Information
Switch
Switch
The topic you requested is included in another documentation set. For convenience, it's displayed below. Choose Switch to see the topic in its original location.
1 out of 4 rated this helpful - Rate this topic

How to Release-Sign File System Drivers

Updated: April 23, 2008

Kernel-mode driver binaries for 64-bit versions of Windows Server 2008 and Windows Vista must be signed, or Windows will not load the binary. This requirement applies to file system drivers, including minifilters, legacy filters, and redirectors. Some drivers can meet this requirement by including a signed catalog file for the driver package. However, all boot-start and system-start driver binaries must be embedded signed to improve system boot performance.

Because non-Plug and Play drivers such as file system drivers do not require a signed catalog file, the most generic approach to signing is to embedded-sign the driver binaries. This driver tip provides basic information on signing for file system drivers, including a detailed walkthrough of the embedded-release signing process.

The walkthrough is based on the Windows Driver Kit (WDK) Minispy sample, which is located in the WDK's minispy directory. For example, for the Windows Server 2008 version of the WDK, the sample is typically located at C:\WinDDK\6001\src\filesys\miniFilter\minispy.

For general background information regarding file system driver signing, see the IFS "File System Driver Signing" presentation.

Before You Start

To prepare your system:

The walkthrough uses the following terms:

Term Description
mySPCfile.spc Your public key certificate file.
myPVKfile.pvk Your private key certificate file.
myPVKpassword The password for the private key certificate file.
myCrossCert.cer The correct cross-certificate file for your SPC.
CN Value The CN value of the SPC (in the Personal certificate store).


Tip: Do not copy and paste command syntax from this content. This can result in incorrect characters in your command line.

The following procedures use the WDK's Minispy sample to demonstrate the process.

Sign the Minispy Driver

The signing operation has three basic phases:

  1. Prepare the driver and certificates.

  2. Sign the driver.

  3. Verify that the driver installs correctly.

To prepare the Minispy driver sample and the signing certificates

  1. Open a WDK build environment window with elevated privileges.

    Note: Because signing tools and signatures do not depend on the particular Windows version, you can use any WDK build environment window to sign your drivers.

  2. Use the WDK build utility to build the Minispy driver sample. For details, see "Minispy Minifilter Sample" in a local installation of the WDK documentation.

  3. Create a folder named C:\MinispyPkg and copy the driver package files—minispy.exe, minispy.sys, and minispy.inf—from the project’s target folders to MinispyPkg.

  4. Create a folder named C:\MyCerts and copy mySPCfile.spc and myPVKfile.pvk to that folder.

  5. Navigate to C:\myCerts and run the following command to convert the .pvk and .spc files to a system-usable .pfx file—myPFXfile.pfx:

                        pvk2pfx -pvk myPVKfile.pvk -pi myPVKpassword -spc mySPCfile.spc   -pfx myPFXfile.pfx -f

  6. Use Certutil to install myPFXfile.pfx into the current user's Personal certificate store by running the following command :

                        certutil -user -p myPVKpassword -importPFX IfsSPC.pfx

    Be sure to record the CN value returned by Certutil. You can also accomplish the preceding task by double-clicking the .pfx file to run the Certificate Wizard and using the wizard’s default values.

    Note: Certutil is included with Windows Vista and most Windows server operating systems, including Windows Server 2008. Certutil is not included with Windows XP, but you can copy the tool from another computer or install the Windows Server 2003 SP1 Administration Tools Pack. For more information on the Tools pack, see "Windows Server 2003 Administration Tools Pack."

To embedded-sign the Minispy driver’s binary file

  1. Navigate to c:\minispyPkg and run the following Inf2Cat command to validate the driver package’s INF file for the target Windows version:

                        inf2cat /driver:C:\minispyPkg /os:Vista_X6

  2. From c:\minispyPkg, run the following SignTool command to sign the driver binary file—minispy.sys:

                        signtool sign /v /ac c:\minispyPkg\myCrossCert.cer /s my /n "CN Value" /t http://timestamp.verisign.com/scripts/timestamp.dll minispy.sys

    Note: If you do not have the SPC’s CN value, you can obtain it from the Microsoft Management Console (MMC) Certificates plug-in. To open the plug-in, run the following command:

                        mmc certmgr.msc

  3. Validate the signature by running the following SignTool command:

                        Signtool verify /v /kp minispy.sys

    This command displays the certificate chain. The following example shows the certificate chain for a VeriSign code-signing certificate and the Microsoft/VeriSign cross-certificate:

    certificate chain

    Note that in this example, the top certificate is the one with the least indentation.

    Important: If the Microsoft Code Verification Root is not the top certificate, you have not successfully signed your binary with a cross-certificate.

To verify that the signed Minispy driver installs correctly

  1. Install the driver on a 64-bit Windows Server 2008 or Windows Vista system by right-clicking minispy.inf in Windows Explorer and then clicking Install.

  2. Load the signed driver by running the following fltmc command:

                        fltmc load minispy

    Note that the name used to load the driver ("minispy" for this example) is the ServiceName value from the driver’s INF file. You can also load the driver by running the 'net start minispy' or 'sc start minispy' commands.

  3. Verify that the signed driver has successfully loaded by running fltmc without arguments, to display the list of loaded filters:

                        fltmc

  4. Unload and uninstall the signed driver by running the following command:

                        rundll32 setupapi,InstallHinfSection DefaultUninstall 132 C:\minispyPkg\minispy.inf

    Note: To verify that the driver was successfully unloaded and uninstalled, run fltmc again.

How to Sign by Using a Hardware Security Module

Private keys are a valuable asset and should be carefully secured against compromise. A recommended practice is to keep private keys in a hardware security module (HSM). This reduces the risk of a private key becoming compromised, even if the computer on which the HSM is used becomes compromised. For details on how to manage public and private keys, see "Code-Signing Best Practices."

To sign minispy.sys when myPVKfile.pvk is stored in an HSM, run the following SignTool command:

Copy 
signtool sign /v /ac c:\minispyPkg\myCrossCert.cer /s my /n "CN Value" 



/csp "Cryptographic Service Provider Name" /kc "KeyContainerName" 



/t http://timestamp.verisign.com/scripts/timestamp.dll minispy.sys

Important: Any names that contain spaces must be in double quotes.

Note: The procedures for importing the private key to the HSM are vendor specific, as are the cryptographic service provider name and the key container name.

For more information:

Code-Signing Best Practices

How to Get the Windows Driver Kit and the Windows Logo Kit

Windows Server 2003 Administration Tools Pack

Microsoft Cross-Certificates for Windows Vista Kernel Mode Code Signing

For a video presentation of the above material (recorded January 2008 at IFS Plugfest 18), see "File System Driver Signing" (Discussion begins at time index 09:34). The slides from the presentation can be downloaded here.

For a general discussion of driver signing, see "Kernel-Mode Code Signing Walkthrough."
© 2013 Microsoft. All rights reserved.