<html><body><div style="color:#000; background-color:#fff; font-family:verdana, helvetica, sans-serif;font-size:10pt"><div style="" class=""><span style="" class="">Add the test certificate to the Trusted Root Certification Authorities and to the Trusted Publishers (certmgr.msc). You may also need to boot your OS with testsigning on (bcdedit), but I'm not sure. If VirtualBox successfully loaded unsigned PDM modules (in the past), you may find that the testsigning boot option is not required, since this new signing requirements are not enforced by the OS. For testing kernel drivers, you do need testsigning to be on. Using these methods, I play with custom builds of VirtualBox, on Windows 7 and 8.1 x64 hosts.<br></span></div><div class="yui_3_16_0_6_1407175019620_32" style="color: rgb(0, 0, 0); font-size: 13.3333px; font-family: verdana,helvetica,sans-serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0);
font-size: 13.3333px; font-family: verdana,helvetica,sans-serif; background-color: transparent; font-style: normal;">More on test-signing drivers:<br style="" class=""><span style="" class=""></span></div><div style="color: rgb(0, 0, 0); font-size: 13.3333px; font-family: verdana,helvetica,sans-serif; background-color: transparent; font-style: normal;"><span style="" class=""><a style="" class="" href="http://msdn.microsoft.com/en-us/library/windows/hardware/ff546236%28v=vs.85%29.aspx">http://msdn.microsoft.com/en-us/library/windows/hardware/ff546236%28v=vs.85%29.aspx</a><br style="" class=""></span></div><div style="" class=""><br style="" class=""></div><blockquote class="" style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; margin-top: 5px; padding-left: 5px;"> <div style="font-family: verdana, helvetica, sans-serif; font-size: 10pt;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;
font-size: 12pt;"> <div style="" class="" dir="ltr"> <hr style="" class="" size="1"> <font style="" class="" face="Arial" size="2"> <b style="" class=""><span class="" style="font-weight:bold;">From:</span></b> Ray Yang <rayyang@ybwork.com><br style="" class=""> <b style="" class=""><span class="" style="font-weight: bold;">To:</span></b> Klaus Espenlaub <klaus.espenlaub@oracle.com> <br style="" class=""><b style="" class=""><span class="" style="font-weight: bold;">Cc:</span></b> vbox-dev@virtualbox.org <br style="" class=""> <b style="" class=""><span class="" style="font-weight: bold;">Sent:</span></b> Monday, August 4, 2014 8:06 PM<br style="" class=""> <b style="" class=""><span class="" style="font-weight: bold;">Subject:</span></b> Re: [vbox-dev] Crash on Win 8 guest when kernel debugging is enabled via network<br style="" class=""> </font> </div> <div style="" class=""><br style="" class="">>From the security point of view, this
signature checking is reasonable.<br style="" class="">However, there are still some people who do not have certificates for<br style="" class="">various reasons. So if VBox can have an option to disable this by showing<br style="" class="">some GUI warnings, it would be much more convenient.<br style="" class=""><br style="" class="">And yes, the test sign does not work - VBox complains that there is no<br style="" class="">trusted root in the path, which is true since the test certificate is not<br style="" class="">issued by any trusted CA.<br style="" class=""><br style="" class="">> Ray,<br style="" class="">><br style="" class="">> On 02.08.2014 09:25, Ray Yang wrote:<br style="" class="">>> Thanks Michal.<br style="" class="">>><br style="" class="">>> I tried the test build VirtualBox-4.3.15-95286-Win.exe and it did not<br style="" class="">>> produce the issue any more.<br style="" class="">>><br style=""
