FILE SYSTEM DRIVER SIGNING Karlito Bonnevie Technical Writer WDK IFS Documentation
DRIVER SIGNING WHY SIGN DRIVERS RELEASE SIGNING PREREQUISITES CATALOG vs EMBEDDED SIGNING SIGNING TOOLS EMBEDDED RELEASE SIGNING TIPS ADDITIONAL RESOURCES QUESTIONS
WHY SIGN DRIVERS Signing is a good thing: – Signatures help users know whether a legitimate publisher has provided the software package (i.e., identifiability). – Signatures help limit the spread of malicious software. – In general, signatures help to ensure computer security and system stability.
WHY SIGN DRIVERS Currently, the following Microsoft operating systems require all kernel-mode components to be signed in order to load: – 64-bit Windows Vista – 64-bit Microsoft Windows Server 2008 (formally Windows Server “Longhorn”)
WHY SIGN DRIVERS Relevant kernel-mode components affected include: – File system drivers Minifilters Legacy filters Redirectors File systems – Custom kernel-mode tools and utilities.
RELEASE SIGNING PREREQUISITES A software publishing certificate (SPC), also known as a code-signing certificate, from a Microsoft trusted certification authority (CA). A Microsoft cross-certificate that corresponds to the authority that issued your company's SPC. For a list of trusted CAs that Microsoft supplies cross- certificates for, as well as the cross-certificate itself, see: Be aware that a VeriSign SPC is required: – for Microsoft to sign your product, and/or – to obtain a Microsoft logo for your product.
CATALOG vs EMBEDDED SIGNING Catalog Signing – A catalog file (.cat) contains hashes of files – a signature on a catalog is like a signature on the hashed files. – inf2cat.exe (to be covered shortly) creates a catalog of files identified by the INF file (i.e., the files of the driver package). – Signing the catalog file implicitly signs all the files of the driver package for driver installation purposes. – Important. Bugs in INF files will result in “unsigned driver” error messages – creating a catalog file (via info2cat.exe) validates your INF file. Embedded Signing – Every loaded binary in the file system driver package is embedded signed (and only binary files can be embedded signed). – Embed signing boot start binaries improves boot loading performance. – For a PC to obtain a Windows logo, all loaded boot start drivers must be embedded signed. – Embed signing is generally the simplest way to sign file system drivers (i.e., non-PnP drivers).
CATALOG vs EMBEDDED SIGNING Catalog SigningEmbedded Signing WhatThe catalog (.cat) file.All binaries in the driver package. WhySeamless device installation. Improve boot performance (x86 too). WhoWindows Logo Program †. You. WhenWhen you pass the logo tests †. Before or after the catalog file is generated and signed. HowVia logo submission †.Code signing certificate + cross-certificate + signtool.exe.
SIGNING TOOLS Windows Driver Kit (WDK): – pvk2pfx.exe – inf2cat.exe – signtool.exe Microsoft OS: – certutil.exe – certmgr.msc – bcdedit.exe
SIGNING TOOLS pvk2pfx.exe – Ships with the WDK. – Used to create a system usable software publishing certificate file (.pfx) from a certificate authority’s public key file (.spc) and private key file (.pvk). – Example usage: pvk2pfx -pvk myPVKfile.pvk -pi myPVKpassword -spc mySPCfile.spc -pfx myPFXfile.pfx -po myPFXpassword -f
SIGNING TOOLS certutil.exe – Ships with most Microsoft server operating systems including Vista and Windows Server – Typically used to place a software publishing certificate (.pfx) into the current user’s personal certificate store. – Example usage: certutil -user -p myPFXpassword -importPFX myPFXfile.pfx – certutil.exe is useful for script based signing. For manual signing, you can just double-click the PFX file, which invokes a Wizard (use default values).
SIGNING TOOLS certmgr.msc – Ships with Windows 2000 and later. – Can be used to verify that a certificate was successfully imported into your personal store. – Can be used to determine the certificate’s CN value (needed for signtool.exe). – Example invocation: C:\>mmc certmgr.msc
SIGNING TOOLS inf2cat.exe – Ships with the WDK (previously available only as a download from Winqual).Winqual – Used to validate the driver package INF file, creating a catalog file (.cat) in the process (catalog files are not needed for file system driver embedded signing). – Example usage: inf2cat /driver:C:\myDriverPackage /os:Vista_X64
SIGNING TOOLS signtool.exe – Ships with the WDK. – Used to sign driver binary (.sys) files and driver package catalog (.cat) files. – Relevant tool arguments: A software publishing certificate (.pfx), previously imported to the current user’s personal certificate store and its associated CN value. The correct Microsoft cross-certificate (.cer) for your software publishing certificate (SPC). The file to sign (.cat or.sys). – Example usage: signtool sign /v /ac C:\myCerts\myCrossCert.cer /s my /n "CN Value" /t myDriver.sys
SIGNING TOOLS bcdedit.exe – Ships with Vista and later Microsoft operating systems. – Uses include placing Vista or Server 2008 into test-signing mode. – Prior to acquiring a trusted software publishing certificate, you can use a self- created certificate to test sign your drivers. See the WDK topic MakeCert Test Certificate for more information. – In order to install, load and exercise test signed file system drivers, you must place Vista and Server 2008 into test-signing mode. – Example usage: bcdedit /set testsigning on (reboot required) bcdedit /set testsigning off (reboot required)
EMBEDDED RELEASE SIGNING 1. Use pvk2pfx.exe to create a system usable SPC. 2. Use certutil.exe to add the SPC to the current user’s personal certificate store. 3. Use inf2cat.exe to validate the driver package INF file. 4. Download the Microsoft cross-certificate specifically for your SPC ( ) Use signtool.exe to sign the driver SYS file (binary image file). 6. Use signtool.exe to validate your signature. 7. Install and load the driver package. 8. Uninstall the driver package. See IFS Embedded Release Signing Steps.docx for details.IFS Embedded Release Signing Steps.docx
TIPS You can not see a cross-certificate in any GUI that displays a certificate chain (such as the File Properties dialog). You can (and should) validate your embedded signature using: signtool verify /v /kp myDriver.sys You can (and should) validate that a given binary is “signed” by a given.cat file using: signtool verify /v /kp /c myCatalogFile.cat myDriver.sys To significantly increase boot performance, embed sign all SERVICE_BOOT_START and SERVICE_SYSTEM_START drivers. This includes drivers for Vista, Server 2008, and x86-based architectures. Catalog sign and embedded sign your driver – eliminates the risk of not signing a driver targeted for embedded signing. Keep your private key(s) in a hardware security module (HSM). HSMs store private keys in hardware such that they becomes verify difficult to compromise, even if the Windows box on which they are utilized becomes compromised (see IFS Embedded Release Signing Steps.docx for an example).IFS Embedded Release Signing Steps.docx
FAQ How will a cross-certificate affect driver signing verification for earlier-than-Windows-Vista operating systems that do not require cross-certificates? Such operating systems are not affected because cross- certificates are ignored. Is the pop-up I’m receiving related to driver signing? No – the code integrity system does not generate pop- ups (see the event log for code integrity failures).
ADDITIONAL RESOURCES WDK Documentation Driver Signing Requirements for Windows (WHDC): Driver Signing Requirements for Windows – Kernel-Mode Code Signing Walkthrough (includes procedural test signing information) Kernel-Mode Code Signing Walkthrough – Code-Signing Best Practices (includes conceptual information on test signing and securing your release signing process) Code-Signing Best Practices