Windows 7 driver code signing

Hello,

I had a question about Windows 7 driver signing. As I understand it, a
hotfix enables SHA256 support for kernel drivers.
After 2016, SHA1 support is dropped for new kernel drivers. If this is
the case, what does one install when the installer detects Windows 7?
If the SHA1 driver is installed (as for XP and Vista), it will break
unexpectedly when they patch their system.
If the SHA2 driver is installed, well, it won’t work if their system is
unpatched.

Thanks!

James

Yes, that sounds correct, although the timing appears to be changing from the behaviors I’m seeing.

I did some experiments today and signed our drivers only with an SHA1 certificate that was just issued on February 6, 2016. I was able to install and run these drivers on Windows 10 (fully up-to-date with Windows Update as of today, February 22).

Note that we have non-PNP drivers and others appear to have at least run into warnings when installing PNP drivers but I believe they were still able to install and run. Consider that hearsay.

So I did this experiment just to see what’s going on, but for our releases we’re double-signing our binaries with SHA1 and SHA256 so that it works on Vista and Windows 7 unpatched as well as being ready for when Microsoft started to enforce the use of SHA256.

The other thing to be aware of is that Windows 10 has “Device Guard” which allows admins to configure policy regarding what are valid binaries. I’m still trying to get my head around configuring this so I’m not an expert, but it does appear to have mechanisms to make signing requirements either more restrictive or less restrictive.
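As an added example (not code from the original thread or its posters), here is the dual-signing described above done with signtool from PowerShell: a SHA-1 primary signature for unpatched Vista/Windows 7, a SHA-256 signature appended for SHA-2-capable systems, then a verification pass that lists both. The signtool path, driver name, PFX file, environment variable, cross-certificate and timestamp URLs are placeholders and must be replaced with your own.

```powershell
# Added example, not from the original post. All paths/URLs below are assumptions.
$SignTool  = "C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe"  # assumed SDK path
$Driver    = ".\mydriver.sys"          # assumed kernel-mode driver binary
$Pfx       = ".\codesign.pfx"          # assumed signing certificate (SHA-256 capable)
$PfxPass   = $env:CODESIGN_PFX_PASSWORD  # assumed env var; avoids a password in the script
$CrossCert = ".\cross-cert.cer"        # assumed Microsoft cross-certificate for your CA
$TsSha1    = "http://timestamp.example.invalid"          # placeholder Authenticode timestamp URL
$TsRfc3161 = "http://timestamp.example.invalid/rfc3161"  # placeholder RFC 3161 timestamp URL

function Invoke-SignTool([string[]]$ArgList) {
    # Runs signtool and turns a non-zero exit code into a terminating error,
    # so a failed step cannot silently leave a half-signed binary behind.
    & $SignTool @ArgList
    if ($LASTEXITCODE -ne 0) {
        throw "signtool failed (exit $LASTEXITCODE): $($ArgList -join ' ')"
    }
}

# 1. Primary signature: SHA-1 file digest (/fd sha1) with the legacy Authenticode
#    timestamp (/t). This is the signature an unpatched Windows 7 / Vista loader verifies.
Invoke-SignTool @("sign", "/v", "/ac", $CrossCert, "/f", $Pfx, "/p", $PfxPass,
                  "/fd", "sha1", "/t", $TsSha1, $Driver)

# 2. Appended signature (/as): SHA-256 file digest with an RFC 3161 SHA-256 timestamp
#    (/tr + /td sha256). Without /as this step would overwrite the SHA-1 signature.
Invoke-SignTool @("sign", "/v", "/as", "/ac", $CrossCert, "/f", $Pfx, "/p", $PfxPass,
                  "/fd", "sha256", "/tr", $TsRfc3161, "/td", "sha256", $Driver)

# 3. Verify under the kernel-mode driver signing policy (/kp) and walk every signature (/all).
#    Two signatures should be listed; one means the append step did not take.
#    Note: Get-AuthenticodeSignature reports only the primary signature, so it is
#    not sufficient to confirm that the SHA-256 signature is present.
Invoke-SignTool @("verify", "/v", "/kp", "/all", $Driver)
```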

xxxxx@gmail.com wrote:

> I did some experiments today and signed our drivers only with an SHA1 certificate that was just issued on February 6, 2016. I was able to install and run these drivers on Windows 10 (fully up-to-date with Windows Update as of today, February 22).

Correct. Many of the things that have been rumored and threatened have
not been implemented, and it is not clear when they will be
implemented. SHA1 support at the application and browser level is
certainly being phased out. SHA1 support at the kernel level would
break existing devices, and no one really wants to do that. As of
today, any driver signing technique that works in Win 7 will also work
in Win 10.

> The other thing to be aware of is that Windows 10 has “Device Guard” which allows admins to configure policy regarding what are valid binaries. I’m still trying to get my head around configuring this so I’m not an expert, but it does appear to have mechanisms to make signing requirements either more restrictive or less restrictive.

This is an excellent point, and it is one that I have not played with yet.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

James Bellinger wrote:

> After 2016, SHA1 support is dropped for new kernel drivers.

That has certainly been announced for application signing. I don’t
think it has been asserted for kernel drivers. The Microsoft driver
signing page merely “discourages” the use of an SHA1 certificate.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

FYI, just heard from a support person at Microsoft. It seems likely that Microsoft has selected Windows 10 Redstone 1 release as the vehicle where they will begin enforcement of the previously announced Attestation policy, with a slight twist.

If the Win10 RS1 target is an upgrade, it will accept any driver that already installs and loads correctly. ONLY if the RS1 installation is a new installation will non-Microsoft drivers be blocked if they were signed with a cert issued after July 29th, 2015.

Apparently Redstone 1 is due to make its first appearance on the Fast Ring sometime in March, with actual release sometime around summer (maybe).

xxxxx@gmail.com wrote:

> FYI, just heard from a support person at Microsoft. It seems likely that Microsoft has selected Windows 10 Redstone 1 release as the vehicle where they will begin enforcement of the previously announced Attestation policy, with a slight twist.
>
> If the Win10 RS1 target is an upgrade, it will accept any driver that already installs and loads correctly. ONLY if the RS1 installation is a new installation will non-Microsoft drivers be blocked if they were signed with a cert issued after July 29th, 2015.
>
> Apparently Redstone 1 is due to make its first appearance on the Fast Ring sometime in March, with actual release sometime around summer (maybe).

I have two marginally related comments.

Remember McCabe’s “cyclomatic complexity” metric? He established the
“complexity” of a section of code based on the number of changes in the
control flow: ifs, whiles, gotos, switches, etc. The higher the
complexity, the more difficult the code is to understand, debug, and
maintain. A function with a complexity of 5 needed to be refactored.
I’m guessing the cyclomatic complexity of the Windows signature
processing code may be nearing the limits of an unsigned long.

I’m uncomfortable with the persistence of the upgrade/new distinction.
That has never been a thing before. Most of my Windows 10 installs are
upgrades from 7 and 8. On those boxes, the upgrade to TH2 earlier this
month happened without a hitch. But on my big test box, I have one
partition with a Win 10 new install. When THAT machine did the TH2
upgrade, it did not bring forward all of my existing apps and drivers.
I had to reinstall them. It was almost like “if this was a new install
to begin with, then every upgrade will also be a new install”. Let’s
hope that’s NOT what they really did.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Hello. I’m currently working on dual signing installers and binaries and found a warning from Microsoft regarding the dual signed drivers and Windows 10:

https://msdn.microsoft.com/en-us/library/windows/hardware/ff544865(v=vs.85).aspx

“Kernel-mode driver binaries embed signed with dual (SHA1 and SHA2) certificates from a third party certificate vendor for operating systems earlier than Windows 10 may not load, or may cause a system crash on Windows 10. To fix this problem, install KB 3081436.”

Hi Tim,

One clarification needed regarding this point here: will a driver signed
with SHA1 work on Redstone if we have a cert issued before July 29th, 2015, or do we
need SHA256 with a cert issued before July 29th, 2015?

> If the Win10 RS1 target is an upgrade, it will accept any driver that
> already installs and loads correctly. ONLY if the RS1 installation is a
> new installation will non-Microsoft drivers be blocked if they were signed
> with a cert issued after July 29th, 2015.

On Tue, Feb 23, 2016 at 10:10 PM, wrote:

> FYI, just heard from a support person at Microsoft. It seems likely that
> Microsoft has selected Windows 10 Redstone 1 release as the vehicle where
> they will begin enforcement of the previously announced Attestation policy,
> with a slight twist.
>
> If the Win10 RS1 target is an upgrade, it will accept any driver that
> already installs and loads correctly. ONLY if the RS1 installation is a
> new installation will non-Microsoft drivers be blocked if they were signed
> with a cert issued after July 29th, 2015.
>
> Apparently Redstone 1 is due to make its first appearance on the Fast Ring
> sometime in March, with actual release sometime around summer (maybe).
>

Ravish Yadav wrote:

> One clarification needed regarding this point here: will a driver
> signed with SHA1 work on Redstone if we have a cert issued before July 29th,
> 2015, or do we need SHA256 with a cert issued before July 29th, 2015?

Either one. So far, Microsoft is not enforcing an SHA2 requirement at
the kernel level.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

But SHA256 signed with a cert issued after 29 July 2015 will not work, as you
have mentioned in this post.
On Mar 17, 2016 00:50, “Tim Roberts” wrote:

> Ravish Yadav wrote:
> >
> > One clarification needed regarding this point here, will the driver
> > signed with SHA1 work on Redstone if we have cert issued before 29th
> > 2015 or we need SHA256 which was issued before July 29th, 2015 ??
>
> Either one. So far, Microsoft is not enforcing an SHA2 requirement at
> the kernel level.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.

Ravish Yadav wrote:

> But SHA256 signed with a cert issued after 29 July 2015 will not work, as
> you have mentioned in this post.

Yes; the point is that the SHA1 vs SHA256 vs EV SHA256 distinction is
irrelevant to this discussion.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.