I have read a lot of discussion online about how driver signing works, and the answer seems almost unequivocal: you cannot load unsigned or self-signed drivers without enabling test mode. However, in the answer I linked, one comment in particular, by Roger Lipscombe, seems to put forward a contradicting view:
If you want to use this for signing drivers, you need to import the CA certificate into the machine store. My example imports it into the user store, which is fine for most software, for test/internal purposes.
To me this means that as long as I import the CA certificate into the machine store, I can install a driver carrying a self-signed certificate (issued by a self-signed CA). I would not have to make any other changes to the system (disabling test mode by pressing F8 on the boot menu, messing with boot configuration flags such as TESTSIGNING or NOINTEGRITYCHECKS).
Am I right? If so, what obstacle, if any, has kept this approach from being widely used when people need to load drivers that do not come with a proper digital signature (old printer drivers and the like)? Instead, people rely on enabling test mode or on third-party software (DSEO) that tampers with your system files in order to run such drivers.
What are the downsides of this approach? The process described in the SO question above requires administrator rights, but installing drivers requires them too. Trusting a self-signed CA may be a security risk – but isn't disabling all signature checks an even bigger security risk?
Drivers must be cross-signed. Creating your own CA and adding it to the machine store will not be enough, because the newly created CA will not be trusted by the Windows trust chain.
Driver Signing Requirements for Windows
In Windows Vista and Windows Server 2008, new features take advantage of code-signing technologies, and new requirements for security in the operating system enforce the use of digital signatures for some kinds of code.
Components must be signed by a certificate that Windows “trusts” as described in the white papers on this site.
One of the white papers mentioned is Digital Signatures for Kernel Modules on Windows, which describes the loading process and explains why self-signing is not sufficient:
When a driver is loaded into kernel memory, Windows Vista verifies the digital signature of the driver image file. Depending on the type of driver, this can be either the signed hash value in the catalog file or an embedded signature in the image file itself. The cross-certificates that are used when signing the kernel driver package are used for the load-time signature verification; each certificate in the path is checked up to a trusted root in the kernel. The load-time signature check does not have access to the Trusted Root Certificate Authorities certificate store. Instead, it must depend on the root authorities that are built into the Windows Vista kernel.
As mentioned earlier, this is also outlined on the Requirements for Device Driver Signing and Staging page:
The 64-bit versions of Windows 7 and Windows Server 2008 R2 have special signature requirements for kernel mode device drivers. If you use a 64-bit version of Windows, then you cannot create your own certificate for signing. Instead, you must use a Software Publishing Certificate that chains to an approved certification authority (CA).
Valid CAs for signing kernel-mode drivers can be found on the following page:
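The answer's key point is that the kernel's load-time check ignores the machine's Trusted Root store, so a driver can look "Valid" to user-mode tooling and still be rejected at load. The following PowerShell script is an added example, not part of the original thread or of any Microsoft documentation: it shows the user-mode view (Get-AuthenticodeSignature plus the X509 chain it resolves to) side by side with signtool's kernel-mode policy verification (`signtool verify /kp`), which is the check that actually reflects the rules quoted above. The driver path is a placeholder you supply.

```powershell
# Added example (not from the original thread): compare the user-mode Authenticode view
# of a driver's signature with signtool's kernel-mode signing policy check.
# $DriverPath is a placeholder; point it at the .sys file you want to inspect.
param(
    [Parameter(Mandatory = $true)]
    [string]$DriverPath
)

# 1. User-mode view. This consults the LocalMachine/CurrentUser Trusted Root stores,
#    so a self-signed CA you imported into the machine store makes this report "Valid".
$sig = Get-AuthenticodeSignature -FilePath $DriverPath
"Authenticode status : $($sig.Status)"
"Status message      : $($sig.StatusMessage)"

if ($sig.SignerCertificate) {
    "Signer              : $($sig.SignerCertificate.Subject)"

    # 2. Resolve the signer's chain so the anchoring root is visible.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($sig.SignerCertificate)

    "Certificate chain (leaf first):"
    $i = 0
    foreach ($element in $chain.ChainElements) {
        "  [{0}] {1}" -f $i, $element.Certificate.Subject
        $i++
    }
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Root thumbprint     : $($root.Thumbprint)"
    # If this root is only trusted because it was imported into the machine store,
    # step 3 below is expected to fail even though steps 1 and 2 look fine.
} else {
    "No Authenticode signature found on $DriverPath"
}

# 3. Kernel-mode policy view. signtool's /kp switch verifies against the kernel driver
#    signing policy (cross-signed chain to a root the kernel knows), which mirrors the
#    load-time behaviour described in the answer above. Requires the Windows SDK/WDK.
$signtool = Get-Command signtool.exe -ErrorAction SilentlyContinue
if ($signtool) {
    & $signtool.Source verify /kp /v $DriverPath
    "signtool /kp exit   : $LASTEXITCODE  (0 = passes kernel-mode signing policy)"
} else {
    "signtool.exe not on PATH; install the Windows SDK or WDK to run the /kp check."
}
```

Run it as `.\Check-DriverSignature.ps1 -DriverPath C:\path\to\driver.sys` (file name and path are placeholders). The useful outcome is the disagreement between the two checks: when step 1 reports Valid but step 3 returns a non-zero exit code, you are looking at exactly the situation the answer describes, a chain that user-mode trust accepts but that the kernel's built-in roots do not.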