FILE SYSTEM DRIVER SIGNING
Karlito Bonnevie
Technical Writer
WDK IFS Documentation
DRIVER SIGNING

– WHY SIGN DRIVERS
– RELEASE SIGNING PREREQUISITES
– CATALOG vs EMBEDDED SIGNING
– SIGNING TOOLS
– EMBEDDED RELEASE SIGNING
– TIPS
– ADDITIONAL RESOURCES
– QUESTIONS
WHY SIGN DRIVERS

Signing is a good thing:
– Signatures help users know whether a legitimate publisher has provided the software package (i.e., identifiability).
– Signatures help limit the spread of malicious software.
– In general, signatures help to ensure computer security and system stability.
WHY SIGN DRIVERS

Currently, the following Microsoft operating systems require all kernel-mode components to be signed in order to load:
– 64-bit Windows Vista
– 64-bit Microsoft Windows Server 2008 (formerly Windows Server “Longhorn”)
WHY SIGN DRIVERS

Relevant kernel-mode components affected include:
– File system drivers
  – Minifilters
  – Legacy filters
  – Redirectors
  – File systems
– Custom kernel-mode tools and utilities.
RELEASE SIGNING PREREQUISITES

– A software publishing certificate (SPC), also known as a code-signing certificate, from a Microsoft trusted certification authority (CA).
– A Microsoft cross-certificate that corresponds to the authority that issued your company's SPC. For a list of trusted CAs that Microsoft supplies cross-certificates for, as well as the cross-certificates themselves, see: www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx
– Be aware that a VeriSign SPC is required:
  – for Microsoft to sign your product, and/or
  – to obtain a Microsoft logo for your product.
CATALOG vs EMBEDDED SIGNING

Catalog Signing
– A catalog file (.cat) contains hashes of files; a signature on a catalog is like a signature on the hashed files.
– inf2cat.exe (to be covered shortly) creates a catalog of the files identified by the INF file (i.e., the files of the driver package).
– Signing the catalog file implicitly signs all the files of the driver package for driver installation purposes.
– Important. Bugs in INF files will result in “unsigned driver” error messages; creating a catalog file (via inf2cat.exe) validates your INF file.

Embedded Signing
– Every loaded binary in the file system driver package is embedded signed (and only binary files can be embedded signed).
– Embedded signing of boot-start binaries improves boot loading performance.
– For a PC to obtain a Windows logo, all loaded boot-start drivers must be embedded signed.
– Embedded signing is generally the simplest way to sign file system drivers (i.e., non-PnP drivers).
CATALOG vs EMBEDDED SIGNING

        Catalog Signing                   Embedded Signing
What    The catalog (.cat) file.          All binaries in the driver package.
Why     Seamless device installation.     Improve boot performance (x86 too).
Who     Windows Logo Program†.            You.
When    When you pass the logo tests†.    Before or after the catalog file is generated and signed.
How     Via logo submission†.             Code signing certificate + cross-certificate + signtool.exe.
SIGNING TOOLS

– Windows Driver Kit (WDK):
  – pvk2pfx.exe
  – inf2cat.exe
  – signtool.exe
– Microsoft OS:
  – certutil.exe
  – certmgr.msc
  – bcdedit.exe
SIGNING TOOLS

pvk2pfx.exe
– Ships with the WDK.
– Used to create a system-usable software publishing certificate file (.pfx) from the certificate file (.spc) issued by the certification authority and your private key file (.pvk).
– Example usage:
  pvk2pfx -pvk myPVKfile.pvk -pi myPVKpassword -spc mySPCfile.spc -pfx myPFXfile.pfx -po myPFXpassword -f
– Note that -pi and -po place the passwords on the command line; keep the command out of shell history and out of scripts that are checked in.
SIGNING TOOLS

certutil.exe
– Ships with Microsoft server operating systems, and with Vista and Windows Server 2008.
– Typically used to place a software publishing certificate (.pfx) into the current user’s personal certificate store.
– Example usage:
  certutil -user -p myPFXpassword -importPFX myPFXfile.pfx
– certutil.exe is useful for script-based signing. For manual signing, you can just double-click the PFX file, which invokes a wizard (use the default values).
SIGNING TOOLS

certmgr.msc
– Ships with Windows 2000 and later.
– Can be used to verify that a certificate was successfully imported into your personal store.
– Can be used to determine the certificate’s CN value (needed for signtool.exe).
– Example invocation: C:\>mmc certmgr.msc
SIGNING TOOLS

inf2cat.exe
– Ships with the WDK (previously available only as a download from Winqual).
– Used to validate the driver package INF file, creating a catalog file (.cat) in the process (catalog files are not needed for file system driver embedded signing).
– Example usage:
  inf2cat /driver:C:\myDriverPackage /os:Vista_X64
SIGNING TOOLS

signtool.exe
– Ships with the WDK.
– Used to sign driver binary (.sys) files and driver package catalog (.cat) files.
– Relevant tool arguments:
  – A software publishing certificate (.pfx), previously imported to the current user’s personal certificate store, and its associated CN value.
  – The correct Microsoft cross-certificate (.cer) for your software publishing certificate (SPC).
  – The file to sign (.cat or .sys).
– Example usage:
  signtool sign /v /ac C:\myCerts\myCrossCert.cer /s my /n "CN Value" /t http://timestamp.verisign.com/scripts/timestamp.dll myDriver.sys
– /ac includes the cross-certificate in the signature, /s my selects the current user’s personal store, /n selects the certificate by subject CN, and /t timestamps the signature so that it remains valid after the SPC expires.
SIGNING TOOLS

bcdedit.exe
– Ships with Vista and later Microsoft operating systems.
– Uses include placing Vista or Server 2008 into test-signing mode.
– Prior to acquiring a trusted software publishing certificate, you can use a self-created certificate to test sign your drivers. See the WDK topic MakeCert Test Certificate for more information.
– In order to install, load and exercise test-signed file system drivers, you must place Vista and Server 2008 into test-signing mode.
– Example usage:
  bcdedit /set testsigning on   (reboot required)
  bcdedit /set testsigning off  (reboot required)
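The test-signing path described on this slide, scripted end to end in PowerShell. This is an added example, not code from the original slides or the WDK; the certificate name, store name, file paths and the assumption that the signing machine is also the test machine are placeholders to replace. The makecert, certmgr.exe and signtool invocations follow the WDK Kernel-Mode Code Signing Walkthrough.

```powershell
# Added example (not from the original slides): test-sign a driver with a
# self-created MakeCert certificate and switch the machine into test-signing
# mode. Certificate name, store name and paths are hypothetical placeholders.
# Requires the WDK tools (makecert.exe, certmgr.exe, signtool.exe) on PATH
# and an elevated PowerShell session for the certmgr and bcdedit steps.

$ErrorActionPreference = 'Stop'

$TestCertName  = 'Contoso.com(Test)'           # assumed subject CN
$TestCertStore = 'PrivateCertStore'            # assumed personal store name
$TestCertFile  = 'C:\myCerts\ContosoTest.cer'  # assumed path for the exported cert
$Driver        = 'C:\myDriverPackage\myDriver.sys'
$TimestampUrl  = 'http://timestamp.verisign.com/scripts/timestamp.dll'

# The WDK tools report failure only through their exit code, so check it.
function Invoke-Tool([string]$Exe, [string[]]$ToolArgs) {
    Write-Host ">> $Exe $($ToolArgs -join ' ')"
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# 1. Create a self-signed (-r) test certificate with an exportable private
#    key (-pe), place it in the current user's $TestCertStore and export the
#    public certificate to $TestCertFile for installation on test machines.
Invoke-Tool makecert @('-r', '-pe', '-ss', $TestCertStore, '-n', "CN=$TestCertName", $TestCertFile)

# 2. Embedded-sign the driver with the test certificate. There is no /ac
#    cross-certificate here: the chain ends at the self-signed certificate,
#    so the binary loads only on machines that are in test-signing mode.
Invoke-Tool signtool @('sign', '/v', '/s', $TestCertStore, '/n', $TestCertName, '/t', $TimestampUrl, $Driver)

# 3. On the test machine (assumed here to be this machine), trust the test
#    certificate as a root and as a publisher. certmgr.exe is the WDK
#    command-line tool, not the certmgr.msc snap-in.
Invoke-Tool certmgr @('-add', $TestCertFile, '-s', '-r', 'localMachine', 'root')
Invoke-Tool certmgr @('-add', $TestCertFile, '-s', '-r', 'localMachine', 'trustedpublisher')

# 4. Verify under the default Authenticode policy (/pa), which is what the
#    walkthrough uses for test signatures; the kernel-mode policy (/kp)
#    expects a chain through a Microsoft cross-certificate, which a
#    self-created test certificate cannot provide.
Invoke-Tool signtool @('verify', '/v', '/pa', $Driver)

# 5. Enable test-signing mode. It takes effect after a reboot and should be
#    turned off again (bcdedit /set testsigning off) once testing is done,
#    because the machine will then load any test-signed kernel code.
Invoke-Tool bcdedit @('/set', 'testsigning', 'on')
Write-Host 'Test-signing mode enabled; reboot for the change to take effect.'
```

Run the script from an elevated PowerShell prompt on the machine where the driver will be loaded; if signing and testing happen on different machines, copy $TestCertFile and run only steps 3 and 5 on the test machine.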
EMBEDDED RELEASE SIGNING

1. Use pvk2pfx.exe to create a system-usable SPC.
2. Use certutil.exe to add the SPC to the current user’s personal certificate store.
3. Use inf2cat.exe to validate the driver package INF file.
4. Download the Microsoft cross-certificate specifically for your SPC (www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx).
5. Use signtool.exe to sign the driver SYS file (binary image file).
6. Use signtool.exe to validate your signature.
7. Install and load the driver package.
8. Uninstall the driver package.

See IFS Embedded Release Signing Steps.docx for details.
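Steps 1 through 6 above, scripted in PowerShell with the tool arguments shown on the preceding slides. This is an added example, not code from the original slides or from IFS Embedded Release Signing Steps.docx; it also signs the catalog and verifies it against the binary, as the TIPS slide recommends. All paths, file names and the signer CN are assumed placeholders, and the cross-certificate is assumed to have been downloaded already (step 4 is a manual download).

```powershell
# Added example (not from the original slides): embedded release signing of a
# file system driver, plus catalog signing and verification. Paths, file
# names and the signer CN are hypothetical placeholders. Requires pvk2pfx.exe,
# inf2cat.exe and signtool.exe (WDK) and certutil.exe on PATH.

$ErrorActionPreference = 'Stop'

$PackageDir   = 'C:\myDriverPackage'                  # INF plus driver binaries
$Driver       = Join-Path $PackageDir 'myDriver.sys'
$Catalog      = Join-Path $PackageDir 'myDriver.cat'  # name set by CatalogFile= in the INF
$CrossCert    = 'C:\myCerts\myCrossCert.cer'          # cross-cert matching your SPC's CA
$PvkFile      = 'C:\myCerts\myPVKfile.pvk'
$SpcFile      = 'C:\myCerts\mySPCfile.spc'
$PfxFile      = 'C:\myCerts\myPFXfile.pfx'
$SignerCN     = 'CN Value'                            # subject CN of the SPC (see certmgr.msc)
$TimestampUrl = 'http://timestamp.verisign.com/scripts/timestamp.dll'

# The WDK tools report failure only through their exit code, so check it.
function Invoke-Tool([string]$Exe, [string[]]$ToolArgs) {
    Write-Host ">> $Exe $($ToolArgs -join ' ')"
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# Prompt for the passwords rather than hard-coding them. The tools still
# receive them as plain command-line arguments, so run this only on a
# dedicated, trusted signing machine.
$PvkPassword = Read-Host 'PVK password'
$PfxPassword = Read-Host 'PFX password'

# Step 1: build a PFX from the CA-issued SPC and your private key.
Invoke-Tool pvk2pfx @('-pvk', $PvkFile, '-pi', $PvkPassword, '-spc', $SpcFile,
                      '-pfx', $PfxFile, '-po', $PfxPassword, '-f')

# Step 2: import the PFX into the current user's personal ("my") store.
Invoke-Tool certutil @('-user', '-p', $PfxPassword, '-importPFX', $PfxFile)

# Step 3: validate the INF and generate the catalog for 64-bit Vista.
Invoke-Tool inf2cat @("/driver:$PackageDir", '/os:Vista_X64')

# Step 4: the cross-certificate is downloaded manually from
# www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx; confirm it is present.
if (-not (Test-Path $CrossCert)) { throw "Cross-certificate not found: $CrossCert" }

# Step 5: embedded-sign the .sys and also sign the catalog. /ac embeds the
# cross-certificate so the chain reaches Microsoft's root; /t timestamps the
# signature so it stays valid after the SPC expires.
$SignArgs = @('sign', '/v', '/ac', $CrossCert, '/s', 'my', '/n', $SignerCN, '/t', $TimestampUrl)
Invoke-Tool signtool ($SignArgs + $Driver)
Invoke-Tool signtool ($SignArgs + $Catalog)

# Step 6: verify the embedded signature under the kernel-mode policy (/kp),
# then confirm that the signed catalog covers the binary (/c).
Invoke-Tool signtool @('verify', '/v', '/kp', $Driver)
Invoke-Tool signtool @('verify', '/v', '/kp', '/c', $Catalog, $Driver)
Write-Host "Signed and verified: $Driver and $Catalog"
```

If the private key lives in an HSM (as the TIPS slide recommends), steps 1 and 2 are not needed: signtool can select the key through the HSM's cryptographic service provider with its /csp and /kc options instead of a certificate store, and the password prompts disappear.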
TIPS

– You cannot see a cross-certificate in any GUI that displays a certificate chain (such as the File Properties dialog).
– You can (and should) validate your embedded signature using:
  signtool verify /v /kp myDriver.sys
– You can (and should) validate that a given binary is “signed” by a given .cat file using:
  signtool verify /v /kp /c myCatalogFile.cat myDriver.sys
– To significantly increase boot performance, embedded sign all SERVICE_BOOT_START and SERVICE_SYSTEM_START drivers. This includes drivers for Vista, Server 2008, and x86-based architectures.
– Catalog sign and embedded sign your driver; this eliminates the risk of not signing a driver targeted for embedded signing.
– Keep your private key(s) in a hardware security module (HSM). HSMs store private keys in hardware such that they become very difficult to compromise, even if the Windows box on which they are used becomes compromised (see IFS Embedded Release Signing Steps.docx for an example).
FAQ

– How will a cross-certificate affect driver signing verification for earlier-than-Windows-Vista operating systems that do not require cross-certificates?
  Such operating systems are not affected because cross-certificates are ignored.
– Is the pop-up I’m receiving related to driver signing?
  No. The code integrity system does not generate pop-ups; look in the event log for code integrity failures (the Microsoft-Windows-CodeIntegrity/Operational log under Applications and Services Logs in Event Viewer).
ADDITIONAL RESOURCES

– WDK Documentation
– Driver Signing Requirements for Windows (WHDC):
  – Kernel-Mode Code Signing Walkthrough (includes procedural test signing information)
  – Code-Signing Best Practices (includes conceptual information on test signing and securing your release signing process)