Copyright © 2010, Steven E. Houchin
In Parts I and II of this article, I discussed the requirement for driver signing, digital signatures, and how to go about testing signed drivers.
The last step is the actual signing of the binaries that you integrate into the customer product. In order to do this, you must first purchase a digital certificate from a reputable certificate authority (CA). In fact, for kernel mode drivers, you must purchase your digital certificate from Verisign. Certificates from other vendors can be used to sign the binaries, and Windows installs them, but it refuses to execute those binaries (as of Windows 7).
As I've mentioned in the earlier parts of this article, the step-by-step procedures for driver signing are contained in a document at the Windows WHDC site, and need not be repeated here. It contains a section titled "The Kernel-Mode Code-Signing Process." The important decision to make is whether to set up the digital signature via a catalog file (specified in the INF file), or to sign the binaries directly. A cartalog is preferable, especially if you are signing multiple files; but that won't work if your binaries start at boot time (see StartType in your INF fle). In that case, signing the binarys themselves is required. Microsoft has another site, titled "Signing Drivers for Public Release", that gives more details about the files you may receive from your CA.
When you distribute your product for the customer to install, the installer package must include, in addition to the binaries, the INF file, signed catalog files (if any), and the public key portion of your digital certificate. The public key digital certificate (.spc or .cer file) must be installed on your customer's system. Your original private key digital certificate (.pvk file) should be locked away, because it is used in the signing process.
Showing posts with label catalog file. Show all posts
Showing posts with label catalog file. Show all posts
Wednesday, September 22, 2010
Monday, August 9, 2010
Kernel Driver Signing - Part II
Copyright © 2010, Steven E. Houchin
In Part I of this article, I explained that all kernel drivers on 64-bit Windows systems must be digitally signed.
There are two ways of signing kernel drivers: embed the signature in the driver binaries themselves, or use a signed catalog file. To peform driver signing, you really must have the latest Microsoft WDK installed on your signing system.
For drivers that start at boot time (see StartType in your INF fle), the binary itself must be signed. Use of a catalog file is not enough, though is also required if installing the driver package via INF file. For other types of drivers - especially those that contain multiple files - a signed catalog file can be used to identify all the files in a driver package.
Use of a catalog file requires that the driver package be installed via an INF file, because that is where the catalog file is specified. For example, ADriver.inf will have the following line included in its [Version] section:
Once the catalog files are created, they must be signed using WDK's SignTool utility and your digital certificate information. The details for catalog file creation and signing, and driver binary signing, are at the Windows WHDC site, which contains white paper that has decent step-by-step procedures.
The catalog file and INF file go together as a pair wherever the signed driver package is to be installed. If your INF file is also used for 32-bit drivers, then your 32-bit installer should comment out the "CatalogFile" line in the [Version] section so that a signing certificate isn't needed on those systems.
In Part I of this article, I explained that all kernel drivers on 64-bit Windows systems must be digitally signed.
There are two ways of signing kernel drivers: embed the signature in the driver binaries themselves, or use a signed catalog file. To peform driver signing, you really must have the latest Microsoft WDK installed on your signing system.
For drivers that start at boot time (see StartType in your INF fle), the binary itself must be signed. Use of a catalog file is not enough, though is also required if installing the driver package via INF file. For other types of drivers - especially those that contain multiple files - a signed catalog file can be used to identify all the files in a driver package.
Use of a catalog file requires that the driver package be installed via an INF file, because that is where the catalog file is specified. For example, ADriver.inf will have the following line included in its [Version] section:
CatalogFile=ADriver.catAfter your driver binaries are all built and copied to a "package" directory (which includes the INF file), a catalog file is created using the WDK's Inf2Cat utility. For example, if your package files are in C:\MyDriverPackage, the catalog file (in this case for Win2K and Win64 systems) is created via:
Inf2Cat /driver:C:\MyDriverPackage\ /os:2000,Server2003_X64This utility will scan all INF files in the given directory and create catalog files for each one using the "CatalogFile" line.
Once the catalog files are created, they must be signed using WDK's SignTool utility and your digital certificate information. The details for catalog file creation and signing, and driver binary signing, are at the Windows WHDC site, which contains white paper that has decent step-by-step procedures.
The catalog file and INF file go together as a pair wherever the signed driver package is to be installed. If your INF file is also used for 32-bit drivers, then your 32-bit installer should comment out the "CatalogFile" line in the [Version] section so that a signing certificate isn't needed on those systems.
Subscribe to:
Posts (Atom)