440 likes | 731 Views
Digital Signatures For Windows ® Drivers Scott M. Johnson Program Manager Windows Hardware Quality Labs Microsoft Corporation. Digital Signature Agenda . Reviewing the Problem Overview of Digital Signatures How Digital Signatures Work Microsoft ® Operating System Policies
E N D
Digital Signatures For Windows® Drivers Scott M. JohnsonProgram ManagerWindows Hardware Quality LabsMicrosoft Corporation
Digital Signature Agenda • Reviewing the Problem • Overview of Digital Signatures • How Digital Signatures Work • Microsoft® Operating System Policies • How to Get a Digital Signature • Call to Action
Digital Signatures Reviewing the problem • Untested drivers that leak memory and harm the operating system are the #1 cause of system lockups • Administrators, end users and technical support personnel need to know if files they are installing on a system have passed compatibility testing • Users need a way of knowing if a driver package has been tampered with since it was tested and approved • “DLL Hell”: Users install various applications and drivers on their system; file versions do not match and system stability suffers
Digital Signatures Why get a digital signature? • A digital signature gives your customers confidence that the driver has been tested for stability, and that it hasn’t been tampered with since it passed compatibility testing • Windows will not overwrite drivers that shipped in the box with an unsigned version due to driver ranking, unless the unsigned driver has a better Plug and Play ID match • Systems testing at WHQL requires that all drivers installed into the system have passed WHQL testing and have a valid digital signature • Digital signatures promote driver quality, improve the end-user experience, reduce support costs and TCO
Digital Signatures What are digital signatures? • Digital signatures for Windows drivers allow the operating system to verify the integrity of every file in a driver package • This is accomplished through a Microsoft provided, digitally signed catalog file (.CAT) that contains a record of each file that is copied to the system by the driver package • To receive a digitally signed catalog file, all drivers must pass the Microsoft defined testing criteria for that device via the Windows Hardware Quality Labs (WHQL) • Not all drivers have a corresponding test kit at WHQL and may not be able to receive a signature at this time
Digital Signatures What drivers need to be signed? • Device drivers from certain device classes are set to warn end-users (discussed later) • Whenever files in a driver package change, the signature is broken • New driver packages • Updates to existing driver packages • Modifications to any file copied to the system during driver installation • All INFs and any files referenced in the INFs • Any change to the files that are installed by the INFs breaks the signature, including help and text files
Digital Signatures How do you get a digital signature? • The driver must be installed via an INF • A WHQL test program must be available for the product • The driver must pass the Windows Logo Program testing and be sent to WHQL to get a digital signature • The INF must not contain signability errors • The driver must not include Microsoft-originated files or runtimes
Digital Signatures How digital signatures work All of these parts work together • The INF(s) and driver file(s) being installed • The catalog file(s) Microsoft creates and signs • The Windows digital signature engine which is invoked during: • A Plug and Play event • The Add New Hardware Wizard • When the user selects “Update Driver” • The “UpdateDriverForPlugAndPlayDevices” API
Digital Signatures How digital signatures work • Each time a driver is installed, Windows: • Looks in the INF for ‘Catalogfile=filename.Cat’finds the specified .CAT file and verifiesthe signature • Verifies each file that is installed against the cryptographic checksum value that is recorded in the signed catalog file (including .INF only installations) • If a signature isn’t right or a file’s cryptographic checksum is not the same as the original, the user will be warned or blocked (depending on operating system policy) when installing the driver
Digital SignaturesMicrosoft Policies • Only signed drivers will be distributedby Microsoft • No re-distribution of Microsoft-originated files • Currently it is a common third-party INF practice tore-distribute core Microsoft drivers, DLLs, etc. • Microsoft files can only be replaced by licensing approved distribution packages (DirectX, Service Packs, QFEs, etc) • WHQL legally cannot modify INF files • We see problems with INFs on regular basis • INFs that contain signability errors will not receive a logo
