none
Security Configurations on WEC7? RRS feed

  • Question

  • I want to ensure that only binaries signed with a CA-issued certificate can be executed. Unsigned binaries should never be executed. With Windows Mobile 6 devices, one could use the Visual Studio Device Security Manager to deploy a security configuration that does exactly this.

    This doesn't seem to work with my WEC7 device (I tried a home-built Virtual PC image) and I don't see any setting in Platform Builder that would allow me to enable support for Windows-Mobile-6-style security configurations.

    Are security configurations even supported at all on WEC 7? If yes, how do I build a Virtual PC image that supports them? If no, how can I achieve that unsigned binaries are rejected?

    Thanks!

    Wednesday, March 16, 2011 3:26 PM

All replies

  • Is Security Loader (SYSGEN_LVMOD) the one you need? http://msdn.microsoft.com/en-us/library/gg155695(WinEmbedded.70).aspx
    Wednesday, March 16, 2011 8:45 PM
  • Hi

    Thanks for your answer!

    Is Security Loader (SYSGEN_LVMOD) the one you need? http://msdn.microsoft.com/en-us/library/gg155695(WinEmbedded.70).aspx


    Unfortunately SYSGEN_LVMOD is way too restrictive, because it requires that the certificate is installed on the device. For me it would be sufficient if binaries are signed with any CA-issued certificate.

    Regards,

    Andreas

    Thursday, March 17, 2011 9:02 AM
  • In WM6, you still need to enroll the cert. Note for WM6 devices, many certs are already installed by default.
    Thursday, March 17, 2011 5:36 PM
  • Hi Andreas

    The Windows Mobile security model works basically  the same way as the Compact 7 Security Loader. They both require certs to be installed on the device. The big difference is that WM 6.x has a number of certs included in the OS (See "Certificate Management" Tab in the Device Security Manager).

    In Compact 7, the Security Loader is the only option we have "out of the box".

    An other way would be to write a filesystem filter driver that performs the validation when OS tries to load the execuable from the file system. Eg. fail "CreateFile" if the binary is not properly signed.

    Michael


    MVP Windows Embedded
    Thursday, March 17, 2011 10:28 PM