[Libosinfo] [PATCH 2/3] install-config, winxp, win7: API to enable/disable driver signing
Zeeshan Ali (Khattak)
zeeshanak at gnome.org
Thu Mar 14 02:16:58 UTC 2013
From: "Zeeshan Ali (Khattak)" <zeeshanak at gnome.org>
While I thought that I had solved the problem of Windows requiring
signed device drivers and QXL driver being unsigned, I could't be more
wrong:
* The registry key magic I used for disabling driver signature checks
on XP seems to be far from reliable. I tested it many many times but
on a weird broken version of XP home edition that I can't seem to
have access to anymore. I now tested against both home and professional
editions both with and without this registry key magic and I observed
the same result in both cases: Drivers do get installed but they remain
unused by the OS after installation. The only reliable way of
effectively disabling signture checks during installation is through
the 'DriverSigningPolicy' option in .sif file, which means disabling
signature checks permanently.
* On Windows 7, disabling integrity checks and test signing after
drivers' installation disables the already installed drivers too if
they are not signed.
* The reason I thought QXL was functional at first was that automatic
resolution setting was working. Turns out that unlike on Linux, on
windows automatic resolution setting only requires spice-vdagent where
as QXL is only required for arbitrary resolutions.
So to make QXL working out of the box, I'm afraid we don't have any
choice but to disable driver signature checks permanently. Since
signature checks is a security measure from vendors, we need to leave
it to applications to decide whether they want to do this or not.
---
data/install-scripts/windows-cmd.xml | 19 +++----------------
data/install-scripts/windows-sif.xml | 8 ++++++++
osinfo/libosinfo.syms | 3 +++
osinfo/osinfo_install_config.c | 25 +++++++++++++++++++++++++
osinfo/osinfo_install_config.h | 6 ++++++
5 files changed, 45 insertions(+), 16 deletions(-)
diff --git a/data/install-scripts/windows-cmd.xml b/data/install-scripts/windows-cmd.xml
index e8ffc35..c45c543 100644
--- a/data/install-scripts/windows-cmd.xml
+++ b/data/install-scripts/windows-cmd.xml
@@ -14,6 +14,7 @@
<param name="script-disk" policy="optional"/>
<param name="post-install-drivers-disk" policy="optional"/>
<param name="post-install-drivers-location" policy="optional"/>
+ <param name="driver-signing" policy="optional"/>
</config>
<avatar-format>
<mime-type>image/bmp</mime-type>
@@ -71,27 +72,13 @@ REGEDIT /S <xsl:call-template name="script-disk"/>:\windows.reg
</xsl:if>
<xsl:call-template name="post-install-drivers-disk"/>:
-<xsl:choose>
- <xsl:when test="os/version < 6.0">
-reg add "HKCU\Software\Policies\Microsoft\Windows NT\Driver Signing" /v BehaviorOnFailedVerify /t reg_dword /d 00000000 /f
- </xsl:when>
- <xsl:otherwise>
+<xsl:if test="config/driver-signing = 'false' and os/version > 5.1">
bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS
bcdedit.exe -set TESTSIGNING ON
- </xsl:otherwise>
-</xsl:choose>
+</xsl:if>
for %%i in ("<xsl:call-template name="post-install-drivers-disk"/>:<xsl:value-of select="config/post-install-drivers-location"/>\*.cmd") do cmd /c %%i
-<xsl:choose>
- <xsl:when test="os/version < 6.0">
-reg add "HKCU\Software\Policies\Microsoft\Windows NT\Driver Signing" /v BehaviorOnFailedVerify /t reg_dword /d 00000001 /f
- </xsl:when>
- <xsl:otherwise>
-bcdedit.exe -set loadoptions EENABLE_INTEGRITY_CHECKS
-bcdedit.exe -set TESTSIGNING OFF
- </xsl:otherwise>
-</xsl:choose>
EXIT
</xsl:template>
</xsl:stylesheet>
diff --git a/data/install-scripts/windows-sif.xml b/data/install-scripts/windows-sif.xml
index 630df56..2bccc5d 100644
