Testing usb filter driver using Windows HLK

Good afternoon!
I am currently developing a usb driver for filtering connected devices.
One of the steps to include it in software is to sign the Microsoft driver. As far as I understand, it is necessary to pass a list of HLK tests. How to find out which list of tests you need to pass in order to narrow down the number of tests, since they take a lot of time?

The HLK will automatically choose the tests for you.

BUT… You can Attestation Sign your driver for Windows 10 … without having to run or pass the HLKs. And, as of today, you can cross-sign your drivers to load on Win 7, 8 and 8.1 … again, without having to run or pass the HLKs.

Peter

@“Peter_Viscarola_(OSR)” said:
The HLK will automatically choose the tests for you.

BUT… You can Attestation Sign your driver for Windows 10 … without having to run or pass the HLKs. And, as of today, you can cross-sign your drivers to load on Win 7, 8 and 8.1 … again, without having to run or pass the HLKs.

Peter

How can HLK choose tests automatically? Now I have to put ticks by myself.

I tried to submit driver (.hlkx file) but I got an error message when I upload it to Microsoft Dev Center (https://partner.microsoft.com/ru-ru/dashboard/hardware/driver/New)
Error message: " The file you selected is not a valid format for submission. Verify your selection and, if needed, recreate your submission package and try again."

How can HLK choose tests automatically?

HLK usually uses the INF file to do this. If you are filtering every kind of USB device, then it’s not clear to me how you would use HLK. As I’ve said before, HLK tests devices, not drivers. If you are a filter above the hub, I suppose you could aim HLK at your host controller.

" The file you selected is not a valid format for submission…"

Well, what kind of file did you submit? You need to submit a signed cabinet file, with your driver package in a subdirectory, as described in the documentation.

@ksupall … or don’t run the HLKs at all. And sign your driver by doing what I suggested earlier.

Peter

@“Peter_Viscarola_(OSR)” said:
@ksupall … or don’t run the HLKs at all. And sign your driver by doing what I suggested earlier.

Peter

Sorry, but I misunderstand something… Let me please describe you my situation:
I have to sign my driver that filters usb devices (all devices).
I have directory, where I have .cer, .pdb, .sys and .inf files for this driver. In this directory I mentioned I also have another directory which contains .cat, .sys, .cer and .inf files. (I guess they are the same as in previous direcotory) So I adjusted Testing System and Testing Server (HLK Controller and HLK Client). So I would like to know particular steps that I have to do. So how can I use INF file? What tests should I run? Do I have to install my driver to the Client?

@Tim_Roberts said:

How can HLK choose tests automatically?

HLK usually uses the INF file to do this. If you are filtering every kind of USB device, then it’s not clear to me how you would use HLK. As I’ve said before, HLK tests devices, not drivers. If you are a filter above the hub, I suppose you could aim HLK at your host controller.

Well, what kind of file did you submit? You need to submit a signed cabinet file, with your driver package in a subdirectory, as described in the documentation.

Could you please give me a link to the documentation, I used only windows documentation to adjust HLK Client and HLK Controller. You can see my comment higher, so maybe you can help me to realize how to do this.

Have you tried to submit for an attestation signature?

@Tim_Roberts said:
Have you tried to submit for an attestation signature?

Do you mean Ev certificate?
I have GlobalSign one ev-certificate, but I have no ideas how to use it.

No. Let’s go over it all again. There are THREE mechanisms for getting a driver package signed.

  1. Sign the package with your own certificate and a Microsoft cross-certificate.

  2. Do full WHQL testing and submit your package through the dashboard.

  3. Submit your package for attestation signing through the dashboard.

Option 2 has worked forever, and continues to work today.

Option 1 was the traditional mechanism for releasing drivers. This method does not require an EV certificate, but does require you to use a CA for which a Microsoft cross-certificate is available. This method continues to work in Windows 10, but only if the system does not have “Secure Boot” enabled in the BIOS. Option 1 is the one Microsoft intends to disable in July.

Option 3 is new with Windows 10. You submit the driver package through the same dashboard you use for WHQL, but on a different page. No WHQL testing is required, but you do “attest” to the fact (cross your heart and hope to die) that you have done enough testing to ensure the driver isn’t schlock. The driver package and binaries you get back are signed by Microsoft, but the CAT file is only valid on Windows 10.

Options 2 and 3 require you to have a Microsoft Hardware Dashboard account. Establishing such an account requires an EV certificate, and the cabinet files you submit must be signed with a certificate registered with that account.

I have directory, where I have .cer, .pdb, .sys and .inf files for this driver. In this directory I mentioned I also have another directory which contains .cat, .sys, .cer and .inf files.

Note that “the driver package” consist of the .inf, the .sys, and the .cat. The others are just build by-products.

(I guess they are the same as in previous direcotory)

You guess??? You damned well better be sure. If you’re not sure where the files in your build tree are coming from, then you need to find out.

Do I have to install my driver to the Client?

Yes. How else can it test the devices?

@Tim_Roberts said:
Option 1 is the one Microsoft intends to disable in July.

Thank you so much! Now it’s more clear! Tell me please, can I use Option 1 now? I mean Microsoft intends to disable it in July new year? Or has already disabled?

It still works for now, but they have announced plans to kill that option in July 2021.

It’s a good option for internal use, but it’s not practical for public distribution because the user had to disable “Secure Boot”, and corporate IT departments don’t allow that.

@“Peter_Viscarola_(OSR)” said:
The HLK will automatically choose the tests for you.

BUT… You can Attestation Sign your driver for Windows 10 … without having to run or pass the HLKs. And, as of today, you can cross-sign your drivers to load on Win 7, 8 and 8.1 … again, without having to run or pass the HLKs.

So I decided to pass HLK tests, so how should I use my .inf file to make HLK tests be chosen automatically?

  1. First use inf2cat to generate the .cat file, and then use the EV certificate to sign the .cat and .sys;
  2. then use Testing Server (HLK Controller and HLK Client), HLK test, loader CompatPlaylist.xml, HLK will automatically choose the tests for you.
  3. after all the test case is ok, then package the usb driver, last create package,generate .hlkx file.
    (Need to use ev certificate signature in this process)
  4. upload the .hlkx file to microsoft dashboard to whql test, if it’s ok, will generate Microsoft signed driver file.