Re: [OSR-DETECTED-SPAM] RE: SecureBoot/Driver signing for corporate usage

xxxxx@mail.ru wrote:

Undoubtedly the driver must be signed, and it is signed.
The problem arose because the signature is not enough on Win10 >1607 with SecureBoot (UEFI BIOS).
The recommended way is submitting the driver for MS attestation and re-signing (cross-signing) by MS (via the sysdev portal). After re-signing the problem will be solved.

Just for accuracy’s sake, the attestation process is not “cross
signing”. Microsoft is appending their own certificate chain to your
binaries in addition to yours. In “cross signing,” you still have a
single certificate chain, but it gets extended to “cross over” from your
certificate authority to Microsoft’s.

When you sign a driver, the certificate chain essentially looks like:
    I am Joe
    Digicert’s code-signing vouches for Joe
    Digicert’s master authority trusts Digicert’s code-signing authority

After cross-signing, that becomes:
    I am Joe
    Digicert’s code-signing vouches for Joe
    Digicert’s master authority trusts Digicert’s code-signing authority
    Microsoft’s code verification root trusts Digicert’s master authority
    Microsoft’s code verification root trusts Microsoft’s code verification root
and the kernel looks for that last one.

But with attestation, that becomes:
    I am Joe
    Digicert’s code-signing vouches for Joe
    Digicert’s master authority trusts Digicert’s code-signing authority
    Microsoft’s code verification root trusts Digicert’s master authority

    I am also Microsoft
    Microsoft’s code verification root vouches for Microsoft
    Microsoft’s code verification root trusts Microsoft’s code verification root


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
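A toy model of the two chain shapes contrasted above, added here as an illustration and not code from the thread or from any real Authenticode or kernel verifier. The certificate names are constructed, and it ignores everything real verification does (signature checks, EKUs, expiry, revocation); it only shows why a single cross-extended chain and a second independent signature both end at the root the kernel looks for.

```python
# Toy model (added illustration, not real Authenticode parsing) of a
# cross-signed single chain versus an attested binary carrying a second,
# independent Microsoft signature.

TRUSTED_ROOT = "Microsoft code verification root"   # what the kernel looks for

# Certificates are modelled as subject -> issuer; a root issues itself.
# All names below are constructed for the example.
JOE_CHAIN = {
    "Joe": "DigiCert code-signing",
    "DigiCert code-signing": "DigiCert master authority",
    "DigiCert master authority": "DigiCert master authority",
}
# Cross-certificate: Microsoft's root issues a cert for DigiCert's root,
# so the same single chain now "crosses over" to Microsoft's trust anchor.
CROSS_CERT = {"DigiCert master authority": TRUSTED_ROOT}
# Microsoft's own chain, appended to the binary by attestation signing.
MS_CHAIN = {
    "Microsoft": TRUSTED_ROOT,
    TRUSTED_ROOT: TRUSTED_ROOT,
}


def chain_path(signer, certs, extra=None):
    """Walk issuer links from the signer; returns the names visited in order.

    The walk stops at a self-issued root, an unknown issuer, or a loop.
    'extra' (cross-certs) overrides a root's self-issuance with a new issuer.
    """
    store = dict(certs)
    if extra:
        store.update(extra)
    path = [signer]
    while True:
        name = path[-1]
        issuer = store.get(name)
        if issuer is None or issuer == name or issuer in path:
            return path
        path.append(issuer)


def chains_to_root(signer, certs, extra=None):
    """True if the chain from 'signer' terminates at the trusted root."""
    return chain_path(signer, certs, extra)[-1] == TRUSTED_ROOT


def kernel_accepts(signatures):
    """signatures: list of (signer, cert_store, cross_certs); any one suffices."""
    return any(chains_to_root(s, c, x) for s, c, x in signatures)
```

Joe's plain signature stops at DigiCert's root and is rejected; the cross-signed case is the same single chain extended by the cross-cert, while the attested case is rejected-as-is for Joe's chain but accepted via Microsoft's second signature.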