Certifying a Windows kernel driver

shmulikb Member Posts: 5

Hi all!
I'm trying to figure out how to certify a Windows kernel driver, software only (no hardware device involved).
Microsoft's documentation has various documents, some of which are out-of-date, and some seem to contradict other information.
For a start, I'm trying to understand the requirements: Do I have to test with the HLK to certify/sign a software-only driver? If yes, do I need a client machine for each Windows major version? Or for each minor version? Or some other matrix of machines?

Thanks!

Comments

  • Mark_Roddy Member - All Emails Posts: 4,708

    Unless there is some compelling reason to not just use attestation signing, that is the way to go. No HLK tests required.
    If instead you just have to get a WHQL signature, then if you intend to support legacy versions of Windows like Win8, you need to test using the HCK and the HLK and combine them in one submission. Otherwise you can test using the latest HLK and the latest client (or server) and just check all the available versions in the submission.

  • shmulikb Member Posts: 5

    Thank you @Mark_Roddy ! Very helpful!
    Question is, do I need to get a WHQL signature if I have no hardware involved? Or do I have to test with HLK? Assuming no legacy support is needed, only win10+ and win server 2016+, from your answer I understand that (for software only kernel driver) attestation signing should be enough, but according to the statement on https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/code-signing-reqs :
    "Windows Server 2016 and greater will not accept attested device and filter driver signing submissions.
    The dashboard will only sign device and filter drivers that have successfully passed the HLK tests.
    Windows Server 2016 and greater will only load dashboard signed drivers that have successfully passed the HLK tests."

    Also, from https://learn.microsoft.com/en-us/security/trusted-root/program-requirements#f-windows-10-kernel-mode-code-signing-kmcs-requirements :
    "Windows 10 has heightened requirements to validate kernel-mode drivers. Drivers must be signed by both Microsoft and a Program partner using Extended Validation requirements. All developers who wish to have their kernel-mode drivers included in Windows must follow the procedures outlined by the Microsoft Hardware Development Team. For more information, see the Partner Center for Windows Hardware"

    Since I am talking about a kernel-mode driver that is aimed to be published to users, both Windows 10 and Windows Server, I am unclear per Microsoft's text above if that is possible without HLK/with attestation signing... If you know, please clarify. And thanks again!

  • shmulikb Member Posts: 5

    Thank you @Mark_Roddy, but according to https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/code-signing-reqs :

    • "Attestation signing only works on Windows 10 Desktop and later versions of Windows. An attestation signed driver won't work for other versions of Windows, such as Windows Server 2016, Windows 8, or Windows 7."
    • "If you wish to publish your driver to retail audiences, you must submit your driver through the Windows Hardware Compatibility Program (WHCP)."
    • "Windows Server 2016 and greater will not accept attested device and filter driver signing submissions.
      The dashboard will only sign device and filter drivers that have successfully passed the HLK tests.
      Windows Server 2016 and greater will only load dashboard signed drivers that have successfully passed the HLK tests."
      Also, according to https://learn.microsoft.com/en-us/windows-hardware/drivers/install/kernel-mode-code-signing-policy--windows-vista-and-later- :
      "Starting with Windows 10, version 1607, Windows will not load any new kernel-mode drivers which are not signed by the Dev Portal. To get your driver signed, first Register for the Windows Hardware Dev Center program."

    Since we want to have customers use the driver also on Windows Server 2016 potentially, to my understanding (which may be wrong) from the above, attestation signing will not be an option for us, correct? Any way we can go around HLK testing (again, software-only driver, no hardware involved)?
    Also, do you/anybody happen to know, in case we do need to test with HLK, what are the criteria according to which it is decided how many dedicated physical client/target machines we need to test on? Is it per major Windows version? Minor version? Something else?

    Thanks again and have a wonderful weekend!

  • Tim_Roberts Member - All Emails Posts: 14,716
    edited November 3

    Microsoft threatened to have Windows 2016 ignore attestation signing, but last I heard they never implemented it.

    Also remember that the "Dev Portal" in that last bullet point includes attestation signing.

    Test for the oldest version you need -- one server, one client.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • shmulikb Member Posts: 5

    Thank you Tim!
