Need help understanding Windows user mode (winusb) driver signing

mm650 Member Posts: 2

After having been away from Windows drivers since 2000, I find myself being asked to look at getting a driver signed. To say I'm thoroughly confused by the recent flux in signing policies is an understatement, and I hope some of you can help with what I'm sure are basic questions.

We produce a USB device which has a companion application which talks to the device via WinUSB (the application uses libusb if that's relevant). There's an .inf for the USB device whose primary purpose in life is to make WinUSB its function driver. We would like the driver to install on x86 and x64, from Win 7 up to current Windows 10 clients.

So the questions....

  1. Specifically for Windows 10 do we need to submit the package to the Microsoft hardware portal for signing (and if so is attestation signing sufficient)? I've seen stated in various places that user-mode drivers do not need to be Microsoft-signed, but also that with Win 10 Anniversary Edition and later user mode drivers are under the same restrictions as kernel mode drivers.
  2. For pre-Win10 should we produce a separate driver package with a cross-signed cab? Or is it possible (and relatively painless) to create a single package supporting Win 7 - 10? (We have an EV cert from SSL.com for which there appears to be no cross-certificate, so I assume we would need to obtain another cert from a Microsoft CA partner such as Digicert?)

Thanks in advance,
Mike

Comments

  • Tim_Roberts Member - All Emails Posts: 13,035
    via Email
    On May 8, 2019, at 5:43 PM, mm650 wrote:
    >
    > We produce a USB device which has a companion application which talks to the device via WinUSB (the application uses libusb if that's relevant). There's an .inf for the USB device whose primary purpose in life is to make WinUSB its function driver. We would like the driver to install on x86 and x64, from Win 7 up to current Windows 10 clients.

    Are you aware that it's possible to create custom string descriptors that will cause Windows to automatically load WinUSB, with no driver package at all?


    > * Specifically for Windows 10 do we need to submit the package to the Microsoft hardware portal for signing (and if so is attestation signing sufficient)? I've seen stated in various places that user-mode drivers do not need to be Microsoft-signed, but also that with Win 10 Anniversary Edition and later user mode drivers are under the same restrictions as kernel mode drivers.

    WinUSB is not a user-mode driver. Unless you use the Microsoft OS Descriptors, you need a PnP driver package, and that requires a Microsoft signature.


    > * For pre-Win10 should we produce a separate driver package with a cross-signed cab? Or is it possible (and relatively painless) to create a single package supporting Win 7 - 10? (We have an EV cert from SSL.com for which there appears to be no cross-certificate, so I assume we would need to obtain another cert from a Microsoft CA partner such as Digicert?)

    Because you have a PnP driver package (and not just a binary), you will need two packages. The issue is that the attestation signing process throws out your CAT file and creates a new one (WHQL does the same), and the new CAT file created by attestation is only marked for Win 10. And yes, the pre-10 package will need to be signed with a certificate that has a known cross-certificate.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.
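
The descriptor route mentioned in the reply above, as an added example that is not part of the thread and not any poster's code: the two Microsoft OS 1.0 descriptors a device's firmware returns so that Windows binds WinUSB without a driver package, and therefore without a package to sign. The vendor code `0x20`, the `usb_setup_t` struct and the function name `ms_os_desc_reply` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>

#define MS_VENDOR_CODE 0x20  /* assumption: a vendor request code the firmware reserves */

/* OS string descriptor, returned for GET_DESCRIPTOR(String) at index 0xEE. */
static const uint8_t os_string_desc[18] = {
    0x12, 0x03,                                  /* bLength, bDescriptorType = STRING */
    'M',0,'S',0,'F',0,'T',0,'1',0,'0',0,'0',0,   /* qwSignature "MSFT100", UTF-16LE   */
    MS_VENDOR_CODE, 0x00                         /* bMS_VendorCode, bPad              */
};

/* Extended Compat ID descriptor: 16-byte header plus one 24-byte function section. */
static const uint8_t compat_id_desc[40] = {
    0x28, 0x00, 0x00, 0x00,          /* dwLength = 40                      */
    0x00, 0x01,                      /* bcdVersion = 1.00                  */
    0x04, 0x00,                      /* wIndex = 4 (extended compat ID)    */
    0x01,                            /* bCount = 1 function section        */
    0, 0, 0, 0, 0, 0, 0,             /* reserved                           */
    0x00,                            /* bFirstInterfaceNumber              */
    0x01,                            /* reserved, must be 1                */
    'W','I','N','U','S','B', 0, 0,   /* compatibleID                       */
    0, 0, 0, 0, 0, 0, 0, 0,          /* subCompatibleID (unused)           */
    0, 0, 0, 0, 0, 0                 /* reserved                           */
};

/* Setup packet fields as they arrive on endpoint 0 (hypothetical struct). */
typedef struct {
    uint8_t  bmRequestType, bRequest;
    uint16_t wValue, wIndex, wLength;
} usb_setup_t;

/* Returns the number of bytes to send from *out, or -1 if the request is
 * not one of the two MS OS queries and belongs to another handler. */
int ms_os_desc_reply(const usb_setup_t *s, const uint8_t **out)
{
    size_t n;
    if (s->bmRequestType == 0x80 && s->bRequest == 0x06 && s->wValue == 0x03EE) {
        *out = os_string_desc;  n = sizeof os_string_desc;   /* string index 0xEE */
    } else if (s->bmRequestType == 0xC0 && s->bRequest == MS_VENDOR_CODE &&
               s->wIndex == 0x0004) {
        *out = compat_id_desc;  n = sizeof compat_id_desc;   /* vendor request    */
    } else {
        return -1;
    }
    /* Windows reads the 16-byte header first, then the whole descriptor. */
    return (int)(n < s->wLength ? n : s->wLength);
}
```
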


  • mm650 Member Posts: 2

    @Tim_Roberts said:

    > Are you aware that it's possible to create custom string descriptors that will cause Windows to automatically load WinUSB, with no driver package at all?

    Unfortunately the horse has left the barn, so to speak, so it's not possible to change the descriptors. Otherwise I agree that would be a preferable solution.

    > WinUSB is not a user-mode driver. Unless you use the Microsoft OS Descriptors, you need a PnP driver package, and that requires a Microsoft signature.

    Thanks for the clarification. I was unsure about that as the devs I'm working with keep saying we need to sign a user mode driver.

    > Because you have a PnP driver package (and not just a binary), you will need two packages.

    Once again, thanks for clarifying things. I think I know what we need to do.
