CheckLogo and driver signing

Hi,

We developed a Kernel Mode virtual audio loopback device (software-only). Now we have to pass the CheckLogo test. We submitted the driver to Winqual and we received only the signed .CAT files. Now Chklogo tells us that we must sign also the .SYS files. How do we do that?

Thanks in advance,

Jader Dias

Are we talking 64-bit drivers or 32-bit drivers?

ANYhow… assuming we’re talking 64-bit, this is the third or fourth post about kernel-mode code signing in a week.

PLEASE check the archives. But, to save you some time, download and read THIS first:

http://www.microsoft.com/whdc/driver/install/drvsign/kmcs-walkthrough.mspx

Peter
OSR

Hi Peter,

I already know how to sign kernel mode drivers for Windows Vista+ 64 bit. The problem is that in this case (Windows Logo) I can’t sign them myself. Microsoft must do it. But they didn’t.

I wonder if there is any way to:

  1. Bypass CheckLogo (e.g. by removing the hardware id from my driver)
    or
  2. Request a signed .SYS file from Microsoft through Winqual

The post doesn’t concern KMCS so this link won’t help the OP.

What Rosseto is trying to say is that neither a Verisign nor a GlobalSign certificate can help me now.
The only certificate that would solve the problem is the “Microsoft Windows Hardware Compatibility Publisher” one.
The only way to obtain this certificate is through the Windows Logo for Hardware Program.
I did obtain this, but only for the CAT file. Now it seems I need to obtain it for the binaries, but I don’t know how.
What would also work for me is a way to bypass the CheckLogo test, so I could forget this signature problem.
I know that CheckLogo verifies only drivers with a HardwareId. If I found a way of removing it from my driver, and I could still install it using a command line tool like “devcon.exe”, it would solve my problem.
But I don’t know how to do it.

You are confused. The CAT file you get back from WHQL is the file you
should need to prove the INF and driver binary are signed. Of course, if
you changed anything (including a recompile of the driver) from what you
submitted to WHQL, this will complain that the driver is not signed.

So the question is, you got back the CAT file, what did you do to try
this?

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“xxxxx@cits.br” wrote in message
news:xxxxx@ntdev:

> What Rosseto is trying to say is that neither a Verisign nor a GlobalSign certificate can help me now.
> The only certificate that would solve the problem is the “Microsoft Windows Hardware Compatibility Publisher” one.
> The only way to obtain this certificate is through the Windows Logo for Hardware Program.
> I did obtain this, but only for the CAT file. Now it seems I need to obtain it for the binaries, but I don’t know how.
> What would also work for me is a way to bypass the CheckLogo test, so I could forget this signature problem.
> I know that CheckLogo verifies only drivers with a HardwareId. If I found a way of removing it from my driver, and I could still install it using a command line tool like “devcon.exe”, it would solve my problem.
> But I don’t know how to do it.

Hi Don,

> So the question is, you got back the CAT file, what did you do to try this?

  1. I sent to Winqual a CAT and Binaries signed with a GlobalSign certificate
  2. When I received the new CAT I tested it installing the driver using the new CAT and the old Binaries

Does this give any hint about what is happening?

xxxxx@cits.br wrote:

> Hi Peter,
>
> I already know how to sign kernel mode drivers for Windows Vista+ 64 bit. The problem is that in this case (Windows Logo) I can’t sign them myself. Microsoft must do it. But they didn’t.
>
> I wonder if there is any way to:
>
>   1. Bypass CheckLogo (e.g. by removing the hardware id from my driver)
>     or
>   2. Request a signed .SYS file from Microsoft through Winqual

WHQL never signs SYS files. They only sign CAT files. If the SYS file
really needs to be signed (and I don’t know why it should), then you can
sign the SYS files yourself. Mark asserts that you can sign the SYS
files without invalidating the CAT, and Mark is usually right.

What does the CheckLogo tool do? If you have submitted for WHQL under a
device class (not unclassified) and received the signature, then you
have the right to use the logo. What else is there?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
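
Why the two replies above are consistent (a rebuild invalidates the catalog, an embedded signature does not), as an added example that is not code from the thread: the digest recorded for a PE file skips the CheckSum field and the certificate table, which are the parts a signer rewrites. This Python sketch is simplified; the sample image, the placeholder signature blob and all function names are constructed, and it assumes the certificate table sits at the end of the file and the unsigned length is 8-byte aligned.

```python
import hashlib
import struct

def _fields(data):
    """Return file offsets of the CheckSum field and the certificate-table entry."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = pe + 24                                   # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                 # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    return opt + 64, opt + (144 if magic == 0x20B else 128)

def pe_digest(data, alg="sha256"):
    """Digest of the image, skipping CheckSum, the cert-table entry and the table."""
    checksum, cert_dir = _fields(data)
    cert_off, cert_size = struct.unpack_from("<II", data, cert_dir)
    end = cert_off if cert_size else len(data)      # assumes table is last in file
    h = hashlib.new(alg)
    for chunk in (data[:checksum], data[checksum + 4:cert_dir], data[cert_dir + 8:end]):
        h.update(chunk)
    return h.hexdigest()

def build_sample_image(body):
    """Constructed, minimal x64 (PE32+) header followed by `body`; not loadable."""
    img = bytearray(0x40)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    return bytes(img + opt + body)

def embed_placeholder_signature(data):
    """Append a dummy certificate table and update the fields a signer touches."""
    checksum, cert_dir = _fields(data)
    out = bytearray(data)
    blob = b"\xAA" * 32                             # placeholder, not a real PKCS#7
    struct.pack_into("<I", out, checksum, 0x0001F00D)
    struct.pack_into("<II", out, cert_dir, len(data), len(blob))
    return bytes(out + blob)

if __name__ == "__main__":
    original = build_sample_image(b"driver code v1".ljust(64, b"\0"))
    rebuilt = build_sample_image(b"driver code v2".ljust(64, b"\0"))
    signed = embed_placeholder_signature(original)
    print("embedded signature keeps digest:", pe_digest(signed) == pe_digest(original))
    print("rebuild keeps digest:           ", pe_digest(rebuilt) == pe_digest(original))
```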

Thanks Tim and Don,

It worked, I was using the 32-bit CAT with a 64-bit binary.
It worked even though it was an “Unclassified” device class.

xxxxx@cits.br wrote:

> Thanks Tim and Don,
>
> It worked, I was using the 32-bit CAT with a 64-bit binary.
> It worked even though it was an “Unclassified” device class.

Now, you do realize that you cannot get the Windows logo for an
unclassified device, don’t you? You can get the signature, but you
cannot get the right to use the Windows logo.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

So that’s what you meant… But that’s not an issue here. Thank you anyway.

George M. Garner Jr. wrote:

> The post doesn’t concern KMCS so this link won’t help the OP.

The post asks how to sign the .sys file of a Kernel Mode driver, but
doesn’t concern Kernel Mode Code Signing?