[vbox-dev] Signing VirtualBox drivers for Windows 10

Klaus Espenlaub klaus.espenlaub at oracle.com
Tue Mar 21 20:57:20 UTC 2017

Hi Mikhail,

On 21.03.2017 19:03, Mikhail Kovalev wrote:
> Hi,
> we are trying to make a VirtualBox build for Windows 10 anniversary 
> update. We did sign all the drivers (all .sys files) at the Microsoft 
> Dev portal and the installation goes through without a problem.
> However, when trying to start a VM, we always get an error "Failed to 
> load VMMR0.r0" with error code "VERR_LDR_IMAGE_HASH".
It also needs to be signed, including page hash... suspect that the 
partially misleading error code is due to the lack of page hashes, but 
there's more, see below.
> The "vmmr0.r0" file is signed with our SHA2 cert (as well as all the 
> other installation files are, except for the drivers which are 
> dual-signed by our cert and by the Microsoft cert from Dev portal). In 
> the Windows audit log I see the message that the code integrity check 
> for "vmmr0.r0" failed. If my understanding of the code is correct, the 
> file is being loaded via "ZwSetSystemInformation". So, does it have to 
> be signed by the Dev portal as well?
Exactly. It goes into the kernel, so the kernel signing rules apply. 
We're not drilling holes into the signature checking rules of the 
Windows kernel.
> But it looks like the Dev portal will only sign the ".sys" files. 
> Could anyone give a hint on a possible solution here?
How about using the low tech solution of renaming the file before 
submitting and renaming it back afterwards? The signature doesn't 
include the filename as such, only the file content...
> Unfortunately we don't have a signing cert that was issued before July 
> 29, 2015, so we cannot use the same "workaround" with the old cert as 
> the Oracle is using now for the VirtualBox releases.
We're happy that we could go with this intermediate step, as we already 
had to do enough magic when our previous cert expired. All this dev 
portal stuff is not easy in big corps. We need to do this major miracle 
soon enough.

> Thnx for any help,
> Mikhail
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.virtualbox.org/pipermail/vbox-dev/attachments/20170321/a1fb3a8a/attachment.html>

More information about the vbox-dev mailing list