Joseph L. Casale wrote:
The cleanest approach is to sign the stuff and set Windows to testsigning
mode, then add a second boot entry and all is fine.
florian
Florian,
What's the procedure to sign these? I have the signtool and a test cert created
in a new store, but how do you sign them after install?
Thanks,
jlc
You have to sign the driver files (before installing them).
I'll have to look for a mail I sent James; found it and copied the
significant part under the line. ;)
Florian
--------------------------------------------
Here they are:
It is quite easy: you have to set up a sw signing cert in your store
(cert + priv key), and maybe also the root cert of the CA that issued the cert.
Then you have to deliver this cert with the drivers in order to get the
servers to trust the CA, or tell us where the CA publishes its certificate.
Then just do the following (this is when PWD is winlh).
inline cert the drivers (boot test sign):
signtool sign /v /n Florian /t http://timestamp.verisign.com/scripts/timestamp.dll i386\xenhide.sys i386\xennet.sys i386\xenpci.sys i386\xenvbd.sys amd64\xenhide.sys amd64\xennet.sys amd64\xenpci.sys amd64\xenvbd.sys
Florian is the first name of the name used in my University cert, so
replace it with something that references your certified name (used to
locate the key-ring to use). Also have a look at the files; maybe you
have to add/remove some files to/from the list.
generating catalog:
inf2cat /drv:. /os:Vista_X86,Server2008_X86,Vista_X64,Server2008_X64
(name follows the entry in the *.inf)
signing catalog:
signtool sign /v /n Florian /t http://timestamp.verisign.com/scripts/timestamp.dll xengplpv.cat
So now put the CA (if it is not trusted already) in your and the machines'
trusted CA store using mmc with the cert snap-in; maybe you have to do this
before signing.
bcdedit:
allow testsigned drivers (for boot):
bcdedit /set testsigning 1
copy boot entry in order to enable gplpv:
bcdedit /copy {default} /d GPLPV
enable gplpv bootoption on this entry:
bcdedit /set {f7cbfade-2567-11dd-8eae-00163e000003} loadoptions GPLPV
the id can be determined using:
bcdedit (when the other entry is active)
or always using bcdedit /v (shows all ids; just look at the description
field to determine which entry is the correct one)
florian
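
The checks and boot-entry steps from the mail above as one PowerShell script. This is an added example, not part of the original message. It assumes an elevated prompt in the driver directory (winlh) and the file names listed in the mail; it takes the new entry's id from the output of bcdedit /copy instead of reading it off bcdedit /v.

```powershell
# Added example (not from the original mail). Run elevated, with PWD = winlh.
# Assumption: the driver and catalog names are the ones listed in the mail.
$ErrorActionPreference = 'Stop'

$files = 'xenhide.sys', 'xennet.sys', 'xenpci.sys', 'xenvbd.sys' |
    ForEach-Object { "i386\$_"; "amd64\$_" }
$files += 'xengplpv.cat'

# 1. Stop before touching the boot configuration unless every file carries a
#    signature whose chain ends in a root this machine trusts. A status other
#    than Valid usually means the CA is not in the trusted store yet.
foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f
    if ($sig.Status -ne 'Valid') {
        throw "$f : signature status $($sig.Status) - $($sig.StatusMessage)"
    }
    '{0,-20} signed by {1}' -f $f, $sig.SignerCertificate.Subject
}

# 2. Allow test-signed drivers at boot (same command as in the mail).
bcdedit /set testsigning 1
if ($LASTEXITCODE -ne 0) { throw 'bcdedit /set testsigning failed' }

# 3. Copy the default entry. In PowerShell the braces must be quoted,
#    otherwise {default} is parsed as a script block.
$out = (bcdedit /copy '{default}' /d GPLPV) -join "`n"
$m = [regex]::Match($out, '\{[0-9a-fA-F-]{36}\}')
if ($LASTEXITCODE -ne 0 -or -not $m.Success) {
    throw "bcdedit /copy failed: $out"
}
$id = $m.Value

# 4. Enable the GPLPV load option on the copied entry only, then print the
#    entry so the result can be reviewed before rebooting.
bcdedit /set $id loadoptions GPLPV
if ($LASTEXITCODE -ne 0) { throw "bcdedit /set $id loadoptions failed" }
bcdedit /enum $id
```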
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users