Digital Signatures For Digital Signatures For WindowsWindows®® Drivers Drivers

Scott M. JohnsonScott M. JohnsonProgram ManagerProgram ManagerWindows Hardware Quality LabsWindows Hardware Quality LabsMicrosoft CorporationMicrosoft Corporation

Digital Signature Agenda Digital Signature Agenda

Reviewing the ProblemReviewing the Problem Overview of Digital SignaturesOverview of Digital Signatures How Digital Signatures WorkHow Digital Signatures Work MicrosoftMicrosoft®® Operating System Policies Operating System Policies How to Get a Digital SignatureHow to Get a Digital Signature Call to ActionCall to Action

Digital Signatures Digital Signatures Reviewing the problemReviewing the problem

Untested drivers that leak memory and harm the Untested drivers that leak memory and harm the operating system are the #1 cause of system lockupsoperating system are the #1 cause of system lockups

Administrators, end users and technical support Administrators, end users and technical support personnel need to know if files they are installing personnel need to know if files they are installing on a system have passed compatibility testingon a system have passed compatibility testing

Users need a way of knowing if a driver package has Users need a way of knowing if a driver package has been tampered with since it was tested and approved been tampered with since it was tested and approved

““DLL Hell”: Users install various applications and DLL Hell”: Users install various applications and drivers on their system; file versions do not match drivers on their system; file versions do not match and system stability suffersand system stability suffers

Digital Signatures Digital Signatures Why get a digital signature?Why get a digital signature?

A digital signature gives your customers confidence A digital signature gives your customers confidence that the driver has been tested for stability, and that it that the driver has been tested for stability, and that it hasn’t been tampered with since it passed hasn’t been tampered with since it passed compatibility testingcompatibility testing

Windows will not overwrite drivers that shipped in the Windows will not overwrite drivers that shipped in the box with an unsigned version due to driver ranking, box with an unsigned version due to driver ranking, unless the unsigned driver has a better Plug and Play unless the unsigned driver has a better Plug and Play ID matchID match

Systems testing at WHQL requires that all drivers Systems testing at WHQL requires that all drivers installed into the system have passed WHQL testing installed into the system have passed WHQL testing and have a valid digital signatureand have a valid digital signature

Digital signatures promote driver quality, improve the Digital signatures promote driver quality, improve the end-user experience, reduce support costs and TCOend-user experience, reduce support costs and TCO

Digital Signatures Digital Signatures What are digital signatures?What are digital signatures?

Digital signatures for Windows drivers allow the Digital signatures for Windows drivers allow the operating system to verify the integrity of every file operating system to verify the integrity of every file in a driver packagein a driver package

This is accomplished through a Microsoft provided, This is accomplished through a Microsoft provided, digitally signed catalog file (.CAT) that contains a digitally signed catalog file (.CAT) that contains a record of each file that is copied to the system by record of each file that is copied to the system by the driver packagethe driver package

To receive a digitally signed catalog file, all drivers To receive a digitally signed catalog file, all drivers must pass the Microsoft defined testing criteria for that must pass the Microsoft defined testing criteria for that device via the Windows Hardware Quality Labs (WHQL) device via the Windows Hardware Quality Labs (WHQL)

Not all drivers have a corresponding test kit at WHQL Not all drivers have a corresponding test kit at WHQL and may not be able to receive a signature at this timeand may not be able to receive a signature at this time

Digital Signatures Digital Signatures What drivers need to be signed?What drivers need to be signed?

Device drivers from certain device classes Device drivers from certain device classes are set to warn end-users (discussed later)are set to warn end-users (discussed later)

Whenever files in a driver package change, Whenever files in a driver package change, the signature is brokenthe signature is broken New driver packagesNew driver packages Updates to existing driver packagesUpdates to existing driver packages Modifications to any file copied to the system Modifications to any file copied to the system

during driver installationduring driver installation All INFs and any files referenced in the INFsAll INFs and any files referenced in the INFs Any change to the files that are installed by the INFs Any change to the files that are installed by the INFs

breaks the signature, including help and text filesbreaks the signature, including help and text files

Digital Signatures Digital Signatures How do you get a digital signature?How do you get a digital signature?

