Sign your unsigned drivers - Damn It
6/8/2012 2:09 PM
The drivers saga continues...
For a driver to be ranked correctly by Windows 7 Setup it should be signed, and for Windows 7 x64 deployments it really needs to be signed. However, sometimes vendors don't provide signed drivers, or you need to modify a driver for a specific device, and when you do, you break the signature. The solution is to sign the driver yourself.
In this example you sign an unsigned driver for Windows 7 named b57nd60a.inf (yes, it's the Broadcom NetXtreme Desktop driver) for the fictitious company ViaMonstra. The scenario is that you have modified the b57nd60a.inf file, so its signature is now broken.
This means that if you, for example, try to add the driver to the Windows 7 driver store using pnputil -a b57nd60a.inf, you will be met by an error because the driver package no longer has a valid signature.
Signing drivers - Overview
- Get the tools
- Create the certificate and private key
- Create the catalog file
- Sign and timestamp the driver
- Install the certificate
Signing drivers - Detailed steps
Again, in this example you sign an unsigned driver named b57nd60a.inf for the fictitious company ViaMonstra. Remember that the scenario is that you have modified the b57nd60a.inf file, so its signature is now broken.
Step 1 - Get the tools
- Go to www.microsoft.com/downloads, download and then install the Windows SDK for Windows 7
- Go to www.microsoft.com/downloads, download and then install the Windows Driver Kit 7.1.0
Step 2 - Create the certificate and private key
- Create a folder named C:\ViaMonstraDriversCert
- Start the command prompt and type the following commands, press Enter after each command.
cd /d "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin"
makecert -r -sv C:\ViaMonstraDriversCert\ViaMonstraDrivers.pvk -n "CN=ViaMonstra" C:\ViaMonstraDriversCert\ViaMonstraDrivers.cer
When prompted for the private key password, assign a password of P@ssw0rd (the same password is used for the .pfx below).
cert2spc C:\ViaMonstraDriversCert\ViaMonstraDrivers.cer C:\ViaMonstraDriversCert\ViaMonstraDrivers.spc
pvk2pfx -pvk C:\ViaMonstraDriversCert\ViaMonstraDrivers.pvk -pi P@ssw0rd -spc C:\ViaMonstraDriversCert\ViaMonstraDrivers.spc -pfx C:\ViaMonstraDriversCert\ViaMonstraDrivers.pfx -po P@ssw0rd
Step 3 - Create the catalog file
- Create the C:\ViaMonstraDriversCert\Broadcom folder and copy the b57nd60a.inf and b57nd60a.sys file to it.
- Start the command prompt and type the following commands, press Enter after each command.
cd /d "C:\WinDDK\7600.16385.1\bin\selfsign"
inf2cat.exe /driver:"C:\ViaMonstraDriversCert\Broadcom" /os:7_X64 /verbose

Running inf2cat.exe
Step 4 - Sign and timestamp the driver
- Create the C:\ViaMonstraDriversCert\Broadcom folder and copy the b57nd60a.inf file to it.
- Start the command prompt and type the following commands, press Enter after each command.
cd /d "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin"
signtool sign /f C:\ViaMonstraDriversCert\ViaMonstraDrivers.pfx /p P@ssw0rd /t http://timestamp.verisign.com/scripts/timstamp.dll /v C:\ViaMonstraDriversCert\Broadcom\b57nd60a.cat


Running the Signtool
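The three steps above (create the certificate, build the catalog, sign it) as one PowerShell script. This is an added example, not a script from the original post; it assumes the Windows SDK 7.0A and WDK 7600.16385.1 install paths used in the post, that C:\ViaMonstraDriversCert\Broadcom already holds b57nd60a.inf and b57nd60a.sys, and that makecert will prompt you for the .pvk password in a dialog (it cannot be passed on the command line). The Invoke-Tool helper is also an assumption of this example.

```powershell
# Added example, not from the original post: Steps 2-4 as one script.
# Assumptions (labelled): tool paths are the Windows SDK 7.0A and WDK 7600.16385.1 defaults
# from the post; C:\ViaMonstraDriversCert\Broadcom already holds b57nd60a.inf and b57nd60a.sys.
$ErrorActionPreference = 'Stop'

$SdkBin      = 'C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin'
$WdkSelfSign = 'C:\WinDDK\7600.16385.1\bin\selfsign'
$CertDir     = 'C:\ViaMonstraDriversCert'
$DriverDir   = Join-Path $CertDir 'Broadcom'
$Password    = 'P@ssw0rd'   # same password as in the post; also what makecert will prompt you for
$Timestamp   = 'http://timestamp.verisign.com/scripts/timstamp.dll'

$Pvk = Join-Path $CertDir 'ViaMonstraDrivers.pvk'
$Cer = Join-Path $CertDir 'ViaMonstraDrivers.cer'
$Spc = Join-Path $CertDir 'ViaMonstraDrivers.spc'
$Pfx = Join-Path $CertDir 'ViaMonstraDrivers.pfx'
$Cat = Join-Path $DriverDir 'b57nd60a.cat'

# Run an external tool and stop on a non-zero exit code, so that a failed step
# (wrong password, unreachable timestamp server, bad INF) is never hidden by the next one.
function Invoke-Tool([string]$Exe, [string[]]$ToolArgs) {
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) {
        throw ("{0} failed with exit code {1}" -f [IO.Path]::GetFileName($Exe), $LASTEXITCODE)
    }
}

# Step 2: self-signed certificate (-r) whose private key goes to the .pvk (-sv).
# makecert asks for the .pvk password in a dialog; enter $Password there.
# Skipped when the key already exists, so re-running never silently mints a second key.
if (-not (Test-Path $CertDir)) { New-Item -ItemType Directory -Path $CertDir | Out-Null }
if (-not (Test-Path $Pvk)) {
    Invoke-Tool (Join-Path $SdkBin 'makecert.exe') @('-r', '-sv', $Pvk, '-n', 'CN=ViaMonstra', $Cer)
    Invoke-Tool (Join-Path $SdkBin 'cert2spc.exe') @($Cer, $Spc)
    Invoke-Tool (Join-Path $SdkBin 'pvk2pfx.exe') @('-pvk', $Pvk, '-pi', $Password,
                                                    '-spc', $Spc, '-pfx', $Pfx, '-po', $Password)
}

# Step 3: build the catalog that lists the hashes of every file the INF references.
# inf2cat fails on a malformed INF, which is exactly what you want to catch before signing.
Invoke-Tool (Join-Path $WdkSelfSign 'inf2cat.exe') @("/driver:$DriverDir", '/os:7_X64', '/verbose')
if (-not (Test-Path $Cat)) {
    throw "inf2cat did not produce $Cat; check the CatalogFile= entry in the INF"
}

# Step 4: sign and timestamp the catalog. The timestamp keeps the signature verifiable
# after the certificate itself expires.
Invoke-Tool (Join-Path $SdkBin 'signtool.exe') @('sign', '/f', $Pfx, '/p', $Password,
                                                 '/t', $Timestamp, '/v', $Cat)

# Record which certificate signed the package; its thumbprint is what you look for
# in the Trusted Root and Trusted Publishers stores in Step 5.
$signer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Cer
'Signed {0} with {1} (thumbprint {2})' -f $Cat, $signer.Subject, $signer.Thumbprint
```

Run it from an elevated PowerShell prompt on the signing machine. Keeping the signing step in a script with exit-code checks matters more than it looks: a signtool run that fails to reach the timestamp server still leaves an unsigned .cat behind, and without the check the next step would happily ship it.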
Step 5 - Install the certificate
To trust the certificate on a single computer (the signing certificate is self-issued and not yet trusted by the operating system), start the command prompt and type the following commands, pressing Enter after each command.
certmgr.exe -add C:\ViaMonstraDriversCert\ViaMonstraDrivers.cer -s -r localMachine ROOT
certmgr.exe -add C:\ViaMonstraDriversCert\ViaMonstraDrivers.cer -s -r localMachine TRUSTEDPUBLISHER
Note: you can also use certutil to install the certificate.
Now when you run pnputil -a b57nd60a.inf, the driver package is accepted and added to the driver store.
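Step 5 with certutil (the alternative the post mentions instead of certmgr), followed by the checks that show the trust actually took effect. This is an added example, not a script from the original post; it assumes the paths used in the post, a catalog already signed as in Step 4, and an elevated prompt (certutil targets the LocalMachine stores when run elevated). The Invoke-Tool helper is an assumption of this example.

```powershell
# Added example, not from the original post: trust the ViaMonstra certificate on one machine
# with certutil, then prove the catalog and the driver package are accepted.
# Assumptions (labelled): paths match the post; b57nd60a.cat was signed as in Step 4; run elevated.
$ErrorActionPreference = 'Stop'

$Cer      = 'C:\ViaMonstraDriversCert\ViaMonstraDrivers.cer'
$Cat      = 'C:\ViaMonstraDriversCert\Broadcom\b57nd60a.cat'
$Inf      = 'C:\ViaMonstraDriversCert\Broadcom\b57nd60a.inf'
$SignTool = 'C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\signtool.exe'

# Run an external tool and stop on a non-zero exit code.
function Invoke-Tool([string]$Exe, [string[]]$ToolArgs) {
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) {
        throw ("{0} failed with exit code {1}" -f [IO.Path]::GetFileName($Exe), $LASTEXITCODE)
    }
}

# Only the public certificate (.cer) is installed on clients; the .pvk/.pfx stay on the signing machine.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Cer
'Trusting {0} (thumbprint {1})' -f $cert.Subject, $cert.Thumbprint

# certutil store names: Root = Trusted Root Certification Authorities,
# TrustedPublisher = Trusted Publishers. -f replaces an existing copy instead of failing.
Invoke-Tool 'certutil.exe' @('-addstore', '-f', 'Root', $Cer)
Invoke-Tool 'certutil.exe' @('-addstore', '-f', 'TrustedPublisher', $Cer)

# Confirm by thumbprint, not by name, that both stores now hold exactly this certificate.
foreach ($store in 'Root', 'TrustedPublisher') {
    $present = Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $present) { throw "Certificate not found in LocalMachine\$store" }
}

# The catalog now chains to a trusted root, so signtool's default Authenticode policy (/pa) accepts it.
# Before the certutil step this same command fails with an untrusted-root error.
Invoke-Tool $SignTool @('verify', '/pa', '/v', $Cat)

# And the driver store accepts the package without a signature error.
Invoke-Tool 'pnputil.exe' @('-a', $Inf)
```

One practical point about this step: adding ViaMonstraDrivers.cer to Trusted Root and Trusted Publishers is a machine-wide decision, so anything signed with ViaMonstraDrivers.pvk is afterwards accepted as coming from a trusted publisher on every computer where the script (or the Group Policy below) has run. Treat the .pvk/.pfx and its password like any other code-signing key, keep the thumbprint on record, and when the certificate is retired remove it again with certutil -delstore Root <thumbprint> and the same for TrustedPublisher.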
Enterprise configurations - Group Policy
Using certmgr or certutil to install certificates may be cool, but deploying certificates using Group Policy makes more sense in an enterprise. To create the group policy, do the following:
- Using Group Policy Management, create a new group policy and link it to an OU where you have a test machine.
- Go to Computer Configuration / Windows Settings / Security Settings / Public Key Policies / Trusted Root Certification Authorities.
- Import the C:\ViaMonstraDriversCert\ViaMonstraDrivers.cer certificate.
- Also import the certificate in the Trusted Publishers container.
References:
MSDN docs on driver ranking:
How Windows Ranks Drivers (Windows Vista and Later)
http://msdn.microsoft.com/en-us/library/windows/hardware/ff546225%28v=vs.85%29.aspx
/ Johan
3 comment(s) so far...
Re: Sign your unsigned drivers - Damn It
You are absolutely correct, pushing a cert via GPO won't help if you inject drivers during deployment... only for running pnputil or dpinst to push out drivers as an "application". For adding drivers during deployment the certificate needs to go in the reference image.
/ Johan
By Arwidmark on
6/22/2012 5:15 AM
Re: Sign your unsigned drivers - Damn It
Printer drivers are another area where this could be very useful. Color/black and white, duplex settings and so on correctly set in accordance with your policies...
By mats on
6/22/2012 11:32 AM
Re: Sign your unsigned drivers - Damn It
I have been wanting to re-sign drivers for a long time, but never wanted to invest the time to figure out how to do it, thanks. This is especially useful with NIC drivers where you might want to adjust some default settings different from the manufacturer's (like power save/sleeping).
I am thinking of signing the certs with one issued from the domain CA - that way all domain clients will automatically trust the drivers without further action. You also mention deploying these certs via a GPO. In both methods though, this gets the certs to the client too late during OS deployment, doesn't it? The client, when it is looking for drivers during the OSD deployment, is not going to be joined to the domain yet - so it will neither trust the domain root certificate authority nor will it have applied the cert via a GPO yet.
Right?
I wonder if we can even import a root CA via TS prior to the PnP driver detection phase. Maybe it has to go into the WIM build process so that it is baked into Windows from the start?
By tmiller on
6/12/2012 12:05 PM