Kernel-Mode Code Signing Requirements

Starting with Windows Vista, the kernel-mode code signing policy controls whether a kernel-mode driver will be loaded. The signing requirements depend on the version of the Windows operating system and on whether the driver is being signed for public release or by a development team during the development and test of a driver. There are also signing requirements that pertain to the installation of a PnP device and driver.

Kernel-Mode Code Signing Requirements for Public Release of a Driver

64-bit versions of Windows starting with Windows Vista

The kernel-mode code signing policy requires that a kernel-mode driver be signed as follows:

  • A kernel-mode boot-start driver must have an embedded Software Publisher Certificate (SPC) signature. This applies to any type of PnP or non-PnP kernel-mode boot-start driver.

  • A non-PnP kernel-mode driver that is not a boot-start driver must have either a catalog file with an SPC signature or an embedded SPC signature in the driver file.

  • A PnP kernel-mode driver that is not a boot-start driver must have either an embedded SPC signature, a catalog file with a WHQL release signature, or a catalog file with an SPC signature. Although the kernel-mode code signing policy does not require that the catalog file of a PnP driver be signed, PnP device installation treats a driver as signed only if the catalog file of the driver is also signed.

32-bit versions of Windows

Windows Vista and later versions of Windows enforce the kernel-mode driver signing policy only for the following drivers:

Kernel-Mode Code Signing Requirements during Development and Test

64-bit versions of Windows starting with Windows Vista

The kernel-mode code signing policy requires that a kernel-mode driver be test-signed and that test-signing be enabled. A test signature can be a WHQL test signature or a signature generated in-house with a test certificate. Drivers must be test-signed as follows:

  • A kernel-mode boot-start driver must have an embedded test signature. This applies to any type of PnP or non-PnP kernel-mode driver.

  • A kernel-mode driver that is not a boot-start driver must have either a test-signed catalog file or an embedded test signature in the driver file. This applies to any type of PnP or non-PnP kernel-mode driver.
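The release and test-signing lists above share one shape: a boot-start driver needs an embedded signature, while any other kernel-mode driver may carry an embedded or a catalog signature. The following audit script is an added example, not Microsoft's code. It assumes Windows PowerShell 5.1 or later, where `Get-AuthenticodeSignature` reports a `SignatureType` of `Authenticode` (embedded) or `Catalog`; the function names `Test-DriverSigningRule` and `Get-DriverSigningAudit` are hypothetical.

```powershell
# Added example (not Microsoft's code). Get-AuthenticodeSignature applies the
# general Authenticode trust policy, not the kernel's own check, so treat a
# failure here as a prompt for closer inspection rather than a load verdict.
# Assumption: SignatureType reflects the signature PowerShell selected for the
# file; a file that has both forms is reported under only one of them.

function Test-DriverSigningRule {
    param(
        [bool]$BootStart,
        [string]$SignatureType,   # None | Authenticode (embedded) | Catalog
        [string]$Status           # Valid, NotSigned, HashMismatch, ...
    )
    if ($Status -ne 'Valid') { return $false }
    # Boot-start drivers: an embedded signature is the only accepted form.
    if ($BootStart) { return $SignatureType -eq 'Authenticode' }
    # All other kernel-mode drivers: embedded or catalog signature.
    return $SignatureType -in @('Authenticode', 'Catalog')
}

function Get-DriverSigningAudit {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # Some entries carry an NT-style "\??\" prefix; strip it.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { return }
            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            $boot = $_.StartMode -eq 'Boot'
            [pscustomobject]@{
                Driver        = $_.Name
                StartMode     = $_.StartMode
                SignatureType = $sig.SignatureType
                Status        = $sig.Status
                MeetsRule     = Test-DriverSigningRule -BootStart $boot `
                                    -SignatureType $sig.SignatureType `
                                    -Status $sig.Status
                Path          = $path
            }
        }
}

# List drivers that do not satisfy the rule for their start type.
Get-DriverSigningAudit | Where-Object { -not $_.MeetsRule } |
    Sort-Object StartMode, Driver | Format-Table -AutoSize
```

On a test machine, a test-signed driver reports `Valid` only if the test certificate is trusted on that machine.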

32-bit versions of Windows

Windows Vista and later versions of Windows enforce the kernel-mode driver signing policy only for the following drivers:

 

 

© 2014 Microsoft