FILE SYSTEM DRIVER SIGNING

Karlito Bonnevie, Technical Writer

WDK IFS Documentation



DRIVER SIGNING

– WHY SIGN DRIVERS

– RELEASE SIGNING PREREQUISITES

– CATALOG vs EMBEDDED SIGNING

– SIGNING TOOLS

– EMBEDDED RELEASE SIGNING

– TIPS

– ADDITIONAL RESOURCES

– QUESTIONS

WHY SIGN DRIVERS

Signing is a good thing:

– Signatures help users know whether a legitimate publisher has provided the software package (i.e., identifiability).

– Signatures help limit the spread of malicious software.

– In general, signatures help to ensure computer security and system stability.

WHY SIGN DRIVERS

Currently, the following Microsoft operating systems require all kernel-mode components to be signed in order to load:

– 64-bit Windows Vista

– 64-bit Microsoft Windows Server 2008 (formerly Windows Server “Longhorn”)

WHY SIGN DRIVERS

Relevant kernel-mode components affected include:

– File system drivers:

  – Minifilters

  – Legacy filters

  – Redirectors

  – File systems

– Custom kernel-mode tools and utilities.

RELEASE SIGNING PREREQUISITES

A software publishing certificate (SPC), also known as a code-signing certificate, from a Microsoft trusted certification authority (CA).

A Microsoft cross-certificate that corresponds to the authority that issued your company's SPC.

For a list of trusted CAs that Microsoft supplies cross-certificates for, as well as the cross-certificate itself, see: www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx

Be aware that a VeriSign SPC is required:

– for Microsoft to sign your product, and/or

– to obtain a Microsoft logo for your product.

CATALOG vs EMBEDDED SIGNING

Catalog Signing

– A catalog file (.cat) contains hashes of files; a signature on a catalog is like a signature on the hashed files.

– inf2cat.exe (to be covered shortly) creates a catalog of the files identified by the INF file (i.e., the files of the driver package).

– Signing the catalog file implicitly signs all the files of the driver package for driver installation purposes.

– Important: bugs in INF files will result in “unsigned driver” error messages; creating a catalog file (via inf2cat.exe) validates your INF file.

Embedded Signing

– Every loaded binary in the file system driver package is embedded signed (and only binary files can be embedded signed).

– Embedded signing boot start binaries improves boot loading performance.

– For a PC to obtain a Windows logo, all loaded boot start drivers must be embedded signed.

– Embedded signing is generally the simplest way to sign file system drivers (i.e., non-PnP drivers).

CATALOG vs EMBEDDED SIGNING

         Catalog Signing                  Embedded Signing

What     The catalog (.cat) file.         All binaries in the driver package.

Why      Seamless device installation.    Improve boot performance (x86 too).

Who      Windows Logo Program†.           You.

When     When you pass the logo tests†.   Before or after the catalog file is generated and signed.

How      Via logo submission†.            Code signing certificate + cross-certificate + signtool.exe.

SIGNING TOOLS

Windows Driver Kit (WDK):

– pvk2pfx.exe

– inf2cat.exe

– signtool.exe

Microsoft OS:

– certutil.exe

– certmgr.msc

– bcdedit.exe

SIGNING TOOLS

pvk2pfx.exe

– Ships with the WDK.

– Used to create a system usable software publishing certificate file (.pfx) from a certificate authority’s public key file (.spc) and private key file (.pvk).

– Example usage:

pvk2pfx -pvk myPVKfile.pvk -pi myPVKpassword -spc mySPCfile.spc -pfx myPFXfile.pfx -po myPFXpassword -f

SIGNING TOOLS

certutil.exe

– Ships with most Microsoft server operating systems including Vista and Windows Server 2008.

– Typically used to place a software publishing certificate (.pfx) into the current user’s personal certificate store.

– Example usage:

certutil -user -p myPFXpassword -importPFX myPFXfile.pfx

– certutil.exe is useful for script-based signing. For manual signing, you can just double-click the PFX file, which invokes a wizard (use the default values).

SIGNING TOOLS

certmgr.msc

– Ships with Windows 2000 and later.

– Can be used to verify that a certificate was successfully imported into your personal store.

– Can be used to determine the certificate’s CN value (needed for signtool.exe).

– Example invocation: C:\>mmc certmgr.msc

SIGNING TOOLS

inf2cat.exe

– Ships with the WDK (previously available only as a download from Winqual).

– Used to validate the driver package INF file, creating a catalog file (.cat) in the process (catalog files are not needed for file system driver embedded signing).

– Example usage:

inf2cat /driver:C:\myDriverPackage /os:Vista_X64

SIGNING TOOLS

signtool.exe

– Ships with the WDK.

– Used to sign driver binary (.sys) files and driver package catalog (.cat) files.

– Relevant tool arguments:

  – A software publishing certificate (.pfx), previously imported to the current user’s personal certificate store, and its associated CN value.

  – The correct Microsoft cross-certificate (.cer) for your software publishing certificate (SPC).

  – The file to sign (.cat or .sys).

– Example usage:

signtool sign /v /ac C:\myCerts\myCrossCert.cer /s my /n  "CN Value" /t http://timestamp.verisign.com/scripts/timestamp.dll myDriver.sys

SIGNING TOOLS

bcdedit.exe

– Ships with Vista and later Microsoft operating systems.

– Uses include placing Vista or Server 2008 into test-signing mode.

– Prior to acquiring a trusted software publishing certificate, you can use a self-created certificate to test sign your drivers. See the WDK topic MakeCert Test Certificate for more information.

– In order to install, load and exercise test signed file system drivers, you must place Vista and Server 2008 into test-signing mode.

– Example usage:

bcdedit /set testsigning on (reboot required)

bcdedit /set testsigning off (reboot required)

EMBEDDED RELEASE SIGNING

1. Use pvk2pfx.exe to create a system usable SPC.

2. Use certutil.exe to add the SPC to the current user’s personal certificate store.

3. Use inf2cat.exe to validate the driver package INF file.

4. Download the Microsoft cross-certificate specifically for your SPC (www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx).

5. Use signtool.exe to sign the driver SYS file (binary image file).

6. Use signtool.exe to validate your signature.

7. Install and load the driver package.

8. Uninstall the driver package.

See IFS Embedded Release Signing Steps.docx for details.
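Steps 1 through 6 above, chained into one PowerShell script as an added example (this is not code from the presentation or from the WDK). File paths, the CN value and the cross-certificate file name are placeholders; the WDK tools are assumed to be on PATH, and the install/uninstall steps 7 and 8 are left to the referenced document.

```powershell
# Added example: embedded release signing of a file system driver, following
# the eight-step list above. All paths, the CN value and the cross-certificate
# name are placeholders; pvk2pfx, certutil, inf2cat and signtool must be on PATH.
$ErrorActionPreference = 'Stop'

$Pkg       = 'C:\myDriverPackage'                 # folder holding the INF and SYS files
$Driver    = Join-Path $Pkg 'myDriver.sys'
$Pvk       = 'C:\myCerts\myPVKfile.pvk'           # your private key file
$Spc       = 'C:\myCerts\mySPCfile.spc'           # certificate file from the CA
$Pfx       = 'C:\myCerts\myPFXfile.pfx'           # output of step 1
$CrossCert = 'C:\myCerts\myCrossCert.cer'         # Microsoft cross-certificate for your CA (step 4)
$CN        = 'CN Value'                           # subject CN as shown in certmgr.msc
$Timestamp = 'http://timestamp.verisign.com/scripts/timestamp.dll'

# Prompt for the passwords instead of hard-coding them in the script.
$PvkPassword = Read-Host 'PVK password'
$PfxPassword = Read-Host 'PFX password'

function Invoke-Tool([string]$Exe, [string[]]$ToolArgs) {
    # Run one signing tool and stop the whole procedure on a non-zero exit code,
    # so a failed INF validation or a failed signature never goes unnoticed.
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# Step 1: build a system-usable SPC (.pfx) from the .pvk/.spc pair.
Invoke-Tool pvk2pfx @('-pvk', $Pvk, '-pi', $PvkPassword, '-spc', $Spc,
                      '-pfx', $Pfx, '-po', $PfxPassword, '-f')

# Step 2: import the SPC into the current user's personal ("my") store.
Invoke-Tool certutil @('-user', '-p', $PfxPassword, '-importPFX', $Pfx)

# Step 3: validate the INF (the .cat it produces is not needed for embedded signing).
Invoke-Tool inf2cat @("/driver:$Pkg", '/os:Vista_X64')

# Step 5: embedded-sign the SYS file with the SPC, the cross-certificate and a timestamp.
Invoke-Tool signtool @('sign', '/v', '/ac', $CrossCert, '/s', 'my', '/n', $CN,
                       '/t', $Timestamp, $Driver)

# Step 6: verify the signature against the kernel-mode signing policy.
Invoke-Tool signtool @('verify', '/v', '/kp', $Driver)
```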

TIPS

You cannot see a cross-certificate in any GUI that displays a certificate chain (such as the File Properties dialog).

You can (and should) validate your embedded signature using:

signtool verify /v /kp myDriver.sys

You can (and should) validate that a given binary is “signed” by a given .cat file using:

signtool verify /v /kp /c myCatalogFile.cat myDriver.sys

To significantly increase boot performance, embed sign all SERVICE_BOOT_START and SERVICE_SYSTEM_START drivers. This includes drivers for Vista, Server 2008, and x86-based architectures.

Both catalog sign and embedded sign your driver; this eliminates the risk of not signing a driver targeted for embedded signing.

Keep your private key(s) in a hardware security module (HSM). HSMs store private keys in hardware such that they become very difficult to compromise, even if the Windows box on which they are utilized becomes compromised (see IFS Embedded Release Signing Steps.docx for an example).
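An audit that applies the two tips above (embedded-sign every boot start and system start driver, and check it with signtool verify /kp) to the local machine, as an added example that is not part of the presentation. It assumes signtool.exe from the WDK is on PATH, an elevated prompt, and Windows PowerShell; the helper names are mine.

```powershell
# Added example: list boot-start and system-start drivers whose image does not
# pass "signtool verify /kp", i.e. the candidates for embedded signing.
# Assumes signtool.exe is on PATH and the script runs elevated.

function Resolve-DriverPath([string]$PathName) {
    # Service image paths come in several forms (\??\C:\..., \SystemRoot\...,
    # system32\drivers\...); normalise them to a plain file path.
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"
    return $p
}

function Test-KernelPolicySignature([string]$Path) {
    # $true when signtool accepts the file under the kernel-mode signing policy
    # (exit code 0); /q suppresses the verbose chain output.
    & signtool verify /q /kp $Path 2>&1 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Win32_SystemDriver exposes each kernel driver service with its start mode.
$drivers = Get-WmiObject Win32_SystemDriver |
    Where-Object { $_.StartMode -eq 'Boot' -or $_.StartMode -eq 'System' }

$report = foreach ($d in $drivers) {
    $file = Resolve-DriverPath $d.PathName
    if (-not (Test-Path $file)) { continue }   # skip stale service entries
    New-Object PSObject -Property @{
        Name      = $d.Name
        StartMode = $d.StartMode
        Path      = $file
        Verified  = Test-KernelPolicySignature $file
    }
}

# Unverified drivers first: these are the ones to embedded-sign before release.
$report | Sort-Object Verified, Name |
    Select-Object Name, StartMode, Verified, Path | Format-Table -AutoSize
```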

FAQ

How will a cross-certificate affect driver signing verification for earlier-than-Windows-Vista operating systems that do not require cross-certificates?

Such operating systems are not affected because cross-certificates are ignored.

Is the pop-up I’m receiving related to driver signing?

No – the code integrity system does not generate pop-ups (see the event log for code integrity failures).

ADDITIONAL RESOURCES

WDK Documentation

Driver Signing Requirements for Windows (WHDC):

– Kernel-Mode Code Signing Walkthrough (includes procedural test signing information)

– Code-Signing Best Practices (includes conceptual information on test signing and securing your release signing process)