Hi all!
I’m trying to figure out how to certify a Windows kernel driver, software only (no hardware device involved).
Microsoft’s documentation has various documents, some of which are out-of-date, and some seem to contradict other information.
For a start, I’m trying to understand requirements: Do I have to test with the HLK to certify/sign a software-only driver? If yes, do I need a client machine per each Windows major version? Or for each minor version? Or some other matrix of machines?
Thanks!
Unless there is some compelling reason to not just use attestation signing, that is the way to go. No HLK tests required.
If instead you just have to get a WHQL signature, then if you intend to support legacy versions of windows like win8, you need to test using the HCK and the HLK and combine them in one submission. Otherwise you can test using the latest HLK and the latest client (or server) and just check all the available versions in the submission.
Thank you @Mark_Roddy ! Very helpful!
Question is, do I need to get a WHQL signature if I have no hardware involved? Or do I have to test with HLK? Assuming no legacy support is needed, only win10+ and win server 2016+, from your answer I understand that (for software only kernel driver) attestation signing should be enough, but according to the statement on https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/code-signing-reqs :
“Windows Server 2016 and greater will not accept attested device and filter driver signing submissions.
The dashboard will only sign device and filter drivers that have successfully passed the HLK tests.
Windows Server 2016 and greater will only load dashboard signed drivers that have successfully passed the HLK tests.”
Also, from https://learn.microsoft.com/en-us/security/trusted-root/program-requirements#f-windows-10-kernel-mode-code-signing-kmcs-requirements :
“Windows 10 has heightened requirements to validate kernel-mode drivers. Drivers must be signed by both Microsoft and a Program partner using Extended Validation requirements. All developers who wish to have their kernel-mode drivers included in Windows must follow the procedures outlined by the Microsoft Hardware Development Team. For more information, see the Partner Center for Windows Hardware”
Since we I am talking about a kernel mode drive that is aimed to be published to users, both Windows 10 and Windows Server, I am unclear per Microsoft’s text above if that is possible without HLK/with attestation signing… If you know, please clarify. and thanks again!
Thank you @Mark_Roddy , but According to https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/code-signing-reqs :
- “Attestation signing only works on Windows 10 Desktop and later versions of Windows. An attestation signed driver won’t work for other versions of Windows, such as Windows Server 2016, Windows 8, or Windows 7.”
- “If you wish to publish your driver to retail audiences, you must submit your driver through the Windows Hardware Compatibility Program (WHCP).”
- “Windows Server 2016 and greater will not accept attested device and filter driver signing submissions.
The dashboard will only sign device and filter drivers that have successfully passed the HLK tests.
Windows Server 2016 and greater will only load dashboard signed drivers that have successfully passed the HLK tests.”
Also, according to https://learn.microsoft.com/en-us/windows-hardware/drivers/install/kernel-mode-code-signing-policy--windows-vista-and-later- :
“Starting with Windows 10, version 1607, Windows will not load any new kernel-mode drivers which are not signed by the Dev Portal. To get your driver signed, first Register for the Windows Hardware Dev Center program.”
Since we want to have customers use the driver also on Windows Server 2016 potentially, to my understanding (which may be wrong) from the above, attestation signing will not be an option for us, correct? Any way we can go around HLK testing (again, software only driver, no hardware involved).
Also, do you/anybody happen to know, in case we do need to test with HLK, what is the criteria according to which it is decided how many dedicated physical client/target machines we need to test on? is it per major windows version? minor version? something else?
Thanks again and have a wonderful weekend!
Microsoft threatened to have Windows 2016 ignore attestation signing, but last I heard they never implemented it.
Also remember that the “Dev Portal” in that last bullet point includes attestation signing.
Test for the oldest version you need – one server, one client.