KMDF driver signing

I would think this would come up all the time but I can’t find anything useful in the archives.

I’ve written a KMDF driver for a piece of special-purpose hardware built by another company (which doesn’t provide drivers). I’d like to provide a signed version of the driver to my own customers, but as I’m a one-person company, I’m not the HW vendor, and very few of my sales will use this driver, I’m looking for the cheapest possible way to sign the driver.

So: can I sign a driver with a cheapy COMODO $167/year code-signing certificate, or do I have to shell out the $$$ for a Verisign one? COMODO’s web site gushes about how you can sign any kind of binary but they don’t specifically say it’ll cover drivers. I’d get the $179 one-year one just to try it but I also don’t know the answer to the very first question they ask – what key size do I want? The menu defaults to 1536 bits but there are LOT of choices and this is all greek to me, I’m but a lowly programmer.

Also, I don’t understand how expiration works with certificates. I’m assuming that I’ll have to keep renting a certificate forever or else all of my existing customers will be hosed. But if a driver will continue to be installable after the certificate lapses as long as I don’t change a single byte, that’s even better (I’m much less picky about the price of the certificate if it’s a one-time cost, instead of being more than my phone bill, FOREVER, whether I have sales or not). Having to pay $299 every time I fix a bug might teach me some discipline!

There’s tons of documentation about using certificates but it all seems to assume that you already have one, and that your company is big enough that the cost is unimportant.
Thanks!

John Wilson
D Bit

A properly signed driver, sys and/or cat, will work forever. You have to
timestamp the file(s) after it is signed to indicate that the certificate
used to sign was valid at that date & time. The sys only needs to be signed
if you can be a boot start driver, but it is a good idea to do it anyway.

Look on Microsoft.com for a list of certificate vendors that Microsoft has
created cross-certificates. I think WHQL must have Verisign and I recommend
you do a WHQL certification to enable silent installation. You can use DTM
1.4 for the WHQL process, but 1.5 is due out soon or so I hear.

wrote in message news:xxxxx@ntdev…
>I would think this would come up all the time but I can’t find anything
>useful in the archives.
>
> I’ve written a KMDF driver for a piece of special-purpose hardware built
> by another company (which doesn’t provide drivers). I’d like to provide a
> signed version of the driver to my own customers, but as I’m a one-person
> company, I’m not the HW vendor, and very few of my sales will use this
> driver, I’m looking for the cheapest possible way to sign the driver.
>
> So: can I sign a driver with a cheapy COMODO $167/year code-signing
> certificate, or do I have to shell out the $$$ for a Verisign one?
> COMODO’s web site gushes about how you can sign any kind of binary but
> they don’t specifically say it’ll cover drivers. I’d get the $179
> one-year one just to try it but I also don’t know the answer to the very
> first question they ask – what key size do I want? The menu defaults to
> 1536 bits but there are LOT of choices and this is all greek to me, I’m
> but a lowly programmer.
>
> Also, I don’t understand how expiration works with certificates. I’m
> assuming that I’ll have to keep renting a certificate forever or else all
> of my existing customers will be hosed. But if a driver will continue to
> be installable after the certificate lapses as long as I don’t change a
> single byte, that’s even better (I’m much less picky about the price of
> the certificate if it’s a one-time cost, instead of being more than my
> phone bill, FOREVER, whether I have sales or not). Having to pay $299
> every time I fix a bug might teach me some discipline!
>
> There’s tons of documentation about using certificates but it all seems to
> assume that you already have one, and that your company is big enough that
> the cost is unimportant.
> Thanks!
>
> John Wilson
> D Bit
>
>

xxxxx@dbit.com wrote:

I’ve written a KMDF driver for a piece of special-purpose hardware built by another company (which doesn’t provide drivers). I’d like to provide a signed version of the driver to my own customers, but as I’m a one-person company, I’m not the HW vendor, and very few of my sales will use this driver, I’m looking for the cheapest possible way to sign the driver.

So: can I sign a driver with a cheapy COMODO $167/year code-signing certificate, or do I have to shell out the $$$ for a Verisign one? COMODO’s web site gushes about how you can sign any kind of binary but they don’t specifically say it’ll cover drivers. I’d get the $179 one-year one just to try it but I also don’t know the answer to the very first question they ask – what key size do I want? The menu defaults to 1536 bits but there are LOT of choices and this is all greek to me, I’m but a lowly programmer.

Actually, the answer to both questions is NO. You can’t use COMODO, but
it isn’t absolutely necessary to use Verisign. There is a very short
list of certificate vendors that are acceptable for KMCS. It must be
one for which Microsoft has an approved cross-signing certificate (which
you must also download). Here’s the list, although I believe several of
these have since gone out of business:
http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx

We are a small consulting company as well, so I got mine from
GlobalSign, $299 for 3 years. Nasty, but not onerous.

