On 9/7/20 11:28 PM, Zebediah Figura wrote:
On 9/7/20 11:13 PM, Zebediah Figura wrote:
This is a set of four patches I wrote in the process of trying to make it possible for our tests to install and run PnP drivers. Some context on that follows:
Normally 64-bit Windows prevents unsigned drivers from being installed. This requirement can be overridden temporarily in boot options, but supposedly not for PnP drivers (though I haven't tested this).
It requires a lot of code, but it is actually possible to generate a catalog file, sign it with a self-signed certificate, add that certificate to the trusted publisher and root stores, and thereby install a test driver without prompting any dialog boxes. The basic process is described in more detail by Microsoft here:
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/introducti...
It's harder for us, of course, because we don't really have access to those tools; instead we have to reverse-engineer them and replicate them in C code. Fortunately I already have a working test that is able to at least call SetupCopyOEMInf() successfully; hopefully actual driver code won't present any additional difficulty...
One of the caveats I forgot to mention is that the target machine still (apparently?) has to be configured to allow test-signing. Fortunately, that configuration is relatively easy to do, can be done from the command line, and persists across reboots. Specifically, one must run "bcdedit -set testsigning on".
Predictably, I spoke too soon, but eventually I have managed to successfully programmatically test-sign drivers and run them on 64-bit Windows 7. I've attached basic patches, some of which still need some work before being ready for upstreaming, but which should be sufficient to demonstrate and test the process.
So right now, all we need in order to run these tests on the testbot is for (all) of the machines to be configured to turn on test-signing. This can be done in a terminal by running `bcdedit /set testsigning on`. François, does this seem like something that can be reasonably done?
Just to clarify, some of the motivations for this:
* It's actually possible to disable signature checking altogether. (I believe this does also apply to PnP drivers, despite the documentation.) The option doesn't persist across boots, however. That's not necessarily a problem for the testbot, as long as we just use snapshots from a boot with signature checking disabled, but it's a bit of an annoyance when testing locally, especially when crashing the kernel is easy. Still, maybe this option is preferable.
* This allows us to actually test ntoskrnl functions on current Windows, including functions only recently introduced. This is especially desirable as, having removed the XP test VM, we now only have one or two machines actually running the ntoskrnl tests. It also allows us to add tests for the PnP infrastructure, which is more than a little complex and I think deserves the tests. Included in this is wdfldr, which is both a newer feature and one that interacts heavily with PnP. I have an incomplete implementation in my local tree, but the API is quite large, and although we have access to a permissively-licensed source, it would be rather nice to have proper tests for it.
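
The machine state this message relies on (test-signing turned on, plus a self-signed certificate present in both the root and trusted publisher stores) can be audited on a VM after the fact. The PowerShell below is an added example, not part of the original message or of the attached patches; the function names are hypothetical, and it assumes an elevated prompt and English-language `bcdedit` output.

```powershell
# Added example: audit a Windows machine for the test-signing setup described above.
# Assumptions: elevated PowerShell prompt, English-language bcdedit output.

function Test-TestSigningEnabled {
    # When the option is on, bcdedit lists a line such as "testsigning   Yes"
    # for the current boot entry. Braces are quoted so PowerShell does not
    # parse {current} as a script block.
    $bcd = & bcdedit.exe /enum '{current}' 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit failed (is the prompt elevated?): $bcd"
    }
    return [bool]($bcd | Select-String -Pattern '^\s*testsigning\s+Yes\s*$' -Quiet)
}

function Get-SelfSignedTrustedPublisher {
    # Index the thumbprints of every certificate trusted as a root on this machine.
    $roots = @{}
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        ForEach-Object { $roots[$_.Thumbprint] = $true }

    # Heuristic: Subject equal to Issuer marks a self-signed certificate.
    # One that appears in both stores is what a self-signed driver-signing
    # setup leaves behind, so it is worth reviewing on any shared image.
    Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $_.Subject -eq $_.Issuer -and $roots.ContainsKey($_.Thumbprint) } |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter
}

$testSigning = Test-TestSigningEnabled
$certs = @(Get-SelfSignedTrustedPublisher)

"testsigning enabled: $testSigning"
"self-signed certificates in both Root and TrustedPublisher: $($certs.Count)"
$certs | Format-Table -AutoSize
```

Running this against a VM snapshot before and after a test run shows whether the tests left a certificate behind in the machine stores.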