[vbox-dev] Windows hardening in 4.3.15

José Massada jose.massada at gmail.com
Wed Jul 30 13:01:44 GMT 2014


Hi Klaus,

Thanks for the quick reply.

I tried loading a test-signed PDM module for development (obviously with
test-signing enabled in the machine) but it fails with a "no trusted paths"
error. I'm guessing that even on development or test machines you require
the module to be cross-signed with the Microsoft cert?
I'm also guessing you don't debug custom PDM modules with release versions
of VirtualBox. Is there any way I can do this without having to sign debug
binaries?

Thanks,
Jose



On Tue, Jul 29, 2014 at 7:43 PM, Klaus Espenlaub <klaus.espenlaub at oracle.com> wrote:

> José,
>
> On 29.07.2014 15:53, José Massada wrote:
> > Hi,
> >
> > The new hardening code breaks VirtualBox when trying to load a custom
> > built PDM module (VERR_LDRIV_NOT_SIGNED). This is a custom virtual PCI
> > device that we've been using for quite some time now.
>
> Yes, that signing requirement is a change which had to be done in 4.3.14.
>
> > I've looked at the code and I see that some unsigned dlls are being
> > ignored if they are in certain system paths. I tried loading it from
> > \SystemRoot\System32\ but with no luck.
>
> There's no signing exemption for PDM modules, so there's no point in
> moving them to such a directory.
>
> > Linux version works fine when installed to a root owned system path.
>
> That's comparing apples and oranges, as the systems have a vastly
> different basic security system design and need different approaches for
> hardening.
>
> > Am I to assume that I'll have to, somehow, sign the dll?
>
> Correct. You need a cert suitable for Windows kernel driver signing,
> nothing else is accepted. There are very few CAs which offer this (as it
> needs to be cross-signed by Microsoft).
>
> > Too much hardening maybe?
>
> No, this is intentional and required for the hardening to work. It won't
> go away in future builds.
>
> Klaus
>
> > Cheers,
> > Jose
>