The WHQL Test Signature program is also supported for test signing. Program participants can submit driver packages for WHQL test signatures. The signature on the test-signed catalog files are generated by a certificate issued under the Microsoft Test Root Authority. In Windows Vista, the Microsoft Test Root Authority is accepted when the Windows Vista boot configuration setting enables test signing.
Test-signed kernel-mode binaries will not load on Windows Vista systems by default. The digital signatures on test-signed binaries are not valid on Windows Vista systems by default because the kernel-mode code-signing policy does not accept and does not trust test-signing certificates.
Use the BCDEdit command-line tool to enable test signing. To use BCDEdit, the user must be a member of the Administrator group on the system and run the command from an elevated command prompt. An elevated command prompt can be launched by creating a desktop shortcut to cmd.exe, right-clicking the shortcut, and then clicking Run as administrator.
The following shows an example of running BDCEdit at the command prompt:
// Accept test signed kernel mode signatures
Bcdedit.exe –set TESTSIGNING ON
// Do not accept test signed kernel mode signatures
Bcdedit.exe –set TESTSIGNING OFF
The TESTSIGNING boot configuration option determines whether Windows Vista accepts test-signed kernel-mode binaries. The option is not defined by default, which means that digital signatures on test-signed kernel-mode drivers will not verify and will not load. When Windows Vista accepts test-signed kernel-mode binaries, some premium content that is protected may not be accessible on the system.
Troubleshooting
You can take specific steps to identify and troubleshoot potential problems related to verifying kernel-mode code signatures. This section provides information on troubleshooting problems with driver-signing enforcement. The main tools for troubleshooting driver-signing problems are:
Detecting driver load errors.
Enabling Code Integrity diagnostic system log events.
The Toaster sample in the WDK is used as an example. It can be found in the WDK under the src\general\toaster directory.
The Toaster sample installs a device driver (toaster.sys) that, for this example, is not signed. The symptom of a problem with the unsigned driver is that the Toaster device fails to start. By using Device Manager, you can check the status of the Toaster device and view the driver status, as shown in Figure 3.
The device failed to start because the device driver was not signed and kernel-mode signing enforcement blocked the driver from loading into the kernel. To definitively identify the source of the problem, we set up the system to enable signing enforcement diagnostics as described in the following section.
Figure 3. Unsigned driver error
|
