How to get Certificate for Driver not associated with any Device?

Hi All,

I have a driver which is dynamically loaded (InstallService, StartService) by my application and unloaded once the job is done. How do I get a trusted certificate for this driver. As the DTM cannot detect any device associated with it, it cannot be tested. Is there an alternative?

For reference, the utility HWiNFO comes with drivers for different architecture. These drivers are loaded by the HWiNFO application and unloaded on exit. They don’t associate themselves with any device in the device tree. My driver is exactly like that.

Any help will be greatly appreciated.

Regards

xxxxx@gmail.com wrote:

I have a driver which is dynamically loaded (InstallService, StartService) by my application and unloaded once the job is done. How do I get a trusted certificate for this driver. As the DTM cannot detect any device associated with it, it cannot be tested. Is there an alternative?

Do you mean a WHQL signature? There is no point in getting a WHQL
signature for a legacy driver. The WHQL test is only done when a PnP
driver is installed. The only signing you need is for KMCS, and you do
that with your OWN code-signing certificate.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Hi Tim,

Thanks for the reply.

KMCS policy enforces (in 64bit versions of Vista and later) the kernel mode
code to be signed with a trusted certificate signature obtained from one of
the SPC listed in msdn here:
http://msdn.microsoft.com/en-us/windows/hardware/gg487315.aspx

I was wondering if a software driver can be signed using Windows Hardware
Certification (formerly known as Windows Logo Program). If yes, how to do
that?

Thanks
Anirudha

On Wed, Sep 12, 2012 at 10:10 PM, Tim Roberts wrote:

> xxxxx@gmail.com wrote:
> > I have a driver which is dynamically loaded (InstallService,
> StartService) by my application and unloaded once the job is done. How do I
> get a trusted certificate for this driver. As the DTM cannot detect any
> device associated with it, it cannot be tested. Is there an alternative?
>
> Do you mean a WHQL signature? There is no point in getting a WHQL
> signature for a legacy driver. The WHQL test is only done when a PnP
> driver is installed. The only signing you need is for KMCS, and you do
> that with your OWN code-signing certificate.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

To repeat what Mr. Roberts said: Sign the driver with your OWN certificate. You don’t need the logo to load your driver under KMDS, you JUST need a signature. There’s no WHQL program that I’m aware of that’ll allow you to logo a generic non-PnP driver.

Peter
OSR

Anirudha Kumar wrote:

KMCS policy enforces (in 64bit versions of Vista and later) the kernel
mode code to be signed with a trusted certificate signature obtained
from one of the SPC listed in msdn here:
http://msdn.microsoft.com/en-us/windows/hardware/gg487315.aspx

I was wondering if a software driver can be signed using Windows
Hardware Certification (formerly known as Windows Logo Program). If
yes, how to do that?

Not possible. Fortunately, you can buy your own certificate for about
the same price as a WHQL submission, and once you have that, you can
sign as many drivers as you want.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Hi Tim,

I’ve decided to go for Code Signing Certificate from GlobalSign and sign
the driver using that.

But I’m still not convinced that MS doesn’t provides any way to sign a
Software Driver. I thought that the Unclassified Category in the WHQL is
meant for that purpose. Also, following MSDN page talks about getting
Software Driver signed by MS through WLK

http://msdn.microsoft.com/en-us/library/windows/hardware/gg463036.aspx

This is why I’m still confused about it.

Regards
Anirudha

On Thu, Sep 13, 2012 at 10:24 PM, Tim Roberts wrote:

> Anirudha Kumar wrote:
> >
> >
> > KMCS policy enforces (in 64bit versions of Vista and later) the kernel
> > mode code to be signed with a trusted certificate signature obtained
> > from one of the SPC listed in msdn here:
> > http://msdn.microsoft.com/en-us/windows/hardware/gg487315.aspx
> >
> > I was wondering if a software driver can be signed using Windows
> > Hardware Certification (formerly known as Windows Logo Program). If
> > yes, how to do that?
>
> Not possible. Fortunately, you can buy your own certificate for about
> the same price as a WHQL submission, and once you have that, you can
> sign as many drivers as you want.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

By the way, about the GlobalSign -

Do they really revoke our certificates after the subscription period
ends, as stated in their User Agreement?
Then, users could not install our software after that period, even it it
has been timestamped.

