
Re: [win-pv-devel] On the state of non-test-signed WinPV drivers



Hi,

 

  I was holding out for the possibility of the Linux Foundation agreeing to Microsoft’s attestation signing agreement, which would have allowed us to get Microsoft signatures on the drivers for Windows 10 onwards. It has become apparent that that is not going to happen so I do have a plan to cross sign drivers using the Linux Foundation EV cert, and I believe such drivers will install even on Windows 10 provided that secure boot is not enabled.

 

  Paul

 

From: win-pv-devel [mailto:win-pv-devel-bounces@xxxxxxxxxxxxxxxxxxxx] On Behalf Of Ben Chalmers
Sent: 04 July 2016 09:36
To: Stephen Oberholtzer; win-pv-devel@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [win-pv-devel] On the state of non-test-signed WinPV drivers

 

At present only test drivers are being posted.  These are signed with a certificate that has been generated by us and isn’t (and really shouldn’t be) trusted by anyone.  You can install these on Windows by turning test-signing on and installing the public test certificate on the VM... of course since the private key is being shipped in our repositories anyone could sign anything with this key... so you don’t want systems you care about even slightly using this.

 

Cross signed drivers are signed by a certificate which has a chain of trust back to a trusted certification authority, and where that certificate is cross-signed onto Microsoft’s chain of trust for drivers. These tools will (I think) install on any current version of Windows if you have installed the public certificate on those versions of Windows.  However, I also believe this may not be the case in the future for Windows 10 and 2k16.

 

If you want PV drivers which can be installed on any version of Windows without installing certificates, they have to be release signed (what used to be called ‘logo-signed’, MS seem to keep changing the name of this... it was originally called logo signing because it allowed you to put a Windows logo on your product’s box.).  For this you need to pass a number of tests from the HCK and also sign the test results with an EV certificate.  Running these tests is not a trivial process – it takes a decent chunk of time, effort and experience to get through them.

 

Generally speaking, the following is true:

 

Test signed drivers are good enough for day to day development and testing purposes.

 

Many people (who are in full control of the VMs in their network) will be happy with cross-signed drivers (and installing the certs on a golden image – or somesuch) themselves.

 

Getting release-signed drivers is a big overhead – and expensive both in terms of time and money.  You would only ever expect it to be done for fully tested release quality drivers.  At the moment, Citrix release (very slightly modified) logo-signed drivers with XenServer (including in the open source version).  These are currently 8.1 drivers – and so are up to date with the latest release-quality PV Tools.

 

The biggest bang for buck we could get at the moment would be for someone trustworthy to produce cross-signed drivers from our automated builds – that would allow you to take a build and begin using it securely.

 

Ben Chalmers

 

From: Stephen Oberholtzer
Sent: 02 July 2016 00:36
To: win-pv-devel@xxxxxxxxxxxxxxxxxxxx
Subject: [win-pv-devel] On the state of non-test-signed WinPV drivers

 

All,

I have some questions about the whole signed-drivers thing, so I hope you'll indulge me.

(1) As best as I can tell, only test-signed drivers are currently being posted. Is that correct?

(2) Test-signed is pretty clear to me, but what is the difference between release-signed and logo-signed?

(3) If I want PV drivers that can be installed on a standard Windows installation without any hassle, do they need to be release-signed or logo-signed?

(4)  What do you guys need in order to be able to distribute #3?   What can I do to help?

I searched around, and it looks like the following are needed:

* Windows Hardware Developer Center Dashboard portal account (no idea how much this costs)

* An appropriate EV certificate

** GlobalSign - $410/yr, $760 for 2 years, or $950 for 3 years

** DigiCert - $449/yr, $798 for 2 years, or $993 for 3 years

** Entrust - $399/yr, no multiyear discount (so best value for 1 year but that's it)

* To get an EV certificate, you need a legally-recognized entity (which can be a full-blown corporation or an LLC)

* Then you need to run some tests and submit them to Microsoft and their system signs the drivers on your behalf.

 

 

--

-- Stevie-O
Real programmers use COPY CON PROGRAM.EXE
