
Windows 11 and alternative driver installation method in libwdi

Xiaofan_Chen (Member, Posts: 223)

Ref: https://github.com/pbatard/libwdi/issues/155#issuecomment-918883668
It is mentioned by libwdi developer that "Microsoft is no longer trusting certificates that are installed in Trusted Publishers for the signing of driver packages" for Windows 11. Just want to know if this is really true or not.

Background: libwdi used to work up until latest version of Windows 10.

Quick explanation of how libwdi works by Tim Roberts
Ref: https://community.osr.com/discussion/271918/libwdi-and-windows-10

libwdi is an open source installer for USB drivers, designed specifically as a companion for the libusb generic USB library, which requires a kernel driver (either WinUSB or one of the alternatives that were created before WinUSB existed). They generate a new certificate for each run, then install that certificate in the "Trusted Certificate Store". By generating a new certificate each time, rather than using some common certificate, they are trying to maintain a semblance of security and accountability.
The scheme satisfies KMCS prior to Windows 8, and for the time being even works on Windows 10.

Comments

  • Xiaofan_Chen (Member, Posts: 223)

    Tim's assertion is that the method was not supposed to work under Windows 10 if Secure Boot is ON; however, that is not true. It works under Windows 10 even if Secure Boot is ON.

    Ref: https://community.osr.com/discussion/293016/alternative-driver-signing-method-for-windows-10-using-libwdi-without-ev-certificate

    This method, of course, requires that the end user trust you enough to add a certificate to their "trusted store". In addition, this will only work pre-Windows 10. If you have "secure boot" set with Windows 10, your driver binary must be signed by Microsoft.

  • Akeo (Member, Posts: 1)

    For what it's worth, this is an excerpt from setupapi.dev.log from trying to install a driver package on Windows 11 where the .cat signing certificate has been added to Trusted Publishers:

    +++  [Device Install (DiInstallDriver) - C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf]
    +++  Section start 2021/09/12 14:33:48.262
          cmd: "C:\Windows\System32\InfDefaultInstall.exe" "C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf"
         ndv: Flags: 0x00000000
         ndv: INF path: C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf
         dvs: {DrvSetupInstallDriver - C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf}
         dvs:      Flags: 0x00000000
         dvs:      {Driver Setup Import Driver Package: C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf} 14:33:48.262
         sto:           {Copy Driver Package: C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf} 14:33:48.262
         sto:                Driver Package = C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf
         sto:                Flags          = 0x00000007
         sto:                Destination    = C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}
         sto:                Copying driver package files to 'C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}'.
         flq:                {FILE_QUEUE_COMMIT} 14:33:48.278
         flq:                     Copying 'C:\Users\pete\usb_driver\amd64\WdfCoInstaller01011.dll' to 'C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\amd64\WdfCoInstaller01011.dll'.
         flq:                     Copying 'C:\Users\pete\usb_driver\amd64\WinUSBCoInstaller2.dll' to 'C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\amd64\WinUSBCoInstaller2.dll'.
         flq:                     Copying 'C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).cat' to 'C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\Yubikey_4_OTP+U2F+CCID_(Interface_2).cat'.
         flq:                     Copying 'C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf' to 'C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf'.
         flq:                {FILE_QUEUE_COMMIT - exit(0x00000000)} 14:33:48.293
         sto:           {Copy Driver Package: exit(0x00000000)} 14:33:48.293
         ump:           Import flags: 0x00000000
         pol:           {Driver package policy check} 14:33:48.293
         pol:           {Driver package policy check - exit(0x00000000)} 14:33:48.293
         sto:           {Stage Driver Package: C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf} 14:33:48.293
         inf:                {Query Configurability: C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf} 14:33:48.293
         inf:                     Driver package uses WDF.
         inf:                     Driver package 'Yubikey_4_OTP+U2F+CCID_(Interface_2).inf' is configurable.
         inf:                {Query Configurability: exit(0x00000000)} 14:33:48.309
         flq:                {FILE_QUEUE_COMMIT} 14:33:48.309
         flq:                     Copying 'C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\amd64\WdfCoInstaller01011.dll' to 'C:\Windows\System32\DriverStore\Temp\{3ca189b2-0f99-9d4e-989d-647ed50d0493}\amd64\WdfCoInstaller01011.dll'.
         flq:                     Copying 'C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\amd64\WinUSBCoInstaller2.dll' to 'C:\Windows\System32\DriverStore\Temp\{3ca189b2-0f99-9d4e-989d-647ed50d0493}\amd64\WinUSBCoInstaller2.dll'.
         flq:                     Copying 'C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\Yubikey_4_OTP+U2F+CCID_(Interface_2).cat' to 'C:\Windows\System32\DriverStore\Temp\{3ca189b2-0f99-9d4e-989d-647ed50d0493}\Yubikey_4_OTP+U2F+CCID_(Interface_2).cat'.
         flq:                     Copying 'C:\Users\pete\AppData\Local\Temp\{9262bb57-e7be-6848-8ecc-90aaff321777}\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf' to 'C:\Windows\System32\DriverStore\Temp\{3ca189b2-0f99-9d4e-989d-647ed50d0493}\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf'.
         flq:                {FILE_QUEUE_COMMIT - exit(0x00000000)} 14:33:48.356
         sto:                {DRIVERSTORE IMPORT VALIDATE} 14:33:48.356
         sig:                     Driver package catalog is valid.
         sig:                     {_VERIFY_FILE_SIGNATURE} 14:33:48.372
         sig:                          Key      = Yubikey_4_OTP+U2F+CCID_(Interface_2).inf
         sig:                          FilePath = C:\Windows\System32\DriverStore\Temp\{3ca189b2-0f99-9d4e-989d-647ed50d0493}\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf
         sig:                          Catalog  = C:\Windows\System32\DriverStore\Temp\{3ca189b2-0f99-9d4e-989d-647ed50d0493}\Yubikey_4_OTP+U2F+CCID_(Interface_2).cat
    !    sig:                          Verifying file against specific (valid) catalog failed.
    !    sig:                          Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
         sig:                     {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 14:33:48.372
         sig:                     {_VERIFY_FILE_SIGNATURE} 14:33:48.372
         sig:                          Key      = Yubikey_4_OTP+U2F+CCID_(Interface_2).inf
         sig:                          FilePath = C:\Windows\System32\DriverStore\Temp\{3ca189b2-0f99-9d4e-989d-647ed50d0493}\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf
         sig:                          Catalog  = C:\Windows\System32\DriverStore\Temp\{3ca189b2-0f99-9d4e-989d-647ed50d0493}\Yubikey_4_OTP+U2F+CCID_(Interface_2).cat
    !    sig:                          Verifying file against specific Authenticode(tm) catalog failed.
    !    sig:                          Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
         sig:                     {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 14:33:48.372
    !!!  sig:                     Driver package catalog file certificate does not belong to Trusted Root Certificates, and Code Integrity is enforced.
    !!!  sig:                     Driver package failed signature validation. Error = 0x800B0109
         sto:                {DRIVERSTORE IMPORT VALIDATE: exit(0x800b0109)} 14:33:48.372
    !!!  sig:                Driver package failed signature verification. Error = 0x800B0109
    !!!  sto:                Failed to import driver package into Driver Store. Error = 0x800B0109
         sto:           {Stage Driver Package: exit(0x800b0109)} 14:33:48.387
         dvs:      {Driver Setup Import Driver Package - exit (0x800b0109)} 14:33:48.387
    !!!  dvs:      Failed to import driver packages under 'C:\Users\pete\usb_driver\Yubikey_4_OTP+U2F+CCID_(Interface_2).inf'. Error = 0x800b0109
         dvs: {DrvSetupInstallDriver - exit(800b0109)}
    <<<  Section end 2021/09/12 14:33:48.419
    <<<  [Exit status: FAILURE(0x800b0109)]
    

    (NB: I had to replace the >>> at the beginning of the first two lines because it looks like OSR's markdown chokes on those in a code block).

    This is pretty much the same error you'd see on Windows 10 if the certificate that was used to sign the .cat was missing from Trusted Publishers, so it certainly looks like Windows 11 is no longer using a trust chain with certificates that users have access to, for driver package installation.

    Of course I validated that the relevant certificate was present in Trusted Publishers, and I also tried to copy it in virtually every other store, including Trusted Root, with no success.

    I suspect that one of driver isolation or device guard is being formally enforced on Windows 11, and that this is what is preventing the method, where you could just self sign a driver package and add the cert to Trusted Publishers, from working.

    And I also confirm that this method works just fine on a Windows 10 platform with Secure Boot enabled.

    Note that this method is not libwdi specific. You should easily be able to replicate these findings by generating self-signed credentials, signing a driver package with them, and installing the public cert into Trusted Publishers before trying to proceed to the driver installation.
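    As an added example (not code from the thread, from libwdi, or from OSR), the following script shows how an administrator can triage the kind of setupapi.dev.log excerpt posted above without reading it by hand: it splits the log into `>>> [...]` / `<<< [Exit status: ...]` sections (the `+++` spelling used in the post is accepted too), collects the `!` and `!!!` lines per section, pulls out every 0x-prefixed error code, and maps the codes to their Windows SDK names so that a chain that "terminated in a root certificate which is not trusted" (CERT_E_UNTRUSTEDROOT, 0x800B0109) is flagged explicitly. The sample log is constructed from a trimmed copy of the excerpt plus an invented successful section for contrast; the file paths in it are placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log: a shortened form of the thread's excerpt followed by an
# invented SUCCESS section so the parser has both outcomes to distinguish.
SAMPLE_LOG = "\n".join([
    r">>>  [Device Install (DiInstallDriver) - C:\Users\pete\usb_driver\Yubikey.inf]",
    r">>>  Section start 2021/09/12 14:33:48.262",
    r'      cmd: "C:\Windows\System32\InfDefaultInstall.exe" "C:\Users\pete\usb_driver\Yubikey.inf"',
    r"     sig:                     Driver package catalog is valid.",
    r"!    sig:                          Verifying file against specific (valid) catalog failed.",
    r"!    sig:                          Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.",
    r"!!!  sig:                     Driver package catalog file certificate does not belong to Trusted Root Certificates, and Code Integrity is enforced.",
    r"!!!  sig:                     Driver package failed signature validation. Error = 0x800B0109",
    r"!!!  sto:                Failed to import driver package into Driver Store. Error = 0x800B0109",
    r"<<<  Section end 2021/09/12 14:33:48.419",
    r"<<<  [Exit status: FAILURE(0x800b0109)]",
    r">>>  [Device Install (DiInstallDriver) - C:\Users\pete\other\Other.inf]",
    r">>>  Section start 2021/09/12 14:40:00.000",
    r"     sig:                     Driver package catalog is valid.",
    r"<<<  Section end 2021/09/12 14:40:01.000",
    r"<<<  [Exit status: SUCCESS]",
])

# Signature-related HRESULTs from the Windows SDK (winerror.h) most often seen in
# the 'sig:' lines of setupapi.dev.log.
HRESULT_NAMES: Dict[str, str] = {
    "0x800B0100": "TRUST_E_NOSIGNATURE",
    "0x800B0101": "CERT_E_EXPIRED",
    "0x800B0109": "CERT_E_UNTRUSTEDROOT",
    "0x800B010A": "CERT_E_CHAINING",
    "0x800B0110": "CERT_E_WRONG_USAGE",
}

# '>>>' is the real section-start marker; '+++' covers the substitution made in the post.
SECTION_START = re.compile(r"^(?:>>>|\+\+\+)\s+\[(?P<title>[^\]]+)\]")
SECTION_END = re.compile(r"^<<<\s+\[Exit status: (?P<status>\w+)(?:\((?P<code>0x[0-9a-fA-F]+)\))?\]")
MARKED_LINE = re.compile(r"^(?P<sev>!{1,3})\s+(?P<cat>\w+):\s+(?P<msg>.*)$")
ERROR_CODE = re.compile(r"0x[0-9a-fA-F]{8}")


def normalize_code(code: str) -> str:
    """Canonical form '0x' + upper-case hex digits, so lookups do not depend on log casing."""
    return "0x" + code[2:].upper()


@dataclass
class Section:
    title: str
    status: str = "UNKNOWN"
    exit_code: Optional[str] = None
    # (severity marker, category such as 'sig'/'sto', message)
    errors: List[Tuple[str, str, str]] = field(default_factory=list)
    codes: Set[str] = field(default_factory=set)


def parse_sections(text: str) -> List[Section]:
    """Split a setupapi.dev.log into sections and collect the flagged lines of each."""
    sections: List[Section] = []
    current: Optional[Section] = None
    for line in text.splitlines():
        start = SECTION_START.match(line)
        if start:
            current = Section(title=start.group("title"))
            sections.append(current)
            continue
        if current is None:
            continue  # lines before the first section header are ignored
        end = SECTION_END.match(line)
        if end:
            current.status = end.group("status")
            if end.group("code"):
                current.exit_code = normalize_code(end.group("code"))
            continue
        marked = MARKED_LINE.match(line)
        if marked:
            current.errors.append((marked.group("sev"), marked.group("cat"), marked.group("msg").strip()))
            for code in ERROR_CODE.findall(marked.group("msg")):
                current.codes.add(normalize_code(code))
    return sections


def summarize(section: Section) -> dict:
    """Reduce one section to the facts an operator needs: outcome, code, name, fatal lines."""
    code = section.exit_code or (sorted(section.codes)[0] if section.codes else None)
    return {
        "title": section.title,
        "status": section.status,
        "code": code,
        "name": HRESULT_NAMES.get(code, "unknown HRESULT") if code else None,
        "fatal_lines": [msg for sev, _, msg in section.errors if sev == "!!!"],
        # The thread's case: catalog signed by a cert that does not chain to a trusted root.
        "untrusted_root": code == "0x800B0109",
    }


def failed_installs(text: str) -> List[dict]:
    """Summaries of every section whose exit status is not SUCCESS."""
    return [summarize(s) for s in parse_sections(text) if s.status != "SUCCESS"]


if __name__ == "__main__":
    for result in failed_installs(SAMPLE_LOG):
        print(f"{result['title']}: {result['status']} {result['code']} ({result['name']})")
        for msg in result["fatal_lines"]:
            print("   !!!", msg)
```

    Run against a real `C:\Windows\INF\setupapi.dev.log` the same way (read the file, pass its text to `failed_installs`); a section that ends in FAILURE(0x800B0109) while the `sig:` lines still report "Driver package catalog is valid" is exactly the pattern in the post: the catalog is well formed and signed, but the chain does not end in a root the trust provider accepts.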
