
How to permanently disable driver signature enforcement during HLK testing?

Richard_M Member Posts: 45
edited June 10 in NTDEV

One problem I have encountered during HLK testing is that when I disable driver signature enforcement during HLK testing and set testsigning on (because obviously I have not yet received the Microsoft digital certificate to load and install drivers normally), after a reboot, which is required by some tests, the signature enforcement comes back on.

Note that I have disabled DSE by holding Shift during shutdown and pressing 7 during boot.

My questions are:

  1. Shouldn't I do the tests with a driver that is not signed? Because I think if I self-sign it, it might solve the problem, but wouldn't Microsoft just append its signature after my self-signed cert in that case? What is the official way of doing the tests?

  2. How is my test passing after reboot when my driver is not even loaded?! For example, the Hyper-V test seems to require a reboot even though it states it doesn't, and the funny thing is that after the reboot, even though my driver is not loaded anymore, I pass the tests! This doesn't even make any sense.

Comments

  • Mark_Roddy Member - All Emails Posts: 4,576
    via Email
    Use bcdedit to enable testsigning and install the test cert.
    Mark Roddy
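Those two steps, written out as an added PowerShell walk-through for this page (example code, not from Mark Roddy or the thread). It assumes an elevated prompt on the HLK client, the WDK tools (inf2cat.exe, signtool.exe) on PATH, an x64 Windows 10 target, and the hypothetical certificate subject "CN=Contoso HLK Test". The point that matters for the original question: a testsigning setting made with bcdedit persists across reboots, whereas the F7 "Disable driver signature enforcement" startup-menu option applies to that one boot only.

```powershell
# Added example (not from the thread): one-time test-signing setup for an HLK client.
# Run from an elevated PowerShell prompt with the WDK on PATH (inf2cat.exe, signtool.exe).
# Assumed names: the INF/SYS live in .\package and the driver targets x64 Windows 10.

# 1. Create a self-signed code-signing certificate (replaces the deprecated makecert.exe).
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Contoso HLK Test' `
    -CertStoreLocation 'Cert:\LocalMachine\My'   # hypothetical subject name
Export-Certificate -Cert $cert -FilePath "$env:TEMP\hlktest.cer" | Out-Null

# 2. Install it on the test client so the chain validates: Root makes it trusted,
#    TrustedPublisher suppresses the "Would you like to install this device software?" prompt.
certutil -addstore Root "$env:TEMP\hlktest.cer"
certutil -addstore TrustedPublisher "$env:TEMP\hlktest.cer"

# 3. Switch the boot configuration to test-signing mode. Unlike the F7 "Disable driver
#    signature enforcement" startup option, this setting survives reboots.
#    bcdedit refuses it while Secure Boot is on ("The value is protected by Secure Boot
#    policy"), so turn Secure Boot off in firmware first.
bcdedit /set testsigning on
bcdedit /enum '{current}' | Select-String testsigning   # expect "testsigning  Yes"

# 4. Build and sign the catalog. Only the .cat needs a signature for the driver to load;
#    the .sys can stay unsigned so the attestation submission carries no test signature.
Push-Location .\package
inf2cat /driver:. /os:10_X64
$catFile = (Get-ChildItem *.cat | Select-Object -First 1).FullName
signtool sign /v /fd sha256 /sha1 $cert.Thumbprint $catFile
signtool verify /v /pa $catFile    # /pa: default Authenticode policy, accepts the test chain
Pop-Location

# Reboot once for testsigning to take effect; the "Test Mode" desktop watermark confirms it.
```

The same certificate has to be installed on every client in the HLK pool, and the Root store entry should be removed again once the driver carries a real signature, since any binary signed with that key will load on that machine while it is trusted.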
  • Richard_M Member Posts: 45

    @Mark_Roddy said:
    Use bcdedit to enable testsigning and install the test cert.
    Mark Roddy

    But if I self-sign the driver and then create the package, wouldn't that cause Microsoft to append its signature after my self-signed cert? Because that's the case with attestation signing.

  • Tim_Roberts Member - All Emails Posts: 14,410

    If you sign your SYS file, then they will append their signature. However, they throw out your CAT file and create a brand new one, so it will only contain the Microsoft signature.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Richard_M Member Posts: 45
    edited June 10

    @Tim_Roberts said:
    If you sign your SYS file, then they will append their signature. However, they throw out your CAT file and create a brand new one, so it will only contain the Microsoft signature.

    So what should I do if I want the final driver (not the .cat) to be signed only by Microsoft and not have a self-signed cert? Signtool doesn't seem to have an option to remove a specific signature from the driver.

    Because it seems like I have two options right now:

    1. Self-sign the driver and do the HLK tests, but that causes the package to contain the self-signed driver, thus Microsoft appends its signature.

    2. Don't self-sign the driver and disable DSE during boot (testsigning is not enough in this case), but this causes the driver not to load when HLK reboots the machine, because disabling DSE requires holding Shift during reboot, etc.

  • Tim_Roberts Member - All Emails Posts: 14,410

    So what should I do if I want the final driver (not the .cat) to be signed only by Microsoft and not have a self-signed cert?

    Why would you go to the trouble? What do you gain?

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • brad_H Member Posts: 126

    @Tim_Roberts said:

    So what should I do if I want the final driver (not the .cat) to be signed only by Microsoft and not have a self-signed cert?

    Why would you go to the trouble? What do you gain?

    I think the OP doesn't want their production driver to have a self-signed digital certificate in it; also, I think having a self-signed digital certificate as the first certificate caused problems on some systems, didn't it?

    @Richard_M said:
    2. How is my test passing after reboot when my driver is not even loaded?! For example, the Hyper-V test seems to require a reboot even though it states it doesn't, and the funny thing is that after the reboot, even though my driver is not loaded anymore, I pass the tests! This doesn't even make any sense.

    This is really strange; surely if the driver is not loaded after the reboot the test should fail, but then again, nothing is certain with HLK. I also encounter so many random problems with it.

  • Richard_M Member Posts: 45

    @brad_H said:

    @Tim_Roberts said:

    So what should I do if I want the final driver (not the .cat) to be signed only by Microsoft and not have a self-signed cert?

    Why would you go to the trouble? What do you gain?

    I think the OP doesn't want their production driver to have a self-signed digital certificate in it; also, I think having a self-signed digital certificate as the first certificate caused problems on some systems, didn't it?

    That is correct; I want my final driver to only have a Microsoft signature. Having a self-signed signature before the Microsoft signature will probably cause problems, and there is no need for a self-signed signature to be present in there.

  • Mark_Roddy Member - All Emails Posts: 4,576
    via Email
    Well, as far as I know, you can test with one binary and submit a different binary; I don't think there is any verification or attempt to exclude you from doing that. But also, again as far as I know, WHQL only signs the cat file, and it creates its own cat file.

    Before the Big Clamp Down, release signing the binaries was a typical approach. Easy to do, easy to test, easy to submit. Now you need attestation signing. So do that and stop worrying about it.

    Mark Roddy
  • Tim_Roberts Member - All Emails Posts: 14,410

    You don't have to sign the .SYS file for your testing. All you have to sign is the CAT, and Microsoft replaces that.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Jason_T. Member Posts: 98

    Because it seems like I have two options right now:

    1. Self-sign the driver and do the HLK tests, but that causes the package to contain the self-signed driver, thus Microsoft appends its signature.

    2. Don't self-sign the driver and disable DSE during boot (testsigning is not enough in this case), but this causes the driver not to load when HLK reboots the machine, because disabling DSE requires holding Shift during reboot, etc.

    A third option is what I do. Use the MSFT portal to attestation sign the driver. Put that on your HLK machine without any need to disable signature checks nor install a test cert. When you are done, roll up that same signed driver in the HLK package and send it to MSFT again. When it comes back it (the .sys) has their sig and my real sig (i.e. not a test sig) and we're done. Because a .cat is not a PE file it can only hold one signature so it is limited to the MSFT one no matter what you do. But I like additionally having my sig on the driver itself.
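The thread turns on which signatures end up on the .sys versus the .cat after a submission comes back, so here is an added PowerShell check for exactly that (example code written for this page, not from Jason_T. or the thread). It assumes signtool.exe from the WDK is on PATH, the returned package has been unpacked into .\signed, and uses placeholder file names. The .sys is a PE file and can carry nested signatures (what signtool sign /as appends); the .cat is a PKCS#7 SignedData blob, so the check below verifies it on its own and then verifies the binary through it.

```powershell
# Added example (not from the thread): inspect a driver package after it comes back
# from the Partner Center, to see which signatures the .sys and .cat actually carry.
# Assumes signtool.exe from the WDK is on PATH and the package is unpacked in .\signed;
# the file names are placeholders.
$sys = (Get-ChildItem .\signed\*.sys | Select-Object -First 1).FullName
$cat = (Get-ChildItem .\signed\*.cat | Select-Object -First 1).FullName

# /kp applies the kernel-mode driver signing policy (what the loader enforces with
# testsigning off); /all walks every nested signature, not just the primary one.
# On an attestation-signed .sys expect a Microsoft-issued signer in the output
# (the Microsoft Windows Hardware Compatibility Publisher certificate), followed by
# your own publisher certificate if you signed the binary yourself before submitting.
signtool verify /v /kp /all $sys

# The catalog holds a single signature: verify it, then verify the .sys through it (/c)
# so the hash recorded in the catalog is checked against the binary you intend to ship.
# A .sys swapped after the catalog was built fails this second check.
signtool verify /v /kp $cat
signtool verify /v /kp /c $cat $sys

# Quick PowerShell view of the primary signer and its issuer on the binary.
# Get-AuthenticodeSignature reports only the primary signature, which is why the
# signtool /all pass above is the one to trust for nested signatures.
Get-AuthenticodeSignature $sys |
    Select-Object Status,
                  @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } },
                  @{ n = 'Issuer'; e = { $_.SignerCertificate.Issuer } }
```

Run this on a machine with testsigning off: /kp then reports exactly what a customer's kernel will accept, which is the condition the HLK client never exercised while it was in test mode.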

  • Jason_T. Member Posts: 98

    @Mark_Roddy said:
    Well, as far as I know, you can test with one binary and submit a different binary; I don't think there is any verification or attempt to exclude you from doing that. But also, again as far as I know, WHQL only signs the cat file, and it creates its own cat file.

    I've never tried this, but that would be shocking. To the point of making the entire HLK process pointless. If you could just run all the tests with a dummy passthrough driver and then submit your completely different driver, then what exactly are we certifying? Surely the process can't have that big of a hole?

  • PascalQuesseveur Member Posts: 6

    I can only speak for the case of a non-pnp driver, but from my experience you can request an attestation signature then add your signature to the .sys file after that of MS. It works for Windows 10 and 7.

  • MBond2 Member Posts: 496

    I don't think that many will disagree that the various testing and signing processes put in place by Microsoft over the years are useless. But consider that their purpose is something a bit different from what you imagine. They artificially increase the barrier to producing a driver, which means that anyone who does so has something to lose, and they establish a legal basis for culpability if your product is constructed in an unethical way. The same is true of all engineering and technical standards processes. Various government and regulatory bodies are tasked with ensuring the safety etc. of things that they can't possibly evaluate themselves, so they turn the regulations around and make it a professional and ethical obligation on the part of the practitioners who can.

  • PascalQuesseveur Member Posts: 6

    @Mark_Roddy said:
    Well, as far as I know, you can test with one binary and submit a different binary; I don't think there is any verification or attempt to exclude you from doing that. But also, again as far as I know, WHQL only signs the cat file, and it creates its own cat file.

    Is it actually possible with the HLK? If so, by replacing the driver on the test client after passing the tests and before building the package?