class="">>> However, my custom virtual PCI device dll cannot be loaded by 4.3.15<br style="" class="">>> with<br style="" class="">>> error: Unable to load R3 module (VERR_LDRVI_NOT_SIGNED).<br style="" class="">><br style="" class="">> That's expected. All such DLLs must be signed now, using a valid kernel<br style="" class="">> driver signature.<br style="" class="">><br style="" class="">>> Does this mean from 4.3.15, VBox needs the device module to be signed?<br style="" class="">>> Is<br style="" class="">>> there any way to disable it?<br style="" class="">><br style="" class="">> From 4.3.14, yes, they all need to be signed (not by us, but by anyone<br style="" class="">> having the private key with a Windows kernel driver cert - the usual<br style="" class="">> Windows kernel signing stuff). There is no way to disable this, unless<br style="" class="">> you build your own
package from sources with hardening disabled (not<br style="" class="">> recommended for anything but development use).<br style="" class="">><br style="" class="">> In principle test signing should work, but there's already a report that<br style="" class="">> it's at least not obvious how to get this working:<br style="" class="">> <a style="" class="" href="http://thread.gmane.org/gmane.comp.emulators.virtualbox.devel/6955" target="_blank">http://thread.gmane.org/gmane.comp.emulators.virtualbox.devel/6955</a><br style="" class="">><br style="" class="">> Klaus<br style="" class="">><br style="" class="">>><br style="" class="">>> Thanks.<br style="" class="">>><br style="" class="">>> -Ray<br style="" class="">>><br style="" class="">>>><br style="" class="">>>><br style="" class="">>>> See <a style="" class="" href="https://www.virtualbox.org/ticket/10097"
target="_blank">https://www.virtualbox.org/ticket/10097 </a>. This problem was fixed<br style="" class="">>>> in<br style="" class="">>>> 4.3.14 for Windows 7 guests and I have currently no reason to think<br style="" class="">>>> Windows 8 is different.<br style="" class="">>>><br style="" class="">>>> And yes, it's entirely normal that all local APICs in a system are<br style="" class="">>>> mapped<br style="" class="">>>> at the same address. And those IPIs with vector zero are in fact NMIs<br style="" class="">>>> (the delivery mode says it's NMI, hence the vector is meaningless and<br style="" class="">>>> it<br style="" class="">>>> will be delivered through IDT vector 2 as an NMI, not a maskable<br style="" class="">>>> interrupt).<br style="" class="">>>><br style="" class="">>>><br style="" class="">>>>
Regards,<br style="" class="">>>><br style="" class="">>>> Michal<br style="" class="">>>><br style="" class="">>>> ----- Original Message -----<br style="" class="">>>> From: <a style="" class="" ymailto="mailto:rayyang@ybwork.com" href="mailto:rayyang@ybwork.com">rayyang@ybwork.com</a><br style="" class="">>>> To: <a style="" class="" ymailto="mailto:vbox-dev@virtualbox.org" href="mailto:vbox-dev@virtualbox.org">vbox-dev@virtualbox.org</a><br style="" class="">>>> Sent: Friday, August 1, 2014 7:06:38 AM GMT +01:00 Amsterdam / Berlin /<br style="" class="">>>> Bern / Rome / Stockholm / Vienna<br style="" class="">>>> Subject: [vbox-dev] Crash on Win 8 guest when kernel debugging is<br style="" class="">>>> enabled<br style="" class="">>>> via network<br style="" class="">>>><br style=""
