Win 10/2016 Driver Signing of non-pnp software only drivers

  • Question

  • Hi,

    I am looking for a page or explanation of how one is able to get a non-pnp software only driver signed for use on Windows 10 / 2016 Secure Boot. Attestation will not support Windows 2016 from what I have read and it does not seem like WHQL supports software only drivers. How do I get a software only driver to run on Windows 2016 / 10 with secure boot? 

    I did see this post from 3 years ago but what I have asked above did not seem to be answered.

    https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/5c53dd30-5d09-4c6f-8f59-bb4357060d7a/windows-10-driver-signing-for-nonpnp-softwareonly-drivers?forum=wdk

    Thursday, May 31, 2018 10:01 PM

Answers

  • There is an interesting "back door" situation to this.

    The only reason that "attestation signing" only supports Windows 10 is that it marks the CAT file that way.  The signatures themselves are identical to WHQL.  With a non-PnP driver, you won't be using the CAT file.  If you submit your non-PnP driver through attestation using a fake INF file, the SYS file will be Microsoft-signed, indistinguishable from a SYS file that passed through the WHQL process.

    Whether this back door is intentional or accidental, I believe this is the right solution for Server 2016.


    Tim Roberts, Driver MVP Providenza & Boekelheide, Inc.

    Friday, June 1, 2018 12:50 AM

All replies

  • Tim,

    I had essentially the same problem but specific to Windows 10. I tried as you suggested submitting for Attested signing with a fake INF file, and that worked (thanks very much for the suggestion). When I tried to install the signed driver with the real .inf, it failed saying the driver was not signed.  I put the signed .cat file in the same directory as the signed driver and real INF file, and then the driver did install, but with a dialog box indicating the driver was not signed, and that it could not determine the origin, but allowing the user to override.

    There is an error and a warning message in the setupapi.dev.log file.
    Error: "Driver package INF file hash is not present in catalog file. Filename = XXX.inf, Error = 0xE000024B"
    Warning: "Driver package appears to be tampered, but user wants to install it anyway"

    Any suggestions on how to get a less intimidating warning message during install (it does not even provide the name of the file signer) or to get rid of the error reported in the log would be greatly appreciated.

    Thanks,

    Harry

    Wednesday, June 27, 2018 5:28 PM
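An added check, not code from the thread or from any of its participants, that a practitioner can run against a driver package folder before installing it: it lists the Authenticode signer of each binary (the "Microsoft-signed SYS file" the accepted answer describes) and reports which files the package's .cat actually covers, which is the condition behind the 0xE000024B line Harry quotes from setupapi.dev.log. It assumes Windows PowerShell 5.1 or later (for Get-AuthenticodeSignature and Test-FileCatalog) and a folder containing the .inf, the .sys file(s) and exactly one .cat; the path in the usage comment is a placeholder.

```powershell
# Added example, not code from the thread. Reports who signed each binary in a
# driver package folder and which files the package's .cat actually covers.
# Assumptions: Windows PowerShell 5.1+ (Get-AuthenticodeSignature, Test-FileCatalog);
# $PackageDir holds the .inf, the .sys file(s) and exactly one .cat.
function Get-DriverPackageTrust {
    param([Parameter(Mandatory)] [string] $PackageDir)

    $cat = Get-ChildItem -Path $PackageDir -Filter *.cat -File | Select-Object -First 1
    if (-not $cat) { throw "No .cat file found in $PackageDir" }

    # 1. Embedded Authenticode signature on each .sys and on the catalog itself.
    #    Attestation- and WHQL-signed binaries both chain to a Microsoft signer,
    #    which is the point the accepted answer makes about the SYS file.
    $signatures = Get-ChildItem -Path $PackageDir -File |
        Where-Object { $_.Extension -in '.sys', '.cat' } |
        Get-AuthenticodeSignature |
        Select-Object @{ n = 'File';   e = { Split-Path $_.Path -Leaf } },
                      Status,
                      @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }

    # 2. Hash coverage. setupapi.dev.log's "INF file hash is not present in
    #    catalog file" (0xE000024B) means the .inf is missing from this list,
    #    which is what happens when the .cat was produced against a different INF.
    $result = Test-FileCatalog -CatalogFilePath $cat.FullName -Path $PackageDir `
                               -FilesToSkip $cat.Name -Detailed
    $coverage = foreach ($entry in $result.PathItems.GetEnumerator()) {
        # Catalog entries are keyed by the name recorded in the .cat; compare case-insensitively.
        $key = $result.CatalogItems.Keys | Where-Object { $_ -ieq $entry.Key } | Select-Object -First 1
        [pscustomobject]@{
            File          = $entry.Key
            HashInCatalog = [bool]$key -and ($result.CatalogItems[$key] -ieq $entry.Value)
        }
    }

    [pscustomobject]@{
        Catalog       = $cat.Name
        CatalogStatus = $result.Status          # Valid / ValidationFailed
        HashAlgorithm = $result.HashAlgorithm
        Signatures    = $signatures
        Coverage      = $coverage
    }
}

# Usage (placeholder path):
# $r = Get-DriverPackageTrust -PackageDir 'C:\drivers\mydriver'
# $r.Signatures | Format-Table; $r.Coverage | Format-Table
```

A package whose .inf shows HashInCatalog = False will install only with the "tampered" override Harry describes, regardless of how the .sys itself is signed.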
  • Tim,

    It took me some time to get back to this as we needed to obtain an EV certificate, dev portal changed, etc. Thanks for your earlier reply.

    Can you describe or give an example of what sections and values are needed within the fake INF file? I tried submitting one INF and it complained about a missing CLASS within the Version section. I would just like to know what pieces are required to submit a non-PnP for attestation signing.


    • Edited by JDMach Thursday, March 14, 2019 5:22 PM
    Thursday, March 14, 2019 5:21 PM