Archives

• September 2008
• April 2008
• October 2007
• September 2007
• August 2007
• July 2007
• June 2007
• May 2007
• April 2007
• March 2007
• February 2007
• January 2007
• December 2006
• November 2006
• October 2006
• September 2006
• August 2006
• July 2006
• June 2006
• May 2006
• April 2006
• March 2006
• February 2006
• January 2006
• December 2005
• November 2005

Categories

• AI (1)
• authentication (4)
• Blogging (38)
• Culture (27)
• DDK (89)
• General nonsense (29)
• Intellectual Property (9)
• Microsoft (52)
• Networking (23)
• PhoneFactor (5)
• Positive Networks (8)
• Programming (115)
• Security (46)
• two-factor (4)
• Uncategorized (38)
• Vista (34)
• WDK (26)
• Windows (56)

Links

• A Hole In My Head
• Alex Ionescu's Blog
• Antimail
• Buggin' My Life Away
• craigrow: blogging about developing, testing and getting a logo for your drivers using the Windows Driver Kit and the Driver Test Manager
• Dana Epp's ramblings at the Sanctuary
• DebugInfo.com - Oleg Starodumov
• Fabulous Adventures In Coding
• Joel on Software
• Larry Osterman's WebLog
• Lori Pearce's WebLog
• Mark's Sysinternals Blog
• Metasploit
• Michael Howard's Web Log
• Nynaeve
• Pointless Blathering
• Positive Networks
• Positive Networks Blog
• Q & Stuff
• Schneier on Security
• Schwieb
• Sorting It All Out
• The Old New Thing
• Under The Hood - Matt Pietrek

Meta

• Register
• Login
• Valid XHTML
• XFN
• WordPress
• Domain
• Website Design
• Web Hosting

Driver signing whiteboarding

Jennifer Stepler spent some time whiteboarding at the MVP summit about signing. She was explaining that there are two different kinds of signing in the Windows world: Device Installer signing and Code Security Signing. Here are her notes:

In search-engine-findable text:

• DMI [device management & installation] -> .cat file
• Install Time
• 32 & 64-bit
• Unsigned Driver pop-up
  • Unsigned
  • Signed by untrusted cert
• Signed-by pop-up - signed by trusted cert
• Just [silently] install
  • Built in Windows build lab
  • WHQL logo signature
  • Trusted cert from trusted publisher

Example of trusted cert path: MS root -> Verisign -> ATI

Kernel Mode Security Signing

• 64-bit
• Untrusted binary will not load
• Signed with cert that roots to MS root authority
• MS signs:
  • Windows build lab
  • WHQL
  • MS products
• Cross-sign with trusted cert & MS cross-cert
• CAT file (signed & loaded in CatDB) or the binaries

These notes resulted from about an hour of discussion, so they’re missing a lot of detail.

This entry was posted on Monday, March 26th, 2007 at 11:48 am and is filed under WDK. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

No Responses to “Driver signing whiteboarding”

No comments yet

Leave a Reply

Name

Mail (will not be published)

Website

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>

Recent Posts

• Windows 7 Server == Windows Server 2008 R2
• Bad Idea: Making assumptions about CPU number
• At Driver DevCon
• Free advice (being worth what you pay for it, of course)
• PhoneFactor video
• Interesting peek at Win7
• No more single-core chips
• I guess it depends on what you’re hex editing
• Metasploit as the security Mendoza line
• The return of err.exe

Recent Comments

• Manny
• dispensa
• doug
• dispensa
• Yossi