Secure Boot vs non-PnP driver

Hi, Gentlemen.

When I try to start my device driver (control device + WFP callouts), I get an error from Windows: A digitally signed driver is required.

I’m aware of the Windows 10 Anniversary Update with Secure Boot enabled. Fine, I need an HCK signature, or to remove the timestamp during the signing process. Why does my PNP driver install and work as expected? Shouldn’t it suffer from the same restrictions (it’s signed by the same certificate, not HCK approved)?

Thank you.

Is your non-PnP driver embed signed?

Bent from my phone


From: xxxxx@lists.osr.com on behalf of xxxxx@gmail.com
Sent: Friday, March 10, 2017 11:17:02 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Secure Boot vs non-PnP driver

Hi Doron,

sys and cat files are both signed. So, yes, it is embed signed.

I was under the impression that Win10 AU (and WinServer16) drivers only needed to be attestation signed unless the WHQL device guard code policy is enforced? (https://technet.microsoft.com/en-us/itpro/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules)

It’s common that when you go for a higher version of developing drivers for Windows flavours, it’s required to get a signature for the cat and sys files using signtool and a certificate from a vendor, where you can generate the signature for a driver; and after your driver works fine, after passing the HLK test cases, it needs to be certified from MSDN, or else it looks like a false driver.

If you are required to load the driver, please select “disable driver signature enforcement” in advanced system settings.

Regards,
Prabhakar
On 11 Mar 2017 5:49 p.m., wrote:

> I was under the impression that Win10 AU (and WinServer16) drivers only
> needed to be attestation signed unless the WHQL device guard code policy is
> enforced? (https://technet.microsoft.com/en-us/itpro/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules)

Guys, I can load the driver on MY machine :).
I want to load it on ANY machine. I thought that if there is a Secure Boot policy, all drivers that fail to qualify should not load. And I was surprised that my PNP driver actually loaded and works just fine, whereas my non-PNP driver is not allowed to load/start.

There are several aspects of this:

To test your driver on Windows 10 AU with Secure Boot, be sure that you installed from a Windows 10 AU installer. Installing Windows 10 RTM and then upgrading to AU will not enforce the requirement to be either Attestation or HLK signed by Microsoft.

Note that Windows 10 does not require HLK signing for Windows 10, just Windows Server 2016. You mention HCK above, but that only refers to pre-Windows 10 systems, so I believe you meant HLK in this case. The requirement is for Attestation or HLK signing.

(An interesting fact about Server 2016 is that Attestation signed drivers work under Secure Boot on Server 2016, but Microsoft, in my experience, has refused to admit this. This leads me to the conclusion that to protect yourself you want to get to HLK signing before Microsoft releases a new version of Server 2016 that drops the support for Attestation signed drivers.)

The above said, I do find it confusing that your non-PNP driver fails to load whereas the PNP driver loads successfully. My experience is limited to working with non-PNP drivers, and based on following others’ experience here my expectation is that PNP drivers have to pass more stringent conditions to load (perhaps in validation of the platforms supported in the cat file during load?), but, again, since I don’t work with PNP drivers, others can give better specifics on this than I can.


A few things to check:

* Is your PNP driver signed with a certificate that predates Win10 RTM, whereas the non-PNP driver is signed with a newer cert?
* Is your PNP driver a boot start driver, while your non-PNP driver is not?
* Have you checked the Code Integrity event logs for anything interesting? (From Event Viewer: Applications and Services Logs->Microsoft->Windows->CodeIntegrity)
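An added example, not code from anyone in this thread, that automates the two checks above: it compares the Authenticode signer certificate (including its issue date, which is what the difference between the two drivers turned out to be) for a PnP and a non-PnP driver binary, and then pulls recent errors from the Code Integrity operational log. The two driver paths are placeholders you replace with your own.

```powershell
# Added example (not from the thread). Paths are placeholders.
$drivers = @(
    'C:\Path\To\PnpDriver.sys',      # placeholder: your PnP driver
    'C:\Path\To\NonPnpDriver.sys'    # placeholder: your non-PnP driver
)

# Get-AuthenticodeSignature reads the embedded signature of the .sys file.
# A catalog-only signed binary reports Status = NotSigned here, which is a
# quick way to confirm whether a driver is actually embed signed.
foreach ($path in $drivers) {
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        File        = Split-Path $path -Leaf
        Status      = $sig.Status
        Subject     = if ($cert) { $cert.Subject } else { $null }
        Issuer      = if ($cert) { $cert.Issuer } else { $null }
        # Certificate issue date: compare this between the two drivers,
        # since the thread's outcome hinged on an older vs newer cert.
        NotBefore   = if ($cert) { $cert.NotBefore } else { $null }
        Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
        TimeStamped = [bool]$sig.TimeStamperCertificate
    }
}

# Same log as Event Viewer -> Applications and Services Logs -> Microsoft ->
# Windows -> CodeIntegrity; filter to errors from the last day and to the
# "unable to verify the image integrity" record quoted later in the thread.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Level     = 2                       # 2 = Error
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'unable to verify the image integrity' } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Run it from an elevated PowerShell prompt, since reading the Code Integrity operational log requires administrator rights.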

They are both signed with the same certificate.
My PNP driver is SERVICE_DEMAND_START

CodeIntegrity error record says

Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\ProductName\bin\DriverName.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Wild guess is that it requires inf/cat files to be installed into the store.

Update: certificates are different, my bad, as always. PNP driver is signed with an old (something like Mar-2015) certificate. That’s why it loads…

Have the same problem here. Newer cert and non-PNP driver not loading on a Secure Boot Windows 10 x64, with or without timestamp in the signature.

I am having a hard time finding info on what the correct procedure is to get this driver working without removing secure boot etc.