The driver must be installed via an INFThe driver must be installed via an INF A WHQL test program must be available A WHQL test program must be available

for the productfor the product The driver must pass the Windows Logo The driver must pass the Windows Logo

Program testing and be sent to WHQL Program testing and be sent to WHQL to get a digital signatureto get a digital signature

The INF must not contain signability errorsThe INF must not contain signability errors The driver must not include Microsoft-The driver must not include Microsoft-

originated files or runtimesoriginated files or runtimes

Digital Signatures Digital Signatures How digital signatures workHow digital signatures work

All of these parts work together All of these parts work together

1.1. The INF(s) and driver file(s) being installedThe INF(s) and driver file(s) being installed

2.2. The catalog file(s) Microsoft creates and signsThe catalog file(s) Microsoft creates and signs

3.3. The Windows digital signature engine which The Windows digital signature engine which is invoked during:is invoked during: A Plug and Play eventA Plug and Play event The Add New Hardware WizardThe Add New Hardware Wizard When the user selects “Update Driver”When the user selects “Update Driver” The “UpdateDriverForPlugAndPlayDevices” APIThe “UpdateDriverForPlugAndPlayDevices” API

Digital Signatures Digital Signatures How digital signatures workHow digital signatures work

Each time a driver is installed, Windows:Each time a driver is installed, Windows: Looks in the INF for Looks in the INF for ‘Catalogfile=filename.Cat’‘Catalogfile=filename.Cat’

finds the specified .CAT file and verifiesfinds the specified .CAT file and verifiesthe signaturethe signature

Verifies each file that is installed against the Verifies each file that is installed against the cryptographic checksum value that is recorded cryptographic checksum value that is recorded in the signed catalog file in the signed catalog file (including .INF only installations)(including .INF only installations)

If a signature isn’t right or a file’s cryptographic If a signature isn’t right or a file’s cryptographic checksum is not the same as the original, the user checksum is not the same as the original, the user will be warned or blocked (depending on operating will be warned or blocked (depending on operating system policy) when installing the driversystem policy) when installing the driver

Digital SignaturesDigital SignaturesMicrosoft PoliciesMicrosoft Policies

Only signed drivers will be distributedOnly signed drivers will be distributedby Microsoftby Microsoft

No re-distribution of Microsoft-originated filesNo re-distribution of Microsoft-originated files Currently it is a common third-party INF practice toCurrently it is a common third-party INF practice to

re-distribute core Microsoft drivers, DLLs, etc.re-distribute core Microsoft drivers, DLLs, etc. Microsoft files can only be replaced by licensing Microsoft files can only be replaced by licensing

approved distribution packages (DirectX, Service approved distribution packages (DirectX, Service Packs, QFEs, etc)Packs, QFEs, etc)

WHQL legally cannot modify INF filesWHQL legally cannot modify INF files We see problems with INFs on regular basis We see problems with INFs on regular basis INFs that contain signability errors will not INFs that contain signability errors will not

receive a logoreceive a logo

Digital Signatures Digital Signatures The Catalog fileThe Catalog file

The .CAT file is a collection of tags that correspond The .CAT file is a collection of tags that correspond to each file installed by the driver packageto each file installed by the driver package

Microsoft creates the .CAT file by walking through the Microsoft creates the .CAT file by walking through the driver package, identifying each INF and the files driver package, identifying each INF and the files installed. A “tag” is created in the catalog for each fileinstalled. A “tag” is created in the catalog for each file

The tag is either a cryptographic checksum value The tag is either a cryptographic checksum value (Windows 2000 and Windows ME) or a text filename (Windows 2000 and Windows ME) or a text filename (Windows 98) (Windows 98)

WHQL digitally signs the catalog file using WHQL digitally signs the catalog file using cryptographic technology. The catalogs and files cryptographic technology. The catalogs and files cannot be modified without breaking the signaturecannot be modified without breaking the signature