Also, I don’t understand how expiration works with certificates. I’m assuming that I’ll have to keep renting a certificate forever or else all of my existing customers will be hosed. But if a driver will continue to be installable after the certificate lapses as long as I don’t change a single byte, that’s even better (I’m much less picky about the price of the certificate if it’s a one-time cost, instead of being more than my phone bill, FOREVER, whether I have sales or not). Having to pay $299 every time I fix a bug might teach me some discipline!

The certificate needs to be valid when you do the signing. Once signed,
the package will be accepted forever.

There’s tons of documentation about using certificates but it all seems to assume that you already have one, and that your company is big enough that the cost is unimportant.

The learning curve is steep, but once you find the magic spell, it just
works from that point on.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

I went through the list on the MS web site (this is familiar, I’ve struck out there before!) and I must be missing something… GlobalSign seems to be $229/year, or $563 for three years. Still way better than $499/year from Verisign but still nowhere near $299 for 3 years which definitely sounds like my kind of ballpark. Am I looking for the wrong kind of certificate or is this my only choice? I assume “code signing” is it but as I said, none of this means anything to me, I’m just trying to get Windows to install my code w/o throwing wild accusations around. WHQL certification sounds really daunting.

Thanks!

John Wilson
D Bit

OK I found what led me astray last time I tried to understand this procedure – MS’s “Using Authenticode to Digitally Sign Driver Packages” design note contains a link to http://msdn.microsoft.com/en-us/library/ms995347.aspx , which includes Comodo in its list of supposedly valid CAs. And Comodo definitely does Authenticode. I guess I don’t understand how the difference between the kernel-/user-mode universes applies to certificates.

John Wilson
D Bit

xxxxx@dbit.com wrote:

I went through the list on the MS web site (this is familiar, I’ve struck out there before!) and I must be missing something… GlobalSign seems to be $229/year, or $563 for three years. Still way better than $499/year from Verisign but still nowhere near $299 for 3 years which definitely sounds like my kind of ballpark. Am I looking for the wrong kind of certificate or is this my only choice?

Hmm, I see what you mean. All I can say is that GlobalSign was cheaper
than that three years ago when I bought mine. I guess I will have a sad
face when it comes up for renewal.

I assume “code signing” is it but as I said, none of this means anything to me, I’m just trying to get Windows to install my code w/o throwing wild accusations around. WHQL certification sounds really daunting.

OK, let’s step back for a minute. This KMCS signing is required to get
your driver to run AT ALL on a 64-bit system. If you are trying to
eliminate the “caution, this driver is unsigned, first sign of the
apocalypse, watch out now” dialog at install time, that’s a completely
separate issue. That happens on all systems (32-bit or 64-bit), and the
only way to eliminate that is to submit for a WHQL signature.

In order to set up a WHQL account, you also need to have a certificate.
And, in an unfortunate twist of fate, WHQL will **ONLY** accept Verisign
certificates. Verisign has a $99 mini-certificate just for that purpose.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> OK I found what led me astray last time I tried to understand this

procedure – MS’s “Using Authenticode to Digitally Sign Driver
Packages” design note contains a link to http://msdn.microsoft.com/en-
us/library/ms995347.aspx , which includes Comodo in its list of
supposedly valid CAs. And Comodo definitely does Authenticode. I
guess I don’t understand how the difference between the kernel-/user-
mode universes applies to certificates.

There are two commonly used kinds of signing for drivers, kernel mode
signatures required on 64-bit kernel code, and signatures on .cat file used
for driver installation. I believe a Comodo Authenticode certificate is
valid for signing a .cat, but isn’t for 64-bit kernel code signing. There is
also DRM signing (which I never have needed to do), which I believe has more
stringent requirements than even 64-bit kernel code signing, but only is
needed by drivers in a trusted media playback path.

I gave MSFT feedback (by clicking the give feedback link at the top of many
msdn pages) about the link you posted, suggesting they add a column about
kernel code signing.

Jan

xxxxx@dbit.com wrote:

OK I found what led me astray last time I tried to understand this procedure – MS’s “Using Authenticode to Digitally Sign Driver Packages” design note contains a link to http://msdn.microsoft.com/en-us/library/ms995347.aspx , which includes Comodo in its list of supposedly valid CAs. And Comodo definitely does Authenticode. I guess I don’t understand how the difference between the kernel-/user-mode universes applies to certificates.

You are not alone.

User-mode certificate authentication can take as much time as it needs
to. It can rummage through the certificate stores on your computer to
look for a match in one of several “trusted issuer” stores.

The KMCS authentication is happening in the kernel loader. It doesn’t
have infinite room, and it doesn’t have infinite time. The KMCS checker
contains exactly one valid root certificate. In order for a driver to
pass muster, it must include a certificate chain that ends up in that
one valid root.