class="">>>> Hi guys,<br style="" class="">>>><br style="" class="">>>> I have been fighting with this issue for quite a while but still do not<br style="" class="">>>> have any clue about how to solve it.<br style="" class="">>>><br style="" class="">>>> Basically, I have a Win 8 64bit guest OS running on VBox 4.3.12 (both<br style="" class="">>>> official release and my private build versions) on Win 7 64bit host. If<br style="" class="">>>> I<br style="" class="">>>> do not enable kernel debugging via network on the guest Win 8 with<br style="" class="">>>> multi-core, it boots up without problem. But if the kernel debugging<br style="" class="">>>> and<br style="" class="">>>> multi-core are enabled, guest OS just bug-checks at very early stage<br style="" class="">>>> during the boot, with the following bug-check codes:<br style=""
class="">>>><br style="" class="">>>> BugCheck 124, {3, 0, 0, 0}<br style="" class="">>>> BugCheck 80, {4f4454, 0, 0, 0}<br style="" class="">>>><br style="" class="">>>> Every time when it bug-checks, it always does not stop on core 0. Since<br style="" class="">>>> they are NMI related, I dump the apic info in the guest with WinDbg, as<br style="" class="">>>> the following:<br style="" class="">>>><br style="" class="">>>> 1: kd> !apic<br style="" class="">>>> Apic @ ffdab000 ID:1 (50014) LogDesc:02000000 DestFmt:ffffffff TPR<br style="" class="">>>> F0<br style="" class="">>>> TimeCnt: 00000000clk SpurVec:3f FaultVec:e2 error:0<br style="" class="">>>> Ipi Cmd: 01000000`00000c00 Vec:00 NMI Lg:01000000 edg high<br style=""
class="">>>> Timer..: 00000000`000300fd Vec:FD FixedDel Dest=Self edg high<br style="" class="">>>> m<br style="" class="">>>> Linti0.: 00000000`000100c0 Vec:C0 FixedDel Dest=Self edg high<br style="" class="">>>> m<br style="" class="">>>> Linti1.: 00000000`000184c0 Vec:C0 NMI Dest=Self lvl high<br style="" class="">>>> m<br style="" class="">>>> TMR:<br style="" class="">>>> IRR:<br style="" class="">>>> ISR: D1<br style="" class="">>>> 1: kd> ~0s<br style="" class="">>>> 0: kd> !apic<br style="" class="">>>> Apic @ ffdab000 ID:0 (50014) LogDesc:01000000 DestFmt:ffffffff TPR<br style="" class="">>>> F0<br style=""
class="">>>> TimeCnt: 00000000clk SpurVec:3f FaultVec:e2 error:0<br style="" class="">>>> Ipi Cmd: 02000000`000c00d1 Vec:D1 FixedDel Dest=Othrs edg high<br style="" class="">>>> Timer..: 00000000`000300ff Vec:FF FixedDel Dest=Self edg high<br style="" class="">>>> m<br style="" class="">>>> Linti0.: 00000000`000100c0 Vec:C0 FixedDel Dest=Self edg high<br style="" class="">>>> m<br style="" class="">>>> Linti1.: 00000000`000184c0 Vec:C0 NMI Dest=Self lvl high<br style="" class="">>>> m<br style="" class="">>>> TMR: B1<br style="" class="">>>> IRR: D1<br style="" class="">>>> ISR:<br style="" class="">>>><br
style="" class="">>>> Then notice IPI has an interrupt to vector zero. This is confirmed<br style="" class="">>>> after<br style="" class="">>>> apic log is enabled in VBox as well:<br style="" class="">>>><br style="" class="">>>> 04:27:44.429801 0000000000001e80 EMT-0 apic_deliver dest=1<br style="" class="">>>> dest_mode=0<br style="" class="">>>> dest_shorthand=0 delivery_mode=5 vector_num=0 polarity=1 trigger_mode=1<br style="" class="">>>> 04:27:44.429801 0000000000001e80 EMT-0 apic_deliver dest=1<br style="" class="">>>> dest_mode=0<br style="" class="">>>> dest_shorthand=0 delivery_mode=5 vector_num=0 polarity=0 trigger_mode=1<br style="" class="">>>> 04:33:41.362210 00000000000018ec EMT-0 apic_deliver dest=2<br style="" class="">>>> dest_mode=1<br style="" class="">>>> dest_shorthand=0
delivery_mode=4 vector_num=0 polarity=0 trigger_mode=0<br style="" class="">>>> 04:33:49.438736 00000000000018ec EMT-0 apic_deliver dest=1<br style="" class="">>>> dest_mode=0<br style="" class="">>>> dest_shorthand=0 delivery_mode=5 vector_num=0 polarity=1 trigger_mode=1<br style="" class="">>>> 04:33:49.439236 00000000000018ec EMT-0 apic_deliver dest=1<br style="" class="">>>> dest_mode=0<br style="" class="">>>> dest_shorthand=0 delivery_mode=5 vector_num=0 polarity=0 trigger_mode=1<br style="" class="">>>> 04:33:49.743774 0000000000001114 EMT-1 apic_deliver dest=1<br style="" class="">>>> dest_mode=1<br style="" class="">>>> dest_shorthand=0 delivery_mode=4 vector_num=0 polarity=0 trigger_mode=0<br style="" class="">>>> 04:33:50.489369 0000000000001114 EMT-1 apic_deliver dest=1<br style=""
