libwdi and Windows 10

I tried to use the libwdi-based Zadig to install a driver package (based on WinUSB,
the libusb-win32 kernel driver or the libusbK kernel driver) and it seems to work fine.

https://github.com/pbatard/libwdi/wiki/FAQ#What_are_these_USBVID_PID_MI__Autogenerated_certificates_that_libwdi_installs_in_the_Trusted_certificate_stores

libwdi uses the above approach; will it continue to work for Windows
10 in the future?

It may sound similar to test signing, but it does not seem to require
enabling test signing on the machine.

We are discussing this in the libusb mailing list and the author of
libwdi thinks that it should still work fine.
Ref: http://libusb.6.n5.nabble.com/libusb-libusb-under-Windows-10-tp5715304p5715316.html


Xiaofan

Mr Chen…

I can’t make out what they’re doing from either of those links. What’s signed and by whom? Who’s signing the package and who’s signing the .sys file?

Sorry if that’s incredibly stupid, but I’m confused.

Peter
OSR
@OSRDrivers

xxxxx@osr.com wrote:

> I can’t make out what they’re doing from either of those links. What’s signed and by whom? Who’s signing the package and who’s signing the .sys file?

libwdi is an open source installer for USB drivers, designed
specifically as a companion for the libusb generic USB library, which
requires a kernel driver (either WinUSB or one of the alternatives that
were created before WinUSB existed). They generate a new certificate
for each run, then install that certificate in the “Trusted Certificate
Store”. By generating a new certificate each time, rather than using
some common certificate, they are trying to maintain a semblance of
security and accountability.

The scheme satisfies KMCS prior to Windows 8, and for the time being
even works on Windows 10. This is yet another data point that
contradicts the “attestation required” assertion, because these test
certificates are, of course, being generated after the magic August 1
date. The evidence strongly suggests that the attestation requirement
has not yet been enabled, and is waiting for some magic date to crush us
all.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
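
An added example, not part of the thread and not libwdi's own code: a read-only PowerShell audit that lists the per-run certificates described above if they are present in the machine trust stores. The subject pattern (`USB\VID_…&PID_…` plus the word "autogenerated", taken from the FAQ link's title) and the choice of the `Root` and `TrustedPublisher` stores are assumptions.

```powershell
# Read-only audit: nothing is removed or changed.
# Assumption: the two machine stores below are the "Trusted" stores in question.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\TrustedPublisher'

# Assumption: the certificate subject names the USB device and carries the
# word "autogenerated". -match is case-insensitive by default.
$subjectPattern = 'USB\\VID_[0-9A-F]{4}&PID_[0-9A-F]{4}.*autogenerated'

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -match $subjectPattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                # A per-run certificate has no issuing CA, so Subject equals Issuer.
                SelfSigned = ($_.Subject -eq $_.Issuer)
                Thumbprint = $_.Thumbprint
                NotBefore  = $_.NotBefore
                NotAfter   = $_.NotAfter
            }
        }
}

if (-not $findings) {
    Write-Output 'No matching autogenerated certificates found.'
}
else {
    $findings | Sort-Object Subject, Store | Format-Table -AutoSize

    # A thumbprint present in both stores is trusted both as a root and as a
    # publisher, so report those entries separately for review.
    $findings | Group-Object Thumbprint |
        Where-Object { @($_.Group.Store | Select-Object -Unique).Count -eq 2 } |
        ForEach-Object {
            "In both Root and TrustedPublisher: $($_.Group[0].Subject) [$($_.Name)]"
        }
}
```

Run it from an elevated or normal prompt; reading the `LocalMachine` stores does not require administrator rights.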

On Tue, Nov 24, 2015 at 12:49 PM, Tim Roberts wrote:

> The evidence strongly suggests that the attestation requirement
> has not yet been enabled, and is waiting for some magic date to crush us
> all.
>

Meanwhile, how many EV certs at ~500 got sold because of this? I’m sure
Symantec, GoDaddy et al. are quite happy with the situation.

Mark Roddy