[vbox-dev] Windows hardening in 4.3.15

Klaus Espenlaub klaus.espenlaub at oracle.com
Mon Aug 4 07:58:58 UTC 2014


On 30.07.2014 15:01, José Massada wrote:
> Hi Klaus,
> Thanks for the quick reply.
> I tried loading a test-signed PDM module for development (obviously with
> test-signing enabled in the machine) but it fails with a "no trusted
> paths" error. I'm guessing that even on development or test machines you
> require the module to be cross-signed with the Microsoft cert?

Should work, will ask the dev if any other steps are required.

> I'm also guessing you don't debug custom PDM modules with release
> versions of VirtualBox. Is there any way I can do this without having to
> sign debug binaries?

We don't have any custom PDM modules in the strict sense, because that's 
what "custom" implies. We are definitely testing with external PDM 
modules (in particular the USB 2.0 support which is part of the 
extension pack), but those are all "properly signed".

> Thanks,
> Jose
> On Tue, Jul 29, 2014 at 7:43 PM, Klaus Espenlaub
> <klaus.espenlaub at oracle.com> wrote:
>     José,
>     On 29.07.2014 15:53, José Massada wrote:
>      > Hi,
>      >
>      > The new hardening code breaks VirtualBox when trying to load a custom
>      > built PDM module (VERR_LDRIV_NOT_SIGNED). This is a custom virtual PCI
>      > device that we've been using for quite some time now.
>     Yes, that signing requirement is a change which had to be done in
>     4.3.14.
>      > I've looked at the code and I see that some unsigned dlls are being
>      > ignored if they are in certain system paths. I tried loading it from
>      > \\SystemRoot\\System32\\ but with no luck.
>     There's no signing exemption for PDM modules, so there's no point in
>     moving them to such a directory.
>      > Linux version works fine when installed to a root owned system path.
>     That's comparing apples and oranges, as the systems have a vastly
>     different basic security system design and need different approaches for
>     hardening.
>      > Am I to assume that I'll have to, somehow, sign the dll?
>     Correct. You need a cert suitable for Windows kernel driver signing,
>     nothing else is accepted. There are very few CAs which offer this (as it
>     needs to be cross-signed by Microsoft).
>      > Too much hardening maybe?
>     No, this is intentional and required for the hardening to work. It won't
>     go away in future builds.
>     Klaus
>      > Cheers,
>      > Jose
