Driver security, was: Global Sign certificate and Vista x64

cristalink wrote:

> Besides, it is relatively easy to install an unsigned driver silently
> anyway, without interfering with signature checking.
> Don’t ask me how, I won’t tell.

Of course - if you know what the system does with your driver, it is
obvious. (If you don’t, go play elsewhere.) :)

> Unfortunately, this is too far from being convenient. What’s easier -
> click Continue Anyway or install a certificate?

For an “end-user” it is easier if their admin installs a certificate
beforehand.
(But I learned we don’t talk about “end users” - sorry, my fault.)

Example:
If you have a USB device and plug it in at a different port, you need to
install its driver again. IMHO this is pretty ugly(*1) for PnP devices.

Your admin probably wants to install a certificate, if you’re in a
company with a “no-admin-account-for-users” policy.

:) -H


(*1) Read “braindead”.
Well, for testing this is of course great, e.g. if you use different
driver classes you can actually have the same device with different
driver technologies running on the same machine, e.g. a WDM driver on
USB port A and with a WUDF driver on USB port B.
Iff this was a special ‘test mode’ you can enable, this would be OK.
From a system perspective it is of course an unnecessary nightmare -
the “other port install” can/does actually overwrite the common driver
binary, thus possibly changing behaviour also for the other ports.

> Users without administrator rights might need to install something too
> - think of PnP USB drivers.

Drivers can be installed without administrator rights only if no UI must be
displayed during install, so PnP will be happy with server-side install.

As you may know, class installers and coinstallers have a parameter of
“server-side install, UI prohibited”, which is set when they are called by the
PnP service. In this case, if some installer/coinstaller will need UI, then it
must be coded to fail the code path with some distinct error code.

Catching such error, PnP service will schedule a GUI app of client-side install
to be executed by administrator. When installers and coinstallers are running
in the context of such app, they are called with “UI allowed” parameter.

So, UI during driver install will require administrator logon.

Now note that the WHQL warning box is the UI. So, WHQL-failing drivers will
require the administrator logon to be installed. Only WHQL-signed drivers can
be silently installed by plugging the device in, regardless of the currently
logged on user.

Now about “driver per each USB port”. This is not a WHQL question. This is a
question of the presence of the unique ID in the USB device.

If the USB device has unique ID in its config descriptor - then no need to
install drivers for each USB port. The same device instance will be recognized
when inserted to a new port.

Otherwise, inserting the same device to a new USB port will start driver
installation once again.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

> If you have a USB device and plug it in at a different port, you need to
> install its driver again. IMHO this is pretty ugly(*1) for PnP devices.

Only if the device has no unique ID embedded in it.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

On Mar 28, 2007, at 3:55 AM, Maxim S. Shatskih wrote:

> Now note that the WHQL warning box is the UI. So, WHQL-failing drivers will
> require the administrator logon to be installed. Only WHQL-signed drivers can
> be silently installed by plugging the device in, regardless of the currently
> logged on user.

I think silent install should also work on Vista with an Authenticode-
signed driver, if the computer administrator has already trusted the
publisher.

-Steve

Maxim S. Shatskih wrote:

> So, UI during driver install will require administrator logon.
>
> Now note that the WHQL warning box is the UI. So, WHQL-failing drivers will
> require the administrator logon to be installed. Only WHQL-signed drivers can
> be silently installed by plugging the device in, regardless of the currently
> logged on user.

So non-Admins can only install a driver if it is WHQL-certified. (QED.)
Thanks for the background!

> Now about “driver per each USB port”. This is not a WHQL question. This is a
> question of the presence of the unique ID in the USB device.

So if my device has a “Serial Number” index in its config descriptor
(and the matching string descriptor) it will not need re-installation?

Or do I need to have the MS-specific 0xEE string descriptor present?

Or are you referring to some of the other config descriptor fields?

I would really like to know what we can do to avoid re-installation,
hence my questions. Thanks!

Thanks! -H

> So if my device has a “Serial Number” index in its config descriptor
> (and the matching string descriptor) it will not need re-installation?
>
> Or do I need to have the MS-specific 0xEE string descriptor present?

No, the standard one described in the USB spec. But note, this must be really
unique.

Some Windows versions will BSOD if 2 devices with the same “unique” (in
quotes - actually not unique) IDs are inserted.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
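The identity rule Maxim describes above (a device carrying a real serial number string is the same instance on any port; a device without one is re-identified, and re-installed, per port) and his caveat about two devices sharing the same “unique” ID, as an added Python example that is not code from the thread or from any of the posters. It parses the standard 18-byte USB device descriptor (where the USB spec keeps the iSerialNumber index) and a UTF-16LE string descriptor, derives an instance key from them, and flags serial collisions across attached devices. The `USB\VID_xxxx&PID_xxxx\...` key layout is an assumption modelled on the Windows instance-ID format, the port-path strings are constructed stand-ins for the hub/port location, and every descriptor in it is constructed sample data.

```python
"""Derive a PnP-style device identity from raw USB descriptors.

Added example, not code from the thread. Assumptions: the key layout
'USB\\VID_xxxx&PID_xxxx\\<serial-or-port>' is modelled on the Windows
instance-ID format, and the port-path strings are constructed stand-ins.
"""
import struct

# Standard 18-byte USB device descriptor, little-endian fields (USB 2.0 spec).
_DEVICE_DESC = struct.Struct("<BBHBBBBHHHBBBB")
DESC_TYPE_DEVICE = 0x01
DESC_TYPE_STRING = 0x03


def parse_device_descriptor(raw: bytes) -> dict:
    """Unpack a device descriptor; reject wrong length or descriptor type."""
    if len(raw) < _DEVICE_DESC.size:
        raise ValueError("device descriptor too short")
    (b_length, b_type, _bcd_usb, _cls, _subcls, _proto, _mps0,
     id_vendor, id_product, bcd_device,
     _i_mfr, _i_prod, i_serial, _num_cfg) = _DEVICE_DESC.unpack_from(raw)
    if b_length != _DEVICE_DESC.size or b_type != DESC_TYPE_DEVICE:
        raise ValueError("not a device descriptor")
    return {"idVendor": id_vendor, "idProduct": id_product,
            "bcdDevice": bcd_device, "iSerialNumber": i_serial}


def parse_string_descriptor(raw: bytes) -> str:
    """Decode a USB string descriptor: bLength, type 0x03, UTF-16LE payload."""
    if len(raw) < 2 or raw[1] != DESC_TYPE_STRING:
        raise ValueError("not a string descriptor")
    if raw[0] < 2 or raw[0] > len(raw):
        raise ValueError("bad string descriptor length")
    return raw[2:raw[0]].decode("utf-16-le")


def instance_key(device_desc: bytes, strings: dict, port_path: str) -> str:
    """Identity PnP would use for this device.

    strings maps string-descriptor index -> raw descriptor bytes.
    port_path is the hub/port location the device is attached to.
    """
    d = parse_device_descriptor(device_desc)
    prefix = f"USB\\VID_{d['idVendor']:04X}&PID_{d['idProduct']:04X}\\"
    idx = d["iSerialNumber"]
    if idx != 0 and idx in strings:
        serial = parse_string_descriptor(strings[idx]).strip()
        if serial:
            return prefix + serial      # same key on every port
    # No usable serial: identity is tied to the port, so a new port is a new instance.
    return prefix + port_path


def find_duplicate_serials(devices) -> dict:
    """devices: list of (device_desc, strings, port_path).

    Returns {key: [ports]} for keys claimed by more than one attached device,
    i.e. the 'same "unique" ID on two devices' situation the thread warns about.
    """
    seen = {}
    for desc, strings, port in devices:
        seen.setdefault(instance_key(desc, strings, port), []).append(port)
    return {k: ports for k, ports in seen.items() if len(ports) > 1}


def make_device_desc(vid: int, pid: int, i_serial: int) -> bytes:
    """Constructed device descriptor for demonstration (bcdUSB 2.0, one config)."""
    return _DEVICE_DESC.pack(0x12, DESC_TYPE_DEVICE, 0x0200, 0, 0, 0, 64,
                             vid, pid, 0x0100, 1, 2, i_serial, 1)


def make_string_desc(text: str) -> bytes:
    """Constructed string descriptor wrapping text as UTF-16LE."""
    payload = text.encode("utf-16-le")
    return bytes([2 + len(payload), DESC_TYPE_STRING]) + payload


if __name__ == "__main__":
    with_serial = make_device_desc(0x1234, 0x5678, 3)
    strings = {3: make_string_desc("SN0001")}
    no_serial = make_device_desc(0x1234, 0x5678, 0)
    for desc, port in ((with_serial, "1&hub&0&1"), (with_serial, "1&hub&0&2"),
                       (no_serial, "1&hub&0&1"), (no_serial, "1&hub&0&2")):
        print(port, "->", instance_key(desc, strings, port))
    print("collisions:", find_duplicate_serials(
        [(with_serial, strings, "1&hub&0&1"), (with_serial, strings, "1&hub&0&2")]))
```

Running the block shows the device with a serial mapping to one key on both ports while the one without gets a different key per port; the collision report is what a cloned-serial batch would produce, which is the condition worth checking before shipping firmware rather than after the two-devices-one-ID crash Maxim mentions.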

> I think silent install should also work on Vista with an Authenticode-
> signed driver, if the computer administrator has already trusted the
> publisher.

Exactly so. Too bad Jennifer had no PowerPoint file with her presentation on
different kinds of signing.

Anyway I think her story is also in the WDK docs or at least on the MS’s site.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

On Mar 28, 2007, at 10:34 AM, Maxim S. Shatskih wrote:

> > I think silent install should also work on Vista with an Authenticode-
> > signed driver, if the computer administrator has already trusted the
> > publisher.
>
> Exactly so. Too bad Jennifer had no PowerPoint file with her presentation on
> different kinds of signing.
>
> Anyway I think her story is also in the WDK docs or at least on the MS’s site.

I did a little blogging on it recently too, with some pics of the
whiteboard:

http://kernelmustard.com

-sd

“cristalink” wrote in message news:xxxxx@ntdev…

> Be careful with spreading this reasonable argument.
> Otherwise it might be that in the next M[company] OS release “Admin”
> accounts can only start WHQL signed software packages.

This will definitely happen if everyone keeps happy silence. I have a
small hope that somebody from Microsoft will read this, and another hope
(though even smaller one) that because of this the things will eventually
get better.

Microsoft’s signing policy caters for DRM. It has little, if nothing at all,
to do with driver quality or better user experience. I knew it before, I just
forgot about it by the time I was posting my comments. It’s pointless to
complain, because Microsoft is not concerned about end users or driver
developers in this particular case.