknown to me.

That's maybe the final thing to point out: If you're getting a Microsoft SHA-2 signature on your signed binary files, you want to NOT SIGN those binary files before submission to Microsoft if you want to have any chance of those files being used on an SHA2-compatible down-level platform. The down-level platforms do not successfully traverse "what is the SECOND signature on the binary file", and will be stuck looking only at whatever your non-Microsoft first signature was.

Oh okay I think I understand, passing or using any sort of floats in a 32bit system needs to be done in protected region not just doing calculations on it.

Right. The issue is not executing floating point instructions, the issue is holding stuff in floating point registers. The 32-bit systems do not automatically save and restore the floating point registers on every kernel thread context switch, so if you tweak a register without following the rules, you could screw up some other thread.

… and the warnings go away?

I think that your confusion is that you expect KeSaveFloatingPointState to protect the code that does computations with floating point variables, but really it needs to protect all code that uses any floating point variables (including return codes)

Any stack frame that has a float or double local variable or return code (or accesses any float or double global) needs to use the floating point registers to move those values around. Historically, those registers were not preserved during certain context switches to improve performance. So executing code that uses them will clobber values that are expected to remain invariant between instructions that are interrupted by a KM thread - causing random errors in whatever process got corrupted. Explicitly saving those values via KeSaveFloatingPointState and restoring them after any possible use of those registers has completed solves this problem. But they have to be saved before any possible access and restored after any possible use