The 64-bit version of Windows Vista requires all kernel mode drivers or services to pass a validation.  In this follow-up of building USB driver in the Micro Framework, I’ll briefly outline the necessary steps to sign a driver that meets the requirement. These steps are intended for users working in a development environment.  If you are planning to distribute drivers to third-parties, you should submit the driver for a WHQL signature or use a software publisher certificate. For more information about the bigger picture, review the kernel-mode signing guide on the WHQL website.

Let’s get on with the technical process.  I’ve assumed you have a 64-bit Micro Framework USB driver built.  If not, you’ll need to use the WDK and the WDK setup script, SETENV.BAT, to build the porting kit sample driver for an x64 (64-bit) Vista operating system. See the prior
blog for detailed steps.

1.       Open a command prompt with administrative privileges.

2.       Run the command to enable test signed kernel mode drivers.
 BCDEDIT /SET TESTSIGNING ON

3.       Confirm the setting is correct by listing the Windows Boot Loader settings.
 BCDEDIT /ENUM

4.       Reboot to enable the new boot loader setting.
SHUTDOWN –t 60 –r
Notice the desktop background displays a new water mark after the reboot.

5.       Open a command prompt and run the WDK SETENV.BAT command.
C:\apps\WDK\bin\SETENV.BAT C:\apps\WDK fre x64

6.       Change directory to the porting kit root.

7.       Set up the certificates folder.
MD Certificates
CD Certificates

8.       Generate a self-signed certificate and private key.
Makecert –r –pe –ss MFCertificateStore –n “CN=MicroFrameworkOEM” OEMCertificate.cer

9.       Open a MMC console and snap-in certificates for the current user. You will see the MFCertificateStore containing a private key and certificate. The certificate containing the public key is in a file called OEMCertificate.cer.

10.   Add the certificate to the trusted publisher store.
Using the MMC certificate snap-in, right-click on the Trusted Publisher folder. Select import. Browse to the PK\Certificates\OEMCertificate.cer file.

11.   Next, create a CAT file. First change directories to the Drivers\Vista64 folder. This folder contains the 64-bit USB driver under amd64 and the INF file.
CD  BUILDOUTPUT\DRIVERS\VISTA64

12.   Edit the INF file so that the version is 6.0.0.1 (or later as it matches the OS) and the driver date string is current.

 

13.   Create a CAT file. The parameter to the “/driver” option must be the full path. Confirm the INF2CAT status output displays success with no warnings or errors.
INF2CAT /driver:C:\PK\Buildoutput\Drivers\Vista64\ /OS:Vista_x64

14.   Sign the CAT file. The tool will use the the private key stored safely in the workstation certificate store.
SIGNTOOL sign /v /s MFCertificateStore /n MicroframeworkOEM /t
http://timestamp.verisign.com/scripts.timestamp.dll MFUSB_PortingKitSample.cat

15.   Verify the digital signature.
SIGNTOOL verify /kp /c MFUSB_PortingKitSample.cat amd64\MFUSB_PortingKitSample.sys

16.   Plug in the Micro Framework device and install the newly signed driver. You’ll notice a pop-up that asks for permission to install the driver.

The steps above provide a process for signing 64-bit drivers that I use for Vista 64-bit testing. It is good to know the steps.  But combined with the prior blog describing USB driver building, the labor to perform all these steps is too time-consuming. We’ll follow-up at a later time how to automate most if not all steps using the POWERSHELL toolset.

Jeff Simon
.Net Micro Framework
SDET - Porting Kit