Kernel Mode Code Signing
on Windows Vista and Windows Longhorn Server

Ramesh Chinta
Program Manager (STU)


• Motivation
• What the kernel mode code signing policy means to you
• MSFT Programs for Code Signing
   – What they are
   – When to use them
• How to get a Software Publisher Certificate
• Development & Test with SPC
• Diagnostics and Troubleshooting

      Motivation

• Trustworthy computing built on a trusted kernel
   – Windows Vista has an identifiable kernel state
   – Reduce platform vulnerability from unknown
• Identifiable kernel enables new scenarios
   – Access next generation premium content
   – Address growing threat of malicious rootkit
   – Improve reliability by identifying and working with
     kernel mode software publishers

      Kernel Mode Code Signing Policy

• Signature checks by OS loader and kernel
• On x64 64-bit platforms
   – Identity of all kernel mode binaries is verified
   – All kernel mode code must be signed in order to load
   – System audit events for integrity check failures
• On x86 32-bit platforms
   – Administrator is prompted and must accept the installation of
     unsigned kernel mode code
   – Load-time checks done on all kernel mode binaries,
     unsigned code allowed to load
   – Next generation premium content may not be accessible,
     depending on content protection policy

      Which Kernel Mode Signature to use?

Signing option                         Functionality verified   Identity   Intended
                                       to meet Logo             verified   use
Windows Logo                           Yes                      Yes        Release
Kernel Mode Code Signing using a SPC   No                       Yes        Release
WHQL Test Signature program            No                       Yes        Testing
KMCS Test Signing                      No                       No         Testing

      Outline of Development Workflow

• Get Software Publisher Certificates (SPC)
• Develop and test your kmod
   – Use an enforcement workaround for early development
• Pre-release/testing
   – Use Makecert.exe or WHQL test signing
• Release
   – Sign kmods using SPC or use WHQL signing
• Installation

    Release signing

• How and when do I get an SPC?
  – Get an SPC from a CA that issues the certificates required for
    kernel mode code signing
  – Get the corresponding cross certificate
• Cross cert
  – The system loader and kernel trust only the Microsoft root
  – Cross certs provide a flexible way to establish trust to
    commercial CA roots that issue SPCs

Development Workflow

            Enforcement Workarounds

    • Enforcement workarounds for Vista RTM
         – Attach an active kernel debugger and turn on debugging
              • bcdedit /bootdebug on
              • bcdedit /debug on
         – F8 one-time boot option to disable enforcement for that boot
    • For Vista Beta2 builds only:
         – To disable integrity checks in ntoskrnl.exe
            • bcdedit.exe /set nointegritychecks on
         – Re-enable integrity checks
            • bcdedit.exe /set nointegritychecks off

                       *Other names and brands may be claimed as the property of others
    Signing Basics

• Applies to both release and pre-release signing
• Embedded signing
  – Signature contained in PE
  – Protects an individual file
• Catalog signing
  – Contains hashes of files
  – Signing a catalog protects the integrity of all files in the catalog
  – Better if you have to sign many files

Development Workflow

            What Do I Sign?

    • All boot start kmods must be embedded
      signed using a SPC
         – Significant performance gain at boot
         – Don’t forget to embedded sign export drivers
    • INF based installs
         – Sign the driver package catalog
    • Non INF installs
         – Sign the catalog or embed sign the kmod

     Signing Boot Start Drivers

• Boot start drivers are loaded by OS Loader
   – Start Type = 0, loaded by Winload
• Boot start driver files must be embedded signed
   – Signature contained in the binary file
   – Avoids boot time degradation locating catalog file
• Embedded sign before submitting to WHQL
   – Sign individual driver files, then submit package
   – This is a Logo requirement
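
Added example, not from the deck and not one of Microsoft's tools: a small Python parser that reads a PE image's security directory (the Attribute Certificate Table) to tell whether the file carries an embedded Authenticode signature. That is the distinction the Signing Basics and Signing Boot Start Drivers slides draw: an embedded signature lives in the binary itself, a catalog signature does not, and only the former is usable for a boot start driver. The parser reports presence only; it does not validate the PKCS#7 blob or the chain to the Microsoft root, which is what signtool verify /kp is for, and a file with no certificate table may still be covered by a signed catalog. The build_test_image helper constructs a minimal header-only image as test data; it is not a real driver.

```python
import struct

# Index of the Attribute Certificate Table ("security directory") in the
# optional header's data directory array (PE/COFF specification).
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData


def security_directory(pe):
    """Return (file_offset, size) of the certificate table, or None if the image
    has no embedded signature. Raises ValueError on a malformed header."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                     # 20-byte COFF file header
    opt = coff + 20                         # optional header starts after it
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                      # PE32 (32-bit image)
        nrva_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:                    # PE32+ (64-bit image)
        nrva_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", pe, nrva_off)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    entry = dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    # Unlike the other directories, this entry holds a raw file offset, not an RVA.
    offset, size = struct.unpack_from("<II", pe, entry)
    if offset == 0 or size == 0:
        return None
    if offset + size > len(pe):
        raise ValueError("certificate table runs past end of file")
    return offset, size


def embedded_certificates(pe):
    """Walk the WIN_CERTIFICATE entries (dwLength, wRevision, wCertificateType, data)."""
    span = security_directory(pe)
    if span is None:
        return []
    pos, end = span[0], span[0] + span[1]
    certs = []
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE at offset %d" % pos)
        certs.append({"revision": revision, "type": cert_type,
                      "blob": pe[pos + 8:pos + length]})
        pos += (length + 7) & ~7            # entries are 8-byte aligned
    return certs


def has_embedded_signature(pe):
    """True if the image carries an Authenticode signature in its own bytes.
    False does not mean 'unsigned': the file may be covered by a signed catalog,
    and True does not mean 'valid': use signtool verify /kp for the chain check."""
    return any(c["type"] == WIN_CERT_TYPE_PKCS_SIGNED_DATA
               for c in embedded_certificates(pe))


def build_test_image(cert_blob=None, pe32plus=True):
    """Constructed test data: a minimal, non-loadable PE header with an optional
    certificate table appended. cert_blob stands in for a PKCS#7 signature."""
    opt_size = 240 if pe32plus else 224     # fixed fields + 16 data directories
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, 108 if pe32plus else 92, 16)   # NumberOfRvaAndSizes
    headers_len = 64 + 4 + 20 + opt_size
    table = b""
    if cert_blob is not None:
        length = 8 + len(cert_blob)
        table = struct.pack("<IHH", length, WIN_CERT_REVISION_2_0,
                            WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
        table += b"\0" * (-len(table) % 8)
        dd = (112 if pe32plus else 96) + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", opt, dd, headers_len, len(table))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
```

On a real driver you would pass the file's bytes to has_embedded_signature; a boot start driver that returns False here will not satisfy Winload regardless of what catalogs the package ships.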

Development Workflow

              Release Signing for INF Based Installs

   • Driver package contains .inf, .sys, .cat files

   • Sign the .cat with SignTool (angle-bracket values are placeholders for your
     SPC subject name, timestamp server URL and catalog file name)
       SignTool sign /v /ac MSCV-VSClass3.cer /s my /n "<SPC subject name>" /t <timestamp URL> <package>.cat

   • If submitting to WHQL for Logo driver binaries
     signing program
        – WHQL will sign your catalog
        – Don’t forget to embedded sign boot start binaries with SPC
          before submitting to WHQL

      Release Signing for non-INF Installs

• Two options available
   – Embedded signing
      • Embedded sign binaries directly
      • Works with no changes to current install mechanisms
      SignTool sign /v /ac MSCV-VSClass3.cer /s my /n "<SPC subject name>" /t <timestamp URL> toaster.sys
      (angle-bracket values are placeholders for your SPC subject name and timestamp server URL)
   – Catalog signing
       • Create a catalog and sign catalog using SPC
       • Install package contains other binaries whose integrity you want to protect
       • Must install catalog as part of install process

      Test signing
• Signing machine
   – Create a test certificate with makecert.exe (angle-bracket values are placeholders)
        • makecert -sr localMachine -ss PrivateCertStore -n "CN=<test cert name>" testcert.cer
   – Signing a catalog with the test certificate
        • SignTool sign /v /s PrivateCertStore /n "<test cert name>" /t <timestamp URL> <package>.cat
   – Embedded signing with the test certificate
        • SignTool sign /v /s PrivateCertStore /n "<test cert name>" /t <timestamp URL> <kmod>.sys
• Test machine
   – Add the test certificate to the trusted publisher store and the root store
        • certmgr /add /c /s /r localMachine CA /n "Root Agency" /s /r localMachine root
        • certmgr.exe -add testcert.cer -s -r localMachine trustedpublisher
   – Enable test-signed code to load using the BCD option
        • bcdedit.exe /set TestSigning on

     Verifying the Signature

• Is the kmod signed to the right root?
   – Catalog signing (<package>.cat is a placeholder for the signed catalog)
      • SignTool verify /kp /v /c <package>.cat toaster.sys
   – Embedded signing
      • SignTool verify /kp /v toaster.sys

      Installation

• PnP Install
  – Install is the same – use the INF to install
• Non-PnP Install
  – Embedded signature for the kernel module
     • No change to the installation process
  – Catalog signature
     • Catalogs must be installed

    Diagnosis Steps

• Common symptom
  – Installed the driver through PnP
  – Driver will not load – error code 39
• Diagnosis steps
  – Is it mandatory signing that is causing the problem?
  – Is the kmod signed correctly?

    Is it mandatory signing that is causing the problem?

• Check the audit log and event log for image
  verification failures
• Run eventvwr.exe
  – Audit log
     • Event Viewer -> Global Logs -> Security
        – Event ID = 5038
  – Event log
     • Event Viewer -> Application Logs -> Microsoft ->
       Windows -> CodeIntegrity
        – Event ID = 3004
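
Added example, not part of the original deck: triage logic over the two Code Integrity events the Diagnosis slides name (Security event 5038 and CodeIntegrity/Operational event 3004). The SAMPLE_EVENTS records are constructed with a simplified shape (time, log, id, message); entries exported from Event Viewer carry more fields, and the message wording here is illustrative. The code groups failures by image path and answers the first diagnosis question for a given kmod: is mandatory signing what is stopping it from loading?

```python
import re
from collections import defaultdict

# The two events the deck tells you to look for, keyed by (log name, event id).
CODE_INTEGRITY_EVENTS = {
    ("Security", 5038): "audit: image hash or signature failed verification",
    ("Microsoft-Windows-CodeIntegrity/Operational", 3004): "image blocked: no valid signature",
}

# Kernel-mode images are reported with NT device paths; pull the path out of the text.
IMAGE_PATH_RE = re.compile(r"\\Device\\HarddiskVolume\d+\\\S+?\.(?:sys|dll)", re.IGNORECASE)

# Constructed sample records (simplified shape; message text is illustrative).
SAMPLE_EVENTS = [
    {"time": "2007-01-10T09:12:01", "log": "Security", "id": 4624,
     "message": "An account was successfully logged on."},
    {"time": "2007-01-10T09:12:44", "log": "Security", "id": 5038,
     "message": r"Code integrity determined that the image hash of a file is not valid. "
                r"File Name: \Device\HarddiskVolume1\Windows\System32\drivers\toaster.sys"},
    {"time": "2007-01-10T09:12:44", "log": "Microsoft-Windows-CodeIntegrity/Operational", "id": 3004,
     "message": r"Windows is unable to verify the image integrity of the file "
                r"\Device\HarddiskVolume1\Windows\System32\drivers\toaster.sys because "
                r"file hash could not be found on the system."},
    {"time": "2007-01-10T09:15:02", "log": "Microsoft-Windows-CodeIntegrity/Operational", "id": 3004,
     "message": r"Windows is unable to verify the image integrity of the file "
                r"\Device\HarddiskVolume1\Windows\System32\drivers\other.sys because "
                r"file hash could not be found on the system."},
]


def code_integrity_failures(events):
    """Keep only the two Code Integrity events and group them by image path."""
    failures = defaultdict(list)
    for ev in events:
        kind = CODE_INTEGRITY_EVENTS.get((ev["log"], ev["id"]))
        if kind is None:                      # unrelated event, e.g. a logon
            continue
        m = IMAGE_PATH_RE.search(ev["message"])
        image = m.group(0).lower() if m else "<image path not found in message>"
        failures[image].append({"time": ev["time"], "id": ev["id"], "kind": kind})
    return dict(failures)


def is_signing_the_problem(events, driver_file):
    """Answer the slide's first diagnosis question for one kmod (e.g. 'toaster.sys'):
    True if any Code Integrity failure names that file. The matching records are
    returned so the next step (signtool verify /kp on that file) has its target."""
    suffix = "\\" + driver_file.lower()
    hits = {img: recs for img, recs in code_integrity_failures(events).items()
            if img.endswith(suffix)}
    return bool(hits), hits
```

A True answer means the symptom (error code 39 after a PnP install) is explained by the signing policy; the follow-up is the "Is the kmod signed correctly?" check with signtool verify /kp. A False answer with the driver still failing points away from signing, for example at the INF or the package's other files.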

Sample event log entry

      Additional Resources

• Windows Logo Program
• WHQL Test Signature Program
• Windows Platform SDK download site
• Windows Quality Online Services (Winqual)
• Code Signing Best Practices
• Driver Package Integrity during Plug and Play Device Installations in
  Windows Vista

       Additional Resources

• Code-signing for Protected Media Components in Windows Vista
• “Microsoft Cross-certificates for Windows Vista Kernel Mode Code
• “Boot Configuration Data Editor Frequently Asked Questions”
• “CryptCATAdminAddCatalog in the SDK documentation on MSDN”
• “Deploying Authenticode with Cryptographic Hardware for Secure
  Software Publishing”

      Additional Resources

• Certmgr
• MakeCat
• Makecert
• SignTool
• Windows Driver Kit (WDK)
• Debugging Tools for Windows

        Code Signing Glossary

•   Code Signing - Digitally signing software to ensure its integrity and provide
    assurance of its origin
•   Code Sign with cross-certificate – Digitally sign software and include a cross-
    certificate issued by Microsoft for the issuing CA in the signature
•   Signed by Microsoft – The certificate used to code sign the product is issued to
    Microsoft. Products signed by Microsoft can include:
      – Windows Vista Inbox drivers, Drivers approved by WHQL
      – Premium logo program, Basic logo program, Unclassified products
•   Self-signed – The certificate used to sign the code is generated by makecert.exe
    and not through a commercial CA
•   Catalog signed - Code signing method which applies the certificate to a catalog
    file, rather than directly to the binary
•   Embedded signed - Code signing method which applies the certificate directly to a
    binary file
•   Certificate - A digitally signed statement, typically an X.509 format, that contains
    information about an entity and the entity's public key, thus binding these two
    pieces of information together. A certificate is issued by a trusted organization (or
    entity) called a certification authority (CA).

Signing Infrastructure

              General Principles (part 1)

    • Secure Private Key
          – Smart Card or Hardware Security Module (HSM)
          – Floppy / USB storage is not recommended
    • Physical Security for signing environment
          – Security cameras, vault / safe, etc…
          – Limit access to small set of trusted employees
    • Accountability in code signing approval process
          – Need a quorum (>2) before signing code
    • Maintain audit trail for 3 years
          – Log Date, Binaries, Signer, Approver(s), etc…

Signing Infrastructure

              General Principles (part 2)

    • Release SPC for public releases only
          – For Kernel mode drivers only
    • Test signing during development phase
          – Test certificates available to project team
          – Allows testing of private binaries
          – Exercises relevant code paths
    • Automated processes must be secured
          – Access to automation = ability to sign code
          – Requires Authentication, Access control, Auditing
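
Added example (illustrative policy code, not Microsoft's signing tooling): a Python model of the approval gate the two General Principles slides describe. Approvals are bound to the SHA-256 of the exact binary, a signer needs more than two distinct approvers (the deck's quorum) before the signing operation runs, only authorised identities may operate the key or approve, and every decision, granted or denied, lands in an audit record with date, binary hash, signer and approvers. The do_sign callable stands in for the real signing step (signtool with the SPC on an HSM) and is an assumption of this example.

```python
import hashlib
from datetime import datetime, timezone

QUORUM = 3   # the deck asks for a quorum of more than two approvers


class SigningGate:
    """Approval gate in front of a release signing key (illustrative policy
    object; the real signing step is whatever do_sign wraps, e.g. signtool
    against an SPC held on an HSM)."""

    def __init__(self, signers, approvers):
        self.signers = set(signers)        # identities allowed to operate the key
        self.approvers = set(approvers)    # identities allowed to approve a build
        self.pending = {}                  # binary digest -> set of approvers
        self.audit = []                    # append-only trail: keep it for 3 years

    @staticmethod
    def digest(binary):
        """Approvals bind to the exact bytes: any rebuild needs fresh sign-off."""
        return hashlib.sha256(binary).hexdigest()

    def _log(self, action, **fields):
        entry = {"date": datetime.now(timezone.utc).isoformat(), "action": action}
        entry.update(fields)
        self.audit.append(entry)

    def approve(self, binary, approver):
        """Record one approval; returns the number of distinct approvers so far."""
        d = self.digest(binary)
        if approver not in self.approvers:
            self._log("approve-denied", who=approver, binary=d)
            raise PermissionError("%s is not an authorised approver" % approver)
        self.pending.setdefault(d, set()).add(approver)   # same person twice counts once
        self._log("approve", who=approver, binary=d, count=len(self.pending[d]))
        return len(self.pending[d])

    def check(self, binary, signer):
        """Reason the signing request would be refused, or None if it may proceed."""
        approvers = self.pending.get(self.digest(binary), set())
        if signer not in self.signers:
            return "%s may not operate the release key" % signer
        if len(approvers) < QUORUM:
            return "quorum not reached: %d of %d approvals" % (len(approvers), QUORUM)
        return None

    def sign(self, binary, signer, do_sign):
        """Run do_sign(binary) only once the gate passes; log either outcome."""
        d = self.digest(binary)
        reason = self.check(binary, signer)
        if reason is not None:
            self._log("sign-denied", who=signer, binary=d, reason=reason)
            raise PermissionError(reason)
        result = do_sign(binary)
        self._log("sign", who=signer, binary=d, approvers=sorted(self.pending.pop(d)))
        return result
```

Because the gate keys approvals on the digest, consuming them on a successful signing and never carrying them over to a rebuilt binary, an automated pipeline that can call sign() still cannot release-sign anything the approvers have not seen, which is the point of the "access to automation = ability to sign code" line.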
