[vbox-dev] Windows hardening in 4.3.15
Klaus Espenlaub
klaus.espenlaub at oracle.com
Tue Jul 29 18:43:06 UTC 2014
José,
On 29.07.2014 15:53, José Massada wrote:
> Hi,
>
> The new hardening code breaks VirtualBox when trying to load a custom
> built PDM module (VERR_LDRIV_NOT_SIGNED). This is a custom virtual PCI
> device that we've been using for quite some time now.
Yes, that signing requirement is a change which had to be done in 4.3.14.
> I've looked at the code and I see that some unsigned dlls are being
> ignored if they are in certain system paths. I tried loading it from
> \\SystemRoot\\System32\\ but with no luck.
There's no signing exemption for PDM modules, so there's no point in
moving them to such a directory.
> Linux version works fine when installed to a root owned system path.
That's comparing apples and oranges, as the systems have a vastly
different basic security system design and need different approaches for
hardening.
> Am I to assume that I'll have to, somehow, sign the dll?
Correct. You need a cert suitable for Windows kernel driver signing,
nothing else is accepted. There are very few CAs which offer this (as it
needs to be cross-signed by Microsoft).
> Too much hardening maybe?
No, this is intentional and required for the hardening to work. It won't
go away in future builds.
Klaus
> Cheers,
> Jose
More information about the vbox-dev
mailing list