Vista driver signing for NDIS IM driver

Hi all.

I’m trying to understand what is required to certify an NDIS IM driver for
Vista now (i.e. before Vista is RTM). At the beginning the driver will run
on x86 only, in the future it will need to run on x64.

And I’m quite confused.

This is what I understood (correct me if I’m wrong)

  • you can authenticode-sign the driver, only. Or go through WHQL
    certification, too.
  • an authenticode-signed driver is the only way to have a driver running on
    Vista x64. On x86, it works (warning the user).
  • a WHQL certified driver will install without warnings on x86/x64. If the
    driver is only authenticode-signed, it will issue a warning during
    installation in any case.
  • in order to authenticode-sign a driver you need an SPC, but nothing should
    be submitted to Winqual.
  • in order to have a Vista-WHQL certified driver, you need to have an SPC,
    and you need to use DTM. You are not allowed to use HCT any more. Am I right
    or wrong on this?

Thanks for the help
GV

Here’s my current understanding, but in general, don’t hesitate to
mail WHQL directly on stuff like this - they’re usually pretty
responsive for us. With that said, we’re just starting down the Vista
signing path around here, so I’m not as experienced with this stuff
as others on this list.

With that said:

On Oct 10, 2006, at 7:59 PM, Gianluca Varenni wrote:

> I’m trying to understand what is required to certify an NDIS IM driver for
> Vista now (i.e. before Vista is RTM). At the beginning the driver will run
> on x86 only, in the future it will need to run on x64.

As far as I know, WHQL will only sign drivers for Vista that support
both 32-bit and 64-bit platforms. At least, that’s the last thing I
heard; has that changed?

>   • an authenticode-signed driver is the only way to have a driver running on
>     Vista x64. On x86, it works (warning the user).

This refers to driver binary signing. The x64 Vista kernel will
refuse to load unsigned binaries, regardless of whether or not the
driver package itself is signed.

>   • a WHQL certified driver will install without warnings on x86/x64. If the
>     driver is only authenticode-signed, it will issue a warning during
>     installation in any case.

I think there’s an administrative option to trust certain signers
that would suppress that warning.

>   • in order to have a Vista-WHQL certified driver, you need to have an SPC,
>     and you need to use DTM. You are not allowed to use HCT any more. Am I right
>     or wrong on this?

Yes, you have to use DTM for Vista certification. In fact, at some
point, they’re going to cut off the HCTs for pre-Vista too; I thought
I heard that it was supposed to be several months after Vista RTM.

-Steve

> ----------
> From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Steve Dispensa[SMTP:xxxxx@positivenetworks.net]
> Reply To: Windows System Software Devs Interest List
> Sent: Wednesday, October 11, 2006 6:18 PM
> To: Windows System Software Devs Interest List
> Subject: Re: [ntdev] Vista driver signing for NDIS IM driver
>
> As far as I know, WHQL will only sign drivers for Vista that support
> both 32-bit and 64-bit platforms. At least, that’s the last thing I
> heard; has that changed?

We have an x86 and an x64 driver signed separately, i.e. one .sys + .inf + .cat for both. However, we submitted both packages at once.

> > - an authenticode-signed driver is the only way to have a driver
> > running on
> > Vista x64. On x86, it works (warning the user).
>
> This refers to driver binary signing. The x64 Vista kernel will
> refuse to load unsigned binaries, regardless of whether or not the
> driver package itself is signed.

I don’t think so. Signing binaries is optional, i.e. package signing should be enough if the driver isn’t boot or maybe system. However, it can be a good idea to have both the binaries and the package signed. Fortunately, the signing tools work now, and signing binaries as part of the build process isn’t so hard.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

----- Original Message -----
From: “Steve Dispensa”
To: “Windows System Software Devs Interest List”
Sent: Wednesday, October 11, 2006 9:18 AM
Subject: Re: [ntdev] Vista driver signing for NDIS IM driver

> Here’s my current understanding, but in general, don’t hesitate to mail
> WHQL directly on stuff like this - they’re usually pretty responsive for
> us. With that said, we’re just starting down the Vista

Which MS alias are you using? xxxxx@microsoft.com?

> signing path around here, so I’m not as experienced with this stuff as
> others on this list.
>
> With that said:
>
> On Oct 10, 2006, at 7:59 PM, Gianluca Varenni wrote:
>> I’m trying to understand what is required to certify an NDIS IM driver
>> for
>> Vista now (i.e. before Vista is RTM). At the beginning the driver will
>> run
>> on x86 only, in the future it will need to run on x64.
>
> As far as I know, WHQL will only sign drivers for Vista that support both
> 32-bit and 64-bit platforms. At least, that’s the last thing I heard;
> has that changed?

Yesterday I found a document/web page saying that the submission of the two
drivers can be done separately (but no more than 30 days between the two).
But today I cannot find it again…

>
>> - an authenticode-signed driver is the only way to have a driver running
>> on
>> Vista x64. On x86, it works (warning the user).
>
> This refers to driver binary signing. The x64 Vista kernel will refuse to
> load unsigned binaries, regardless of whether or not the driver package
> itself is signed.
>
>> - a WHQL certified driver will install without warnings on x86/x64. If
>> the
>> driver is only authenticode-signed, it will issue a warning during
>> installation in any case.
>
> I think there’s an administrative option to trust certain signers that
> would suppress that warning.

I think I can use the SPC used for WHQL for authenticode signing, as well.
So this means that if I authenticode-sign my driver in this way, no warning
should be issued, even without changing the trusted signers on the target
machine. Maybe I’m totally wrong.

>
>> - in order to have a Vista-WHQL certified driver, you need to have an
>> SPC,
>> and you need to use DTM. You are not allowed to use HCT any more. Am I
>> right
>> or wrong on this?
>
> Yes, you have to use DTM for Vista certification. In fact, at some point,
> they’re going to cut off the HCTs for pre-Vista too; I thought I heard
> that it was supposed to be several months after Vista RTM.

Well, what I found in the document called “Post HCT 12 DTM Global WHQL
POLICY v1.1.doc” is that


Device and system logo submissions can be made at the release of Windows
Vista RC1 using the HCT/DCT or the DTM. Windows Vista Operating System Logo
submissions can only be made using the DTM. HCT/DCT submissions will also be
accepted through the winqual.microsoft.com website for Windows Server 2003
and Windows XP operating systems for 90 days following the release of
Windows Vista RTM.


It seems to indicate that for xp/2003 you can still use HCT for 3 more
months.

Thanks for the great help.
GV

>
> -Steve
>
>
> —
> Questions? First check the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

For the x86 certification you used DTM, right? How hard is it to migrate from
HCT to DTM?

Have a nice day
GV

----- Original Message -----
From: “Michal Vodicka”
To: “Windows System Software Devs Interest List”
Sent: Wednesday, October 11, 2006 9:49 AM
Subject: RE: [ntdev] Vista driver signing for NDIS IM driver

> ----------
> From:
> xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
> on behalf of Steve Dispensa[SMTP:xxxxx@positivenetworks.net]
> Reply To: Windows System Software Devs Interest List
> Sent: Wednesday, October 11, 2006 6:18 PM
> To: Windows System Software Devs Interest List
> Subject: Re: [ntdev] Vista driver signing for NDIS IM driver
>
> As far as I know, WHQL will only sign drivers for Vista that support
> both 32-bit and 64-bit platforms. At least, that’s the last thing I
> heard; has that changed?
>
We have a x86 and x64 driver signed separately i.e. one .sys + .inf + .cat
for both. However, we submitted both packages at once.

> > - an authenticode-signed driver is the only way to have a driver
> > running on
> > Vista x64. On x86, it works (warning the user).
>
> This refers to driver binary signing. The x64 Vista kernel will
> refuse to load unsigned binaries, regardless of whether or not the
> driver package itself is signed.
>
I don’t think so. Signing binaries is optional i.e. package signing should
be enough if driver isn’t boot or maybe system. However, it can be a good
idea to have both binaries and package signed. Fortunately, signing tools
work now and sign binaries as part of build process isn’t so hard.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]



On Oct 11, 2006, at 11:49 AM, Michal Vodicka wrote:

>> - an authenticode-signed driver is the only way to have a driver
>> running on
>> Vista x64. On x86, it works (warning the user).
>
> This refers to driver binary signing. The x64 Vista kernel will
> refuse to load unsigned binaries, regardless of whether or not the
> driver package itself is signed.
>
> I don’t think so. Signing binaries is optional i.e. package signing
> should be enough if driver isn’t boot or maybe system. However, it
> can be a good idea to have both binaries and package signed.
> Fortunately, signing tools work now and sign binaries as part of
> build process isn’t so hard.

This paper seems to contradict that; is what you’re seeing different
from what this paper says?

From the abstract:

For Microsoft® Windows Vista™ and later versions of the Windows®
family of operating systems, kernel-mode software must have a digital
signature to load on x64-based computer systems. Certain
configurations of x86 systems will require kernel-mode software to
have digital signatures in order to access next generation premium
content depending on content protection policy. This paper describes
how to manage the signing process for kernel-mode software for
Windows Vista.

http://www.microsoft.com/whdc/system/platform/64bit/kmsigning.mspx

-Steve

Gianluca Varenni wrote:

> For the x86 certification you used DTM, right? How hard is it to migrate
> from HCT to DTM?

The HCTs may be complicated, but DTM is a true lifestyle change. It is
a serious commitment.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> ----------
> From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Steve Dispensa[SMTP:xxxxx@positivenetworks.net]
> Reply To: Windows System Software Devs Interest List
> Sent: Wednesday, October 11, 2006 8:37 PM
> To: Windows System Software Devs Interest List
> Subject: Re: [ntdev] Vista driver signing for NDIS IM driver
>
> > I don’t think so. Signing binaries is optional i.e. package signing
> > should be enough if driver isn’t boot or maybe system. However, it
> > can be a good idea to have both binaries and package signed.
> > Fortunately, signing tools work now and sign binaries as part of
> > build process isn’t so hard.
>
> This paper seems to contradict that; is what you’re seeing different
> from what this paper says?
>
> From the abstract:
>
> For Microsoft® Windows Vista™ and later versions of the Windows®
> family of operating systems, kernel-mode software must have a digital
> signature to load on x64-based computer systems. Certain
> configurations of x86 systems will require kernel-mode software to
> have digital signatures in order to access next generation premium
> content depending on content protection policy. This paper describes
> how to manage the signing process for kernel-mode software for
> Windows Vista.
>
> http://www.microsoft.com/whdc/system/platform/64bit/kmsigning.mspx

I’m not sure if we understand ourselves. There are two signing possibilities: sign binaries, i.e. embed the signature in the driver binary, or sign the catalog file and sign it. Both possibilities are valid and sufficient and can even be combined. Only boot drivers need to have an embedded signature because the OS can’t verify catalogs this time. The above statement doesn’t contradict that, it only doesn’t exactly specify the “kernel-mode software” term. The Kernel-Mode Code Signing Walkthrough document (http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx) states the following:

On x64 systems, a signed catalog file is all that is necessary to correctly install and load most driver packages. However, embedded signing might also be an option and is required for certain types of drivers. Embedded signing refers to adding a digital signature to the driver’s binary image file itself, rather than putting the file hash in a signed catalog file. Embedded signing of kernel-mode binaries might be required in two instances:
* When the driver package contains a boot-start driver.
* When the driver is installed as part of an application and does not use a catalog file.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]
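
An added example, not code from any poster in this thread: a presence check for the embedded signature that the walkthrough quoted above distinguishes from catalog signing. It reads the PE certificate table (data directory 4) of a driver image; the names `embedded_signature_info` and `build_sample` and the sample images are constructed for illustration, and nothing here validates the signature or its chain.

```python
import struct

CERT_DIR_INDEX = 4                       # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode SignedData blob
MACHINES = {0x014C: "x86", 0x8664: "x64"}


def embedded_signature_info(image: bytes) -> dict:
    """Presence check for an embedded Authenticode blob; validates nothing."""
    try:
        if image[:2] != b"MZ":
            raise ValueError("no MZ header")
        (pe_off,) = struct.unpack_from("<I", image, 0x3C)
        if image[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("no PE signature")
        # COFF header: Machine, 14 skipped bytes, SizeOfOptionalHeader.
        machine, opt_size = struct.unpack_from("<H14xH", image, pe_off + 4)
        opt_off = pe_off + 24
        (magic,) = struct.unpack_from("<H", image, opt_off)
        # Data directories start at 96 (PE32) or 112 (PE32+).
        dir_off = {0x10B: 96, 0x20B: 112}.get(magic)
        if dir_off is None:
            raise ValueError("unknown optional header magic")
        (num_dirs,) = struct.unpack_from("<I", image, opt_off + dir_off - 4)
        info = {"machine": MACHINES.get(machine, hex(machine)),
                "embedded": False, "cert_types": []}
        entry = dir_off + 8 * CERT_DIR_INDEX
        if num_dirs <= CERT_DIR_INDEX or entry + 8 > opt_size:
            return info
        # Unlike the other directories, this "address" is a raw file offset.
        cert_off, cert_size = struct.unpack_from("<II", image, opt_off + entry)
        if cert_off == 0 or cert_size == 0:
            return info                  # no embedded signature at all
        end = cert_off + cert_size
        if end > len(image):
            raise ValueError("certificate table runs past end of file")
        pos = cert_off
        while pos + 8 <= end:            # walk the WIN_CERTIFICATE entries
            length, _rev, cert_type = struct.unpack_from("<IHH", image, pos)
            if length < 8 or pos + length > end:
                raise ValueError("malformed WIN_CERTIFICATE entry")
            info["cert_types"].append(cert_type)
            pos += (length + 7) & ~7     # entries are 8-byte aligned
    except struct.error as exc:
        raise ValueError(f"truncated image: {exc}") from None
    info["embedded"] = WIN_CERT_TYPE_PKCS_SIGNED_DATA in info["cert_types"]
    return info


def build_sample(machine: int, signed: bool) -> bytes:
    """Constructed PE32+ headers for the demo; not a loadable driver."""
    opt = bytearray(112 + 16 * 8)        # optional header + 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)  # NumberOfRvaAndSizes
    cert = b""
    if signed:
        body = b"constructed placeholder, not PKCS#7"
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
        cert += b"\0" * (-len(cert) % 8)
        struct.pack_into("<II", opt, 112 + 8 * CERT_DIR_INDEX,
                         0x40 + 24 + len(opt), len(cert))
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<H14xHH", machine, len(opt), 0x2022)
    return dos + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    for signed in (False, True):
        print(signed, embedded_signature_info(build_sample(0x8664, signed)))
```

A result of `embedded: False` is not a failure by itself: per the walkthrough text quoted above, a signed catalog is enough for most driver packages, and the embedded form matters for boot-start drivers and for drivers installed without a catalog.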

Yes, we used DTM. Fortunately, I wasn’t involved in this process and I intentionally didn’t want to know too many details :) It took a few days of work, completely new hardware and new grey hairs of my unfortunate coworker :)

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Gianluca Varenni[SMTP:xxxxx@gmail.com]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, October 11, 2006 7:54 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Vista driver signing for NDIS IM driver

For the x86 certification you used DTM, right? How hard is to migrate from
HCT to DTM?

Have a nice day
GV

----- Original Message -----
From: “Michal Vodicka”
> To: “Windows System Software Devs Interest List”
> Sent: Wednesday, October 11, 2006 9:49 AM
> Subject: RE: [ntdev] Vista driver signing for NDIS IM driver
>
>
> > ----------
> > From:
> > xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
> > on behalf of Steve Dispensa[SMTP:xxxxx@positivenetworks.net]
> > Reply To: Windows System Software Devs Interest List
> > Sent: Wednesday, October 11, 2006 6:18 PM
> > To: Windows System Software Devs Interest List
> > Subject: Re: [ntdev] Vista driver signing for NDIS IM driver
> >
> > As far as I know, WHQL will only sign drivers for Vista that support
> > both 32-bit and 64-bit platforms. At least, that’s the last thing I
> > heard; has that changed?
> >
> We have a x86 and x64 driver signed separately i.e. one .sys + .inf + .cat
> for both. However, we submitted both packages at once.
>
> > > - an authenticode-signed driver is the only way to have a driver
> > > running on
> > > Vista x64. On x86, it works (warning the user).
> >
> > This refers to driver binary signing. The x64 Vista kernel will
> > refuse to load unsigned binaries, regardless of whether or not the
> > driver package itself is signed.
> >
> I don’t think so. Signing binaries is optional i.e. package signing should
> be enough if driver isn’t boot or maybe system. However, it can be a good
> idea to have both binaries and package signed. Fortunately, signing tools
> work now and sign binaries as part of build process isn’t so hard.
>
> Best regards,
>
> Michal Vodicka
> UPEK, Inc.
> [xxxxx@upek.com, http://www.upek.com]

“Tim Roberts” wrote in message news:xxxxx@ntdev…
> Gianluca Varenni wrote:
>
>> For the x86 certification you used DTM, right? How hard is to migrate
>> from HCT to DTM?
>
>
> The HCTs may be complicated, but DTM is a true lifestyle change. It is
> a serious commitment.

Commitment like “better growing tomatoes on the everest”?

:)

GV

>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>

Ok, the more I read and experiment and the more I get confused.

I tried loading a WHQL certified driver (WHQL obtained with HCT for XP/2003
a couple of months ago) and it loads without any warning on Vista BETA2 (I
haven’t installed RC1/RC2). Then I signed the WHQL catalog file with my
official SPC + cross certificate. If I use this catalog file, Vista asks me
if I trust my company (ie the owner of the SPC). What??? If I don’t sign it
(only WHQL catalog) I get no warnings, if I sign the cat, I get a warning!?!

This also means that a WHQL certified driver (certified with HCT) installs
on Vista without warnings (at least on beta2). I’m getting crazy…

Have a nice day
GV

“Michal Vodicka” wrote in message
news:xxxxx@ntdev…
> ----------
> From:
> xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com]
> on behalf of Steve Dispensa[SMTP:xxxxx@positivenetworks.net]
> Reply To: Windows System Software Devs Interest List
> Sent: Wednesday, October 11, 2006 8:37 PM
> To: Windows System Software Devs Interest List
> Subject: Re: [ntdev] Vista driver signing for NDIS IM driver
>
> > I don’t think so. Signing binaries is optional i.e. package signing
> > should be enough if driver isn’t boot or maybe system. However, it
> > can be a good idea to have both binaries and package signed.
> > Fortunately, signing tools work now and sign binaries as part of
> > build process isn’t so hard.
>
> This paper seems to contradict that; is what you’re seeing different
> from what this paper says?
>
> From the abstract:
>
> For Microsoft® Windows Vista™ and later versions of the Windows®
> family of operating systems, kernel-mode software must have a digital
> signature to load on x64-based computer systems. Certain
> configurations of x86 systems will require kernel-mode software to
> have digital signatures in order to access next generation premium
> content depending on content protection policy. This paper describes
> how to manage the signing process for kernel-mode software for
> Windows Vista.
>
> http://www.microsoft.com/whdc/system/platform/64bit/kmsigning.mspx
>
>
I’m not sure if we understand ourselves. There are two signing
possibilities: sign binaries i.e. embed the signature to the driver binary
or sign the catalog file and sign it. Both possibilities are valid and
sufficient and can be even combined. Only boot drivers need to have embedded
signature because OS can’t verify catalogs this time. Above statement
doesn’t contradict that, it only doesn’t exactly specify “kernel-mode
software” term. The Kernel-Mode Code Signing Walkthrough document
(http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx) states
following:

On x64 systems, a signed catalog file is all that is necessary to correctly
install and load most driver packages. However, embedded signing might also
be an option and is required for certain types of drivers. Embedded signing
refers to adding a digital signature to the driver’s binary image file
itself, rather than putting the file hash in a signed catalog file. Embedded
signing of kernel-mode binaries might be required in two instances:
* When the driver package contains a boot-start driver.
* When the driver is installed as part of an application and does not use a
catalog file.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

Gianluca Varenni wrote:

> Ok, the more I read and experiment and the more I get confused.
>
> I tried loading a WHQL certified driver (WHQL obtained with HCT for XP/2003
> a couple of months ago) and it loads without any warning on Vista BETA2 (I
> haven’t installed RC1/RC2). Then I signed the WHQL catalog file with my
> official SPC + cross certificate. If I use this catalog file, Vista asks me
> if I trust my company (ie the owner of the SPC). What??? If I don’t sign it
> (only WHQL catalog) I get no warnings, if I sign the cat, I get a warning!?!
>
> This also means that a WHQL certified driver (certified with HCT) installs
> on Vista without warnings (at least on beta2). I’m getting crazy…

Why should this be a surprise? Signed driver packages are allowed.
Microsoft-signed driver packages are accepted silently. User-signed
driver packages are accepted with warnings. Unsigned driver packages
can be loaded on Vista 32-bit with a dire warning, but not at all on
Vista 64-bit.

I believe that last clause is really the only substantial change for
Vista (although it is a big one).


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

----- Original Message -----
From: “Tim Roberts”
To: “Windows System Software Devs Interest List”
Sent: Wednesday, October 11, 2006 3:18 PM
Subject: Re: [ntdev] Vista driver signing for NDIS IM driver

> Gianluca Varenni wrote:
>
>>Ok, the more I read and experiment and the more I get confused.
>>
>>I tried loading a WHQL certified driver (WHQL obtained with HCT for
>>XP/2003
>>a couple of months ago) and it loads without any warning on Vista BETA2 (I
>>haven’t installed RC1/RC2). Then I signed the WHQL catalog file with my
>>official SPC + cross certificate. If I use this catalog file, Vista asks
>>me
>>if I trust my company (ie the owner of the SPC). What??? If I don’t sign
>>it
>>(only WHQL catalog) I get no warnings, if I sign the cat, I get a
>>warning!?!
>>
>>This also means that an WHQL certified driver (certified with HCT)
>>installs
>>on Vista without warnings (at least on beta2). i’m getting crazy…
>>
>>
>
> Why should this be a surprise? Signed driver packages are allowed.
> Microsoft-signed driver packages are accepted silently. User-signed
> driver packages are accepted with warnings. Unsigned driver packages
> can be loaded on Vista 32-bit with a dire warning, but not at all on
> Vista 64-bit.

Well, this means that I can WHQL-certify my driver with HCT for a couple
more months, and have it load on Vista without any warning. uh…

Have a nice day
GV

>
> I believe that last clause is really the only substantial change for
> Vista (although it is a big one).
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.

> driver packages are accepted with warnings. Unsigned driver packages
> can be loaded on Vista 32-bit with a dire warning

If we are speaking about non-PnP kernel modules - then no warning on Vista/32
at all.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com