Digital Signatures The Catalog file • The .CAT file is a collection of tags that correspond to each file installed by the driver package • Microsoft creates the .CAT file by walking through the driver package, identifying each INF and the files installed. A “tag” is created in the catalog for each file • The tag is either a cryptographic checksum value (Windows 2000 and Windows ME) or a text filename (Windows 98) • WHQL digitally signs the catalog file using cryptographic technology. The catalogs and files cannot be modified without breaking the signature
Digital SignaturesThe types of signatures • There are many different certificates used to sign catalog files, all of which descend from the main Microsoft root certificate • “Microsoft Windows 2000 Publisher” signature is distributed for Windows 2000 in-box drivers • “Consumer Windows Publisher” signature is written to all in-box Windows ME drivers that pass WHQL testing • “Microsoft Windows Hardware Compatibility Publisher” signature identifies drivers that went through the regular WHQL process • Windows will recognize all of these signatures and work appropriately
Digital SignaturesThe Catalog file WHQL Labs Signature
Digital SignaturesThe Catalog file cryptographic checksums aka ‘Hash’ Tags Filename and OS versionof the tag
Digital SignaturesThe Catalog file This example catalog issigned for bothWindows 98 andWindows 2000 Filename tags for Windows 98 “Hash” tags for Windows 2000 Filename and attributes of the tag selected above
Digital SignaturesThe Catalog file Shows when the signature certificate was valid Signed Catalogs are valid for 20 years
Digital SignaturesDriver Signing Policy • Driver Signing enforcement behavioris controlled by Driver SigningPolicy Settings: • Warn - checks signatures on drivers before installation and displays warnings if signature verification fails • Block - checks signatures on drivers before installation and blocks the installation if signature verification fails • Ignore - bypass signature checking when installing drivers
Digital Signatures Windows 2000 implementation • Warning is the default setting in Windows 2000 for 14 device classes • During setup, all files are verified for signature • During device installation, the system policy determines if drivers can be installed based on the selected driver-signing policy • Only an administrator of the machine can lower the policy • Accessible under “System Properties”, choose “Hardware”, then click on “Driver Signing…” button
Multiport Serial Adapter Multimedia Audio DVD Video Capture Gameport Printer SCSI Adapter Smart Card Reader Display Adapter Hard Drive Controller HID Image Keyboard Media Modem Monitor Mouse Net Adapter Digital Signatures Windows 2000 implementation WARN set for these device classes:
Digital Signatures Windows ME implementation • Windows ME will block install of unsigned drivers for the following driver classes (ONLY if a signed driver already exists on the system) • CLASS=MEDIA and CLASS=DISPLAY • Media • WDM/VXD audio • HID devices • Joystick • Some imaging devices • USB Media devices • Display
Digital Signatures Windows ME – user experience • The goal of driver signing in Windows ME is geared toward simplifying the user experience • This is achieved by: • Blocking based on Plug and Play ID once a signed driver is on the system (for consumers, a matching driver is generally better than no driver, even if not signed) • Searching an offline cache of drivers on Windows Update before sending them to the Web site • Improving driver searches by automatically scanning all removable media and installing drivers with minimal user input • Hiding unsigned drivers if signed drivers are installed for the device, rather than adding dialogs that confuse the end-user
Digital Signatures Windows ME implementation • When a driver gets installed Windows ME will look at the device class in the INF and at the Plug and Play ID • If there is a signed driver from the Media or Display classes in-the-box that matches the Plug and Play ID of the device then Windows will use the driver package with the most specific match • If the Plug and Play ID isn’t found, Windows ME will look for the best matching INF. If the Plug and Play ID is found it checks for the catalog file and signature for the drivers in the given search path
Digital Signatures Windows ME implementation • Windows ME will block unsigned drivers for Audio (Media) or Display only after a signed version has been installed on the system • During an upgrade Windows ME will not replace a working driver on a system in the Media or Display classes, unless known problems exist with a specific driver • Windows ME will always trust the DriverVer field in the INF. Windows 2000 will only trust DriverVer if the package is signed • OEMs will be shipping signed drivers from the factory and therefore these will be protected automatically
