FILE SYSTEM DRIVER SIGNING Karlito Bonnevie Technical Writer WDK IFS Documentation.


1 FILE SYSTEM DRIVER SIGNING Karlito Bonnevie Technical Writer WDK IFS Documentation

2 DRIVER SIGNING
– WHY SIGN DRIVERS
– RELEASE SIGNING PREREQUISITES
– CATALOG vs EMBEDDED SIGNING
– SIGNING TOOLS
– EMBEDDED RELEASE SIGNING
– TIPS
– ADDITIONAL RESOURCES
– QUESTIONS

3 WHY SIGN DRIVERS
Signing is a good thing:
– Signatures help users know whether a legitimate publisher has provided the software package (i.e., identifiability).
– Signatures help limit the spread of malicious software.
– In general, signatures help to ensure computer security and system stability.

4 WHY SIGN DRIVERS
Currently, the following Microsoft operating systems require all kernel-mode components to be signed in order to load:
– 64-bit Windows Vista
– 64-bit Microsoft Windows Server 2008 (formerly Windows Server “Longhorn”)

5 WHY SIGN DRIVERS
Relevant kernel-mode components affected include:
– File system drivers:
    – Minifilters
    – Legacy filters
    – Redirectors
    – File systems
– Custom kernel-mode tools and utilities.

6 RELEASE SIGNING PREREQUISITES
– A software publishing certificate (SPC), also known as a code-signing certificate, from a Microsoft trusted certification authority (CA).
– A Microsoft cross-certificate that corresponds to the authority that issued your company's SPC.
– For a list of trusted CAs that Microsoft supplies cross-certificates for, as well as the cross-certificate itself, see: www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx
– Be aware that a VeriSign SPC is required:
    – for Microsoft to sign your product, and/or
    – to obtain a Microsoft logo for your product.

7 CATALOG vs EMBEDDED SIGNING
Catalog Signing
– A catalog file (.cat) contains hashes of files, so a signature on a catalog is like a signature on the hashed files.
– inf2cat.exe (to be covered shortly) creates a catalog of files identified by the INF file (i.e., the files of the driver package).
– Signing the catalog file implicitly signs all the files of the driver package for driver installation purposes.
– Important. Bugs in INF files will result in “unsigned driver” error messages; creating a catalog file (via inf2cat.exe) validates your INF file.
Embedded Signing
– Every loaded binary in the file system driver package is embedded signed (and only binary files can be embedded signed).
– Embed signing boot start binaries improves boot loading performance.
– For a PC to obtain a Windows logo, all loaded boot start drivers must be embedded signed.
– Embed signing is generally the simplest way to sign file system drivers (i.e., non-PnP drivers).

8 CATALOG vs EMBEDDED SIGNING

|      | Catalog Signing | Embedded Signing |
|------|-----------------|------------------|
| What | The catalog (.cat) file. | All binaries in the driver package. |
| Why  | Seamless device installation. | Improve boot performance (x86 too). |
| Who  | Windows Logo Program †. | You. |
| When | When you pass the logo tests †. | Before or after the catalog file is generated and signed. |
| How  | Via logo submission †. | Code signing certificate + cross-certificate + signtool.exe. |

9 SIGNING TOOLS
Windows Driver Kit (WDK):
– pvk2pfx.exe
– inf2cat.exe
– signtool.exe
Microsoft OS:
– certutil.exe
– certmgr.msc
– bcdedit.exe

10 SIGNING TOOLS
pvk2pfx.exe
– Ships with the WDK.
– Used to create a system usable software publishing certificate file (.pfx) from a certificate authority’s public key file (.spc) and private key file (.pvk).
– Example usage:
    pvk2pfx -pvk myPVKfile.pvk -pi myPVKpassword -spc mySPCfile.spc -pfx myPFXfile.pfx -po myPFXpassword -f

11 SIGNING TOOLS
certutil.exe
– Ships with most Microsoft server operating systems including Vista and Windows Server 2008.
– Typically used to place a software publishing certificate (.pfx) into the current user’s personal certificate store.
– Example usage:
    certutil -user -p myPFXpassword -importPFX myPFXfile.pfx
– certutil.exe is useful for script-based signing. For manual signing, you can just double-click the PFX file, which invokes a Wizard (use default values).

