Installing 64-bit driver on Windows 10 w/ Secure Boot enabled

The MSDN doc at https://docs.microsoft.com/en-us/windows-hardware/drivers/install/kernel-mode-code-signing-policy--windows-vista-and-later- (Driver Signing Policy) says:

“Starting with new installations of Windows 10, version 1607, Windows will not load any new kernel mode drivers which are not signed by the Dev Portal.”

but with the exception that:

“Cross-signed drivers are still permitted if any of the following are true:
– …
– Secure Boot is off.”

Later in the page, there’s a table that seems to be in a section titled “Signing a driver for earlier versions of Windows” that says when Secure Boot is enabled, a 64-bit driver must have a WHQL signature.

So to install a 64-bit driver on Windows 10 with Secure Boot enabled, is cross-signing sufficient … or must it pass HLK tests and get a WHQL signature?

Fran Litterio

I wrote:

So to install a 64-bit driver on Windows 10 with Secure Boot enabled,
is cross-signing sufficient … or must it pass HLK tests and get a WHQL
signature?

I left out attestation-signing as a 3rd option in that question. Perhaps that’s the magic bullet to install a 64-bit driver on Windows 10 with Secure Boot enabled?

Fran Litterio

Based on my testing, it has to be portal signed. WHQL is not required.

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com
On Behalf Of xxxxx@gmail.com
Sent: Monday, April 23, 2018 2:51 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Installing 64-bit driver on Windows 10 w/ Secure Boot
enabled

Yes, exactly. Attestation Signing or WHQL. It’s your choice, but it has to be one of those.

Peter
OSR
@OSRDrivers

Thanks, Peter. To extend the question to a 64-bit driver on Windows 8.1 with Secure Boot … would that require a WHQL signature, since attestation-signing is only for Windows 10?

Fran Litterio

Not in my experience, no. Windows 8.1 allows “cross-signing”… and I’m *pretty* certain that works even when Secure Boot is enabled. I’m not aware of any other mechanism, other than WHQL, for signing drivers that 8.1 supports. So, Cross Signing (by itself) “must” work.

Peter
OSR
@OSRDrivers

xxxxx@gmail.com wrote:

Thanks, Peter. To extend the question to a 64-bit driver on Windows 8.1 with Secure Boot … would that require a WHQL signature, since attestation-signing is only for Windows 10?

No. Cross-signing works on:

* All systems prior to Windows 10
* Windows 10 1507 and 1511 releases
* Later Windows 10 releases when “secure boot” is off

WHQL is only required for Windows Server 2016.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
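A quick way to check a given box and driver file against the rules summarised above, as an added example (my own script, not code from any poster in the thread). It assumes that Dev Portal signatures (attestation and WHQL alike) carry a signer subject containing “Microsoft Windows Hardware Compatibility Publisher”, that build 14393 is Windows 10 version 1607, and that any other valid third-party signature is a cross-signature; the Windows Server 2016 WHQL-only rule and the “new installation” qualifier in the doc are not modelled.

```powershell
# Added example: classify a driver's signature and test it against the
# loading policy described in this thread. Run as Administrator so that
# Confirm-SecureBootUEFI can read the UEFI variable.
param([Parameter(Mandatory = $true)][string]$DriverPath)   # .sys or .cat

function Get-DriverSigningClass {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return "invalid ($($sig.Status))" }
    $subject = $sig.SignerCertificate.Subject
    # Assumption: attestation-signed and WHQL-signed drivers are both issued
    # by Microsoft through the Dev Portal under this publisher certificate.
    if ($subject -like '*Microsoft Windows Hardware Compatibility Publisher*') {
        return 'dev-portal'
    }
    return 'cross-signed'    # valid, but not issued through the Dev Portal
}

function Get-SecureBootState {
    try { if (Confirm-SecureBootUEFI) { 'on' } else { 'off' } }
    catch { 'unavailable' }  # legacy BIOS, or not elevated; treated as "not off"
}

function Test-DriverWillLoad {
    param([string]$Class, [string]$SecureBoot, [int]$Build)
    if ($Class -eq 'dev-portal') { return $true }       # loads everywhere
    if ($Class -ne 'cross-signed') { return $false }    # unsigned or broken
    # Cross-signing: accepted on everything before Windows 10 1607
    # (build 14393, assumption) and on later builds only with Secure Boot off.
    return ($Build -lt 14393) -or ($SecureBoot -eq 'off')
}

$class      = Get-DriverSigningClass -Path $DriverPath
$secureBoot = Get-SecureBootState
$build      = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber

[pscustomobject]@{
    Driver       = $DriverPath
    SigningClass = $class
    SecureBoot   = $secureBoot
    OSBuild      = $build
    Is64Bit      = [Environment]::Is64BitOperatingSystem
    WillLoad     = Test-DriverWillLoad -Class $class -SecureBoot $secureBoot -Build $build
}
```

A `WillLoad` of `False` for a cross-signed driver on a 1607-or-later box with Secure Boot on is the case the thread resolves: resubmit through the Dev Portal rather than disable Secure Boot.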

Thanks Tim and Peter. That means the table at the bottom of https://docs.microsoft.com/en-us/windows-hardware/drivers/install/kernel-mode-code-signing-policy--windows-vista-and-later- (Driver Signing Policy) is wrong to say a WHQL signature is required for a 64-bit driver on Windows 8.1 with Secure Boot enabled. I’ve filed this bug against the doc: https://github.com/MicrosoftDocs/windows-driver-docs/issues/445

xxxxx@gmail.com wrote:

Thanks Tim and Peter. That means the table at the bottom of https://docs.microsoft.com/en-us/windows-hardware/drivers/install/kernel-mode-code-signing-policy--windows-vista-and-later- (Driver Signing Policy) is wrong to say a WHQL signature is required for a 64-bit driver on Windows 8.1 with Secure Boot enabled. I’ve filed this bug against the doc: https://github.com/MicrosoftDocs/windows-driver-docs/issues/445

Correct, the article is wrong. That’s not the only problem with that page:
    “Starting in Windows 8, Secure Boot is on by default.”
That’s both false and misleading. “Secure boot” is a BIOS setting.
It’s not under operating system control at all.

The driver docs are now a “git” repository.  They accept pull requests
from outside contributors, and the process actually works – I’ve
submitted two modifications that both went live within 24 hours.  I’ll
take a stab at rewriting this page.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> The driver docs are now a “git” repository.

They accept pull requests from outside contributors, and the process actually works – I’ve submitted two modifications that both went live within 24 hours.
I’ll take a stab at rewriting this page.

Thanks, Tim. Looking forward to the Issue or PR!

Eliot Graff
Lead, Bring Up and Driver doc team, Windows

On Apr 24, 2018, at 7:18 AM, xxxxx@gmail.com wrote:
>
> Thanks Tim and Peter. That means the table at the bottom of https://docs.microsoft.com/en-us/windows-hardware/drivers/install/kernel-mode-code-signing-policy--windows-vista-and-later- (Driver Signing Policy) is wrong to say a WHQL signature is required for a 64-bit driver on Windows 8.1 with Secure Boot enabled. I’ve filed this bug against the doc: https://github.com/MicrosoftDocs/windows-driver-docs/issues/445

The driver doc team took my proposed changes, cleaned them up, and posted the replacement today. I think the page now reflects reality.

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/kernel-mode-code-signing-policy--windows-vista-and-later-

I don’t know why I should be surprised, but the whole doc update process works quite well now. And look – I even get credit as a contributor! :wink:

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.