how to disable "Digitally signed driver" check for 64 bits OSes?

Open File Explorer and go to the UltraVNC driver .sys file, and right click;
is there a “digital signature” tab?

The driver property page shows if the .cat has a signature, not if the
binary has a signature.

Jan

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Sarbojit Sarkar
Sent: Sunday, September 26, 2010 10:37 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] how to disable “Digitally signed driver” check for 64
bits OSes?

Tim & Maxim,

> 1. I have seen Ultra VNC driver and that is not digitally signed
> but I am able to load and use that driver, how? On 64 bits.

Why do you think it is not digitally signed? It may not be WHQL signed,
but it is digitally signed. Also remember that UltraVNC works perfectly
well without its mirror driver.

I have checked in driver property and found “Digital Signer : Not digitally
signed”. Please let me know if my assumption is wrong.

Tim, I know ULTRA VNC can work without driver but my doubt is why my driver
is showing yellow bang and ULTRA VNC driver is not showing yellow bang. Also
I have confirmed from code that it is using driver.

Any suggestion will be highly appreciated.

Thanks,

/sarbojit

Jan,
A “Digital Signature” tab is present for the Ultra VNC driver’s .sys file. Does it
mean that it is digitally signed? If yes, I have done the same for my driver
and now it is also showing that tab, but still in device manager it is
showing a yellow bang. Do you have any idea why it is showing a yellow bang now?

One more thing, I did not make a .cat file for my driver; is it really
required? I did not find it required for 32-bit OSes, at least.

/sarbojit

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Sarbojit,

Seriously, do yourself a favor and read the document everyone here
suggested. I Googled it for you; here it is:
http://www.microsoft.com/whdc/driver/install/drvsign/kmcs-walkthrough.mspx

Kernel code signing is a must for ANY kernel driver on 64 bit. If you are
planning on shipping your driver within your product, you will have to sign
your driver with a proper kernel code signing certificate.

You will have to read the kmcs_walkthrough.doc to just start understanding
how to sign a kernel driver. This is a simple thing to do; however, you will
have a lot of pitfalls if you do not read that document properly and
carefully. Take a 3 hour break, and just read it.

My additional 2 cents here is that you will have to find a certificate
provider that supports cross certificates with Microsoft and supports kernel
mode driver signing. I found out that many companies are buying certificates
which do not support kernel mode drivers. The last time I checked, even
Verisign lost the cross certificate with Microsoft. Make sure you ask your
certificate provider if it does support kernel mode signing.

And again, there is no other way for a commercial product to avoid signing a
64 bit driver. You will have to do it.

Good luck,
jim


On Mon, Sep 27, 2010 at 4:38 PM, Jim wrote:
> The last time I checked, even
> Verisign loss the cross certificate with microsoft. Make sure you ask your
> certificate provide if it does support kernel mode signing.

That can not be true.
http://www.microsoft.com/whdc/driver/install/drvsign/crosscert.mspx

Verisign and GlobalSign seem to be the only two really viable
options for now.

> And again, There is no other way for a commerical product to avoid signing a
> 64 bit driver. You will have to do it.
>

I agree. Not just commercial products. Even for an open source project
like libusb-win32 (I am one of the admins, mainly for supporting and
testing), in order for the project to survive (and beat WinUSB ^-^),
we have to sign the kernel driver (libusb0.sys) with a proper digital
signature (from GlobalSign) in order to work under 64-bit Windows
Vista/7.


Xiaofan

If there is a yellow bang on a driver, there will be a device manager error code associated with it. Right click on the device which has the yellow bang, go to properties, and see the error code in device status. There is an explanation of each device manager error code in MSDN. It might NOT be because of the digital signature.

A .cat file is required if you are signing your driver package. For 32-bit OSes signing is not mandatory to install a driver, so you can install the driver without a .cat file.

Xioafan,
Half a year ago, Verisign didn’t have a cross certificate with Microsoft.
All old certificates provided were still working, but from half a year
ago you couldn’t get a valid kernel code certificate. We moved to GlobalSign
because of that. I do not know, maybe they solved their issues with
Microsoft.

Jim


Xiaofan Chen wrote:

in order for the project to survive (and beat WinUSB ^-^),
we have to sign the kernel driver (libusb0.sys)

Whoa. You’re saying one of the stated project goals of libusb-win32 is trying to “beat” WinUSB? I think that might be a losing battle in the end…

On Mon, Sep 27, 2010 at 10:09 PM, wrote:
> Xiaofan Chen wrote:
>
>> in order for the project to survive (and beat WinUSB ^-^),
>> we have to sign the kernel driver (libusb0.sys)
>
> Whoa. You’re saying one of the stated project goals of
> libusb-win32 is trying to “beat” WinUSB? I think that might
> be a losing battle in the end…

That is not really a stated goal.

But libusb0.sys does have quite a few advantages compared
to winusb.sys.

1. OS support: Win2k, XP64 and Windows 2003 are supported
2. Can be a generic upper filter driver for many USB devices
3. Supports isochronous transfers
4. Supports multiple configurations
5. API compatible with libusb-0.1
6. Open Source

WinUSB does have some limitations as listed in libusb.org.
http://www.libusb.org/wiki/windows_backend


Xiaofan

Unlike most of the signing documents, the kmcs walkthrough actually makes
some sense, I think.

Good luck,

mm


Martin O’Brien wrote:

Unlike most of the signing documents, the kmcs walkthrough actually
makes some sense, I think.

I agree. The whole signature process was a befuddled mystery to me
until I actually sat down at a PC and went through that walkthrough.
Having a practical, step by step guide like that is an incredibly
valuable resource. More important, in my opinion, is that you gain
confidence that the process CAN be made to work.

I wish I had the same kind of thing for DTM. I managed to get a driver
package tested, submitted, and signed, but there are still many parts of
the process that border on voodoo in my brain.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Strange. I acquired my VeriSign in March and had no difficulties with
Microsoft cross certificates when I signed my drivers for my clients.

Gary G. Little

H (952) 223-1349

C (952) 454-4629

xxxxx@comcast.net


What do you mean by a generic upper filter driver? You sit on top of the FDO and send URBs directly to the PDO (since the FDO probably won’t pass through the submit URB IOCTL)?


Got a new one from Verisign at the beginning of June, works fine with
the Microsoft cross-certificate I’ve been using for years.

Gary G. Little wrote:

Strange. I acquired my VeriSign in March and had no difficulties with
Microsoft cross certificates when I signed my drivers for my clients.


On Tue, Sep 28, 2010 at 2:41 AM, Doron Holan wrote:
> What do you mean a generic upper filter driver? You sit on top of the FDO
> and send URBs directly to the PDO (since the FDO probably won’t pass through
> the submit URB IOCTL)?
>

I think you are right. But it seems to work for many USB devices
as per our tests.

http://libusb-win32.svn.sourceforge.net/viewvc/libusb-win32/branches/libusb-testing/src/install-filter-help.txt?revision=359&view=markup
Switches For Device Filters:
--device= (-d=)
install : Adds libusb-win32 as an upper device filter for the
specified device.
uninstall: Removes libusb-win32 as an upper device filter for the
specified device.

Reference 1:
http://libusb.6.n5.nabble.com/To-understand-the-behavior-of-WinUSB-backend-td510213.html
> Tim Roberts wrote:
> …Doron Holan of the Microsoft DDK team has stated
> that WinUSB cannot act as a general filter driver.
> Doron is usually right.

At the last post of this thread, I thought we had got winusb to work as a generic
filter; in the end, it is not true. Indeed you are right.

Reference 2:
http://libusb.6.n5.nabble.com/Re-libusb-win32-and-WinUSB-as-a-filter-driver-td2642352.html


Xiaofan

Sending URBs directly to the PDO (or through the FDO in the event that the FDO mistakenly passes them through) is a really, really bad design. You are communicating with the device or modifying the state of the device without coordination with the FDO (not to mention that I don’t know how you are even getting USBPIPE handles as an upper filter, since you don’t see the config request the FDO sends), thus putting the FDO driver in an untested (and untestable/unsupported) state.

d


Doron Holan wrote:

(not to mention how I don’t know how you are even getting
USBPIPE handles as an upper filter since you don’t see the
config request the fdo sends),

They might just be sending/allowing endpoint zero requests. Or they might have a lower filter portion also.

On Tue, Sep 28, 2010 at 12:38 PM, wrote:
> Doron Holan wrote:
>
>> (not to mention how I don’t know how you are even getting
>> USBPIPE handles as an upper filter since you don’t see the
>> config request the fdo sends),
>
> They might just be sending/allowing endpoint zero requests. Or they
> might have a lower filter portion also.

It is only acting as an upper filter when used as a filter driver.

The source code of the driver is here. Comments are welcome.
http://libusb-win32.svn.sourceforge.net/viewvc/libusb-win32/branches/libusb-testing/src/driver/


Xiaofan

No way am I going to look at your src :slight_smile:

d

dent from a phpne with no keynoard


> http://www.microsoft.com/whdc/driver/install/drvsign/kmcs-walkthrough.mspx

Read this, understand it, experiment, read again, experiment more, read
up on PK, certificates and certificate chains, experiment more.

This will take a few days, but is necessary and well worth the effort.

Make sure you ask your certificate provide if it does support kernel
mode signing.

The “Class-3 Code Signing” certificates themselves are not the problem.
But you need to make sure Microsoft offers a cross certificate for your
provider’s CA for the driver-embedded signatures.

(Signatures embedded in the driver SYS file are *required* for boot-time
kernel drivers like HDD drivers. But I’m not completely sure you need
them for non-DRM PnP drivers like for a simple BulkUSB-derived one.
We add one anyway, because this allows users to perform a very simple
integrity check on the driver binary: cert valid -> binary OK.)

Other pitfalls:

(1) On the PC you use for signing, you can’t install-test if a signature
was embedded correctly.
Because all necessary certificates will also be in the PC registry,
Windows always finds a correct path to a “trusted root” certificate.

=> You need to test your signed drivers on a “clean” test machine.

(2) You need to ensure you get your embedded signature certificate chain
*complete*. On Win7/x64, *if* there is a certificate embedded in a SYS
file, not only this itself must be valid, but also the complete chain to
the “MS Code Certification Root” must be embedded.

One example where this can fail:

With our cert provider WDK’s signtool.exe used the “newer” (longer
valid) root certificate of two provided ones. It would normally be a
good idea to use the longest-valid and newest cert you can find.
However, the chosen cert was not valid for the Microsoft cross
certificate from our provider to the “MS Code Certification Root”.

Win7/64bit happily *installed* the driver, but it did not work. In
device manager a little triangle with an exclamation mark was shown
next to the driver symbol. Driver properties stated that “no chain to a
trusted root” could be found.

The temporary solution was to manually remove the newer (=longer valid)
root certificate (and one intermediate cert) of the CA we use. Then the
(correct) older one was used for signing the driver binary, and then
signtool.exe also included the cross-certificate. Win7/64bit was happy.

(Using the older cert was not a problem because we also time-stamp SYS
and CAT files. When you sign and timestamp in 2010, it does not matter
if the CA’s cert is valid until 2014 or 2028.)

The final solution will be a new, matching, Microsoft cross cert issued
to the provider’s CA [hopefully within the next three years :-)].

Sarbojit Sarkar wrote:

Note: I have tried and found there are other digitally unsigned
drivers which are running on 64 bits OSes, so I believe it is
possible.

Well, on Linux/64bit we certainly have some unsigned drivers. Yes, it is
possible, e.g. on another OS, or by cracking the signature enforcement.

Tim Roberts wrote:

I don’t know where you looked, but without taking special steps at
each boot, there’s no way to load an unsigned driver in 64-bit
Windows.

Well, there is *one*: UMDF :wink:

If there were an easy way to disable the check, there wouldn’t be
much point in having a check, would there?

If a driver does not require embedded signing, there is likely some way
around the signing requirements. [For obvious reasons I don’t approve of
this, hence will not describe it.]

Driver developers simply have to resign themselves to buying a
certificate as a cost of doing business. They cost less than a day’s
labor, so if you’ve spent a day trying to figure out a way around
it, you are already wasting your money.

+1.
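As an added example, not code from the thread or from any of the projects mentioned in it: the two checks that keep coming up here, Jan's point at the top of the thread that the driver property page reflects the .cat signature rather than the signature embedded in the .sys, and the chain and timestamp pitfalls in the message above, can both be run from PowerShell. The script below inspects every .sys and .cat under a package directory with Get-AuthenticodeSignature, reports whether each file carries its own signature, whether it was timestamped, and which chain the local machine builds for the signer; if signtool.exe is on the PATH it also runs `signtool verify /kp /v` on the .sys files, which applies the kernel-mode driver signing policy. The package directory layout and the availability of signtool are assumptions.

```powershell
# Added example, not from the thread. Inspects the signatures in a driver package.
#   - Get-AuthenticodeSignature on a .sys reports the signature EMBEDDED in the
#     binary; on a .cat it reports the catalog signature. The two are
#     independent, which is why the driver property page can say "signed"
#     while the .sys itself carries no signature.
#   - The chain shown is the local machine's view. Run this on a CLEAN test box:
#     on the signing PC every intermediate and root is already in the stores,
#     so any driver appears to chain correctly there.
# Assumption: $PackageDir contains the driver package (.sys/.cat/.inf).
param(
    [Parameter(Mandatory = $true)]
    [string]$PackageDir
)

function Get-DriverSignatureReport {
    param([string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $report = [ordered]@{
        File        = Split-Path -Leaf $Path
        Status      = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Message     = $sig.StatusMessage
        Signer      = $null
        TimeStamped = $false
        Chain       = $null                # subjects from signer up to root
    }

    if ($sig.SignerCertificate) {
        $report.Signer = $sig.SignerCertificate.Subject
        # An untimestamped signature stops verifying once the signing cert
        # expires; a timestamped one keeps verifying after that date.
        $report.TimeStamped = ($null -ne $sig.TimeStamperCertificate)

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # keeps the check offline-friendly
        [void]$chain.Build($sig.SignerCertificate)
        $report.Chain = ($chain.ChainElements |
            ForEach-Object { $_.Certificate.Subject }) -join ' -> '
    }

    [pscustomobject]$report
}

function Test-KernelModePolicy {
    # signtool verify /kp applies the kernel-mode driver signing policy
    # (embedded signature chaining through the Microsoft cross-certificate)
    # and with /v prints the chain it accepted. Returns $null when
    # signtool.exe is not on the PATH.
    param([string]$Path)

    if (-not (Get-Command signtool.exe -ErrorAction SilentlyContinue)) { return $null }
    $output = & signtool.exe verify /kp /v $Path 2>&1
    [pscustomobject]@{
        File    = Split-Path -Leaf $Path
        KmcsOk  = ($LASTEXITCODE -eq 0)
        Details = ($output -join "`n")
    }
}

$files = Get-ChildItem -Path $PackageDir -Recurse -Include *.sys, *.cat

# Part 1: what is actually signed, and how each signature chains on this box.
$files | ForEach-Object { Get-DriverSignatureReport -Path $_.FullName } | Format-List

# Part 2: only the .sys binaries are subject to the kernel-mode policy check.
$files | Where-Object Extension -eq '.sys' | ForEach-Object {
    $r = Test-KernelModePolicy -Path $_.FullName
    if ($null -eq $r) {
        Write-Warning 'signtool.exe not found; skipping /kp verification'
    } else {
        $verdict = if ($r.KmcsOk) { 'PASSED' } else { 'FAILED' }
        "$($r.File): kernel-mode policy check $verdict"
        $r.Details
    }
}
```

Run it as `.\Check-DriverSignatures.ps1 -PackageDir C:\path\to\package` on a machine that has never had the signing certificates imported. A .sys whose Status is NotSigned while the .cat reports Valid is exactly the situation the first reply in the thread describes; a .sys whose own Status is Valid but whose `/kp` check fails is the incomplete-chain case described above, and the `/v` output shows which certificate the chain stopped at.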