--- a/data/install-scripts/windows-sif.xml
+++ b/data/install-scripts/windows-sif.xml
@@ -10,6 +10,7 @@
<param name="admin-password" policy="optional"/>
<param name="reg-product-key" policy="required"/>
<param name="user-realname" policy="required"/>
+ <param name="driver-signing" policy="optional"/>
</config>
<template>
<xsl:stylesheet
@@ -30,6 +31,9 @@
OemSkipEula=Yes
OemPreinstall=No
TargetPath=\WINDOWS
+<xsl:if test="config/driver-signing = 'false'">
+ DriverSigningPolicy=Ignore
+</xsl:if>
Repartition=Yes
WaitForReboot=No
UnattendSwitch=Yes
@@ -78,6 +82,7 @@
<param name="user-realname" policy="required"/>
<param name="hostname" policy="required"/>
<param name="script-disk" policy="optional"/>
+ <param name="driver-signing" policy="optional"/>
</config>
<template>
<xsl:stylesheet
@@ -142,6 +147,9 @@
TargetPath=\WINNT
</xsl:otherwise>
</xsl:choose>
+<xsl:if test="config/driver-signing = 'false'">
+ DriverSigningPolicy=Ignore
+</xsl:if>
Repartition=Yes
WaitForReboot="No"
UnattendSwitch="Yes"
diff --git a/osinfo/libosinfo.syms b/osinfo/libosinfo.syms
index df2ba90..0942290 100644
--- a/osinfo/libosinfo.syms
+++ b/osinfo/libosinfo.syms
@@ -403,6 +403,9 @@ LIBOSINFO_0.2.6 {
global:
osinfo_device_driver_get_signed;
osinfo_device_driver_set_signed;
+
+ osinfo_install_config_get_driver_signing;
+ osinfo_install_config_set_driver_signing;
} LIBOSINFO_0.2.3;
/* Symbols in next release...
diff --git a/osinfo/osinfo_install_config.c b/osinfo/osinfo_install_config.c
index 1712be5..f6d2561 100644
--- a/osinfo/osinfo_install_config.c
+++ b/osinfo/osinfo_install_config.c
@@ -641,6 +641,31 @@ const gchar *osinfo_install_config_get_post_install_drivers_location(OsinfoInsta
OSINFO_INSTALL_CONFIG_PROP_POST_INSTALL_DRIVERS_LOCATION);
}
+/**
+ * osinfo_install_config_set_driver_signing:
+ * @config: the install config
+ * @signing: boolean value
+ *
+ * If a script requires drivers to be signed, this function can be used to
+ * disable that security feature. WARNING: Disable driver signing may very well
+ * mean disabling it permanently.
+ */
+void osinfo_install_config_set_driver_signing(OsinfoInstallConfig *config,
+ gboolean signing)
+{
+ osinfo_entity_set_param_boolean(OSINFO_ENTITY(config),
+ OSINFO_INSTALL_CONFIG_PROP_DRIVER_SIGNING,
+ signing);
+}
+
+gboolean osinfo_install_config_get_driver_signing(OsinfoInstallConfig *config)
+{
+ return osinfo_entity_get_param_value_boolean_with_default
+ (OSINFO_ENTITY(config),
+ OSINFO_INSTALL_CONFIG_PROP_DRIVER_SIGNING,
+ TRUE);
+}
+
/*
* Local variables:
* indent-tabs-mode: nil
diff --git a/osinfo/osinfo_install_config.h b/osinfo/osinfo_install_config.h
index d650a0a..b3cfa7e 100644
--- a/osinfo/osinfo_install_config.h
+++ b/osinfo/osinfo_install_config.h
@@ -67,6 +67,8 @@
#define OSINFO_INSTALL_CONFIG_PROP_POST_INSTALL_DRIVERS_DISK "post-install-drivers-disk"
#define OSINFO_INSTALL_CONFIG_PROP_POST_INSTALL_DRIVERS_LOCATION "post-install-drivers-location"
+#define OSINFO_INSTALL_CONFIG_PROP_DRIVER_SIGNING "driver-signing"
+
typedef struct _OsinfoInstallConfig OsinfoInstallConfig;
typedef struct _OsinfoInstallConfigClass OsinfoInstallConfigClass;
typedef struct _OsinfoInstallConfigPrivate OsinfoInstallConfigPrivate;
@@ -193,6 +195,10 @@ void osinfo_install_config_set_post_install_drivers_location(OsinfoInstallConfig
const gchar *location);
const gchar *osinfo_install_config_get_post_install_drivers_location(OsinfoInstallConfig *config);
+void osinfo_install_config_set_driver_signing(OsinfoInstallConfig *config,
+ gboolean signing);
+gboolean osinfo_install_config_get_driver_signing(OsinfoInstallConfig *config);
+
#endif /* __OSINFO_INSTALL_CONFIG_H__ */
/*
* Local variables:
--
1.8.1.4
More information about the Libosinfo
mailing list