Driver Problems? Questions? Issues?
Put OSR's experience to work for you! Contact us for assistance with:
  • Creating the right design for your requirements
  • Reviewing your existing driver code
  • Analyzing driver reliability/performance issues
  • Custom training mixed with consulting and focused directly on your specific areas of interest/concern.
Check us out. OSR, the Windows driver experts.

Monthly Seminars at OSR Headquarters

East Coast USA
Windows Internals and SW Drivers, Dulles (Sterling) VA, 13 November 2017


Go Back   OSR Online Lists > ntdev
Welcome, Guest
You must login to post to this list
  Message 1 of 5  
31 Aug 17 08:55
Jason Stephenson
xxxxxx@live.co.uk
Join Date: 13 Jul 2015
Posts To This List: 49
Device guard policy for only WHQL signed drivers

I have two identical builds of a driver that is capable of passing HLK tests. One is signed with only our code sign cert, the other is signed with our code sign cert + WHQL cert. I have built a Server2016 machine and used device guard code integrity policy to audit (a precursor to deny) drivers that are not WHQL signed. I would have expected my WHQL signed driver to load without audit, however it doesn't. The event log entry contains: "Code Integrity determined kernel module \path\mydriver.sys that did not meet the WHQL requirements is loaded into the system. However, due to a code integrity auditing policy, the image was allowed to load." The code integrity policy was created from the following script: $CIPolicyPath="C:\\jstshare\\1" $InitialCIPolicy=$CIPolicyPath+".xml" $CIPolicyBin=$CIPolicyPath+".bin" $DriverFiles=Get-SystemDriver -ScanPath "C:\\jstshare\\drivers" New-CIPolicy -FilePath $InitialCIPolicy -DriverFiles $DriverFiles -Level WHQL - Audit ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin Should I expect my WHQL signed driver to load correctly? Assuming it should, and that my issue lies in how I created the code integrity policy, has anyone had success creating one of these to enforce WHQL signatures? Thanks, J
  Message 2 of 5  
31 Aug 17 17:22
Peter Viscarola (OSR)
xxxxxx@osr.com
Join Date:
Posts To This List: 5934
List Moderator
Device guard policy for only WHQL signed drivers

Sooooo... more details, please. Your "WHQL Signed" driver is ATTESTATION SIGNED or WLK Signed? Is it signed specifically for S16? There's "WHQL signed" and then there's "WHQL signed"... it's never simple. Peter OSR @OSRDrivers
  Message 3 of 5  
04 Sep 17 08:42
Jason Stephenson
xxxxxx@live.co.uk
Join Date: 13 Jul 2015
Posts To This List: 49
Device guard policy for only WHQL signed drivers

Hi Peter, sorry for the slow reply. The build of my driver that I said is WHQL signed has been submitted as part of a HLK report to sysdev with Server2016 selected after successfully passing the HLK tests. the build is both attestation signed and whql signed (more below). For completeness I should have also mentioned other signatures on the driver builds. Build 1: SHA1 from our SHA1 code signing cert SHA256 from our SHA256 code signing cert ATTESTATION signature from attestation process Build 2: SHA1 from our SHA1 code signing cert SHA256 from our SHA256 code signing cert ATTESTATION signature from attestation process *WHQL signature from HLK submission process* My expectation is that since Build 2 is WHQL signed, it should not being causing Audit events with my aforementioned CI policy. J
  Message 4 of 5  
05 Sep 17 16:51
Peter Viscarola (OSR)
xxxxxx@osr.com
Join Date:
Posts To This List: 5934
List Moderator
Device guard policy for only WHQL signed drivers

For the further avoidance of doubt: Your Build 2 is signed FOUR DIFFERENT TIMES? And ALL FOUR of those signatures are evident when you test the signatures for the driver? Wow. I wasn't aware you COULD sign the same exe/package FOUR TIMES. Shows you what I know. I should be asking YOU for help, Mr. Stephenson ;-) Peter OSR @OSRDrivers
  Message 5 of 5  
06 Sep 17 09:35
Gabe Jones
xxxxxx@ni.com
Join Date: 19 Mar 2012
Posts To This List: 42
Device guard policy for only WHQL signed drivers

> SHA1 from our SHA1 code signing cert > SHA256 from our SHA256 code signing cert > ATTESTATION signature from attestation process > *WHQL signature from HLK submission process* Is it possible that Windows finds the first Microsoft signature, sees that it is attested, and just stops there, not expecting an additional MS signature? Have you tried a build that just has your signatures and the WHQL signature?
Posting Rules  
You may not post new threads
You may not post replies
You may not post attachments
You must login to OSR Online AND be a member of the ntdev list to be able to post.

All times are GMT -5. The time now is 13:31.


Copyright ©2015, OSR Open Systems Resources, Inc.
Based on vBulletin Copyright ©2000 - 2005, Jelsoft Enterprises Ltd.
Modified under license