<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi Mikhail,<br>
<br>
<div class="moz-cite-prefix">On 21.03.2017 19:03, Mikhail Kovalev
wrote:<br>
</div>
<blockquote
cite="mid:CAB8+GYCcLS+Lf_OTXBHwetrq5JG_=-SNtqx6QDR68BvjiS2rGA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Hi,</div>
<div><br>
</div>
<div>we are trying to make a VirtualBox build for Windows 10
anniversary update. We did sign all the drivers (all .sys
files) at the Microsoft Dev portal and the installation goes
through without a problem. </div>
<div>However, when trying to start a VM, we always get an error
"Failed to load VMMR0.r0" with error code
"VERR_LDR_IMAGE_HASH".</div>
</div>
</blockquote>
It also needs to be signed, including page hash... suspect that the
partially misleading error code is due to the lack of page hashes,
but there's more, see below.<br>
<blockquote
cite="mid:CAB8+GYCcLS+Lf_OTXBHwetrq5JG_=-SNtqx6QDR68BvjiS2rGA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>The "vmmr0.r0" file is signed with our SHA2 cert (as well
as all the other installation files are, except for the
drivers which are dual-signed by our cert and by the Microsoft
cert from Dev portal). In the Windows audit log I see the
message that the code integrity check for "vmmr0.r0" failed.
If my understanding of the code is correct, the file is being
loaded via "<span style="white-space:pre-wrap">ZwSetSystemInformation". So, does it have to be signed by the Dev portal as well?</span></div>
</div>
</blockquote>
Exactly. It goes into the kernel, so the kernel signing rules apply.
We're not drilling holes into the signature checking rules of the
Windows kernel.<br>
<blockquote
cite="mid:CAB8+GYCcLS+Lf_OTXBHwetrq5JG_=-SNtqx6QDR68BvjiS2rGA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><span style="white-space:pre-wrap">But it looks like the Dev portal will only sign the ".sys" files. Could anyone give a hint on a possible solution here?</span></div>
</div>
</blockquote>
How about using the low tech solution of renaming the file before
submitting and renaming it back afterwards? The signature doesn't
include the filename as such, only the file content...<br>
<blockquote
cite="mid:CAB8+GYCcLS+Lf_OTXBHwetrq5JG_=-SNtqx6QDR68BvjiS2rGA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><span style="white-space:pre-wrap">Unfortunately we don't have a signing cert that was issued before July 29, 2015, so we cannot use the same "workaround" with the old cert as the Oracle is using now for the VirtualBox releases.</span></div>
</div>
</blockquote>
We're happy that we could go with this intermediate step, as we
already had to do enough magic when our previous cert expired. All
this dev portal stuff is not easy in big corps. We need to do this
major miracle soon enough.<br>
<br>
Klaus<br>
<blockquote
cite="mid:CAB8+GYCcLS+Lf_OTXBHwetrq5JG_=-SNtqx6QDR68BvjiS2rGA@mail.gmail.com"
type="cite">
<div class="moz-signature">
<div><span style="white-space:pre-wrap">
</span></div>
<div><span style="white-space:pre-wrap">Thnx for any help,</span></div>
<div><span style="white-space:pre-wrap">Mikhail</span></div>
<!-- This signature was generated by the MyDesktop Oracle Business Signature utility version 5.0 -->
</div>
</blockquote>
</body>
</html>