To get drivers to load:
Pre Windows 7 and non-patched Windows 7 you need SHA1 signed binaries.
Except XP and 2K where it doesn’t matter.
All newer platforms, including Windows 2016 without Secure Boot you need
SHA256 signed binaries. You can dual sign these as Eric pointed out to
be safe.
For Server 2016 with Secure Boot enabled you need them to be attestation
signed.
HCK/HLK testing/signing is not needed in ANY scenario to get your
drivers to load though it is a great way to test your implementation.
Pete
–
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com http:</http:>
866.263.9295
------ Original Message ------
From: xxxxx@hotmail.com
To: “Windows File Systems Devs Interest List”
Sent: 5/31/2017 6:47:04 AM
Subject: RE:[ntfsd] Do I need HCK/Logo certification for minifilter
driver?
>
>
>Not correct. The file system filter/driver need only be signed.
>
>—
>NTFSD is sponsored by OSR
>
>
>MONTHLY seminars on crash dump analysis, WDF, Windows internals and
>software drivers!
>Details at http:
>
>To unsubscribe, visit the List Server section of OSR Online at
>http:</http:></http:>
Hi Pete.
“For Server 2016 with Secure Boot enabled you need them to be attestation signed.”
AFAIK, Windows Server 2016 requires HLK signing if Secure Boot is enabled. Attestation signing is not enough.
See:
https://www.osr.com/blog/2016/06/02/driver-signing-details-emerge/
Am I missing anything?
Regards,
Fernando Roberto da Silva
DriverEntry Kernel Development
http://www.driverentry.com.br
No, all they need is to be attestation signed, this is according to MSFT at the last plugfest. As well, I’ve confirmed this in testing. It was pointed out that this could change in the future but it would be a slow process.
If secure boot is NOT enabled then you only need SHA1 or SHA256 signing.
Pete
On May 31, 2017 9:46:23 AM PDT, xxxxx@driverentry.com.br wrote:
Hi Pete.
“For Server 2016 with Secure Boot enabled you need them to be
attestation signed.”
AFAIK, Windows Server 2016 requires HLK signing if Secure Boot is
enabled. Attestation signing is not enough.
See:
https://www.osr.com/blog/2016/06/02/driver-signing-details-emerge/
Am I missing anything?
Regards,
Fernando Roberto da Silva
DriverEntry Kernel Development
http://www.driverentry.com.br
NTFSD is sponsored by OSR
MONTHLY seminars on crash dump analysis, WDF, Windows internals and
software drivers!
Details at http:
>
>To unsubscribe, visit the List Server section of OSR Online at
>http:
–
Sent from my Android device with K-9 Mail. Please excuse my brevity.</http:></http:>
Slava is correct here, I was not precise enough in my previous note.
In general, to get your driver to run you only need to sign it with the exception of Secure Boot mode on Windows 10 (which requires Attestation signing) and Secure Boot mode on Server 2016 (which, according to “stated” policy requires HLK signing).
But, again, Attestation signing appears to work in Secure Boot mode on Server 2016 according to our experiments - although I just noticed that someone else on the forum appears to have heard from Microsoft at a Plugfest that Attestation signing is enough for Server 2016 in Secure Boot mode.
However I have yet to see any retraction of the HLK requirement on MSDN – does anyone have more info on official statements from Microsoft in this regard? It would definitely reduce our turnaround time for signing if only Attestation signing was required but without some official statement from Microsoft I’m a little nervous about depending on that for released product.
Eric Berge