Windows CE and Windows Mobile (January 29, 2008)
Chat Topic: Windows CE and Windows Mobile
Date: Tuesday, January 29, 2008
Please note: Portions of this transcript have been edited for clarity
Sue Loh [MS] (Moderator):
Welcome to today’s public chat. Our chat today covers the topic of Windows Embedded CE 6.0!
We are pleased to welcome our Experts for today’s chat. I will have them introduce themselves now.
**Introductions:
MikeCal [msft] (Expert):**
I'm Mike Calligaro, and I'm a developer working on our kernel debugger and diagnostics tools.
GLanger_MS (Expert):
Hi, I'm Glen Langer, program manager for BSPs on the Windows Embedded CE team.
ArianeJa_MSFT (Expert):
Hi, I'm Ariane Jansen. I'm a developer on the file systems team.
Ryan Ward [MSFT] (Expert):
I'm Ryan Ward and I'm a Test Developer for the Platform Builder IDE team.
Karel Danihelka [MS] (Expert):
I'm Karel Danihelka and I work as developer in Microsoft for Automotive group.
Sing Wee [MS] (Expert):
Hi, I'm Sing Wee, part of the General Embedded BSP Test Team.
Sue Loh [MS] (Moderator):
Hi, I’m Sue Loh, a developer in the Windows Devices Core team at Microsoft. I work on the remote tools team, and have previous experience with the kernel and file system. I’m also moderating today’s chat. I hope we can answer some questions for you today!
Greg Scott [MS] (Expert):
Hi, I'm Greg Scott, a developer on the networking team.
WesB [MSFT] (Expert):
Hello, I am Wes Barcalow and I work on the Windows Devices Core BSP/Drivers team.
AmmonL [MSFT] (Expert):
Hello, I'm Ammon Larson, a developer on the Windows Mobile shell team.
Sue Loh [MS] (Moderator):
Let’s begin the chat!
Start of chat:
Karel Danihelka [MS] (Expert):
Q: On Windows Mobile you support a two-tier security policy. I haven’t been able to find if this exists on Windows CE and if not is it possible to import the support? MSDN says it’s on Windows Mobile but not CE.
A: It exists in Windows CE 4.x and 5.x. It isn't active on Windows CE 6.0.
Karel Danihelka [MS] (Expert):
Q: It isn't active on Windows CE 6? Does that mean that you can turn it on some how? If so how do you turn on 2 tier support?
A: No, you can't - all user processes are untrusted. All kernel code is trusted.
Sue Loh [MS] (Moderator):
Q: It isn't active on Windows CE 6? Does that mean that you can turn it on some how? If so how do you turn on 2 tier support?
A: I would word my answer differently than Karel’s. Windows CE 6 does not have the equivalent “untrusted” mode previous versions had. There is still a security model, but it boils down to a 1-tier model: either you can’t run at all or you’re “trusted.” The set of things a “trusted” application can do got a bit smaller; there are operations that “trusted” applications used to be able to do on older versions that are now restricted to kernel mode.
Karel Danihelka [MS] (Expert):
Q: Is there somewhere I can find the effects of disabling full-kernel mode to support trusted environment creation on Windows CE (OEMCertifyModuleInit, OEMCertifyModule)? We are worried about adverse side effects. Thanks!
A: I'm not sure what exactly you need to know - generally if you disable full kernel mode (which is good idea in general) - process will not be able access other process address space. If you need to do and your process it trusted it has to call SetPermission (and when it is done revert back to original setting).
BorMing_MS (Expert):
Q: So I think you are saying certificates aren't used to determine a user process (untrusted) or kernal( trusted)? How is this determined by the CreateProcess and credentials passed in?
A: Certificate is used to determine if a process is trusted or not. Disable all-k-mode and enable trust model are actually 2 different thing. You can disable all-k-mode without enable trust model. In which case, all processes are "trusted", but they won't be able to access kernel addresses unless you explictly call "SetKMode". The immediate effect is that some driver might break if they use kernel address directly to access registers.
MikeCal [msft] (Expert):
Q: We have some processes that need to be able to access other processes (our architects determined this) so does turning off all kernel processes? Where can we find out more info on this? Why isn't it done automatically if it's a good idea? Does turning off all kernel processes disable kernel processes in general?
A: We're having a bit of trouble understanding your question. Here's an attempt at and answer, but if I'm not answering what you're asking, please let me know. All KMode makes all processes run in Kernel mode. The main thing that does is allow standard user processes to access physical memory. If you turn off All KMode, user mode apps that currently access physical memory directly will stop working (none of our apps should do this). Things in the kernel than need to be in kernel mode, however, will stay in kmode and keep running.
