
Alternative driver signing method for Windows 10 using libwdi without EV certificate

Xiaofan_Chen Member Posts: 223

You may have an existing driver which is already signed, but then you may need to add some variants (e.g. adding a VID/PID combination to an existing driver package), which will break the existing signature of the driver package.

There is a way to install this new driver package without getting a new EV signing certificate.

Ref: libwdi wiki:
https://github.com/pbatard/libwdi/wiki/FAQ#What_are_these_USBVID_PID_MI__Autogenerated_certificates_that_libwdi_installs_in_the_Trusted_certificate_stores

The method is actually generic and not limited to USB drivers. You should be able to sign the driver package by using the same method and then create an installer.

You can use dpscat (which uses libwdi) from the libusbK project to make things a bit easier. You can use it to sign the driver package and then use dpinst/dpinst64 to install the driver package; you can also create a driver installer.

dpscat:
https://github.com/mcuee/libusbk/tree/master/libusbK/src/dpscat

Comments

  • Xiaofan_Chen Member Posts: 223

    Past discussions:
    https://community.osr.com/discussion/271918/libwdi-and-windows-10

    I believe there is a limitation that the kernel driver (.sys file) itself has to be signed and timestamped.

  • Xiaofan_Chen Member Posts: 223

    This method may be useful for those niche driver packages and niche use cases.

  • Tim_Roberts Member Posts: 14,094

    This method, of course, requires that the end user trust you enough to add a certificate to their "trusted store". In addition, this will only work pre-Windows 10. If you have "secure boot" set with Windows 10, your driver binary must be signed by Microsoft.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Xiaofan_Chen Member Posts: 223

    Yes, of course the end user needs to trust the driver package provider.

    The precondition is that the driver binary (.sys) file was signed prior to Windows 10 (for non-Microsoft drivers) and carries a valid timestamp; it need not be signed by Microsoft, but it must have been signed with a code signing certificate that was valid at the time of the timestamp. For example, libusb0.sys version 1.2.6.0 was signed in Jan 2012 with a GlobalSign (SHA1) code signing certificate. libusbk.sys version 3.0.7.0 was signed in April 2014 with a DigiCert EV (SHA1) code signing certificate. WinUSB.sys itself is signed by Microsoft. You can use any other driver which meets this requirement.

    With this precondition, the driver package (sys, inf, cat, etc) does work under Windows 10, with secure boot on.
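An added example (not from this thread, libwdi or libusbK) that checks the precondition discussed above, i.e. that every .sys in a package is already Authenticode-signed and timestamped, and audits which self-signed certificates a machine holds in both the Root and TrustedPublisher stores, the pairing an autogenerated driver-signing certificate needs to be trusted. The package path is assumed; the cmdlets are built-in.

```powershell
# Report, for each .sys under $PackagePath, whether it carries a valid Authenticode
# signature and a timestamp countersignature. The timestamp is what keeps the old
# signature valid after the signing certificate itself has expired.
function Test-DriverBinarySignature {
    param([Parameter(Mandatory)][string]$PackagePath)   # assumed: your package dir

    Get-ChildItem -Path $PackagePath -Filter *.sys -Recurse | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $timestamped = $null -ne $sig.TimeStamperCertificate
        # Status is 'Valid' only if the chain is trusted on the machine running this
        # check; an untrusted or revoked chain shows up as a different status value.
        [pscustomobject]@{
            File              = $_.Name
            Status            = $sig.Status
            Signer            = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            SignerExpiry      = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
            Timestamped       = $timestamped
            Timestamper       = if ($timestamped) { $sig.TimeStamperCertificate.Subject } else { $null }
            MeetsPrecondition = ($sig.Status -eq 'Valid') -and $timestamped
        }
    }
}

# Audit: self-signed certificates present in BOTH LocalMachine\Root and
# LocalMachine\TrustedPublisher. A per-install generated signing certificate has to
# be in both stores to sign a catalog the machine accepts, so reviewing this list
# shows which such certificates a host currently trusts.
function Get-SelfSignedTrustedPublisherRoots {
    $roots      = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $_.Issuer }
    $publishers = Get-ChildItem Cert:\LocalMachine\TrustedPublisher
    foreach ($r in $roots) {
        if ($publishers.Thumbprint -contains $r.Thumbprint) {
            [pscustomobject]@{
                Subject    = $r.Subject
                Thumbprint = $r.Thumbprint
                NotAfter   = $r.NotAfter
            }
        }
    }
}

# Usage (paths are placeholders):
# Test-DriverBinarySignature -PackagePath 'C:\path\to\driver-package' | Format-Table
# Get-SelfSignedTrustedPublisherRoots | Format-Table
```

Run the audit with an elevated prompt if you want the same view the installer had of the machine stores.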

  • Xiaofan_Chen Member Posts: 223

    I have tested this method along the way since 2015 to now across different versions of Windows 10, with secure boot on.

  • Xiaofan_Chen Member Posts: 223

    https://community.osr.com/discussion/271918/libwdi-and-windows-10

    From Tim in Nov 2015:

    > libwdi is an open source installer for USB drivers, designed specifically as a companion for the libusb generic USB library, which requires a kernel driver (either WinUSB or one of the alternatives that were created before WinUSB existed). They generate a new certificate for each run, then install that certificate in the "Trusted Certificate Store". By generating a new certificate each time, rather than using some common certificate, they are trying to maintain a semblance of security and accountability.
    >
    > The scheme satisfies KMCS prior to Windows 8, and for the time being even works on Windows 10. This is yet another data point that contradicts the "attestation required" assertion, because these test certificates are, of course, being generated after the magic August 1 date. The evidence strongly suggests that the attestation requirement has not yet been enabled, and is waiting for some magic date to crush us all.