Digital SignaturesDigital SignaturesThe Catalog fileThe Catalog file

Digital SignaturesDigital SignaturesThe types of signaturesThe types of signatures

There are many different certificates used to sign There are many different certificates used to sign catalog files, all of which descend from the main catalog files, all of which descend from the main Microsoft root certificateMicrosoft root certificate ““Microsoft Windows 2000 Publisher” signature is Microsoft Windows 2000 Publisher” signature is

distributed for Windows 2000 in-box driversdistributed for Windows 2000 in-box drivers ““Consumer Windows Publisher” signature is written to all Consumer Windows Publisher” signature is written to all

in-box Windows ME drivers that pass WHQL testingin-box Windows ME drivers that pass WHQL testing ““Microsoft Windows Hardware Compatibility Publisher” Microsoft Windows Hardware Compatibility Publisher”

signature identifies drivers that went through the regular signature identifies drivers that went through the regular WHQL processWHQL process

Windows will recognize all of these signatures and Windows will recognize all of these signatures and work appropriatelywork appropriately

Digital SignaturesDigital SignaturesThe Catalog fileThe Catalog file

WHQL Labs WHQL Labs SignatureSignature

Digital SignaturesDigital SignaturesThe Catalog fileThe Catalog file

cryptographic cryptographic checksums aka checksums aka

‘Hash’ Tags‘Hash’ Tags

Filename and Filename and OS versionOS versionof the tagof the tag

Digital SignaturesDigital SignaturesThe Catalog fileThe Catalog file

This example This example catalog iscatalog is

signed for bothsigned for bothWindows 98 andWindows 98 andWindows 2000Windows 2000

Filename tags for Filename tags for Windows 98Windows 98

Filename and Filename and attributes of the attributes of the

tag selected tag selected aboveabove

““Hash” Hash” tags for tags for

Windows 2000Windows 2000

Digital SignaturesDigital SignaturesThe Catalog fileThe Catalog file

Digital SignaturesDigital SignaturesThe Catalog fileThe Catalog file

Digital SignaturesDigital SignaturesThe Catalog fileThe Catalog file

Shows when the Shows when the signature certificate signature certificate

was validwas valid

Signed Catalogs are Signed Catalogs are valid for 20 yearsvalid for 20 years

Digital SignaturesDigital SignaturesDriver Signing PolicyDriver Signing Policy

Driver Signing enforcement behaviorDriver Signing enforcement behavioris controlled by Driver Signingis controlled by Driver SigningPolicy Settings:Policy Settings:1.1. Warn - checks signatures on drivers Warn - checks signatures on drivers

before installation and displays warnings before installation and displays warnings if signature verification failsif signature verification fails

2.2. Block - checks signatures on drivers Block - checks signatures on drivers before installation and blocks the before installation and blocks the installation if signature verification failsinstallation if signature verification fails

3.3. Ignore - bypass signature checking when Ignore - bypass signature checking when installing driversinstalling drivers

Digital SignaturesDigital SignaturesWindows 2000 Driver Signing Dialog BoxWindows 2000 Driver Signing Dialog Box

Digital Signatures Digital Signatures Windows 2000 implementationWindows 2000 implementation

Warning is the default setting in Windows 2000 Warning is the default setting in Windows 2000 for 14 device classesfor 14 device classes

During setup, all files are verified for signatureDuring setup, all files are verified for signature During device installation, the system policy During device installation, the system policy

determines if drivers can be installed based determines if drivers can be installed based on the selected driver-signing policyon the selected driver-signing policy

Only an administrator of the machine can Only an administrator of the machine can lower the policylower the policy Accessible under “System Properties”, choose Accessible under “System Properties”, choose

“Hardware”, then click on “Driver Signing…” button“Hardware”, then click on “Driver Signing…” button

Digital Signatures Digital Signatures Windows 2000 implementationWindows 2000 implementation

Multiport Serial AdapterMultiport Serial Adapter MultimediaMultimedia

AudioAudio DVDDVD Video CaptureVideo Capture GameportGameport PrinterPrinter SCSI AdapterSCSI Adapter Smart Card ReaderSmart Card Reader

