Maxim S. Shatskih wrote:
>> Well, if you always install using a CAT file, then it’s not necessary to sign the SYS file at all.
> Not so for boot-time drivers, which require signature in the SYS itself.
I don’t do boot-time drivers, so I could be wrong, but it was my
understanding that this was merely a strong recommendation for
performance purposes, and not a requirement.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
elahe shekuhi wrote:
> Thanks for the useful comments.
> Now I can verify the catalog file and the chain ends at the
> Microsoft Code Verification Root. However, after installing the
> driver I get the error code 52 again. I’m a little confused.
> What is the point I haven’t considered?
Did you uninstall the old driver? Did you sign the SYS, or just the
CAT? Make sure your new driver actually got copied into place during
the install. That is, check the date/time/size in
\Windows\System32\Drivers against the date/time/size in your build
directory. Maybe you copied the file from the wrong place. Maybe the
system grabbed the old one.
If the installation completed successfully, then you should just be able
to copy your signed SYS file into place and restart the device.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
Dear Tim, Thanks a lot for your attention. Yes, I uninstalled the old
driver. Must the chain for the SYS file end at the Microsoft Code
Verification Root? Or is it necessary just for the catalog file?
On 11/18/14, Tim Roberts wrote:
> elahe shekuhi wrote:
>>
>> Thanks for the useful comments.
>> Now I can verify the catalog file and the chain ends at the
>> Microsoft Code Verification Root. However, after installing the
>> driver I get the error code 52 again. I’m a little confused.
>>
>> What is the point I haven’t considered?
>
> Did you uninstall the old driver? Did you sign the SYS, or just the
> CAT? Make sure your new driver actually got copied into place during
> the install. That is, check the date/time/size in
> \Windows\System32\Drivers against the date/time/size in your build
> directory. Maybe you copied the file from the wrong place. Maybe the
> system grabbed the old one.
>
> If the installation completed successfully, then you should just be able
> to copy your signed SYS file into place and restart the device.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
elahe shekuhi wrote:
> Dear Tim, Thanks a lot for your attention. Yes, I uninstalled the old
> driver. Must the chain for the SYS file end at the Microsoft Code
> Verification Root? Or is it necessary just for the catalog file?
Well, that’s an interesting question. It’s a hypothesis I’ve never
tested. Maybe (and I’m just theorizing here) the kernel only falls back
to the CAT file if there is no signature at all in the SYS.
My advice is to sign both the same way. You can certainly re-sign the
SYS file when you create the CAT. Signing is free.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
elahe shekuhi wrote:
> Dear Tim, Thanks a lot for your attention. Yes, I uninstalled the old
> driver. Must the chain for the SYS file end at the Microsoft Code
> Verification Root? Or is it necessary just for the catalog file?
This may be a good time to expand on the excellent point Maxim made
overnight.
There are two completely separate signature requirements in Windows, and
they use two separate sets of rules. First is the install-time
signature check, which determines whether your driver can be installed.
This check applies to all systems clear back to Windows 2000, and it
applies to all PnP installations that use an INF file. This check only
looks at the CAT file. This is where WHQL comes into play. If your CAT
file is signed by WHQL, your package installs with no user involvement.
If your CAT file is signed by you, you get a dialog saying “Do you trust
this publisher?”. If your CAT file is unsigned, you get the dreaded
“CAUTION! Unsigned driver!” warning. However, even if you don’t pass
this check, the user can still say “sure, I don’t care, go ahead.” This
check is only done once, when your driver is installed.
The other check is the KMCS check. This is only done on the 64-bit
systems, but it is done each and every time your driver is loaded into
memory. There is no override dialog; if you fail this check, your
driver will not be loaded. Here, the kernel first checks the SYS file.
If the SYS file is unsigned, it tries to find the CAT file. This check
DOES require a cross-certificate ending in the Microsoft Code
Verification Root.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
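The two things Tim asks the original poster to check in this thread, whether the SYS that actually got copied into \Windows\System32\Drivers is the one from the build directory, and whether the SYS and the CAT each carry a signature and what that signature chains to, can be checked from PowerShell without touching the device. The script below is an added example written for this page; it is not from any poster here and not part of the WDK. The driver name and build directory are placeholders, and the chain it prints is built by the user-mode certificate engine (Get-AuthenticodeSignature plus X509Chain), which is not the policy CI.dll applies at load time.

```powershell
# Added example (not from the thread): compare the installed SYS against the
# build output, then inspect the Authenticode signature on the SYS and the CAT.
# $BuildDir, $DriverName and $CatName are placeholders for your own package.
param(
    [string]$BuildDir   = 'C:\build\x64\Release\mydriver',   # placeholder
    [string]$DriverName = 'mydriver.sys',                    # placeholder
    [string]$CatName    = 'mydriver.cat'                     # placeholder
)

$buildSys     = Join-Path $BuildDir $DriverName
$installedSys = Join-Path $env:SystemRoot "System32\drivers\$DriverName"
$cat          = Join-Path $BuildDir $CatName

# Tim's first check: is the file PnP loaded the file you just built?
# Size and timestamp are what you would eyeball in Explorer; the hash settles it.
function Compare-DriverCopy {
    param([string]$Source, [string]$Installed)
    if (-not (Test-Path $Installed)) {
        return [pscustomobject]@{ Match = $false; Reason = "not present at $Installed" }
    }
    $a  = Get-Item $Source
    $b  = Get-Item $Installed
    $ha = (Get-FileHash -Algorithm SHA256 -Path $Source).Hash
    $hb = (Get-FileHash -Algorithm SHA256 -Path $Installed).Hash
    $reason = 'identical'
    if ($ha -ne $hb) { $reason = 'hash differs: stale or wrong copy in System32\drivers' }
    [pscustomobject]@{
        Match            = ($ha -eq $hb)
        SourceSize       = $a.Length
        InstalledSize    = $b.Length
        SourceWritten    = $a.LastWriteTime
        InstalledWritten = $b.LastWriteTime
        Reason           = $reason
    }
}

# Tim's second check: is there a signature on the SYS itself, or only on the CAT,
# and what does each one chain to? The chain is built with the user-mode store,
# so the root shown is whatever CAPI prefers, not necessarily the root CI.dll uses.
function Get-SignatureChain {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subjects = @()
    if ($sig.SignerCertificate) {
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        # Revocation lookups need network access; skip them for a local inspection.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $null = $chain.Build($sig.SignerCertificate)
        $subjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }
    $signer = '(unsigned)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    $root = '(none)'
    if ($subjects.Count -gt 0) { $root = $subjects[-1] }
    [pscustomobject]@{
        File   = Split-Path -Leaf $Path
        Status = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer = $signer
        Root   = $root
        Chain  = $subjects
    }
}

Compare-DriverCopy -Source $buildSys -Installed $installedSys | Format-List
foreach ($f in @($buildSys, $cat)) {
    Get-SignatureChain -Path $f | Format-List File, Status, Signer, Root
}
```

A Status of NotSigned on the SYS together with Valid on the CAT is exactly the "signed the CAT but not the SYS" case Tim asks about. For the load-time question itself, the WDK's `signtool verify /kp /v <file.sys>` evaluates the file under the kernel-mode signing policy and reports the cross-certificate chain it finds, which is closer to what CI.dll checks than the user-mode chain this script prints.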
> Well, that’s an interesting question. It’s a hypothesis I’ve never
> tested.
From what I remember of MS’s KMCS document - yes.
CI.DLL (which checks the signatures on boot drivers) has no cert store at all; it only has the public part of MS’s root in it.
Thus the requirement for cross-certs.
Yes, signing both SYS and CAT is the way to go. CAT signature is WHQL (or vendor-specific, in which case the message box “Do you trust” will appear). SYS signature is KMCS cross-cert.
–
Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com
> understanding that this was merely a strong recommendation for
> performance purposes, and not a requirement.
Look at MS’s KMCS doc.
It is a requirement for boot drivers.
The thing is that the boot loader (and CI.DLL in it) has no access to the cert store, nor to the CAT files in the “catroot” directory.
Thus the cert must be a) on the SYS and b) a cross-cert.
–
Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com
> applies to all PnP installations that use an INF file. This check only
> looks at the CAT file. This is where WHQL comes into play. If your CAT
More things to note:
- on Vista+, the CAT signature is only checked on driver package install process, which is triggered by “devcon dp_inst” or “Update Driver” in the UI, or if PnP cannot find the already installed package, or if you point at yellow question mark and say “install the driver”.
The result of driver package install is: driver files are put to DriverStore/FileRepository, which is only writeable by TrustedInstaller.
Then, probably later on first devnode creation (or maybe just now at install), the .INF is copied to “inf” and .CAT to “system32/catroot/{some guid named in the WDK headers, I forgot the name}”.
Immediately after this, CopyFiles in INF is executed, which usually copies .SYS to “system32/drivers” (and probably coinstaller DLLs or such).
After this, all PnP files are laid out correctly, and PnP only needs to create the devnode in the registry.
- on XP, it looks like (I’m not 100% sure, it was 4 years ago when I was deep into this) that the .CAT signature is checked on each devnode creation. Surely this is not the case for Vista+. Probably this is a registry/Group Policy setting.
- on Srv2003, IIRC it just fails non-WHQL driver packages without questions. This is probably a Group Policy setting which can be overridden, or a Control Panel/System item where you can choose Ignore/Warn/Block or such.
–
Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com
Maxim S. Shatskih wrote:
>> applies to all PnP installations that use an INF file. This check only
>> looks at the CAT file. This is where WHQL comes into play. If your CAT
> More things to note:
> - on Vista+, the CAT signature is only checked on driver package install process, which is triggered by “devcon dp_inst” or “Update Driver” in the UI, or if PnP cannot find the already installed package, or if you point at yellow question mark and say “install the driver”.
> …
> - on XP, it looks like (I’m not 100% sure, it was 4 years ago when I was deep into this) that the .CAT signature is checked on each devnode creation. Surely this is not the case for Vista+. Probably this is a registry/Group Policy setting.
I think you are remembering incorrectly. Even on Win 7, the WHQL
signature check is triggered on every new devnode. So, if you do a
“software first” install, you have to answer the “Do you trust this
publisher?” question twice.
Otherwise, it would be pretty easy to subvert the WHQL requirement by
manually pre-populating the driver store.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.