Re: [Xen-users] Disabling driver signature enforcement for Windows DomUs

["Fajar A. Nugraha" <fajar@xxxxxxxxx>]

On Thu, May 7, 2009 at 12:37 AM, Adam Wead <awead@xxxxxxxxxxx> wrote:
>  Here's a breakdown of what I did:
>
> - started with clean install of Windows Server 2008 Enterprise (64-bit)
> - installed latest GplPV drivers, verified everything was working with the
> driver enforcement enabled at each boot

Which version did you use?
I tried 0.10.0.47, then upgrading to 0.10.0.55 (which SHOULD be safe),
but ended up destroying my Windows installation :P
Good thing it was a test instance. That's part of the reason why most
of my Windows deployment still use 0.9.12-pre13 (at least until I can
test a safe way to upgrade them).

> - as per DSEO instructions, disabled all User Account Controls via windows
> secpol.msc snap-in
> - installed DSEO and enabled test mode
> - reboot
> - GplPV drivers came up disabled, so I reinstalled the GplPV drivers, then

That's the weird part. GPLPV should already be signed with James
Harper's certificate (and looking at file properties tells me that).
But as it is, on my last test xen-vbd works but xen-net does not.

> ran DSEO and test singed each xen file under C:\Windows\system32\drivers
> which was about 4 files total

I wonder what they use for testsign. AFAIK Windows 2008 SDK's file
(which is the "official" way to do testsigning) can't be partially
redistibuted. Did they use openssl?

> - reboot
> - OS booted up without prompting for driver enforcement override
> - re-enabled the User Account Controls, and rebooted to verify that
> everything was still working
>
> I'd be curious to know if this works or not for anyone else.  For now, I'm
> moving on to do more tests on my windows DomU, and hoping that I can put the
> driver enforcement issue behind me.

Thanks for the info.

Regards,

Fajar

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users