Xen project Mailing List

Re: [win-pv-devel] Windows 2008 boot problems with signed pv drivers 8.2

To: 'Peter Milesson' <miles@xxxxxxxx>, "win-pv-devel@xxxxxxxxxxxxxxxxxxxx" <win-pv-devel@xxxxxxxxxxxxxxxxxxxx>

From: Paul Durrant <Paul.Durrant@xxxxxxxxxx>

Date: Tue, 27 Jun 2017 10:14:29 +0000

Accept-language: en-GB, en-US

Delivery-date: Tue, 27 Jun 2017 10:14:35 +0000

List-id: Developer list for the Windows PV Drivers subproject <win-pv-devel.lists.xenproject.org>

Thread-index: AQHS7q/bvLDNhCTcQ0Ol8v+02uappKI4faew

Thread-topic: [win-pv-devel] Windows 2008 boot problems with signed pv drivers 8.2

> -----Original Message----- > From: win-pv-devel [mailto:win-pv-devel-bounces@xxxxxxxxxxxxxxxxxxxx] On > Behalf Of Peter Milesson > Sent: 26 June 2017 20:10 > To: win-pv-devel@xxxxxxxxxxxxxxxxxxxx > Subject: [win-pv-devel] Windows 2008 boot problems with signed pv drivers > 8.2 > > Hi folks, > > I had to install a DomU Windows 2008 server x64 SP2, to replace parts of > the functionality of a physical server that suddenly died. I know it's > old stuff, but this is needed in the meantime, until I get new servers. > > After installing all the Windows updates (around 230), I downloaded and > installed the signed Windows PV drivers ver. 8.2, starting with xenbus, > and following up with xenif, xenvbd, xenvif, and xennet. After reboot of > the DomU, Windows Boot Manager window popped up after a while, saying: > > Windows failed to start. A recent hardware or software change blah, > blah, blah... > > In the lower part of the screen it says: > > File: \Windows\system32\DRIVERS\xenbus.sys > > Status: 0xc0000428 > > Info: Windows cannot verify the digital signature for this file. > > Pressing Enter and booting with advanced options, I choose Disable > Driver Signature Enforcement, and the OS boots normally. > > I've tried to use the common tricks for unsigned, or test signed > drivers, but that has got no effect whatsoever. I use the same signed > drivers successfully with Windows 7, and Windows 10. > > Anybody got an idea, how I can get it to boot without manual > intervention each time? Peter, Unfortunately this is because Windows Server 2008 does not support anything other than SHA-1 code signing, and the 8.2 drivers are SHA-256 signed. (There are various web pages with information about this... https://www.globalsign.com/en/blog/microsoft-announces-updates-sha-1-code-signing-policy/ seems like a good example). To work around the problem you could try enabling test-signing... that should stop windows requiring a chain of trust for boot-start drivers without you needing to manually intervene on each boot. Cheers, Paul > > Best regards, > > Peter > > > > _______________________________________________ > win-pv-devel mailing list > win-pv-devel@xxxxxxxxxxxxxxxxxxxx > https://lists.xenproject.org/cgi-bin/mailman/listinfo/win-pv-devel _______________________________________________ win-pv-devel mailing list win-pv-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/cgi-bin/mailman/listinfo/win-pv-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.