( from
https://www.globalsign.com/repository/GlobalSign%20Code%20Signing%20SA%20v1.7%20(US).pdf
)

Regards,
– pa

On 16-Sep-2012 07:54, Anirudha Kumar wrote:> Hi Tim,
>
> I’ve decided to go for Code Signing Certificate from GlobalSign and sign
> the driver using that.

Even for a WHQL signature you need a certificate [from Verisign]. It is
used to sign the package submission sent to WHQL.

If you are simply trying to avoid the purchase (and maintenance) of a Code
Signing Certificate there is no real way to do so.

Good Luck,

Dave Cattley

Pavel A wrote:

By the way, about the GlobalSign -

Do they really revoke our certificates after the subscription period
ends, as stated in their User Agreement?
Then, users could not install our software after that period, even it it
has been timestamped.

The certificate is not actively revoked, it simply expires. When
someone installs your driver years later, the validation process asks
“was this certificate valid at the time of the signature?” That’s why
we use a validated timestamp.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Anirudha Kumar wrote:

I’ve decided to go for Code Signing Certificate from GlobalSign and
sign the driver using that.

But I’m still not convinced that MS doesn’t provides any way to sign a
Software Driver. I thought that the Unclassified Category in the WHQL
is meant for that purpose. Also, following MSDN page talks about
getting Software Driver signed by MS through WLK

This is why I’m still confused about it.

You can submit a software PnP driver, but not a legacy (non-PnP)
driver. There wouldn’t be any point to it, because (as I said) the WHQL
check is only done at installation time, and PnP drivers are the only
ones that have an installation process.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Eventually the root certificate expires, at which point I would think signed drivers will stop working. I suppose an interesting test would be to set the system clock forward 20 years, past the root expiration, and see what happens.

Jan

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: Monday, September 17, 2012 10:21 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] How to get Certificate for Driver not associated with any Device?

Pavel A wrote:

By the way, about the GlobalSign -

Do they really revoke our certificates after the subscription period
ends, as stated in their User Agreement?
Then, users could not install our software after that period, even it
it has been timestamped.

The certificate is not actively revoked, it simply expires. When someone installs your driver years later, the validation process asks “was this certificate valid at the time of the signature?” That’s why we use a validated timestamp.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Jan Bottorff wrote:

Eventually the root certificate expires, at which point I would think signed drivers will stop working. I suppose an interesting test would be to set the system clock forward 20 years, past the root expiration, and see what happens.

I’m not sure that’s true, although I admit there are subtleties in this
process that I do not fully appreciate. The KMCS process doesn’t have
to answer the question “is this chain valid right now?” It has to
answer the question “does this chain end at a root that I know”, and
“were all the certificates in this chain valid on the date it was
timestamped?”


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

On 17-Sep-2012 20:20, Tim Roberts wrote:

Pavel A wrote:
> By the way, about the GlobalSign -
>
> Do they really revoke our certificates after the subscription period
> ends, as stated in their User Agreement?
> Then, users could not install our software after that period, even it it
> has been timestamped.

The certificate is not actively revoked, it simply expires. When
someone installs your driver years later, the validation process asks
“was this certificate valid at the time of the signature?” That’s why
we use a validated timestamp.

Tim, what you say is what I hoped for - but, if I understand
the legalese text correctly, they talk about active revoke (CRL).
Apparently, so that we won’t stop paying.
– pa

Pavel A wrote:

Tim, what you say is what I hoped for - but, if I understand
the legalese text correctly, they talk about active revoke (CRL).
Apparently, so that we won’t stop paying.

I’ve sent them a note about this. The language is not correct. I will
note that it says “GlobalSign may revoke the Subscriber’s Digital
Certificate”, and “may” is not the same as “will”, but even so, it’s not
right.

For what it’s worth, I have already had one GlobalSign certificate
expire, and the signatures are still valid.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

On 19-Sep-2012 19:19, Tim Roberts wrote:

Pavel A wrote:
>
> Tim, what you say is what I hoped for - but, if I understand
> the legalese text correctly, they talk about active revoke (CRL).
> Apparently, so that we won’t stop paying.

I’ve sent them a note about this. The language is not correct. I will
note that it says “GlobalSign may revoke the Subscriber’s Digital
Certificate”, and “may” is not the same as “will”, but even so, it’s not
right.

For what it’s worth, I have already had one GlobalSign certificate
expire, and the signatures are still valid.

Thank you Tim, when (and if) they respond, keep us updated, please.

– pa