Re: [OSR-DETECTED-SPAM] RE: SecureBoot/Driver signing for corporate usage

Tim_Roberts Member - All Emails Posts: 13,007
xxxxx@mail.ru wrote:
> Undoubtedly the driver must be signed and it is signed.
> The problem arose when the sign is not enough in Win10 >1607 and SecureBoot (UEFI BIOS).
> The recommended way is submitting the driver for MS attestation and resigning (cross signing) by MS (via sysdev portal). After resigning the problem will be solved.

Just for accuracy's sake, the attestation process is not "cross
signing". Microsoft is appending their own certificate chain to your
binaries in addition to yours. In "cross signing," you still have a
single certificate chain, but it gets extended to "cross over" from your
certificate authority to Microsoft's.

When you sign a driver, the certificate chain essentially looks like:
    I am Joe
    Digicert's code-signing vouches for Joe
    Digicert's master authority trusts Digicert's code-signing authority

After cross-signing, that becomes:
    I am Joe
    Digicert's code-signing vouches for Joe
    Digicert's master authority trusts Digicert's code-signing authority
    Microsoft's code verification root trusts Digicert's master authority
    Microsoft's code verification root trusts Microsoft's code verification root
and the kernel looks for that last one.

But with attestation, that becomes:
    I am Joe
    Digicert's code-signing vouches for Joe
    Digicert's master authority trusts Digicert's code-signing authority
    Microsoft's code verification root trusts Digicert's master authority
    I am also Microsoft
    Microsoft's code verification root vouches for Microsoft
    Microsoft's code verification root trusts Microsoft's code verification root

--
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
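
The distinction drawn in the post above, as a small model added here (not part of the original post, and not how Windows implements chain validation): cross-signing extends a single chain, while attestation leaves two signatures on the file, each with its own chain. The certificate names come from the post; the data layout and the names `chain_reaches` and `summarize` are assumptions made for this example.

```python
# Toy model of the chain shapes in the post above. Names come from the post;
# the data layout and function names are constructed for this example.
JOE = "Joe"
DC_CS = "Digicert code-signing authority"
DC_ROOT = "Digicert master authority"
MS = "Microsoft"
MS_CVR = "Microsoft code verification root"

KERNEL_ANCHOR = MS_CVR  # "the kernel looks for that last one"


def chain_reaches(signer, links, anchor=KERNEL_ANCHOR):
    """Follow (subject, issuer) links upward from signer; True if anchor is hit."""
    issuers = {}
    for subject, issuer in links:
        issuers.setdefault(subject, set()).add(issuer)
    seen, todo = set(), [signer]
    while todo:
        name = todo.pop()
        if name == anchor:
            return True
        if name not in seen:  # guards against the self-signed root loop
            seen.add(name)
            todo.extend(issuers.get(name, ()))
    return False


def summarize(signatures):
    """Return (number of signatures, signers whose chain reaches the anchor)."""
    anchored = [s for s, links in signatures if chain_reaches(s, links)]
    return len(signatures), anchored


BASE = [(JOE, DC_CS), (DC_CS, DC_ROOT)]
CROSS = BASE + [(DC_ROOT, MS_CVR), (MS_CVR, MS_CVR)]

SIGNED = [(JOE, BASE)]                       # one signature, one chain
CROSS_SIGNED = [(JOE, CROSS)]                # same chain, extended
ATTESTED = [(JOE, BASE + [(DC_ROOT, MS_CVR)]),           # yours
            (MS, [(MS, MS_CVR), (MS_CVR, MS_CVR)])]      # Microsoft's, appended

if __name__ == "__main__":
    for label, sigs in [("signed", SIGNED), ("cross-signed", CROSS_SIGNED),
                        ("attested", ATTESTED)]:
        print(label, summarize(sigs))
```
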
