Hi,
I am wondering if cross-signing a minifilter driver (or in general a kernel mode driver) is still supported under Windows 10. The official FAQ [1] says that it is not recommended:
“A cross-signed driver using a SHA-1 or SHA-256 certificate issued after July 29th, 2015 is not recommended for Windows 10.”
But what does that mean exactly? The wording suggests that it is working currently. Is there a statement that it will stop working in the future? Also, do I need an EV certificate for cross-signing? As I understand it, an EV certificate is only needed for the Sysdev account and for signing cab files before submitting them.
My goal is to keep the process of signing a driver that works under 64-bit Windows 7 and 10 (Desktop) simple, so ideally I can bypass the process of submitting the driver to Microsoft. I would also appreciate it if I can use a “simple” code signing certificate instead of an EV one.
[1] https://msdn.microsoft.com/en-us/library/windows/hardware/hh801887#Code_Signing_FAQ
Thanks,
Mario
It works. It even works on the latest Redstone builds, on newly installed systems.
The latest speculation is that it will not work on newly installed Redstone 1 (Windows Anniversary Update) systems that have Secure Boot enabled. Here at OSR we haven’t been able to test that, lacking a system that can be easily installed from scratch with Secure Boot capability.
We have an article describing all this in the upcoming issue of The NT Insider…
Peter
OSR
@OSRDrivers
Thanks Peter, I am looking forward to the new issue of The NT Insider! Hopefully cross-signing still works when Redstone 1 is released.
xxxxx@osr.com wrote:
> It works. It even works on the latest Redstone builds, on newly installed systems.
> The latest speculation is that it will not work on newly installed Redstone 1 (Windows Anniversary Update) systems that have Secure Boot enabled. Here at OSR we haven’t been able to test that, lacking a system that can be easily installed from scratch with Secure Boot capability.
> We have an article describing all this in the upcoming issue of The NT Insider…
Given the number of special cases, corner cases, legacy cases, ifs, ands, ors, and buts, I would have guessed such an article would exceed your word limit…
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
xxxxx@gmail.com wrote:
> Thanks Peter, I am looking forward to the new issue of The NT Insider! Hopefully cross-signing still works when Redstone 1 is released.
It will not work on a Redstone 1 new install (not an upgrade) on a machine with secure boot enabled. They told us they were going to do this in Windows 10, it just hasn’t been enforced until now.
I’m surprised they’re making this change. It puts a rather large burden on driver distributors, since it’s no longer possible to have a single driver package cover all systems, and I don’t see the benefit.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
You can still have a single driver package that supports multiple Windows versions. However, the driver must pass the HCT/HCK/HLK/WTF/etc. tests, and be submitted for WHQL signature. Cross-signatures and attestation signing aren’t sufficient.
You also need to “go full WHQL” for any driver that needs to run on Windows Server 2016 with Secure Boot enabled. Attestation signing is only for client SKUs, and doesn’t work with Windows Server.
It also won’t work on Windows 10 Enterprise edition if Device Guard has been configured with a custom Signing Policy that enables either EV and/or WHQL enforcement.
It was just called to our attention that a video from last month’s PlugFest was posted on Channel 9, that describes the rules for driver signing that’ll be enforced starting in Windows Anniversary Update and Windows Server 2016.
We’ve summarized those rules and provided a link to the original Channel 9 video here:
https:
It looks like FINALLY we’re getting some clarity… even if you DO have to sit through a one hour video to find out what the policy is.
Peter
OSR
@OSRDrivers
Hello All,
After watching the video, my understanding is that:
- Any driver cross signed with a certificate issued before 29/July/15 will be considered valid (at around 04:20s in the video);
- The date of issuance of the certificate will be the only criteria used when determining if a cross signed driver is considered valid or not (at around 04:35s in the video);
- Drivers cross signed with a certificate issued before 29/July/15 will also be valid for systems with Secure Boot enabled, unless the system is configured to not trust any cross signed drivers anymore (around 19:20s in the video).
If this is correct, any driver, new or old, should work if signed with a pre 29/July/15 certificate.
I appreciate any feedback.
Thanks,
Roney
On 6/2/16, 12:28 PM, “xxxxx@lists.osr.com on behalf of xxxxx@osr.com” wrote:
>It was just called to our attention that a video from last month’s PlugFest was posted on Channel 9, that describes the rules for driver signing that’ll be enforced starting in Windows Anniversary Update and Windows Server 2016.
>
>We’ve summarized those rules and provided a link to the original Channel 9 video here:
>
>https:
>
>It looks like FINALLY we’re getting some clarity… even if you DO have to sit through a one hour video to find out what the policy is.
>
>Peter
>OSR
>@OSRDrivers
Roney Duilio Stein wrote:
> After watching the video, my understanding is that:
> - Any driver cross signed with a certificate issued before 29/July/15 will be considered valid (at around 04:20s in the video);
Yes.
> - The date of issuance of the certificate will be the only criteria used when determining if a cross signed driver is considered valid or not (at around 04:35s in the video);
Yes. Well, you also have to have a timestamp to prove that the package was signed before the certificate expired.
> - Drivers cross signed with a certificate issued before 29/July/15 will also be valid for systems with Secure Boot enabled, unless the system is configured to not trust any cross signed drivers anymore (around 19:20s in the video).
I think that’s right.
> If this is correct, any driver, new or old, should work if signed with a pre 29/July/15 certificate.
Yes, until it expires. Those people who had the foresight to order a 3-year certificate early last year have some extra time. Mine, unfortunately, expired in December.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
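As an added example (not code from the thread, OSR or Microsoft), a PowerShell function that reports, for one driver file, the two facts Roney and Tim describe as deciding whether a cross-signed driver is accepted: the signer certificate's issuance date relative to 29 July 2015 and whether the signature carries a timestamp. It assumes the certificate's NotBefore date stands for its issuance date and that Windows PowerShell's Get-AuthenticodeSignature is available.

```powershell
# Added example, not from the thread. Checks a driver's primary Authenticode
# signature against the cut-off discussed above. Assumptions: the signer
# certificate's NotBefore date is treated as its issuance date, and only the
# primary signature is inspected (Get-AuthenticodeSignature does not report
# a secondary dual signature).
function Test-CrossSignedDriver {
    param(
        [Parameter(Mandatory = $true)]
        [string]$DriverPath
    )

    # Cut-off quoted from the Microsoft FAQ in the first post.
    $cutoff = [datetime]'2015-07-29'

    $sig  = Get-AuthenticodeSignature -FilePath $DriverPath
    $cert = $sig.SignerCertificate
    if ($null -eq $cert) {
        throw "No Authenticode signature found on '$DriverPath'"
    }

    # Tim's point: once the certificate has expired, the signature is only
    # usable if it was timestamped while the certificate was still valid.
    $timestamper = $sig.TimeStamperCertificate
    $tsSubject   = if ($timestamper) { $timestamper.Subject } else { $null }

    [pscustomobject]@{
        File               = $DriverPath
        Status             = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer             = $cert.Subject
        Issuer             = $cert.Issuer
        IssuedOn           = $cert.NotBefore
        ExpiresOn          = $cert.NotAfter
        IssuedBeforeCutoff = $cert.NotBefore -lt $cutoff
        CertExpired        = $cert.NotAfter -lt (Get-Date)
        HasTimestamp       = $null -ne $timestamper
        Timestamper        = $tsSubject
    }
}

# Example use: report every .sys file in a driver package directory.
Get-ChildItem -Path .\package -Filter *.sys |
    ForEach-Object { Test-CrossSignedDriver -DriverPath $_.FullName } |
    Format-Table -AutoSize
```

A row with CertExpired set and HasTimestamp unset is the case Tim warns about; IssuedBeforeCutoff false means the package relies on attestation or WHQL signing on the systems discussed in the thread.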