12 SIGNING TOOLS
certmgr.msc
– Ships with Windows 2000 and later.
– Can be used to verify that a certificate was successfully imported into your personal store.
– Can be used to determine the certificate’s CN value (needed for signtool.exe).
– Example invocation:
    C:\>mmc certmgr.msc

13

14 SIGNING TOOLS
inf2cat.exe
– Ships with the WDK (previously available only as a download from Winqual).
– Used to validate the driver package INF file, creating a catalog file (.cat) in the process (catalog files are not needed for file system driver embedded signing).
– Example usage:
    inf2cat /driver:C:\myDriverPackage /os:Vista_X64

15 SIGNING TOOLS
signtool.exe
– Ships with the WDK.
– Used to sign driver binary (.sys) files and driver package catalog (.cat) files.
– Relevant tool arguments:
    – A software publishing certificate (.pfx), previously imported to the current user’s personal certificate store, and its associated CN value.
    – The correct Microsoft cross-certificate (.cer) for your software publishing certificate (SPC).
    – The file to sign (.cat or .sys).
– Example usage:
    signtool sign /v /ac C:\myCerts\myCrossCert.cer /s my /n "CN Value" /t http://timestamp.verisign.com/scripts/timestamp.dll myDriver.sys

16 SIGNING TOOLS
bcdedit.exe
– Ships with Vista and later Microsoft operating systems.
– Uses include placing Vista or Server 2008 into test-signing mode.
– Prior to acquiring a trusted software publishing certificate, you can use a self-created certificate to test sign your drivers. See the WDK topic MakeCert Test Certificate for more information.
– In order to install, load and exercise test signed file system drivers, you must place Vista and Server 2008 into test-signing mode.
– Example usage:
    bcdedit /set testsigning on (reboot required)
    bcdedit /set testsigning off (reboot required)

17 EMBEDDED RELEASE SIGNING
1. Use pvk2pfx.exe to create a system usable SPC.
2. Use certutil.exe to add the SPC to the current user’s personal certificate store.
3. Use inf2cat.exe to validate the driver package INF file.
4. Download the Microsoft cross-certificate specifically for your SPC (www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx).
5. Use signtool.exe to sign the driver SYS file (binary image file).
6. Use signtool.exe to validate your signature.
7. Install and load the driver package.
8. Uninstall the driver package.
See IFS Embedded Release Signing Steps.docx for details.

18 TIPS
– You cannot see a cross-certificate in any GUI that displays a certificate chain (such as the File Properties dialog).
– You can (and should) validate your embedded signature using:
    signtool verify /v /kp myDriver.sys
– You can (and should) validate that a given binary is “signed” by a given .cat file using:
    signtool verify /v /kp /c myCatalogFile.cat myDriver.sys
– To significantly increase boot performance, embed sign all SERVICE_BOOT_START and SERVICE_SYSTEM_START drivers. This includes drivers for Vista, Server 2008, and x86-based architectures.
– Catalog sign and embedded sign your driver: this eliminates the risk of not signing a driver targeted for embedded signing.
– Keep your private key(s) in a hardware security module (HSM). HSMs store private keys in hardware such that they become very difficult to compromise, even if the Windows box on which they are utilized becomes compromised (see IFS Embedded Release Signing Steps.docx for an example).

19 FAQ
– How will a cross-certificate affect driver signing verification for earlier-than-Windows-Vista operating systems that do not require cross-certificates?
  Such operating systems are not affected because cross-certificates are ignored.
– Is the pop-up I’m receiving related to driver signing?
  No. The code integrity system does not generate pop-ups (see the event log for code integrity failures).

20 ADDITIONAL RESOURCES
WDK Documentation
Driver Signing Requirements for Windows (WHDC):
– Kernel-Mode Code Signing Walkthrough (includes procedural test signing information)
– Code-Signing Best Practices (includes conceptual information on test signing and securing your release signing process)

