Deploy an Application on an OS with Security Loader (Compact 2013)

3/26/2014

The Security Loader, also known as the Loader Verifier Module (LVMOD), is an authentication mechanism in Windows Embedded Compact that helps protect the integrity of the device by making sure that portable executable (PE) and cabinet files are fully trusted before it enables these files to run. If the OEM has enabled the Security Loader on the OS for which you are writing applications, you must sign the applications before they can run on the OS. You can run applications that are not included in a Security Loader-enabled OS run-time image on a device by following the process described in this topic.

Any device-side application that is not included in the Security Loader-enabled OS run-time image must be accompanied by a signed digital authentication certificate when you deploy it on a device. Otherwise, Security Loader will not permit the application to run on the device. For more information about certificates, see Digital Certificates.

Code signing enforcement is implemented by a component known as Code Integrity. The certificate that is used to sign the binary must be included in the Code Integrity certificate store of the device to be trusted by Security Loader. You add certificates to the Code Integrity store by exporting certificates to a Public Key Cryptography Standards (PKCS) #7 file and then adding the PKCS #7 file to your OS image build.

PKCS #7 is the Cryptographic Message Syntax Standard that provides syntax for distributing certificates or certificate revocation lists and other messages at a root certificate.

This section describes how to sign application binary files by using certificates and how to add the certificates to the Code Integrity certificate store of a device.

In This Section

  • Create a PKCS #7 File
    Shows how to create a PKCS #7 file that allows your signed binaries to run on your secure OS.

See Also

Concepts

Application Deployment