Hi,
Some clarification is needed for Device Guard.
We have a couple of drivers which are WHQL signed and have a couple of
references to ExAllocatePoolWithTag with NonPaged Pool, and they are not
crashing.
If I enable Driver Verifier with code integrity, it detects this and
crashes.
Are WHQL drivers exempted, so that they can use ExAllocatePoolWithTag?
I ran the MS DG_CG_hardware_readiness_tool_v3.2 script, which lists all
capabilities of the system.
It reports the following non-compliance:
HSTI is absent
Does anyone know which BIOS version is compliant with HSTI?
NX Protector is absent => MS documentation says that this is a firmware
feature, but I am not able to see how to enable it; if someone has tested
this, please share information.
Is NX Protector used to detect the RWX flag in memory?
Which firmware version is needed for this, and how can I enable it?

Rahul Kumar wrote:
> We have a couple of drivers which are WHQL signed and have a couple of
> references to ExAllocatePoolWithTag with NonPaged Pool, and they are not
> crashing.
> Are WHQL drivers exempted, so that they can use ExAllocatePoolWithTag?

In simple words, Device Guard / HVCI is a hypervisor that “hacks” your
operating system and silently makes all kernel memory allocations non-executable.
With HVCI it doesn’t matter whether you are using “NonPagedPoolNx” or “NonPagedPool”;
in both cases the result will be the same (although from the point of view of the
operating system the memory pages will have different protection attributes).
Normally it is not a problem if your driver is not using dynamic code generation,
code patching and some other popular hacker technologies.
So, most existing drivers do not need to be recompiled and they will work without
changes even with use of executable pool. But for new drivers it is recommended
to use only non-executable memory and follow all other rules. To receive a new
WHQL signature for a Windows 10 driver you MUST follow these rules, otherwise
the HLK tests will fail.

> If I enable Driver Verifier with code integrity, it detects this and crashes.

Driver Verifier helps you to find Code Integrity violations in your driver,
but it doesn’t mean that your driver is buggy (see above). Today, most
existing drivers can’t pass the ‘Code Integrity Checks’ but they still work
fine on Windows 10 with HVCI enabled.
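
Added example, not part of the thread or written by either poster: a small source audit that lists the `ExAllocatePool*` calls requesting executable nonpaged pool, the pattern discussed above that new drivers are expected to replace with `NonPagedPoolNx`. The function names and the sample driver source are constructed for illustration; the WDK opt-in (`POOL_NX_OPTIN` plus `ExInitializeDriverRuntime(DrvRtPoolNxOptIn)`) is not mentioned in the thread and is assumed here to be visible in the scanned file.

```python
import re

# First argument (the POOL_TYPE) of any ExAllocatePool* call.
ALLOC_CALL = re.compile(r"\b(ExAllocatePool\w*)\s*\(\s*([^,()]+?)\s*,")
COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
# POOL_TYPE names that request executable nonpaged memory.
EXECUTABLE = {"NonPagedPool", "NonPagedPoolExecute"}
OPTIN_DEFINE = re.compile(r"^\s*#\s*define\s+POOL_NX_OPTIN\s+1\b", re.M)

def strip_comments(src):
    # Blank out comments but keep their newlines so line numbers stay valid.
    return COMMENT.sub(lambda m: "\n" * m.group().count("\n"), src)

def find_executable_pool(src):
    """Return (line, function, pool_type) for each executable-pool request."""
    code = strip_comments(src)
    # Assumption: the NX opt-in is declared in this file. Projects that set
    # POOL_NX_OPTIN in build settings need that passed in some other way.
    optin = bool(OPTIN_DEFINE.search(code)) and "ExInitializeDriverRuntime" in code
    findings = []
    for m in ALLOC_CALL.finditer(code):
        line = code.count("\n", 0, m.start()) + 1
        for pool_type in sorted(set(re.findall(r"\w+", m.group(2))) & EXECUTABLE):
            # The opt-in remaps NonPagedPool only; NonPagedPoolExecute
            # always asks for executable memory.
            if optin and pool_type == "NonPagedPool":
                continue
            findings.append((line, m.group(1), pool_type))
    return findings

# Constructed driver source, not taken from any real driver.
SAMPLE = '''\
#include <ntddk.h>
// ExAllocatePoolWithTag(NonPagedPool, 1, 'old1') in a comment is ignored
PVOID a(SIZE_T n) { return ExAllocatePoolWithTag(NonPagedPool, n, 'gaT1'); }
PVOID b(SIZE_T n) { return ExAllocatePoolWithTag(NonPagedPoolNx, n, 'gaT2'); }
PVOID c(SIZE_T n) {
    return ExAllocatePoolWithTag(
        NonPagedPoolExecute, n, 'gaT3');
}
'''

if __name__ == "__main__":
    for line, func, pool_type in find_executable_pool(SAMPLE):
        print(f"line {line}: {func} requests {pool_type}")
```

A clean result from this scan covers only the pool-type part of the code integrity checks; it says nothing about dynamic code generation or code patching.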