Driver Signing for pre-Windows 2016 questions

Ernest Coskrey 1 Reputation point
2021-11-01T16:26:09.247+00:00

I have some questions about what the recommendations are for generating a signed driver for Windows 2016 and earlier.

I set up the HCK test server (2008 R2) and test system(2012 R2), installed my driver, ran the appropriate tests, and generated an HCKX.

I do NOT have access to my EV Certificate on the HCK test server. I generated an unsigned .hckx file, and am trying to use the HLK Studio (which DOES have access to our EV Certificate) to sign it. Ideally, I'd like to end up with a driver that runs on Windows 2008 R2 (x64) through Windows 2022.

We've run the HLK tests against Windows 2019 successfully, and I am able to submit that to the Hardware Dev Center and get a signed driver that works on 2016, 2019, and 2022.

I was attempting to use the "merge" capabilities in the HLK Studio to bring in the .hckx file that we created on the HCK controller system. To do this, I created a new project and chose "Connect", and loaded the previous .hlkx file. Then I chose "merge" and added the .hckx file. I cleared the Drivers Folder that was pointing to my user TEMP directory, and added a single Drivers folder that contains the driver that we tested on both systems (2012 R2 and 2019). The Driver Properties lists both "Windows Server v10.0 17763" and "Windows Server v6.3" - I highlighted both of those, and added the English locale. Then I added a Symbols folder.

I signed the resulting .hlkx file with our EV Certificate and uploaded it for signing at the HW Dev Center.

The resulting download contains a signed copy of the driver, but the Microsoft signature is SHA256 (which I don't believe will work on 2012 R2). I tried installing it on a 2012 R2 system - won't boot.

Any idea what I need to do differently to get this to work? Thanks!


Here's a recap of what I've tried - maybe there's something obvious (to someone) that I'm missing.

I've signed my driver with a valid Sectigo cross-signing certificate, with both sha-1 and sha-2, and both signatures timestamped.

I tested this driver under HCK on a Windows 2012 R2 test system, and everything passed. In HCK Studio, I generated an unsigned .hckx file (because I don't have access to the EV certificate on the HCK controller). I copied this .hckx to my HLK controller system, and started HLK Studio there. I created a new project, and connected to the .hckx. From there I created a package (.hlkx), adding my driver and symbols folders, and signing the package with the EV Certificate.

Then I logged into the Hardware Dev Center and chose Submit New Hardware. I uploaded the signed .hlkx. I didn't choose any of the "Requested Signatures" check boxes, and saw that Windows Server 2012 R2 is displayed in the Certification section. I filled in the rest of the form and let the submission proceed.

When the process finished, I downloaded my signed files. I extracted the driver from the zip archive and saw that it now has 3 signatures (2 from my cross-signing certificate, plus one from Microsoft). I installed this on a Windows 2012 R2 system and rebooted and the boot failed to load my driver - I had to go in and repair the system by replacing my driver with an older released version.

I've tried the same thing choosing the "Windows 2008 R2 x64" checkbox in the "Requested Signatures" section. But that doesn't result in a working driver either.

Ernie Coskrey
