feat: sign driver binary and validate signatures of binary and cat

microsoft · Feb 1, 2024 · a15c1e2 · a15c1e2
1 parent c5302a4
commit a15c1e2
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -191,6 +191,16 @@ To display help and see the full list of supported CLI args to forward to Cargo:
 
 `cargo make help`
 
+### Driver Package Signature Verification
+
+The `WDK_BUILD_ENABLE_SIGNTOOL_VERIFY` [cargo-make environment variable](https://github.com/sagiegurari/cargo-make?tab=readme-ov-file#environment-variables) can be set to `true` to enable tasks that handle signature verification of the generated `.sys` and `.cat` files. `signtool verify` requires the certificate to be installed as in the `Trusted Root Certification Authorities` for this verification to function. These tasks are not enabled by default as the default behavior of `WDR` is to sign with a generated test certificate. These test certificates are typically only installed into `Trusted Root Certification Authorities` on computers dedicated to testing drivers, and not personal development machines, given the security implications of installing your own root certificates.
+
+If you understand these implications, and have installed the test certificate, then you may validate the signatures as follows:
+
+```
+cargo make --env WDK_BUILD_ENABLE_SIGNTOOL_VERIFY=true
+```
+
 ## Crates.io Release Policy
 
 Releases to crates.io are not made after every change merged to main. Releases will only be made when requested by the community, or when the `windows-drivers-rs` team believes there is sufficient value in pushing a release.

diff --git a/crates/sample-kmdf-driver/README.md b/crates/sample-kmdf-driver/README.md
@@ -21,7 +21,7 @@
 2. Install the Certificate on the DUT:
    1. Double click the certificate
    2. Click Install Certificate
-   3. Select a Store Location __(Either Store Location is Fine)__ -> Next
+   3. Store Location: Local Machine -> Next
    4. Place all certificates in the following Store -> Browse -> Trusted Root Certification Authorities -> Ok -> Next
    5. Repeat 2-4 for Store -> Browse -> Trusted Publishers -> Ok -> Next
    6. Finish

diff --git a/rust-driver-makefile.toml b/rust-driver-makefile.toml
@@ -339,24 +339,54 @@ wdk_build::cargo_make::copy_to_driver_package_folder(
 );
 '''
 
-[tasks.signtool]
+[tasks.signtool-sign]
 private = true
-dependencies = ["inf2cat", "generate-certificate"]
+dependencies = ["generate-certificate"]
 command = "signtool"
 args = [
   "sign",
   "/v",
   "/s",
-  "WDRTestCertStore",                                                                                  # TODO: this should be a parameter
+  "WDRTestCertStore",                      # TODO: this should be a parameter
   "/n",
-  "WDRLocalTestCert",                                                                                  # TODO: this should be a parameter
+  "WDRLocalTestCert",                      # TODO: this should be a parameter
   "/t",
   "http://timestamp.digicert.com",
   "/fd",
   "SHA256",
-  "${WDK_BUILD_OUTPUT_DIRECTORY}/${CARGO_MAKE_CRATE_FS_NAME}_package/${CARGO_MAKE_CRATE_FS_NAME}.cat",
+  "${WDK_BUILD_SIGNTOOL_SIGN_INPUT_FILE}",
 ]
 
+[tasks.sign-sys]
+private = true
+dependencies = ["copy-sys-to-package"]
+env = { "WDK_BUILD_SIGNTOOL_SIGN_INPUT_FILE" = "${WDK_BUILD_OUTPUT_DIRECTORY}/${CARGO_MAKE_CRATE_FS_NAME}_package/${CARGO_MAKE_CRATE_FS_NAME}.sys" }
+run_task = "signtool-sign"
+
+[tasks.sign-cat]
+private = true
+dependencies = ["inf2cat", "sign-sys"]
+env = { "WDK_BUILD_SIGNTOOL_SIGN_INPUT_FILE" = "${WDK_BUILD_OUTPUT_DIRECTORY}/${CARGO_MAKE_CRATE_FS_NAME}_package/${CARGO_MAKE_CRATE_FS_NAME}.cat" }
+run_task = "signtool-sign"
+
+[tasks.signtool-verify]
+private = true
+condition = { env_true = ["WDK_BUILD_ENABLE_SIGNTOOL_VERIFY"] }
+command = "signtool"
+args = ["verify", "/v", "/pa", "${WDK_BUILD_SIGNTOOL_VERIFY_INPUT_FILE}"]
+
+[tasks.verify-signature-sys]
+private = true
+dependencies = ["sign-sys"]
+env = { "WDK_BUILD_SIGNTOOL_VERIFY_INPUT_FILE" = "${WDK_BUILD_OUTPUT_DIRECTORY}/${CARGO_MAKE_CRATE_FS_NAME}_package/${CARGO_MAKE_CRATE_FS_NAME}.sys" }
+run_task = "signtool-verify"
+
+[tasks.verify-signature-cat]
+private = true
+dependencies = ["sign-cat"]
+env = { "WDK_BUILD_SIGNTOOL_VERIFY_INPUT_FILE" = "${WDK_BUILD_OUTPUT_DIRECTORY}/${CARGO_MAKE_CRATE_FS_NAME}_package/${CARGO_MAKE_CRATE_FS_NAME}.cat" }
+run_task = "signtool-verify"
+
 [tasks.package-driver]
 private = true
 dependencies = [
@@ -365,7 +395,10 @@ dependencies = [
   "copy-inf-to-package",
   "copy-map-to-package",
   "copy-certificate-to-package",
-  "signtool",
+  "sign-sys",
+  "verify-signature-sys",
+  "sign-cat",
+  "verify-signature-cat",
   "infverif",
 ]