Digital Signatures For Windows Drivers (PowerPoint presentation transcript)

1
Digital Signatures For Windows Drivers
Scott M. Johnson, Program Manager, Windows Hardware
Quality Labs, Microsoft Corporation
3
Digital Signature Agenda
  • Reviewing the Problem
  • Overview of Digital Signatures
  • How Digital Signatures Work
  • Microsoft Operating System Policies
  • How to Get a Digital Signature
  • Call to Action

4
Digital Signatures Reviewing the problem
  • Untested drivers that leak memory and harm the
    operating system are the number-one cause of system
    lockups
  • Administrators, end users and technical support
    personnel need to know if files they are
    installing on a system have passed compatibility
    testing
  • Users need a way of knowing if a driver package
    has been tampered with since it was tested and
    approved
  • DLL Hell: users install various applications
    and drivers on their system, file versions do not
    match, and system stability suffers

5
Digital Signatures Why get a digital signature?
  • A digital signature gives your customers
    confidence that the driver has been tested for
    stability, and that it hasn't been tampered with
    since it passed compatibility testing
  • Windows will not overwrite drivers that shipped
    in the box with an unsigned version due to driver
    ranking, unless the unsigned driver has a better
    Plug and Play ID match
  • Systems testing at WHQL requires that all drivers
    installed into the system have passed WHQL
    testing and have a valid digital signature
  • Digital signatures promote driver quality,
    improve the end-user experience, reduce support
    costs and TCO

6
Digital Signatures What are digital signatures?
  • Digital signatures for Windows drivers allow the
    operating system to verify the integrity of every
    file in a driver package
  • This is accomplished through a Microsoft-provided,
    digitally signed catalog file (.CAT) that
    contains a record of each file that is copied to
    the system by the driver package
  • To receive a digitally signed catalog file, all
    drivers must pass the Microsoft defined testing
    criteria for that device via the Windows Hardware
    Quality Labs (WHQL)
  • Not all drivers have a corresponding test kit at
    WHQL and may not be able to receive a signature
    at this time

7
Digital Signatures What drivers need to be signed?
  • Device drivers from certain device classes are
    set to warn end-users (discussed later)
  • Whenever files in a driver package change, the
    signature is broken
  • New driver packages
  • Updates to existing driver packages
  • Modifications to any file copied to the system
    during driver installation
  • All INFs and any files referenced in the INFs
  • Any change to the files that are installed by the
    INFs breaks the signature, including help and
    text files

8
Digital Signatures How do you get a digital signature?
  • The driver must be installed via an INF
  • A WHQL test program must be available for the
    product
  • The driver must pass the Windows Logo Program
    testing and be sent to WHQL to get a digital
    signature
  • The INF must not contain signability errors
  • The driver must not include Microsoft-originated
    files or runtimes

9
Digital Signatures How digital signatures work
  • All of these parts work together:
      • The INF(s) and driver file(s) being installed
      • The catalog file(s) Microsoft creates and signs
      • The Windows digital signature engine, which is
        invoked during:
          • A Plug and Play event
          • The Add New Hardware Wizard
          • When the user selects Update Driver
          • The UpdateDriverForPlugAndPlayDevices API

10
Digital Signatures How digital signatures work
  • Each time a driver is installed, Windows:
      • Looks in the INF for CatalogFile=filename.cat,
        finds the specified .CAT file and verifies the
        signature
      • Verifies each file that is installed against the
        cryptographic checksum value that is recorded in
        the signed catalog file (including INF-only
        installations)
      • If a signature isn't right or a file's
        cryptographic checksum is not the same as the
        original, the user will be warned or blocked
        (depending on operating system policy) when
        installing the driver

11
Digital Signatures Microsoft Policies
  • Only signed drivers will be distributed by
    Microsoft
  • No re-distribution of Microsoft-originated files
      • Currently it is a common third-party INF practice
        to re-distribute core Microsoft drivers, DLLs,
        etc.
      • Microsoft files can only be replaced by
        licensing-approved distribution packages
        (DirectX, Service Packs, QFEs, etc.)
  • WHQL legally cannot modify INF files
      • We see problems with INFs on a regular basis
      • INFs that contain signability errors will not
        receive a logo

12
Digital Signatures The Catalog file
  • The .CAT file is a collection of tags that
    correspond to each file installed by the driver
    package
  • Microsoft creates the .CAT file by walking
    through the driver package, identifying each INF
    and the files installed. A tag is created in
    the catalog for each file
  • The tag is either a cryptographic checksum value
    (Windows 2000 and Windows ME) or a text filename
    (Windows 98)
  • WHQL digitally signs the catalog file using
    cryptographic technology. The catalogs and files
    cannot be modified without breaking the signature

13
Digital Signatures The Catalog file
14
Digital Signatures The types of signatures
  • There are many different certificates used to
    sign catalog files, all of which descend from the
    main Microsoft root certificate
  • Microsoft Windows 2000 Publisher signature is
    distributed for Windows 2000 in-box drivers
  • Consumer Windows Publisher signature is written
    to all in-box Windows ME drivers that pass WHQL
    testing
  • Microsoft Windows Hardware Compatibility
    Publisher signature identifies drivers that went
    through the regular WHQL process
  • Windows will recognize all of these signatures
    and work appropriately

15
Digital Signatures The Catalog file
  (Screenshot callout: WHQL Labs signature)
16
Digital Signatures The Catalog file
  (Screenshot callouts: cryptographic checksums, aka
  hash tags; filename and OS version of the tag)
17
Digital Signatures The Catalog file
  (Screenshot callouts: this example catalog is signed
  for both Windows 98 and Windows 2000; filename tags
  for Windows 98, hash tags for Windows 2000; filename
  and attributes of the tag selected above)
18
Digital Signatures The Catalog file
19
Digital Signatures The Catalog file
20
Digital Signatures The Catalog file
  (Screenshot callouts: shows when the signature
  certificate was valid; signed catalogs are valid for
  20 years)
21
Digital Signatures Driver Signing Policy
  • Driver Signing enforcement behavior is controlled
    by Driver Signing Policy settings:
      • Warn - checks signatures on drivers before
        installation and displays warnings if signature
        verification fails
      • Block - checks signatures on drivers before
        installation and blocks the installation if
        signature verification fails
      • Ignore - bypasses signature checking when
        installing drivers
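The engine described on slides 10 and 12, together with the policy table above, modelled as an added Python example (an illustration written for this page, not WHQL or Windows code). It parses CatalogFile= out of an INF's [Version] section, builds a catalog of tags in both styles slide 12 names (hash tags for Windows 2000 and Windows ME, filename tags for Windows 98), re-checks a constructed three-file package after its help file is edited, and maps the verdict onto Warn/Block/Ignore. Two assumptions: the hash tag is plain SHA-1 over the whole file (real catalogs store the Authenticode hash for PE images, which skips the PE checksum and certificate-table fields), and the Authenticode signature over the .CAT itself is not verified, since that needs a certificate chain to the Microsoft root that the Python standard library cannot build.

```python
"""Model of the per-file catalog check (slides 10 and 12) and the
Warn/Block/Ignore decision (slide 21).  Added example, not Windows code.

Assumption: a "cryptographic checksum" tag is SHA-1 over the whole file.
The signature over the .CAT itself is NOT checked here; what is modelled
is what the engine does once the catalog has been accepted.
"""
import hashlib
import os
import re
import tempfile

HASH_TAG = "hash"          # Windows 2000 and Windows ME catalogs (slide 12)
FILENAME_TAG = "filename"  # Windows 98 catalogs (slide 12)

# Slide 21: what the engine does when verification fails.
POLICY_ON_FAILURE = {"ignore": "install", "warn": "prompt user", "block": "refuse"}


def catalog_file_from_inf(inf_text):
    """Return the CatalogFile= value from the INF's [Version] section, or None."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # INF comments start with ';'
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "version":
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() == "catalogfile":
                return value.strip()
    return None


def file_tag(path, style):
    """The tag recorded for one file: a SHA-1 digest, or just the name (Win98)."""
    if style == FILENAME_TAG:
        return os.path.basename(path).lower()
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def package_files(package_dir):
    """Files the INF would copy: everything in the package except the .CAT itself."""
    return sorted(n for n in os.listdir(package_dir)
                  if os.path.isfile(os.path.join(package_dir, n))
                  and not n.lower().endswith(".cat"))


def build_catalog(package_dir, style):
    """Walk the package and record one tag per file, as slide 12 describes."""
    return {"style": style,
            "tags": {n.lower(): file_tag(os.path.join(package_dir, n), style)
                     for n in package_files(package_dir)}}


def verify_package(package_dir, catalog):
    """Compare every file to its catalog tag.  Returns (ok, list_of_problems)."""
    problems = []
    for name in package_files(package_dir):
        recorded = catalog["tags"].get(name.lower())
        if recorded is None:
            problems.append(f"{name}: not listed in catalog")
        elif recorded != file_tag(os.path.join(package_dir, name), catalog["style"]):
            problems.append(f"{name}: hash mismatch (modified after signing)")
    return not problems, problems


def install_decision(policy, verified):
    """Slide 21: a verified package installs; otherwise the policy decides."""
    return "install" if verified else POLICY_ON_FAILURE[policy]


def demo():
    """Constructed three-file package; edits the help file to break the signature."""
    with tempfile.TemporaryDirectory() as pkg:
        files = {  # constructed sample package, not a real driver
            "sample.inf": "[Version]\nSignature=\"$CHICAGO$\"\nCatalogFile=sample.cat\n",
            "sample.sys": "stand-in for the driver image\n",
            "sample.hlp": "original help text\n",
        }
        for name, body in files.items():
            with open(os.path.join(pkg, name), "w") as f:
                f.write(body)
        cat_w2k = build_catalog(pkg, HASH_TAG)
        cat_w98 = build_catalog(pkg, FILENAME_TAG)
        ok_clean, _ = verify_package(pkg, cat_w2k)
        with open(os.path.join(pkg, "sample.hlp"), "a") as f:
            f.write("a one-line edit to the help file\n")  # slide 7: this breaks it
        ok_w2k, problems = verify_package(pkg, cat_w2k)
        ok_w98, _ = verify_package(pkg, cat_w98)
        return {
            "catalog_named_in_inf": catalog_file_from_inf(files["sample.inf"]),
            "clean_package_ok": ok_clean,
            "edited_ok_w2k": ok_w2k,   # hash tags catch the edit
            "edited_ok_w98": ok_w98,   # filename tags cannot
            "problems": problems,
            "warn_policy": install_decision("warn", ok_w2k),
            "block_policy": install_decision("block", ok_w2k),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

After the help-file edit the Windows 98-style (filename) catalog still passes while the hash catalog does not, which is why slide 12 distinguishes the two tag types: only a hash tag lets the engine detect the kind of post-signing change slide 7 warns about.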

22
Digital Signatures Windows 2000 Driver Signing Dialog Box
23
Digital Signatures Windows 2000 implementation
  • Warning is the default setting in Windows 2000
    for 14 device classes
  • During setup, all files are verified for
    signature
  • During device installation, the system policy
    determines if drivers can be installed based on
    the selected driver-signing policy
  • Only an administrator of the machine can lower
    the policy
  • Accessible under System Properties: choose
    Hardware, then click the Driver Signing button

24
Digital Signatures Windows 2000 implementation
WARN set for these device classes
  • Multiport Serial Adapter
  • Multimedia
  • Audio
  • DVD
  • Video Capture
  • Gameport
  • Printer
  • SCSI Adapter
  • Smart Card Reader
  • Display Adapter
  • Hard Drive Controller
  • HID
  • Image
  • Keyboard
  • Media
  • Modem
  • Monitor
  • Mouse
  • Net Adapter

25
Digital SignaturesThe Warning Dialog Box
26
Digital Signatures Windows ME implementation
  • Windows ME will block install of unsigned drivers
    for the following driver classes (ONLY if a
    signed driver already exists on the system):
      • CLASS=MEDIA and CLASS=DISPLAY
      • Media
      • WDM/VXD audio
      • HID devices
      • Joystick
      • Some imaging devices
      • USB Media devices
      • Display

27
Digital Signatures Windows ME user experience
  • The goal of driver signing in Windows ME is
    geared toward simplifying the user experience
  • This is achieved by:
      • Blocking based on Plug and Play ID once a signed
        driver is on the system (for consumers, a
        matching driver is generally better than no
        driver, even if not signed)
      • Searching an offline cache of drivers on Windows
        Update before sending them to the Web site
      • Improving driver searches by automatically
        scanning all removable media and installing
        drivers with minimal user input
      • Hiding unsigned drivers if signed drivers are
        installed for the device, rather than adding
        dialogs that confuse the end-user

28
Digital Signatures Windows ME implementation
  • When a driver gets installed Windows ME will look
    at the device class in the INF and at the Plug
    and Play ID
  • If there is a signed driver from the Media or
    Display classes in-the-box that matches the Plug
    and Play ID of the device then Windows will use
    the driver package with the most specific match
  • If the Plug and Play ID isn't found, Windows ME
    will look for the best matching INF. If the Plug
    and Play ID is found, it checks for the catalog
    file and signature for the drivers in the given
    search path

29
Digital Signatures Windows ME implementation
  • Windows ME will block unsigned drivers for Audio
    (Media) or Display only after a signed version
    has been installed on the system
  • During an upgrade Windows ME will not replace a
    working driver on a system in the Media or
    Display classes, unless known problems exist
    with a specific driver
  • Windows ME will always trust the DriverVer field
    in the INF. Windows 2000 will only trust
    DriverVer if the package is signed
  • OEMs will be shipping signed drivers from the
    factory and therefore these will be protected
    automatically

30
Digital Signatures Windows ME Update Driver Wizard
31
Digital Signatures Windows ME new Plug and Play device detection
32
Digital Signatures Windows ME blocking dialog
33
Digital Signatures Windows ME advanced settings
34
Digital Signatures Windows ME warning dialog
35
Digital Signatures What is Windows File Protection (WFP)?
  • WFP is a Windows feature that uses cryptographic
    signatures to prevent Microsoft operating system
    files from being replaced by unknown or
    incompatible versions
  • WFP is known as SFP (System File Protection) in
    Windows ME
  • WFP automatically detects changes to system
    files and restores them to the original version

36
Digital Signatures Windows File Protection
Windows 2000
  • All critical files for ensuring Windows
    functionality are digitally signed and protected
    by WFP including SYS, DLL, and OCXs, including
    the third-party drivers that shipped on the
    Windows 2000 CD
  • If a WFP file is being replaced by an unsigned
    driver the system will raise the warning dialog,
    even if the driver signing policy is set to
    ignore
  • If an application tries to replace one of these
    protected files with an unsigned file, the file
    will automatically be replaced with the original
  • If a driver tries to replace one of these
    protected files the user would be faced with the
    unsigned driver dialog and can choose whether or
    not to install the file

37
Digital Signatures System File Protection (SFP)
Windows ME
  • All critical files for ensuring Windows
    functionality are protected by SFP (example:
    Wsock32.dll)
  • Main differences from Windows 2000:
      • Only Microsoft files are protected, no
        third-party drivers
      • SFP has no connection to driver signing
      • Windows ME only allows updates to system files
        from approved Microsoft redistribution packages
      • Driver packages are not allowed to replace files
        that are protected by SFP, regardless of a
        digital signature
      • If an application tries to replace an
        SFP-protected file, the file will automatically
        be replaced with the original

38
Digital Signatures Windows File Protection
WHQL policies
  • WHQL will verify that the driver is not
    installing protected files prior to issuing a
    logo
  • The WHQL signability test (InfCatR.exe) will
    check the WFP/SFP database to see that the driver
    is not replacing operating system files that
    originated at Microsoft
  • INFs may not list these files in their
    CopyFiles sections, and these files cannot be
    installed on the user's system
  • It is acceptable to replace your Windows 2000
    drivers if the file originated from your company

39
Digital Signatures How to disable WFP
  • Disabling WFP is for driver testing purposes only
  • Set the value SFCDisable (REG_DWORD) under
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      • SFCDisable = 0 means WFP is active (default)
      • SFCDisable = 1 disables WFP
      • SFCDisable = 2 disables WFP for the next system
        restart only
  • You must have a kernel debugger attached to the
    system via a null modem cable (I386kd.exe or
    Windbg.exe) for SFCDisable=1 or SFCDisable=2 to
    take effect
  • SFP cannot be disabled in Windows ME
  • http://www.microsoft.com/hwdev/sfp/wfp.htm

40
Digital SignaturesSignability errors
  • INF files must be correctly structured in order
    for the driver to install without errors
  • In order for WHQL to sign the driver it must pass
    through 2 tools that identify INF errors:
      • CHKINF, provided in the DDK and in current
        WHQL test kits, catches most INF problems, but
        not all
      • The WHQL signability test (InfCatR.exe) is a
        new tool, currently posted, that catches INF
        problems that would cause a signed driver to
        fail signature verification
  • http://www.microsoft.com/hwtest/testkits

41
Digital Signatures Debugging Windows 98 and 2000
  • Test the signature by installing the driver in
    every supported installation path (Plug and Play,
    Device Manager, etc.)
  • Make sure the driver installs without any warning
    messages
  • Most signature warnings are due to incorrect or
    modified INF files inserted after the driver is
    signed

42
Digital Signatures Debugging Windows 2000 with
Setupapi.log
  • Setupapi.log lives in the %SystemRoot% directory
    and can be used to determine points of failure in
    the signature verification
  • Delete it before installing a driver for a clean
    record of the code path Windows uses to install
    the driver and verify the signature
  • Turn on verbose setupapi logging by adding the
    registry value
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
    LogLevel (REG_DWORD) = 0xFFFF
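A scanner for the log the slide describes, added here as a Python example (not from the presentation or from Microsoft). SAMPLE_LOG is constructed to follow the setupapi.log layout (a bracketed header per install operation, then records prefixed #-, #I, #W or #E); the record numbers and wording Windows writes vary between versions, so the scan keys on the HRESULT in the message, which does not. The HRESULT meanings are the documented WinTrust/CryptoAPI values; the record numbers and message texts in the sample are constructed.

```python
"""Pull signature-verification failures out of a Windows 2000 setupapi.log.

Added example, not Windows code.  SAMPLE_LOG is CONSTRUCTED: it copies the
setupapi.log shape (section header, then '#-'/'#I'/'#W'/'#E' records) but
the record numbers and wording are illustrative.  The scan therefore keys
on the HRESULT, which is stable across Windows versions.
"""
import re

# WinTrust / CryptoAPI HRESULTs that say *why* the check on slide 10 failed.
SIGNATURE_HRESULTS = {
    0x800B0100: "TRUST_E_NOSIGNATURE: no signature present (no catalog, or file not listed in it)",
    0x80096010: "TRUST_E_BAD_DIGEST: file hash differs from the catalog tag (modified after signing)",
    0x800B0003: "TRUST_E_SUBJECT_FORM_UNKNOWN: file type cannot be signature-checked",
    0x800B0101: "CERT_E_EXPIRED: signing certificate outside its validity period",
    0x800B0109: "CERT_E_UNTRUSTEDROOT: certificate chain does not end at a trusted root",
}

SECTION_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<pid>\d+)\.(?P<tid>\d+) (?P<op>[^\]]+)\]$")
RECORD_RE = re.compile(r"^#(?P<sev>[-IWE])(?P<num>\d{3}) (?P<msg>.*)$")
HRESULT_RE = re.compile(r"\b0x(?P<hr>[0-9A-Fa-f]{8})\b")
QUOTED_RE = re.compile(r'"([^"]+)"')
SEVERITY = {"-": "begin", "I": "info", "W": "warning", "E": "error"}

# Constructed sample: one install with a tampered INF, one with no catalog at all.
SAMPLE_LOG = r"""[2000/09/12 14:03:21 1180.1276 Driver Install]
#-019 Searching for hardware ID(s): pci\ven_1234&dev_5678
#I022 Found "pci\ven_1234&dev_5678" in c:\winnt\inf\oem5.inf; Device: "Sample Adapter"; Driver: "Sample Adapter"; Provider: "Sample Inc."; Section name: "Sample.Install".
#E361 An unsigned or incorrectly signed file "c:\winnt\inf\oem5.inf" for driver "Sample Adapter" will be installed (Policy=Warn, user said ok). Error 0x80096010: The digital signature of the object did not verify.
#I121 Device install of "PCI\VEN_1234&DEV_5678\4&1A2B3C4D&0&08" finished successfully.
[2000/09/12 14:10:05 1180.1276 Driver Install]
#-019 Searching for hardware ID(s): usb\vid_0abc&pid_0123
#E361 An unsigned or incorrectly signed file "d:\drivers\widget.inf" for driver "Widget Device" blocked (Policy=Block). Error 0x800b0100: No signature was present in the subject.
#E122 Device install failed. Error 0xe0000228: There are no compatible drivers for this device.
"""


def parse_setupapi_log(text):
    """Return one dict per '#' record, tagged with its enclosing section header."""
    records = []
    ts, op = None, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.rstrip())
        if m:
            ts, op = m.group("ts"), m.group("op")
            continue
        m = RECORD_RE.match(line.rstrip())
        if not m:
            continue  # blank line or continuation text
        records.append({
            "timestamp": ts,
            "section": op,
            "severity": SEVERITY[m.group("sev")],
            "number": int(m.group("num")),
            "message": m.group("msg"),
        })
    return records


def signature_failures(text):
    """Records whose message carries a signature-related HRESULT, decoded."""
    failures = []
    for rec in parse_setupapi_log(text):
        hm = HRESULT_RE.search(rec["message"])
        if not hm:
            continue
        hr = int(hm.group("hr"), 16)
        if hr not in SIGNATURE_HRESULTS:  # e.g. SPAPI_E_NO_COMPAT_DRIVERS is not a signing problem
            continue
        qm = QUOTED_RE.search(rec["message"])
        failures.append({
            "timestamp": rec["timestamp"],
            "section": rec["section"],
            "severity": rec["severity"],
            "file": qm.group(1) if qm else None,
            "hresult": hr,
            "reason": SIGNATURE_HRESULTS[hr],
        })
    return failures


if __name__ == "__main__":
    for f in signature_failures(SAMPLE_LOG):
        print(f"{f['timestamp']}  {f['file']}  0x{f['hresult']:08X}  {f['reason']}")
```

Set LogLevel as the slide says, delete the old log, reproduce the install, then run the scan over the fresh file. A TRUST_E_BAD_DIGEST against an INF is the signature of the failure mode slide 41 calls out: the INF was edited after WHQL signed the catalog, so its hash tag no longer matches.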

43
Call To Action
  • Visit the digital signature Web sites at
    http://www.microsoft.com/hwtest/signatures and
    http://www.microsoft.com/hwdev/supportability
  • Use the Windows 2000 Device Driver Kit (DDK) to
    develop your drivers
  • Check your drivers with WHQL signability test
    (InfCatR.exe) to verify that you are free of
    signability errors and are not installing
    Microsoft-originated files
  • Join the Quick-Sign program at WHQL and submit
    your driver updates on the Internet