class="">>>> dest_mode=1<br style="" class="">>>> dest_shorthand=0 delivery_mode=4 vector_num=0 polarity=0 trigger_mode=0<br style="" class="">>>> 04:33:50.856916 0000000000001114 EMT-1 apic_deliver dest=1<br style="" class="">>>> dest_mode=1<br style="" class="">>>> dest_shorthand=0 delivery_mode=4 vector_num=0 polarity=0 trigger_mode=0<br style="" class="">>>> 04:33:51.685521 00000000000018ec EMT-0 apic_deliver dest=2<br style="" class="">>>> dest_mode=1<br style="" class="">>>> dest_shorthand=0 delivery_mode=4 vector_num=0 polarity=0 trigger_mode=0<br style="" class="">>>> 04:33:51.878045 0000000000001114 EMT-1 apic_deliver dest=1<br style="" class="">>>> dest_mode=1<br style="" class="">>>> dest_shorthand=0 delivery_mode=4 vector_num=0 polarity=0 trigger_mode=0<br style="" class="">>>> 04:33:51.894047
00000000000018ec EMT-0 apic_deliver dest=2<br style="" class="">>>> dest_mode=1<br style="" class="">>>> dest_shorthand=0 delivery_mode=4 vector_num=0 polarity=0 trigger_mode=0<br style="" class="">>>><br style="" class="">>>><br style="" class="">>>> Note that the initial two interrupts to vector 0 are also seen with<br style="" class="">>>> successful guest boot. But the problematic one has more interrupts to<br style="" class="">>>> vector 0. After check more logs, I found the following two:<br style="" class="">>>><br style="" class="">>>> 04:33:51.878045 0000000000001114 EMT-1 CPU1: apicMMIOWrite at<br style="" class="">>>> 00000000fee00300<br style="" class="">>>> 04:33:51.894047 00000000000018ec EMT-0 CPU0: apicMMIOWrite at<br style="" class="">>>> 00000000fee00300<br style="" class="">>>><br
style="" class="">>>><br style="" class="">>>> It seems that both core have the same local APIC address. Is this<br style="" class="">>>> correct?<br style="" class="">>>><br style="" class="">>>> As I'm totally stuck at the moment, really appreciate if someone can<br style="" class="">>>> give<br style="" class="">>>> me some direction on this issue.<br style="" class="">>>><br style="" class="">>>> Btw, VBox 4.3.14 does not work for me as its GUI refuses to start.<br style="" class="">>>><br style="" class="">>>> Thanks.<br style="" class="">>>><br style="" class="">>>> -Ray<br style="" class="">><br style="" class="">> _______________________________________________<br style="" class="">> vbox-dev mailing list<br style="" class="">> <a style="" class="" ymailto="mailto:vbox-dev@virtualbox.org"
href="mailto:vbox-dev@virtualbox.org">vbox-dev@virtualbox.org</a><br style="" class="">> <a style="" class="" href="https://www.virtualbox.org/mailman/listinfo/vbox-dev" target="_blank">https://www.virtualbox.org/mailman/listinfo/vbox-dev</a><br style="" class="">><br style="" class=""><br style="" class=""><br style="" class=""><br style="" class="">_______________________________________________<br style="" class="">vbox-dev mailing list<br style="" class=""><a style="" class="" ymailto="mailto:vbox-dev@virtualbox.org" href="mailto:vbox-dev@virtualbox.org">vbox-dev@virtualbox.org</a><br style="" class=""><a style="" class="" href="https://www.virtualbox.org/mailman/listinfo/vbox-dev" target="_blank">https://www.virtualbox.org/mailman/listinfo/vbox-dev</a><br style="" class=""><br style="" class=""><br style="" class=""></div> </div> </div> </blockquote><div></div> </div></body></html>