> Non-PNP drivers don’t have .cat files, therefore can’t have WHQL signatures.
It depends on what you mean by “having a WHQL signature.” If you mean having a WHQL-signed catalog file, then, yes, that is true. However, it could still have a WHQL signature embedded in the binary. (The information at the bottom of https://msdn.microsoft.com/en-us/windows/hardware/drivers/install/whql-release-signature is dated.) We have had success with this by including a dummy INF in our HLKX package for non-PnP drivers, much as we have to do for signing similar drivers using attestation.
The details for the MS signature that is embedded reveal the following key usage:
Code Signing (1.3.6.1.5.5.7.3.3)
Windows Hardware Driver Verification (1.3.6.1.4.1.311.10.3.5)
Windows Hardware Driver Extended Verification (1.3.6.1.4.1.311.10.3.39)
The details for an attested MS signature are as follows:
Code Signing (1.3.6.1.5.5.7.3.3)
Windows Hardware Driver Verification (1.3.6.1.4.1.311.10.3.5)
Windows Hardware Driver Attested Verification (1.3.6.1.4.1.311.10.3.5.1)
So, it’s possible that the OS could discriminate based on the WHQL-ness of even non-PnP drivers. What do you lose by not having the catalog file? All of the OS version compatibility information that’s in the meta-data, for one.
Also note that in the particular case of Boot Start drivers (of the PNP or non-PNP variety), none of the new Windows 10 driver signing stuff is currently enforced. This will change in the future. (https://blogs.msdn.microsoft.com/windows_hardware_certification/2016/07/26/driver-signing-changes-in-windows-10-version-1607/)
We’ve found that some of the things we thought were hard and fast rules (e.g. attestation-
signed drivers refusing to load on anything prior to Windows 10) simply weren’t true, at least
for our drivers, as they load without issue on 8.1 after being signed by the portal.
Now *that* only applies to drivers with an INF and CAT. The catalog file contains the OS compatibility information, so anything that’s only signed for Windows 10 will be blocked at PNP install time on older OSes. The embedded signature in a driver binary has no such information, however, so installing it (with SCM or cramming some keys in the registry or whatever) works fine.
Actually, “blocked” is too strong a term. On Windows 7 you first get the red dialog saying that the publisher cannot be verified. If you choose to cancel, you get the “Windows encountered a problem installing the driver software for your device” dialog with the explanation “The software was tested for compliance with Windows Logo requirements on a different version of Windows, and may not be compatible with this version.” However, you can choose to proceed with the install, and the driver will work fine save for the device properties showing “Not digitally signed.” On Windows 8.1 you only get the latter dialog, and no way to force an install of the driver.
That does make me wonder, though: What are the technical benefits of WHQL signing for anything other than the oldest OS your driver supports? If you don’t care about the logo or any of the other business benefits, is there any reason to go through the pain of HCK/HLK tests on every single supported OS?