John Spaith [MS] (Expert):
Q: We developped a program for CE 5 that save a Network Share on our headless device, it doesn`t work anymore on CE 6. The only function we use are CredWrite to save the credentials and WNetAddConnection3 to map the network drive. Who can help me solve this?
A: I'm afraid the developer who owns the WNet* API's is not in yet. I'd recommend taking it to the newsgroup microsoft.public.windowsce.platbuilder. I'm asking the developer to check the group over the next few days to work with you on this. Sorry we don't have a better story now for you.
AmmonL [MSFT] (Expert):
Q: I am unable to find support in CAPI (at least directly) for CRL(certificate revocation lists)in Windows CE. I see functions under CAPI can have CRL flags, but nothing to import a new CRL etc… How are CRLs imported in windows CE/mobile?
A: Have you tried using CertAddCRLContextToStore? I believe that's supported on CE.
Matt Lyons [MSFT] (Expert):
Q: I am unable to find support in CAPI (at least directly) for CRL(certificate revocation lists)in Windows CE. I see functions under CAPI can have CRL flags, but nothing to import a new CRL etc… How are CRLs imported in windows CE/mobile?
A: While CAPI includes APIs for CRLs, Windows Mobile does not support them, nor do we support OCSP at this time. Depending on what you are trying to revoke certificates for, we have different solutions. For example, lookup the LoaderRevocation Configuraiton Service Provider for information on how to revoke certificates used for code signing.
See https://msdn2.microsoft.com/en-us/library/aa922816.aspx for the list of unsupported CAPI 2 APIs in Windows CE.
Matt Lyons [MSFT] (Expert):
Q: Can you share any best practices for Windows CE developers implenting security features, specifically we are trying to determine if our product code should run under least privilege, if it is even available, a CE best practices document would be great.
A: For Windows CE, some of the strongest security measures are those involving certmod (https://msdn2.microsoft.com/en-us/library/aa909421.aspx). Specifically, certmod can allow you to block code from running on your device if it is not properly signed. Depending upon your device purpose, allowing untrusted code to run may be excessively dangerous, even if you run in a less trusted context.Stepping back from there, some best practices start to become more generic around developing software. https://msdn2.microsoft.com/en-us/library/aa935093.aspx has a good list for CE.
https://msdn2.microsoft.com/en-us/library/aa916925.aspx also has some good file system security tips. In general, I'd suggest doing a search for security best practices on MSDN: https://search.live.com/results.aspx?q=site:msdn2.microsoft.com+Windows+CE+security+best+practices&lf=0&rf=0&FORM=MSRE. There is a lot of content out there.
Matt Lyons [MSFT] (Expert):
Q: We have written a OCSP provider for XP using CAPI, We will look at the url you sent to see if it would be possible to port it over for use in CE. Thanks.
A: Ok - I am not familiar enough with all of the CAPI code to say whether your OCSP provider will work, but I have my doubts. While it might officially plug in (i.e., the CAPI APIs might not give you back error codes), certificate revocation through CAPI has not been expected to work by consumers of CAPI. Therefore these consumers of CAPI 2 APIs are unlikely to be properly checking for revocation for their purposes. At this time, revocation is done on a per usage basis (e.g., code signing, SMIME, etc.).
GLanger_MS (Expert):
Q: What smartcard support does CE 6.0 have?
A: USB card reader support was added with Windows Embedded 6.0 R2.
Sing Wee [MS] (Expert):
Q: What smartcard support does CE 6.0 have?
A: As Glen said, 6R2 has USB smartcard support. In particular, we added USB CCID support: https://msdn2.microsoft.com/en-us/library/aa925922.aspx
Sue Loh [MS] (Moderator):
Q: CETK Question: In PB 5.0, when I attempt to connect to CETK, I get the "Platform Manger was unable to start clientside program", but all my other remote tools work fine. Any ideas? (can't run clientside on the device either)
A: Are you connecting over your PB/KITL connection, or over ActiveSync? What CPU? Most of the PlatMan problems I've seen involved PlatMan being confused over the CPU type, thinking it didn't have device-side binaries for that tool.
MikeCal [msft] (Expert):
Q: CETK Question(cont): KITL Release on an IMX31. Clientside gets copied to the device, but can't launch.
A: Are you developing the BSP for the IMX31 or are you getting it from a silicon provider? KITL has BSP dependencies, so your best bet would be to start with the BSP provider and make sure those parts are implemented.
MikeCal [msft] (Expert):
Q: CETK Question(cont_2): BSP and PB Solution were provided and Built on my machine. KITL works just fine, I have used File Viewer, Reg Editor and Process viewer without issue. I can even run my custom apps from Target Control.
A: Sorry, I lost you. Which part doesn't work then?