Hence, the cross-certificate requirement. GlobalSign issue you a
certificate. You fetch the GlobalSign cross-certificate from MSDN,
which was generated by the Microsoft code signing authority. You sign
your driver with BOTH, in a chain. (When I sign, I actually end up with
a chain of 5 certificates, ending in the Microsoft code signing authority).

So, you can use any code-signing cert to sign a user-mode application.
But for KMCS, it must be a code-signing cert issued by a company for
which there is a cross-certificate issued by the Microsoft code-signing
authority. That’s what the short list represents.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

OK I think I’m starting to get it – thanks! And thanks for the x64-unsigned-total-refusal vs. x86-non-WHQL-scolding distinction. I’ve been lumping them together in my head because I’m assuming that MS is testing the waters with the x64 rule and it’ll apply everywhere as soon as they think they can get away with it, and sort of hoping that dealing with that (because I have to) would make the (cosmetic) scolding go away too. Guess not!

Anyway for now I’ll just cough up the $229 and see how things go from there.

Thanks very much for the help,

John Wilson
D Bit

> Also, I don’t understand how expiration works with certificates. I’m assuming that I’ll have to keep

renting a certificate forever or else all of my existing customers will be hosed.

Timestamping relaxes this requirement.

–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> I’d like to provide a signed version of the driver to my own

customers, […] I’m looking for the cheapest possible way to sign
the driver.

We use GlobalSign. They are not very expensive, and also have an office
not too far away. This made the necessary identity checks easier.
Also we know that for our product we do not need WHQL signing.

Just to make sure you really get what you want, here are two scenarios
with explanations:

A: “In Driver Manager, I see our driver marked as ‘unsigned’. My
customer wants this to go.”

On all Windows versions, only WHQL signed drivers can “silent install”
and only these do not show the “unsigned driver” mark in Device Manager.

=> You need a WHQL = Windows Hardware Quality Labs Signature.

To get one, you need (1) to code-sign your driver, (2) test your driver
using the Driver Test Manager (DTM), (3) sign the DTM logs and (4)
submit these together with your driver and INF/CAT files to Microsoft.
If all is well, (5) Microsoft will sign your CAT file with a WHQL signature.

Note: There are a number of Microsoft-approved Certification Authorities
(CAs) for Kernel Mode Code-Signing (KMCS). But the number of CAs that
are also approved for WHQL submissions is smaller (Verisign).

If you start with a “cheaper” code-signing certificate from another CA,
you might have to buy an additional (cheaper) Verisign certificate for
WHQL submission later.

B: “My driver does not load on my Window 64bit system. But it needs to!”

1. On Win64, all “normal” kernel drivers must come with a signed CAT
   file to be installed and loaded at run-time.

2. On Win64, kernel drivers that are needed for system boot must be
   signed with an embedded signature. This also needs to contain a
   cross-certificate linking the CA to the Microsoft code signing root.

3. On Win64, user-mode drivers using the User Mode Driver Framework
   (UMDF) do not need to be signed. UMDF improves system stability - if you
   can, go for it!

Note:
It is not (yet) mandatory to use signed drivers on 32bit machines to get
your driver loaded and executed.
That said, I would always recommend to use signatures where possible.
(E.g. we have a USB bulk driver that will never be needed at system boot
time, but nevertheless we sign the SYS file: this way anyone can easily
check if the file has been altered. Once you need a certificate anyway,
it’s basically a free extra.)

So: can I sign a driver with a cheapy COMODO $167/year code-signing
certificate, or do I have to shell out the $$$ for a Verisign one?

If you need WHQL, you possibly want to go for Verisign. But please
thoroughly check the Microsoft web sites about this: for some time,
there was an offer to obtain a WHQL-submission certificate for little
money. It may better fit your needs to have an inexpensive
three-year-valid code-signing certificate, and e.g. get a Verisign
one-year WHQL-submission-only certificate when you need it.

Also, I don’t understand how expiration works with certificates.

All certificates expire after some time. CA Root certificates can have
very long expiration times (10 and more years). Code-signing
certificates typically expire after one to three years.

To avoid expiration of your driver binary, you add a (free-of-charge)
cryptographic time-stamp when you sign the driver.

What happens “under the hood” is that the timestamp provider signs the
cryptographic hash of a given file (you can e.g. also pack an arbitrary
file - eg. a *.DOC file - into a *.CAB archive and have this timestamped).

If the file is a driver package (actually the CAT file), and your driver
certificate was valid at the date/time of the timestamping, Windows will
accept your driver.

Hope this helps,
Hagen

> >[…] "caution, this driver is unsigned, first sign of the

apocalypse, watch out now" dialog at install time […]

Tim, I love that graphic statement. Thanks!

> On all Windows versions, only WHQL signed drivers can “silent install”

and only these do not show the “unsigned driver” mark in Device Manager.

Only WHQL drivers do not show the “unsigned driver” mark in Device
Manager. They don’t need to “silent install” for that.