Digital Signatures Windows ME – new Plug and Play device detection
Digital Signatures What is Windows File Protection (WFP)? • WFP is a Windows feature that uses cryptographic signatures to prevent Microsoft operating system files from being replaced by unknown or incompatible versions • WFP is known as SFP (System File Protection) in Windows ME • WFP automatically detects changes to system files and restores them to the original version
Digital Signatures Windows File Protection – Windows 2000 • All critical files for ensuring Windows functionality are digitally signed and protected by WFP including SYS, DLL, and OCXs, including the third-party drivers that shipped on the Windows 2000 CD • If a WFP file is being replaced by an unsigned driver the system will raise the warning dialog, even if the driver signing policy is set to “ignore” • If an application tries to replace one of these protected files with an unsigned file, the file will automatically be replaced with the original • If a driver tries to replace one of these protected files the user would be faced with the unsigned driver dialog and can choose whether or not to install the file
Digital Signatures System File Protection (SFP) – Windows ME • All critical files for ensuring windows functionality are protected by SFP (Example: Wsock32.dll) • Main differences from Windows 2000: • Only Microsoft Files are protected, no third-party drivers • SFP does not have a connection to driver signing • Windows ME only allows updates to system files from approved Microsoft redistribution packages • Driver packages are not allowed to replace files that are protected by SFP regardless of a digital signature • If an application tried to replace a SFP protected file, the file will automatically be replaced with the original
Digital Signatures Windows File Protection – WHQL policies • WHQL will verify that the driver is not installing protected files prior to issuing a logo • The WHQL signability test (InfCatR.exe ) will check the WFP/SFP database to see that the driver is not replacing operating system files that originated at Microsoft • INFs may not list these files in their [copyfiles] sections and these files cannot be installed on the users system • It is acceptable to replace your Windows 2000 drivers if the file originated from your company
Digital Signatures How to disable WFP • Disabling WFP is for driver testing purposes only • Set the value :SFCDisable (REG_DWORD) in KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon. • SFCDisable is set to 0, which means WFP is active. (default) • Setting SFCDisable to 1 will disable WFP. • Setting SFCDisable to 2 will disable WFP for the next system restart only • You must have a kernel debugger attached to the system via a null modem cable (I386kd.exe or Windbg.exe) to use SFCDisable=1 or SFCDisable=2 • SFP cannot be disabled in Windows ME • http://www.microsoft.com/hwdev/sfp/wfp.htm
Digital SignaturesSignability errors • INF files must be correctly structured in order for the driver to install without errors • In order for WHQL to sign the driver it must pass though 2 tools that identify INF errors • “CHKINF” tool provided in the DDK and in current WHQL test kits, catches most INF problems, but not all • WHQL signability test (InfCatR.exe ) is a newtool currently posted that catches INF problems that would cause a signed driver to failsignature verification • http://www.microsoft.com/hwtest/testkits
Digital SignaturesDebugging Windows 98 and 2000 • Test the signature by installing thedriver in every supported installation path (Plug and Play, DeviceManager, etc.) • Make sure driver installs without any warning messages • Most signature warnings are due to incorrect or modified INF files inserted after the driver is signed
Digital SignaturesDebugging Windows 2000 with Setupapi.log • Setupapi.log lives in the %systemroot% directory and can be used to determine points of failure in the signature verification • Delete before installing a driver for a clean record of the code Windows uses to install the driver and verify the signature • Turn on verbose setupapi logging by adding the registry value: • HKEY_Local_Machine: Software: Microsoft : Windows: CurrentVersion: Setup • Loglevel (reg_dword) Data = FFFF
Call To Action • Visit the digital signature Web sites at:http://www.microsoft.com/hwtest/signatureshttp://www.microsoft.com/hwdev/supportability • Use the Windows 2000 Device Driver Kit (DDK) to develop your drivers • Check your drivers with WHQL signability test (InfCatR.exe) to verify that you are free of signability errors and are not installing Microsoft-originated files • Join the Quick-Sign program at WHQL and submit your driver updates on the Internet