How to write a driver to prepare for device guard(memory integrity)?

Yes, My driver is signed.
Windbg is not connected, but debug mode is on.

I found a discussion with something similar to me.
https://community.osr.com/discussion/291104/asking-for-hints-to-get-some-kernel-output

Yes, My driver is signed.

HOW did you sign it? You ATTESTATION signed it via the Microsoft Dashboard, right? Not just “I signed it with my own certificate?”

I found a discussion with something similar to me.

Well, no? Mr. Leggieri’s problem was that he wasn’t using the /INTEGRITYCHECK switch. But you are.

Peter

Device guard is not the same as using the /INTEGRITYCHECK switch. To use the linker switch you need to follow the 64 bit signing requirement. This signing requirement is also required for 32 bit drivers that use this switch. ATTESTATION signing is not required.

Bill Wandel

ATTESTATION signing is not required

ATTESTATION signing is indeed required for the OP to load the driver on Windows 10, if the system has Secure Boot enabled… right? No knowing what the OP’s system has setup, right?

Peter

Peter_Viscarola_(OSR) wrote:

> ATTESTATION signing is not required
ATTESTATION signing is indeed required for the OP to load the driver on Windows 10, if the system has Secure Boot enabled… right? No knowing what the OP’s system has setup, right?

This is actually a very important point on which I’m not 100% clear.  Is
the attestation signing check done at INSTALL time, or is it done at
LOAD time?  If that check is done at LOAD time, then you’re absolutely
correct.  But if it is done at INSTALL time, as was my possibly mistaken
impression, then filter drivers would not require attestation – only
cross-signing.

OP: Let’s eliminate standard driver signing as your issue. Please hook up and active the debugger and try to load your driver.

If it works, its a conventional signing issue. If it doesn’t work, something else is wrong, but be sure, please, 50thst the debugger is actually attached and active.

Peter

HOW did you sign it? You ATTESTATION signed it via the Microsoft Dashboard, right? Not just “I signed it with my own certificate?”

Yes, I signed itvia the Microsoft Dashboard.

Well, no? Mr. Leggieri’s problem was that he wasn’t using the /INTEGRITYCHECK switch. But you are.

Oh! You are right! This is the opposite of my case.

In my case, I removed the /INTEGRITYCHECK switch and the driver I built was successfully loaded.
(However, I did not confirmed that the PsSetCreateProcessNotifyRoutineEx API was called successfully.)

If you don’t link with /INTEGRITYCHECK PsSetCreateNotifyRoutineEx will return ACCESS_DENIED.

Bill Wandel

Interesting question. I might be able to test later this week if I can load a file mini-filter on secure boot without it being attestation signed. All our drivers get attestation signed so this situation never comes up.

Bill Wandel

Agreed but Secure Boot and the integrity setting are not related to each other. Secure Boot requires attestation signing where just setting /INTEGRITY does not.

Bill Wandel

Secure Boot requires attestation signing where just setting /INTEGRITY does not.

Agreed. But the OP can’t load his driver…

In my case, I removed the /INTEGRITYCHECK switch and the driver I built was successfully loaded.

Soooo… It’s been signed, it’s even been atteststion signed. It loads without /INTEGEITYCHECK but not with it.

I have no clue. Seriously. That’s very puzzling.

Peter

I’m sorry. I do not know the terms. Does the term OP refer to me in context? :frowning:
I will understand that.

Let’s eliminate standard driver signing as your issue. Please hook up and active the debugger and try to load your driver.

Does it mean to try to debug the kernel with windbg without any signatures and see if it loads?

If you don’t link with /INTEGRITYCHECK PsSetCreateNotifyRoutineEx will return ACCESS_DENIED.

I think so.

Does the term OP refer to me

Sorry! Yes… “Original Poster” Google is your friend: Abbreviation OP

Does it mean to try to debug the kernel …

Yes. Enable debugging, hookup WinDbg and make sure it’s actively connected… and then load your driver. Signature enforcement is disabled when you have a debugger actively attached.

I’m trying to determine if you’re getting an ordinary signature enforcement problem, or something else.

Peter

I wrote a Dummy Driver (with only DriverEntry and unload functions).
One to build with / INTEGRITYCHECK and the other to build without / INTEGRITYCHECK.
So I tried to load it with osrloader.exe.

  1. Failing to load any unsigned driver with a message that both signs are wrong
  2. When loading after double signing (not ms sign, not EV) with sha1, sha2, the driver built with / INTEGRITYCHECK failed to load and the driver built without / INTEGRITY succeeded.

Does this mean / INTEGRITYCHECK has an impact on the driver’s load?

MS Blog site links are all broken.
So I reattach the link below.
For reference, the link below shows that the driver built with VS2005 and WDK 6000 should be compatible. If not, should this be confirmed by MS?

FYI.
What about existing drivers? Do I need to re-build these drivers to get them to work with Windows 10?

It depends. Many drivers are already compatible. If you are using the WDK and Visual Studio, the INIT section is marked as RWX. In Windows 10, however, it will automatically be stripped, so if this is the only issue, then the driver will be compatible.

https://docs.microsoft.com/en-us/windows-hardware/test/hlk/testref/driver-compatibility-with-device-guard

The result is the same with a SHA2 (EV) signed driver.
Error is 87(0x57) The parameter is Incorrect.

/INTEGRITYCHECK has to have an impact on driver loading. That is its purpose. I don’t know which cert it checks but it looks like it checks the MS cross cert.
All our drivers are signed with the MS cross cert. Our release drivers are also portal signed. They load on all OSes including those with secure boot enabled.

Bill Wandel

We found the cause. The problem was in code signing.
Signing with signtool.exe was successful when I used the / nph option without using the / ph option.
See the link below for more details.

https://support.microsoft.com/en-us/help/3194715/bugcheck-0x7e-occurs-in-windows-10-when-device-guard-is-active

In addition, we had a project that used RtlVer.lib and we could not load it, but we did not use RtlVer.lib so we did not have any problems.

1 Like

Thank you for co I g back to update us on the ultimate resolution of issue. That’s something that’s always much appreciated.

Peter