From: Wolfgang Moser on 16 Dec 2006 16:12

Payton Byrd wrote:
> Spiro Trikaliotis wrote:
>> Hello,
>>
>> Payton Byrd wrote:
>>
>>> Groepaz wrote:
>>>> Wolfgang Moser wrote:
>>>>
>>>>> I always thought that Vista won't accept uncertified,
>>>>> or better said, unsigned drivers.
>>>> afaik they only did that for the 64bit version
>>>>
>>> That's correct, however, you can sign the driver yourself.
>>
>> Yes, if you spend $500 p.a. for the needed VeriSign certificate, you can
>> sign your driver yourself.
>>
>> BTW: VeriSign would not give some certificates in some countries. Thus,
>> if you live in such a country, you're out of the game.
>>
>> You can use other signed certificates if you run user-mode drivers, but
>> for kernel-mode drivers, you need a certificate which is allowed by MS.
>>
>> Regards,
>> Spiro.
>>
>
> Did the Daemon Tools guys pay for their cert? I don't think so because
> Vista warned me that it was a self-generated certificate. I think they
> just made a new certificate using Microsoft's tools and signed the driver.

so this results in an uncertified driver since the
driver certifier cannot be considered to be an
authoritative issuer, because of a broken or not
given certificate chain up to an authoritative
certificates issuer.

So how is it with Vista? Does it let the user (the
one installing a new driver) decide to install a
driver with a broken certificate chain? Does it not
stumble over the broken certificate chain on every
reboot?

Whatever it comes to in the end, if we manage to
find a way to make self-written drivers work and
install under Vista fine, the users get lucky.
Of course, this is needed for 64-bit Vista only and
may end up in patching in another root certificate
authority into Vista so that [..., I told about
that already].

Womo

Some references (not ordered):
http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx#E4C
http://www.daemon-tools.cc/dtcc/showthread.php?t=9298
http://forums.guru3d.com/showthread.php?t=204533
http://www.daemon-tools.cc/dtcc/archive/windows-vista-x64-require-signed-t9357.html

From: Spiro Trikaliotis on 17 Dec 2006 07:28

Hello,

Payton Byrd wrote:

> Spiro Trikaliotis wrote:

>> You can use other signed certificates if you run user-mode drivers, but
>> for kernel-mode drivers, you need a certificate which is allowed by MS.

> Did the Daemon Tools guys pay for their cert?

I don't know the Daemon Tools (never used them), but from what I
understand, these are hardware-less drivers. Such drivers are perfectly
suited for user-mode drivers, thus, I expect this to be the reason why
it worked out.

Deciding from all information I have (but not first-hand experience), it
is not possible to use a non-MSFT-"allowed" signature to install
kernel-mode drivers. If anyone has a definitive source for some contrary
opinion, please let me know.

BTW: With Vista before RTM, it was possible to do this (for debugging
purposes). I only speak about RTM.

Oh, and I totally forgot: I am ONLY speaking about Vista 64bit! With
Vista 32bit, this reasoning does NOT apply! It seems I confused this
again.

Regards,
Spiro.

--
Spiro R. Trikaliotis
http://opencbm.sf.net/
http://www.trikaliotis.net/
http://www.viceteam.org/

From: Payton Byrd on 18 Dec 2006 15:58

Wolfgang Moser wrote:
> Payton Byrd wrote:
>> Spiro Trikaliotis wrote:
>>> Hello,
>>>
>>> Payton Byrd wrote:
>>>
>>>> Groepaz wrote:
>>>>> Wolfgang Moser wrote:
>>>>>
>>>>>> I always thought that Vista won't accept uncertified,
>>>>>> or better said, unsigned drivers.
>>>>> afaik they only did that for the 64bit version
>>>>>
>>>> That's correct, however, you can sign the driver yourself.
>>>
>>> Yes, if you spend $500 p.a. for the needed VeriSign certificate, you can
>>> sign your driver yourself.
>>>
>>> BTW: VeriSign would not give some certificates in some countries. Thus,
>>> if you live in such a country, you're out of the game.
>>>
>>> You can use other signed certificates if you run user-mode drivers, but
>>> for kernel-mode drivers, you need a certificate which is allowed by MS.
>>>
>>> Regards,
>>> Spiro.
>>>
>>
>> Did the Daemon Tools guys pay for their cert? I don't think so
>> because Vista warned me that it was a self-generated certificate. I
>> think they just made a new certificate using Microsoft's tools and
>> signed the driver.
>
> so this results in an uncertified driver since the
> driver certifier cannot be considered to be an
> authoritative issuer, because of a broken or not
> given certificate chain up to an authoritative
> certificates issuer.
>
> So how is it with Vista? Does it let the user (the
> one installing a new driver) decide to install a
> driver with a broken certificate chain? Does it not
> stumble over the broken certificate chain on every
> reboot?
>
> Whatever it comes to in the end, if we manage to
> find a way to make self-written drivers work and
> install under Vista fine, the users get lucky.
> Of course, this is needed for 64-bit Vista only and
> may end up in patching in another root certificate
> authority into Vista so that [..., I told about
> that already].
>

I get the sense from the forum that the Daemon Tools guys probably
bought a certificate.

I have a Vista x64 installation here if you want to run any experiments.

>
> Womo
>
> Some references (not ordered):
> http://www.microsoft.com/whdc/winlogo/drvsign/crosscert.mspx#E4C
> http://www.daemon-tools.cc/dtcc/showthread.php?t=9298
> http://forums.guru3d.com/showthread.php?t=204533
> http://www.daemon-tools.cc/dtcc/archive/windows-vista-x64-require-signed-t9357.html
>

From: Payton Byrd on 18 Dec 2006 16:20

Spiro Trikaliotis wrote:
> Hello,
>
> Payton Byrd wrote:
>
>> Spiro Trikaliotis wrote:
>
>>> You can use other signed certificates if you run user-mode drivers, but
>>> for kernel-mode drivers, you need a certificate which is allowed by MS.
>
>> Did the Daemon Tools guys pay for their cert?
>
> I don't know the Daemon Tools (never used them), but from what I
> understand, these are hardware-less drivers. Such drivers are perfectly
> suited for user-mode drivers, thus, I expect this to be the reason why
> it worked out.

They definitely use Kernel Mode drivers. Daemon Tools tries to
perfectly emulate a drive so that commercial anti-copy programs don't
detect it.

>
> Deciding from all information I have (but not first-hand experience), it
> is not possible to use a non-MSFT-"allowed" signature to install
> kernel-mode drivers. If anyone has a definitive source for some contrary
> opinion, please let me know.

Vista x64 allows you to boot into a "testing" mode as Microsoft
calls it. This is done by hitting F8 during startup and selecting the
option to disable the enforcement of signed kernel mode drivers. Even
though this would not be the preferred way to run Vista, if you have a
short period of time during which you want to use an unsigned driver,
this could be an option. It's definitely better than booting up in DOS.

One thing that intrigues me is that you can get a certificate from
several companies that are trusted by Microsoft and deploy drivers
that are not completely Windows Logo compliant (i.e., they are untested
for functionality). The certificate is just a means of validating the
publisher of the driver. It's feasible to think that one might be able
to put together an LLC and act as a publisher for projects like this
that need to publish low-volume special interest drivers. I'm sure
there are enough benefactors in the Open Source community to fund such a
clearing house.

>
> BTW: With Vista before RTM, it was possible to do this (for debugging
> purposes). I only speak about RTM.
>
> Oh, and I totally forgot: I am ONLY speaking about Vista 64bit! With
> Vista 32bit, this reasoning does NOT apply! It seems I confused this
> again.
>
> Regards,
> Spiro.
>
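
Added example, not part of the thread and not written by any of its participants: a PowerShell check that lists driver files whose signature is missing or whose signer certificate does not chain to a root trusted on the local machine, which is the "broken certificate chain" case raised above. The default directory and the function name Get-DriverChainReport are assumptions, and the chain is built against the local user-mode certificate store, which is not a claim about what the Vista x64 kernel loader accepts.

```powershell
# Added example: report Authenticode status and signer chain for driver files.
param(
    # Assumption: the standard driver directory; pass another path to audit a package.
    [string]$DriverDir = "$env:SystemRoot\System32\drivers"
)

function Get-DriverChainReport {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $report = [ordered]@{
        File        = Split-Path $Path -Leaf
        Status      = $sig.Status      # e.g. Valid, NotSigned, UnknownError
        Signer      = $null
        SelfSigned  = $null
        Root        = $null
        ChainErrors = @()
    }

    # Only an embedded signature yields a signer certificate here; files signed
    # solely through a catalog may show as NotSigned, depending on the PowerShell version.
    $cert = $sig.SignerCertificate
    if ($null -eq $cert) { return [pscustomobject]$report }

    $report.Signer     = $cert.Subject
    $report.SelfSigned = ($cert.Subject -eq $cert.Issuer)

    # Build the chain offline (no revocation lookups) against the local stores.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($cert)

    if ($chain.ChainElements.Count -gt 0) {
        $last = $chain.ChainElements[$chain.ChainElements.Count - 1]
        $report.Root = $last.Certificate.Subject   # top-most certificate found
    }
    # UntrustedRoot or PartialChain here is the "broken chain" situation.
    $report.ChainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status })
    return [pscustomobject]$report
}

Get-ChildItem -Path $DriverDir -Filter *.sys |
    ForEach-Object { Get-DriverChainReport -Path $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' -or $_.ChainErrors.Count -gt 0 } |
    Format-Table File, Status, SelfSigned, Root, ChainErrors -AutoSize
```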