
X64 driver signing


Vikram

Aug 4, 2008, 5:30:02 AM
Hi,

I have an application which accesses the PCI bus temperature sensors through
a Kernel Mode Driver.

I recently ported this application and driver to the x64 platform.
I was able to test sign the Driver and now want to run the application on
the target machine; I have some queries regarding the same. Can you please
answer them?

1. Can only checked built drivers be test signed? Can we test sign free built
drivers as well?
2. To run the test signed driver on target testing machine, is WDK
compulsorily required on the testing machine?
3. If WDK is not present on the testing machine and I want to run my
application on it, is there some way other than “Disable Driver Signature
Enforcement” and “Attach a kernel debugger” method?
4. If I embed the signature in the driver, is there some standard Windows API
which takes care of adding the signature file to the certificate manager of
testing machine?

Regards,
Vikram

Gianluca Varenni

Aug 4, 2008, 12:02:17 PM

"Vikram" <Vik...@discussions.microsoft.com> wrote in message
news:2206AA1F-2ABC-44D5...@microsoft.com...

> Hi,
>
> I have an application which accesses the PCI bus temperature sensors
> through a Kernel Mode Driver.
>
> I recently ported this application and driver to the x64 platform.
> I was able to test sign the Driver and now want to run the application on

I suppose the target machine is running Vista/Srv08, right?

> the target machine; I have some queries regarding the same. Can you please
> answer them?
>
> 1. Can only checked built drivers be test signed? Can we test sign free
> built drivers as well?

Yes.

> 2. To run the test signed driver on target testing machine, is WDK
> compulsorily required on the testing machine?

No. You need to have the machine booted in test signing mode and have the
test certificate installed on your machine among the trusted root
certification authorities of the machine.

> 3. If WDK is not present on the testing machine and I want to run my
> application on it, is there some way other than "Disable Driver Signature
> Enforcement" and "Attach a kernel debugger" method?

Set the machine to boot in test signing mode, test sign the driver, install
the test certificate.

> 4. If I embed the signature in the driver, is there some standard Windows
> API which takes care of adding the signature file to the certificate
> manager of testing machine?

You need to use certmgr.exe to do that.

In practice, follow the instructions in the white paper Kernel Mode Code
Signing Walkthrough available here

http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx

Have a nice day
GV


--
Gianluca Varenni, Windows DDK MVP

CACE Technologies
http://www.cacetech.com


>
> Regards,
> Vikram


Maxim S. Shatskih

Aug 4, 2008, 2:21:28 PM
> 1. Can only checked built drivers be test signed? Can we test sign free built
> drivers as well?

Yes.

> 2. To run the test signed driver on target testing machine, is WDK
> compulsorily required on the testing machine?

No, you only need to install the test certificate to the store.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
ma...@storagecraft.com
http://www.storagecraft.com

Vikram

Aug 5, 2008, 10:17:01 AM
Dear Gianluca,

Thanks for the prompt reply.
Yes, the target machine is an X64 Vista machine.
To confirm:
1. Test signing can be done only for debug built drivers?
2. To run test signed drivers, bcdedit must be compulsorily run once on the
machine to turn on TESTSIGNING?
3. If the certificate is embedded in the binary then there is no need to
keep one more certificate on the machine, certmgr would pick up the embedded
certificate?
4. If I want to get rid of test signing, how do I do it?

Regards,
Vikram

Gianluca Varenni

Aug 5, 2008, 11:32:08 AM

"Vikram" <Vik...@discussions.microsoft.com> wrote in message
news:B67044F4-F47F-404C...@microsoft.com...

> Dear Gianluca,
>
> Thanks for the prompt reply.
> Yes, the target machine is an X64 Vista machine.
> To confirm:
> 1. Test signing can be done only for debug built drivers?

It can be done for both release and debug drivers. Release/debug is just
related to how you compile the driver binary.

> 2. To run test signed drivers, bcdedit must be compulsorily run once on
> the machine to turn on TESTSIGNING?

Yes.

> 3. If the certificate is embedded in the binary then there is no need to
> keep one more certificate on the machine, certmgr would pick up the
> embedded certificate?

The (test) certificate should be installed on the machine anyways, it
doesn't matter if you signed the binary or the CAT file. You need to install
the test certificate on the machine because you need to inform the OS that
you trust that (test) root certification authority.


> 4. If I want to get rid of test signing, how do I do it?
>

Sign+cross-sign the binary (follow the directions in that whitepaper I
pointed out) or get the driver WHQL-certified by Microsoft.
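
A readiness check for the three conditions the answers in this thread give (TESTSIGNING set with bcdedit, a signature on the driver, and the signing chain's root present in the machine's Trusted Root store), as an added example that is not part of the thread. The driver path is hypothetical, English bcdedit output and an elevated prompt are assumed, and the same check flags a machine that was left in test-signing mode.

```powershell
# Added example (not from the thread). Assumptions: elevated prompt, English
# bcdedit output, and a hypothetical driver path passed as -DriverPath.
param(
    [string]$DriverPath = 'C:\Drivers\tempsensor.sys'   # hypothetical path
)

function Test-TestSigningEnabled {
    # The current boot entry lists "testsigning  Yes" once TESTSIGNING has been
    # turned on with bcdedit; the setting takes effect at the next boot.
    $bcd = & bcdedit.exe /enum '{current}'
    return [bool]($bcd | Select-String -Pattern '^\s*testsigning\s+Yes\s*$')
}

function Get-DriverSigner {
    param([string]$Path)
    # Reads the Authenticode signature of the file. Whether a catalog-only
    # (.cat) signature is reported depends on the PowerShell version.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return $sig.SignerCertificate   # $null when no signature is found
}

function Get-ChainRoot {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Build the chain without revocation checks and return its last element.
    # For a self-signed test certificate this is the certificate itself.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($Cert)
    return $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
}

$signer      = Get-DriverSigner -Path $DriverPath
$subject     = $null
$rootInStore = $false
if ($signer) {
    $subject     = $signer.Subject
    $root        = Get-ChainRoot -Cert $signer
    # Look the root up by thumbprint among the machine's trusted root CAs.
    $rootInStore = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
}

New-Object PSObject -Property @{
    TestSigningOn   = (Test-TestSigningEnabled)
    DriverSigned    = [bool]$signer
    SignerSubject   = $subject
    RootInRootStore = $rootInStore
}
```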