Display AdapterDisplay Adapter Hard Drive ControllerHard Drive Controller HIDHID ImageImage KeyboardKeyboard MediaMedia ModemModem MonitorMonitor MouseMouse Net AdapterNet Adapter

WARN set for these device classes:WARN set for these device classes:

Digital SignaturesDigital SignaturesThe Warning Dialog BoxThe Warning Dialog Box

Digital Signatures Digital Signatures Windows ME implementationWindows ME implementation

Windows ME will block install of unsigned Windows ME will block install of unsigned drivers for the following driver classes (ONLY drivers for the following driver classes (ONLY if a signed driver already exists on the system)if a signed driver already exists on the system)

CLASS=MEDIA and CLASS=DISPLAYCLASS=MEDIA and CLASS=DISPLAY MediaMedia

WDM/VXD audioWDM/VXD audio HID devicesHID devices JoystickJoystick Some imaging devicesSome imaging devices USB Media devicesUSB Media devices

DisplayDisplay

Digital Signatures Digital Signatures Windows ME – user experienceWindows ME – user experience

The goal of driver signing in Windows ME is geared The goal of driver signing in Windows ME is geared toward simplifying the user experiencetoward simplifying the user experience

This is achieved by:This is achieved by: Blocking based on Plug and Play ID once a signed driver is on Blocking based on Plug and Play ID once a signed driver is on

the system (for consumers, a matching driver is generally better the system (for consumers, a matching driver is generally better than no driver, even if not signed)than no driver, even if not signed)

Searching an offline cache of drivers on Windows Update before Searching an offline cache of drivers on Windows Update before sending them to the Web sitesending them to the Web site

Improving driver searches by automatically scanning all Improving driver searches by automatically scanning all removable media and installing drivers with minimal user inputremovable media and installing drivers with minimal user input

Hiding unsigned drivers if signed drivers are installed for the Hiding unsigned drivers if signed drivers are installed for the device, rather than adding dialogs that confuse the end-userdevice, rather than adding dialogs that confuse the end-user

Digital Signatures Digital Signatures Windows ME implementationWindows ME implementation

When a driver gets installed Windows ME will look at When a driver gets installed Windows ME will look at the device class in the INF and at the Plug and Play IDthe device class in the INF and at the Plug and Play ID

If there is a signed driver from the Media or Display If there is a signed driver from the Media or Display classes in-the-box that matches the Plug and Play ID classes in-the-box that matches the Plug and Play ID of the device then Windows will use the driver of the device then Windows will use the driver package with the most specific matchpackage with the most specific match

If the Plug and Play ID isn’t found, Windows ME will If the Plug and Play ID isn’t found, Windows ME will look for the best matching INF. If the Plug and Play ID look for the best matching INF. If the Plug and Play ID is found it checks for the catalog file and signature for is found it checks for the catalog file and signature for the drivers in the given search paththe drivers in the given search path

Digital Signatures Digital Signatures Windows ME implementationWindows ME implementation

Windows ME will block unsigned drivers for Audio Windows ME will block unsigned drivers for Audio (Media) or Display only after a signed version has (Media) or Display only after a signed version has been installed on the systembeen installed on the system

During an upgrade Windows ME will not replace During an upgrade Windows ME will not replace a working driver on a system in the Media or a working driver on a system in the Media or Display classes, unless known problems exist Display classes, unless known problems exist with a specific driverwith a specific driver

Windows ME will always trust the DriverVer field in Windows ME will always trust the DriverVer field in the INF. Windows 2000 will only trust DriverVer if the the INF. Windows 2000 will only trust DriverVer if the package is signedpackage is signed

OEMs will be shipping signed drivers from the OEMs will be shipping signed drivers from the factory and therefore these will be protected factory and therefore these will be protected automaticallyautomatically

Digital Signatures Digital Signatures Windows ME – Update Driver WizardWindows ME – Update Driver Wizard

Digital Signatures Digital Signatures Windows ME – new Plug and Play Windows ME – new Plug and Play device detectiondevice detection

Digital Signatures Digital Signatures Windows ME – blocking dialogWindows ME – blocking dialog

Digital Signatures Digital Signatures Windows ME – advanced settingsWindows ME – advanced settings

Digital Signatures Digital Signatures Windows ME – warning dialogWindows ME – warning dialog

Digital Signatures Digital Signatures What is Windows File Protection (WFP)?What is Windows File Protection (WFP)?