Sing Wee [MS] (Expert):
Q: CETK Question(cont_3): If there are Sysgen variables needed to use CETK, would you point me to the appropriate documentation so I can verify they are included in the build
A: I have seen something similar to this before. Do you have VMINI in your image?
Sing Wee [MS] (Expert):
Q: CETK Question(cont_3): If there are Sysgen variables needed to use CETK, would you point me to the appropriate documentation so I can verify they are included in the build
A: Please ignore the comment about VMINI. I checked my notes, and the situation was *not* the same.
Sue Loh [MS] (Moderator):
Q: CETK Question(cont_3): If there are Sysgen variables needed to use CETK, would you point me to the appropriate documentation so I can verify they are included in the build
A: CETK runs over the PlatMan connection, which requires:
SYSGEN_WINSOCK=1
SYSGEN_TOOLHELP=1
Those are the sysgen variables required by PlatMan, not CETK specifically. CETK should be able to run with no additional sysgen's beyond that. The fact that you have run other remote tools without problems means it’s probably not a problem with PlatMan or with missing sysgen’s.
Sue Loh [MS] (Moderator):
Q: CETK Question(cont_4): "Tools -> Windows CE Test Kit" isn't working
A: I think we are going to have to take this question offline. I'll private-message you my email address.
BorMing_MS (Expert):
Q: Is it true that CE 6.0 the scheduler being implemented using an algorithm with O(n) complexity?
A: No, CE scheduler is O(1).
BorMing_MS (Expert):
Q: Are CE 4.x and 5.x scheduler also O(1)?
A: yes. CE is hard realtime from CE3.0. The scheduler is O(1) since.
russellk_MSFT (Expert):
Q: why is c/c++ runtime not an independent dll? and part of coredll
A: Historically, it was added to COREDLL to save size (no additional DLL overhead). As of CE6, COREDLL's import library (COREDLL.LIB) no longer exports the CRT API. The API has been instead moved to CORELIBC.LIB. This allows someone (such as Visual Studio) to easily offer an alternative CRT if desired. Also, as of CE6, the floating point runtime library implementation for ARM was moved to FPCRT.DLL to allow substitution. However, the interface to this still exported by CORELIBC.LIB and forwarded to FPCRT.DLL through COREDLL.DLL. Is that complicated enough? :)
Sing Wee [MS] (Expert):
Q: When I run a CETK test or I do not have a device connected to CETK, the "edit command line" option is grayed out or not available. How do I see what commandline is currently running, or the default commandline for a device without connecting to it?
A: You can find this information from your desktop registry. Drill down to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CETT\WinCE 6.00\Test Kits\Windows Embedded CE Test Catalog\Tests
JFurdell [MSFT] (Expert):
Q: I have Mobile windows device center 6 and vista home premium PC. My phone used to sync but now has lost the partnership and vista sees it as an "unidentified device". Is there a way I can manually load the device to get MDC working again?
A: You have to get Vista to recognize the device. This sounds like a driver problem of some kind. If the device shows up in Device Manager, try checking its status there, or removing/re-adding it. You can also try removing/re-adding the related drivers (e.g. USB drivers).
Sue Loh [MS] (Moderator):
Q: The device shows but it will not connect and there are no partnerships available to add . I have uninstalled and reinstalled several times. How do I get vista to allow me to manually add a device in the mobile device center? Is there a way since it is an unidentified device? Which driver do I need to reload?
A: I don't know device center very well but you might try disconnecting it, deleting your partnership inside the device center, and reconnecting.
John Spaith [MS] (Expert):
Q: We develop data acquisition / control applications with Win CE. Can you point me to an article or sample code that demonstrates how one would expose a SOAP web service that interfaces to a managed process on the same box (for remote management puposes)?
A: As I see it there's 2 ways. Easiest would be if you could get the process itself to host the SOAP server, so everything would be managed in the 1st place. I'm a native dev so I don't know if Compact Framework would support that or not. The native way to do this would be to use the SOAP toolkit, which allows native development (available on embedded OS only, not Windows Mobile). Then have the SOAP object you write pass the request to a managed process through some IPC mechanism. I talk about how you could hypothetically do this to implement asp.net from our web server at https://blogs.msdn.com/cenet/archive/2006/08/23/715468.aspx, same concepts. Clearly my native<-> managed is way harder, so even if you had to roll some of your own SOAP logic in managed it may be easier solution.
Sue Loh [MS] (Moderator):
Hello everyone, we are just about out of time.Thank you for joining us today for our Windows Embedded CE 6.0 chat today! A special thank you to the product group members for coming out.
Please check https://msdn2.microsoft.com/en-us/chats/default.aspx for the list of upcoming chats.
If you still have unanswered questions, let me suggest that you post them on one of our newsgroups, such as Microsoft.public.windowsce.platbuilder.
.gif)
Top of page