Title: Digital Signatures For Windows Drivers Scott M. Johnson Program Manager Windows Hardware Quality Lab
1. Digital Signatures For Windows Drivers
Scott M. Johnson, Program Manager, Windows Hardware Quality Labs, Microsoft Corporation
3. Digital Signature Agenda
- Reviewing the Problem
- Overview of Digital Signatures
- How Digital Signatures Work
- Microsoft Operating System Policies
- How to Get a Digital Signature
- Call to Action
4. Digital Signatures - Reviewing the problem
- Untested drivers that leak memory and harm the operating system are the #1 cause of system lockups
- Administrators, end users and technical support personnel need to know if files they are installing on a system have passed compatibility testing
- Users need a way of knowing if a driver package has been tampered with since it was tested and approved
- DLL Hell: users install various applications and drivers on their system, file versions do not match, and system stability suffers
5. Digital Signatures - Why get a digital signature?
- A digital signature gives your customers confidence that the driver has been tested for stability, and that it hasn't been tampered with since it passed compatibility testing
- Windows will not overwrite drivers that shipped in the box with an unsigned version, due to driver ranking, unless the unsigned driver has a better Plug and Play ID match
- Systems testing at WHQL requires that all drivers installed into the system have passed WHQL testing and have a valid digital signature
- Digital signatures promote driver quality, improve the end-user experience, and reduce support costs and TCO
6. Digital Signatures - What are digital signatures?
- Digital signatures for Windows drivers allow the operating system to verify the integrity of every file in a driver package
- This is accomplished through a Microsoft-provided, digitally signed catalog file (.CAT) that contains a record of each file that is copied to the system by the driver package
- To receive a digitally signed catalog file, all drivers must pass the Microsoft-defined testing criteria for that device via the Windows Hardware Quality Labs (WHQL)
- Not all drivers have a corresponding test kit at WHQL and may not be able to receive a signature at this time
7. Digital Signatures - What drivers need to be signed?
- Device drivers from certain device classes are set to warn end-users (discussed later)
- Whenever files in a driver package change, the signature is broken:
  - New driver packages
  - Updates to existing driver packages
  - Modifications to any file copied to the system during driver installation
- All INFs and any files referenced in the INFs
- Any change to the files that are installed by the INFs breaks the signature, including help and text files
8. Digital Signatures - How do you get a digital signature?
- The driver must be installed via an INF
- A WHQL test program must be available for the product
- The driver must pass the Windows Logo Program testing and be sent to WHQL to get a digital signature
- The INF must not contain signability errors
- The driver must not include Microsoft-originated files or runtimes
9. Digital Signatures - How digital signatures work
- All of these parts work together:
  - The INF(s) and driver file(s) being installed
  - The catalog file(s) Microsoft creates and signs
  - The Windows digital signature engine, which is invoked during:
    - A Plug and Play event
    - The Add New Hardware Wizard
    - When the user selects Update Driver
    - The UpdateDriverForPlugAndPlayDevices API
10. Digital Signatures - How digital signatures work
- Each time a driver is installed, Windows:
  - Looks in the INF for CatalogFile=filename.cat, finds the specified .CAT file and verifies the signature
  - Verifies each file that is installed against the cryptographic checksum value that is recorded in the signed catalog file (including .INF-only installations)
  - If a signature isn't right or a file's cryptographic checksum is not the same as the original, the user will be warned or blocked (depending on operating system policy) when installing the driver
11. Digital Signatures - Microsoft Policies
- Only signed drivers will be distributed by Microsoft
- No re-distribution of Microsoft-originated files
  - Currently it is a common third-party INF practice to re-distribute core Microsoft drivers, DLLs, etc.
  - Microsoft files can only be replaced by licensing-approved distribution packages (DirectX, Service Packs, QFEs, etc.)
- WHQL legally cannot modify INF files
  - We see problems with INFs on a regular basis
  - INFs that contain signability errors will not receive a logo
12. Digital Signatures - The Catalog file
- The .CAT file is a collection of tags that correspond to each file installed by the driver package
- Microsoft creates the .CAT file by walking through the driver package, identifying each INF and the files installed. A tag is created in the catalog for each file
- The tag is either a cryptographic checksum value (Windows 2000 and Windows ME) or a text filename (Windows 98)
- WHQL digitally signs the catalog file using cryptographic technology. The catalogs and files cannot be modified without breaking the signature
13. Digital Signatures - The Catalog file
14. Digital Signatures - The types of signatures
- There are many different certificates used to sign catalog files, all of which descend from the main Microsoft root certificate
- The Microsoft Windows 2000 Publisher signature is distributed for Windows 2000 in-box drivers
- The Consumer Windows Publisher signature is written to all in-box Windows ME drivers that pass WHQL testing
- The Microsoft Windows Hardware Compatibility Publisher signature identifies drivers that went through the regular WHQL process
- Windows will recognize all of these signatures and work appropriately
15. Digital Signatures - The Catalog file
Screenshot callout: WHQL Labs Signature
16. Digital Signatures - The Catalog file
Screenshot callouts: cryptographic checksums, aka hash tags; filename and OS version of the tag
17. Digital Signatures - The Catalog file
Screenshot callouts: this example catalog is signed for both Windows 98 and Windows 2000; filename tags for Windows 98; hash tags for Windows 2000; filename and attributes of the tag selected above
18. Digital Signatures - The Catalog file
19. Digital Signatures - The Catalog file
20. Digital Signatures - The Catalog file
Screenshot callouts: shows when the signature certificate was valid; signed catalogs are valid for 20 years
21. Digital Signatures - Driver Signing Policy
- Driver Signing enforcement behavior is controlled by the Driver Signing Policy settings:
  - Warn - checks signatures on drivers before installation and displays warnings if signature verification fails
  - Block - checks signatures on drivers before installation and blocks the installation if signature verification fails
  - Ignore - bypasses signature checking when installing drivers
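As an added example (not part of the original deck, and not Microsoft's code), here is a Python model of the verification flow from slides 7, 10 and 21: find the catalog named by the INF's CatalogFile= line, check the catalog signature, check every packaged file (INF and text files included) against its hash tag, then apply the Warn/Block/Ignore policy. The package contents, the catalog layout and the HMAC-SHA1 signature stand-in are constructed assumptions; a real .CAT carries an Authenticode signature from the WHQL certificate.

```python
import hashlib, hmac, re

# Constructed driver package (in-memory stand-in for files on disk); the INF names its catalog.
PACKAGE = {
    "widget.inf": b"[Version]\nCatalogFile=widget.cat\n[Widget.CopyFiles]\nwidget.sys\nwidget.dll\nreadme.txt\n",
    "widget.sys": b"fake driver binary",
    "widget.dll": b"fake coinstaller",
    "readme.txt": b"Widget driver v1.0",
}

def catalog_name(inf: bytes) -> str:
    """Return the file named by the INF's CatalogFile= directive."""
    m = re.search(rb"^\s*CatalogFile\s*=\s*(\S+)", inf, re.M | re.I)
    if not m:
        raise ValueError("INF has no CatalogFile directive; the package cannot be signed")
    return m.group(1).decode()

def _tag_list(tags: dict) -> bytes:
    return "\n".join(f"{n}:{h}" for n, h in sorted(tags.items())).encode()  # what the signature covers

def build_catalog(package: dict, key: bytes) -> dict:
    """WHQL side (model): one SHA-1 hash tag per file, INFs included, then a signature over
    the tag list. HMAC-SHA1 with a secret key stands in for the real Authenticode signature."""
    tags = {name: hashlib.sha1(data).hexdigest() for name, data in package.items()}
    return {"tags": tags, "sig": hmac.new(key, _tag_list(tags), hashlib.sha1).hexdigest()}

def verify_package(package: dict, catalogs: dict, key: bytes) -> list:
    """Windows side (model): find the catalog the INF names, check its signature, then
    check every file against its tag. Returns the list of problems found (empty = OK)."""
    inf = next(data for name, data in package.items() if name.lower().endswith(".inf"))
    cat = catalogs.get(catalog_name(inf))
    if cat is None:
        return ["catalog file not found"]
    expected_sig = hmac.new(key, _tag_list(cat["tags"]), hashlib.sha1).hexdigest()
    if not hmac.compare_digest(cat["sig"], expected_sig):
        return ["catalog signature invalid"]
    problems = []
    for name, data in package.items():
        tag = cat["tags"].get(name)
        if tag is None:
            problems.append(f"{name}: not in catalog")
        elif hashlib.sha1(data).hexdigest() != tag:
            problems.append(f"{name}: hash mismatch")
    return problems

def apply_policy(problems: list, policy: str) -> str:
    """Driver Signing Policy: Ignore installs regardless, Warn prompts, Block refuses."""
    if not problems or policy == "ignore":
        return "install"
    return "warn" if policy == "warn" else "block"
```

Editing readme.txt after the catalog was built is enough to break verification, which is the point slide 7 makes about help and text files.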
22. Digital Signatures - Windows 2000 Driver Signing Dialog Box
23. Digital Signatures - Windows 2000 implementation
- Warn is the default setting in Windows 2000 for 14 device classes
- During setup, all files are verified for signature
- During device installation, the system policy determines if drivers can be installed, based on the selected driver-signing policy
- Only an administrator of the machine can lower the policy
- Accessible under System Properties: choose Hardware, then click on the Driver Signing button
24. Digital Signatures - Windows 2000 implementation
WARN is set for these device classes:
- Multiport Serial Adapter
- Multimedia
- Audio
- DVD
- Video Capture
- Gameport
- Printer
- SCSI Adapter
- Smart Card Reader
- Display Adapter
- Hard Drive Controller
- HID
- Image
- Keyboard
- Media
- Modem
- Monitor
- Mouse
- Net Adapter
25. Digital Signatures - The Warning Dialog Box
26. Digital Signatures - Windows ME implementation
- Windows ME will block install of unsigned drivers for the following driver classes (ONLY if a signed driver already exists on the system): CLASS=MEDIA and CLASS=DISPLAY
  - Media
  - WDM/VXD audio
  - HID devices
  - Joystick
  - Some imaging devices
  - USB Media devices
  - Display
27. Digital Signatures - Windows ME user experience
- The goal of driver signing in Windows ME is geared toward simplifying the user experience
- This is achieved by:
  - Blocking based on Plug and Play ID once a signed driver is on the system (for consumers, a matching driver is generally better than no driver, even if not signed)
  - Searching an offline cache of drivers on Windows Update before sending them to the Web site
  - Improving driver searches by automatically scanning all removable media and installing drivers with minimal user input
  - Hiding unsigned drivers if signed drivers are installed for the device, rather than adding dialogs that confuse the end-user
28. Digital Signatures - Windows ME implementation
- When a driver gets installed, Windows ME will look at the device class in the INF and at the Plug and Play ID
- If there is a signed driver from the Media or Display classes in-the-box that matches the Plug and Play ID of the device, then Windows will use the driver package with the most specific match
- If the Plug and Play ID isn't found, Windows ME will look for the best matching INF. If the Plug and Play ID is found, it checks for the catalog file and signature for the drivers in the given search path
29. Digital Signatures - Windows ME implementation
- Windows ME will block unsigned drivers for Audio (Media) or Display only after a signed version has been installed on the system
- During an upgrade, Windows ME will not replace a working driver on a system in the Media or Display classes, unless known problems exist with a specific driver
- Windows ME will always trust the DriverVer field in the INF. Windows 2000 will only trust DriverVer if the package is signed
- OEMs will be shipping signed drivers from the factory and therefore these will be protected automatically
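An added example, not from the original deck: a simplified Python model of the Windows ME selection rule described on slides 28 and 29, where the most specific Plug and Play ID match wins unless it is unsigned, in a Media or Display class, and a signed driver for the device is already on the system. The candidate INFs, the device IDs and the most-specific-first ordering of the device's IDs are constructed assumptions.

```python
# Constructed candidate driver packages for one audio device. Each entry models an INF:
# the Class= it declares, the Plug and Play IDs it matches, and whether a WHQL catalog
# verified for it (signed) or not.
CANDIDATES = [
    {"inf": "inbox_audio.inf", "class": "Media",
     "ids": ["PCI\\VEN_1234&DEV_5678"], "signed": True},
    {"inf": "vendor_audio.inf", "class": "Media",
     "ids": ["PCI\\VEN_1234&DEV_5678&SUBSYS_0001"], "signed": False},
    {"inf": "generic_audio.inf", "class": "Media",
     "ids": ["PCI\\VEN_1234"], "signed": False},
]
# Classes for which Windows ME hides unsigned packages once a signed one is installed.
PROTECTED_CLASSES = {"Media", "Display"}

def match_rank(pkg: dict, device_ids: list):
    """Rank of the most specific device ID the package matches. device_ids is ordered
    most specific first (assumption), so lower is better; None means no match."""
    ranks = [i for i, did in enumerate(device_ids) if did in pkg["ids"]]
    return min(ranks) if ranks else None

def select_driver(device_ids: list, candidates: list, signed_installed: bool) -> tuple:
    """Model of the slide 28/29 rule: the most specific match wins, but an unsigned
    winner in a protected class is blocked once a signed driver for the device is on
    the system, and the best signed match is used instead (None if there is none)."""
    matched = [p for p in candidates if match_rank(p, device_ids) is not None]
    matched.sort(key=lambda p: match_rank(p, device_ids))
    if not matched:
        return None, "no match"
    best = matched[0]
    blocked = not best["signed"] and best["class"] in PROTECTED_CLASSES and signed_installed
    if not blocked:
        return best["inf"], "install"
    signed = [p for p in matched if p["signed"]]
    return (signed[0]["inf"] if signed else None), "unsigned driver blocked"
```

With no signed driver yet installed the unsigned vendor package wins on specificity, which is the consumer trade-off slide 27 describes; once a signed driver is present it is hidden and the in-box signed package is used.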
30. Digital Signatures - Windows ME Update Driver Wizard
31. Digital Signatures - Windows ME new Plug and Play device detection
32. Digital Signatures - Windows ME blocking dialog
33. Digital Signatures - Windows ME advanced settings
34. Digital Signatures - Windows ME warning dialog
35. Digital Signatures - What is Windows File Protection (WFP)?
- WFP is a Windows feature that uses cryptographic signatures to prevent Microsoft operating system files from being replaced by unknown or incompatible versions
- WFP is known as SFP (System File Protection) in Windows ME
- WFP automatically detects changes to system files and restores them to the original version
36. Digital Signatures - Windows File Protection, Windows 2000
- All critical files for ensuring Windows functionality are digitally signed and protected by WFP, including SYS, DLL and OCX files, and including the third-party drivers that shipped on the Windows 2000 CD
- If a WFP file is being replaced by an unsigned driver, the system will raise the warning dialog, even if the driver signing policy is set to Ignore
- If an application tries to replace one of these protected files with an unsigned file, the file will automatically be replaced with the original
- If a driver tries to replace one of these protected files, the user would be faced with the unsigned driver dialog and can choose whether or not to install the file
37. Digital Signatures - System File Protection (SFP), Windows ME
- All critical files for ensuring Windows functionality are protected by SFP (example: Wsock32.dll)
- Main differences from Windows 2000:
  - Only Microsoft files are protected, no third-party drivers
  - SFP does not have a connection to driver signing
  - Windows ME only allows updates to system files from approved Microsoft redistribution packages
  - Driver packages are not allowed to replace files that are protected by SFP, regardless of a digital signature
  - If an application tries to replace an SFP-protected file, the file will automatically be replaced with the original
38. Digital Signatures - Windows File Protection, WHQL policies
- WHQL will verify that the driver is not installing protected files prior to issuing a logo
- The WHQL signability test (InfCatR.exe) will check the WFP/SFP database to see that the driver is not replacing operating system files that originated at Microsoft
- INFs may not list these files in their CopyFiles sections, and these files cannot be installed on the user's system
- It is acceptable to replace your Windows 2000 drivers if the file originated from your company
39. Digital Signatures - How to disable WFP
- Disabling WFP is for driver testing purposes only
- Set the value SFCDisable (REG_DWORD) in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  - SFCDisable set to 0 means WFP is active (default)
  - Setting SFCDisable to 1 will disable WFP
  - Setting SFCDisable to 2 will disable WFP for the next system restart only
- You must have a kernel debugger attached to the system via a null modem cable (I386kd.exe or Windbg.exe) to use SFCDisable=1 or SFCDisable=2
- SFP cannot be disabled in Windows ME
- http://www.microsoft.com/hwdev/sfp/wfp.htm
40. Digital Signatures - Signability errors
- INF files must be correctly structured in order for the driver to install without errors
- In order for WHQL to sign the driver, it must pass through 2 tools that identify INF errors:
  - The CHKINF tool, provided in the DDK and in current WHQL test kits, catches most INF problems, but not all
  - The WHQL signability test (InfCatR.exe) is a new tool, currently posted, that catches INF problems that would cause a signed driver to fail signature verification
- http://www.microsoft.com/hwtest/testkits
41. Digital Signatures - Debugging Windows 98 and 2000
- Test the signature by installing the driver in every supported installation path (Plug and Play, Device Manager, etc.)
- Make sure the driver installs without any warning messages
- Most signature warnings are due to incorrect or modified INF files inserted after the driver is signed
42. Digital Signatures - Debugging Windows 2000 with Setupapi.log
- Setupapi.log lives in the systemroot directory and can be used to determine points of failure in the signature verification
- Delete it before installing a driver for a clean record of the code Windows uses to install the driver and verify the signature
- Turn on verbose setupapi logging by adding the registry value:
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
  - LogLevel (REG_DWORD), Data = FFFF
43. Call To Action
- Visit the digital signature Web sites at http://www.microsoft.com/hwtest/signatures and http://www.microsoft.com/hwdev/supportability
- Use the Windows 2000 Device Driver Kit (DDK) to develop your drivers
- Check your drivers with the WHQL signability test (InfCatR.exe) to verify that you are free of signability errors and are not installing Microsoft-originated files
- Join the Quick-Sign program at WHQL and submit your driver updates on the Internet