WFP is a Windows feature that uses WFP is a Windows feature that uses cryptographic signatures to prevent cryptographic signatures to prevent Microsoft operating system files from Microsoft operating system files from being replaced by unknown or being replaced by unknown or incompatible versionsincompatible versions

WFP is known as SFP (System File WFP is known as SFP (System File Protection) in Windows MEProtection) in Windows ME

WFP automatically detects changes WFP automatically detects changes to system files and restores them to system files and restores them to the original versionto the original version

Digital Signatures Digital Signatures Windows File Protection – Windows 2000Windows File Protection – Windows 2000

All critical files for ensuring Windows functionality are All critical files for ensuring Windows functionality are digitally signed and protected by WFP including SYS, digitally signed and protected by WFP including SYS, DLL, and OCXs, including the third-party drivers that DLL, and OCXs, including the third-party drivers that shipped on the Windows 2000 CDshipped on the Windows 2000 CD

If a WFP file is being replaced by an unsigned driver If a WFP file is being replaced by an unsigned driver the system will raise the warning dialog, even if the the system will raise the warning dialog, even if the driver signing policy is set to “ignore”driver signing policy is set to “ignore”

If an application tries to replace one of these protected files If an application tries to replace one of these protected files with an unsigned file, the file will automatically be replaced with an unsigned file, the file will automatically be replaced with the originalwith the original

If a driver tries to replace one of these protected files the user If a driver tries to replace one of these protected files the user would be faced with the unsigned driver dialog and can would be faced with the unsigned driver dialog and can choose whether or not to install the file choose whether or not to install the file

Digital Signatures Digital Signatures System File Protection (SFP) – Windows MESystem File Protection (SFP) – Windows ME

All critical files for ensuring windows functionality are All critical files for ensuring windows functionality are protected by SFP (Example: Wsock32.dll)protected by SFP (Example: Wsock32.dll)

Main differences from Windows 2000:Main differences from Windows 2000: Only Microsoft Files are protected, no third-party driversOnly Microsoft Files are protected, no third-party drivers SFP does not have a connection to driver signingSFP does not have a connection to driver signing Windows ME only allows updates to system files from Windows ME only allows updates to system files from

approved Microsoft redistribution packages approved Microsoft redistribution packages Driver packages are not allowed to replace files that are Driver packages are not allowed to replace files that are

protected by SFP regardless of a digital signatureprotected by SFP regardless of a digital signature

If an application tried to replace a SFP protected file, If an application tried to replace a SFP protected file, the file will automatically be replaced with the originalthe file will automatically be replaced with the original

Digital Signatures Digital Signatures Windows File Protection – WHQL policiesWindows File Protection – WHQL policies

WHQL will verify that the driver is not installing WHQL will verify that the driver is not installing protected files prior to issuing a logoprotected files prior to issuing a logo

The WHQL signability test (InfCatR.exe ) will The WHQL signability test (InfCatR.exe ) will check the WFP/SFP database to see that the check the WFP/SFP database to see that the driver is not replacing operating system files driver is not replacing operating system files that originated at Microsoftthat originated at Microsoft

INFs may not list these files in their [copyfiles] INFs may not list these files in their [copyfiles] sections and these files cannot be installed on sections and these files cannot be installed on the users systemthe users system

It is acceptable to replace your Windows 2000 It is acceptable to replace your Windows 2000 drivers if the file originated from your companydrivers if the file originated from your company

Digital Signatures Digital Signatures How to disable WFPHow to disable WFP

Disabling WFP is for driver testing purposes onlyDisabling WFP is for driver testing purposes only Set the value :SFCDisable (REG_DWORD) in Set the value :SFCDisable (REG_DWORD) in

KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon. CurrentVersion\Winlogon.

