[vbox-dev] Signing VirtualBox drivers for Windows 10

Mikhail Kovalev mikhail.kovalev at gmail.com
Thu Mar 23 08:34:10 GMT 2017


Hi Klaus,

Thanks a lot for your advice. It worked out perfectly well.

Mikhail

On Tue, Mar 21, 2017 at 9:57 PM Klaus Espenlaub <klaus.espenlaub at oracle.com>
wrote:

> Hi Mikhail,
>
> On 21.03.2017 19:03, Mikhail Kovalev wrote:
>
>> Hi,
>>
>> we are trying to make a VirtualBox build for Windows 10 anniversary
>> update. We did sign all the drivers (all .sys files) at the Microsoft Dev
>> portal and the installation goes through without a problem.
>> However, when trying to start a VM, we always get an error "Failed to load
>> VMMR0.r0" with error code "VERR_LDR_IMAGE_HASH".
>
> It also needs to be signed, including page hash... suspect that the
> partially misleading error code is due to the lack of page hashes, but
> there's more, see below.
>
>> The "vmmr0.r0" file is signed with our SHA2 cert (as well as all the other
>> installation files are, except for the drivers which are dual-signed by our
>> cert and by the Microsoft cert from Dev portal). In the Windows audit log I
>> see the message that the code integrity check for "vmmr0.r0" failed. If my
>> understanding of the code is correct, the file is being loaded via "ZwSetSystemInformation".
>> So, does it have to be signed by the Dev portal as well?
>
> Exactly. It goes into the kernel, so the kernel signing rules apply. We're
> not drilling holes into the signature checking rules of the Windows kernel.
>
>> But it looks like the Dev portal will only sign the ".sys" files. Could
>> anyone give a hint on a possible solution here?
>
> How about using the low tech solution of renaming the file before
> submitting and renaming it back afterwards? The signature doesn't include
> the filename as such, only the file content...
>
>> Unfortunately we don't have a signing cert that was issued before July 29,
>> 2015, so we cannot use the same "workaround" with the old cert as
>> Oracle is using now for the VirtualBox releases.
>
> We're happy that we could go with this intermediate step, as we already
> had to do enough magic when our previous cert expired. All this dev portal
> stuff is not easy in big corps. We need to do this major miracle soon
> enough.
>
> Klaus
>
>> Thanks for any help,
>> Mikhail
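As an added illustration of the point made in the thread that the signature covers the file content and not the filename (this is example code, not part of the original messages and not VirtualBox or Microsoft code): the sketch below computes the Authenticode image digest of a PE file, which skips only the CheckSum field, the Certificate Table directory entry and the attached certificates. It assumes a constructed minimal PE32+ image whose data is hashed in file order, uses `VMMR0.sys` as an assumed temporary name, and does not cover page hashes or certificate chain validation.

```python
import hashlib, os, struct, tempfile

def build_sample_pe() -> bytes:
    """Constructed, unsigned PE32+ image with only the fields the digest needs."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)                                         # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)                        # magic
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    return dos + b"PE\0\0" + coff + bytes(opt) + b"\xCC" * 512   # constructed body

def _offsets(pe: bytes):
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    # CheckSum field, then data directory entry 4 (Certificate Table)
    return opt + 64, opt + (112 if magic == 0x20B else 96) + 4 * 8

def authenticode_digest(pe: bytes, algo: str = "sha256") -> str:
    checksum, cert_dir = _offsets(pe)
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_dir)
    if cert_size == 0:
        cert_off = len(pe)                     # unsigned: hash to end of file
    h = hashlib.new(algo)
    h.update(pe[:checksum])                    # skip the 4-byte CheckSum
    h.update(pe[checksum + 4:cert_dir])        # skip the 8-byte Certificate Table entry
    h.update(pe[cert_dir + 8:cert_off])        # stop at the attribute certificates
    h.update(pe[cert_off + cert_size:])        # data after them, if any
    return h.hexdigest()

def attach_placeholder_signature(pe: bytes, blob: bytes = b"\0" * 64) -> bytes:
    """Append a dummy certificate table the way a signer would (not a real signature)."""
    checksum, cert_dir = _offsets(pe)
    out = bytearray(pe + blob)
    struct.pack_into("<II", out, cert_dir, len(pe), len(blob))
    struct.pack_into("<I", out, checksum, 0xDEADBEEF)            # constructed checksum
    return bytes(out)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "VMMR0.sys")                      # assumed temporary name
        with open(path, "wb") as f:
            f.write(attach_placeholder_signature(build_sample_pe()))
        renamed = os.path.join(d, "VMMR0.r0")
        os.rename(path, renamed)                                 # rename back after signing
        with open(renamed, "rb") as f:
            print(authenticode_digest(f.read()) == authenticode_digest(build_sample_pe()))
```

The digest is unchanged by the rename and by attaching the certificate table, while any change to the image bytes outside the skipped fields produces a different digest.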