SFCDisable is set to 0, which means WFP is active. (default)SFCDisable is set to 0, which means WFP is active. (default) Setting SFCDisable to 1 will disable WFP. Setting SFCDisable to 1 will disable WFP. Setting SFCDisable to 2 will disable WFP for the next system Setting SFCDisable to 2 will disable WFP for the next system

restart only restart only

You must have a kernel debugger attached to the You must have a kernel debugger attached to the system via a null modem cable (I386kd.exe or system via a null modem cable (I386kd.exe or Windbg.exe) to use SFCDisable=1 or SFCDisable=2Windbg.exe) to use SFCDisable=1 or SFCDisable=2

SFP cannot be disabled in Windows MESFP cannot be disabled in Windows ME http://www.microsoft.com/hwdev/sfp/wfp.htmhttp://www.microsoft.com/hwdev/sfp/wfp.htm

Digital SignaturesDigital SignaturesSignability errorsSignability errors

INF files must be correctly structured in order INF files must be correctly structured in order for the driver to install without errorsfor the driver to install without errors

In order for WHQL to sign the driver it must In order for WHQL to sign the driver it must pass though 2 tools that identify INF errorspass though 2 tools that identify INF errors ““CHKINF” tool provided in the DDK and in current CHKINF” tool provided in the DDK and in current

WHQL test kits, catches most INF problems, WHQL test kits, catches most INF problems, but not allbut not all

WHQL signability test WHQL signability test (InfCatR.exe )(InfCatR.exe ) is a new is a newtool currently posted that catches INF problems tool currently posted that catches INF problems that would cause a signed driver to failthat would cause a signed driver to failsignature verificationsignature verification

http://www.http://www.microsoftmicrosoft.com/.com/hwtesthwtest//testkitstestkits

Digital SignaturesDigital SignaturesDebugging Windows 98 and 2000Debugging Windows 98 and 2000

Test the signature by installing theTest the signature by installing thedriver in every supported installation driver in every supported installation path (Plug and Play, Devicepath (Plug and Play, DeviceManager, etc.)Manager, etc.)

Make sure driver installs without any Make sure driver installs without any warning messageswarning messages

Most signature warnings are due to Most signature warnings are due to incorrect or modified INF files inserted incorrect or modified INF files inserted after the driver is signedafter the driver is signed

Digital SignaturesDigital SignaturesDebugging Windows 2000 with Debugging Windows 2000 with Setupapi.logSetupapi.log

Setupapi.logSetupapi.log lives in the %systemroot% lives in the %systemroot% directory and can be used to determine points directory and can be used to determine points of failure in the signature verificationof failure in the signature verification

Delete before installing a driver for a clean Delete before installing a driver for a clean record of the code Windows uses to install the record of the code Windows uses to install the driver and verify the signaturedriver and verify the signature

Turn on verbose setupapi logging by adding Turn on verbose setupapi logging by adding the registry value:the registry value: HKEY_Local_Machine: Software: Microsoft : HKEY_Local_Machine: Software: Microsoft :

Windows: CurrentVersion: SetupWindows: CurrentVersion: Setup Loglevel (reg_dword) Loglevel (reg_dword) Data = FFFF Data = FFFF

Call To ActionCall To Action

Visit the digital signature Web sites at:Visit the digital signature Web sites at:http://www.microsoft.com/hwtest/signatureshttp://www.microsoft.com/hwtest/signatures http://www.microsoft.com/hwdev/supportabilityhttp://www.microsoft.com/hwdev/supportability

Use the Windows 2000 Device Driver Kit (DDK) Use the Windows 2000 Device Driver Kit (DDK) to develop your driversto develop your drivers

Check your drivers with WHQL signability test Check your drivers with WHQL signability test ((InfCatR.exeInfCatR.exe) to verify that you are free of ) to verify that you are free of signability errors and are not installing signability errors and are not installing Microsoft-originated filesMicrosoft-originated files

Join the Quick-Sign program at WHQL and Join the Quick-Sign program at WHQL and submit your driver updates on the Internetsubmit your driver updates on the Internet