This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] Disabling driver signature enforcement for Windows DomU

To: Xen User-List <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [Xen-users] Disabling driver signature enforcement for Windows DomUs
From: "Fajar A. Nugraha" <fajar@xxxxxxxxx>
Date: Thu, 7 May 2009 09:57:30 +0700
Delivery-date: Wed, 06 May 2009 19:58:54 -0700
On Thu, May 7, 2009 at 12:37 AM, Adam Wead <awead@xxxxxxxxxxx> wrote:
>  Here's a breakdown of what I did:
> - started with clean install of Windows Server 2008 Enterprise (64-bit)
> - installed latest GplPV drivers, verified everything was working with the
> driver enforcement enabled at each boot

Which version did you use?
I tried, then upgrading to (which SHOULD be safe),
but ended up destroying my Windows installation :P
Good thing it was a test instance. That's part of the reason why most
of my Windows deployments still use 0.9.12-pre13 (at least until I can
test a safe way to upgrade them).

> - as per DSEO instructions, disabled all User Account Controls via windows
> secpol.msc snap-in
> - installed DSEO and enabled test mode
> - reboot
> - GplPV drivers came up disabled, so I reinstalled the GplPV drivers, then

That's the weird part. GPLPV should already be signed with James
Harper's certificate (and looking at file properties tells me that).
But as it is, on my last test xen-vbd works but xen-net does not.

> ran DSEO and test signed each xen file under C:\Windows\system32\drivers
> which was about 4 files total

I wonder what they use for testsign. AFAIK Windows 2008 SDK's file
(which is the "official" way to do testsigning) can't be partially
redistributed. Did they use openssl?

> - reboot
> - OS booted up without prompting for driver enforcement override
> - re-enabled the User Account Controls, and rebooted to verify that
> everything was still working
> I'd be curious to know if this works or not for anyone else.  For now, I'm
> moving on to do more tests on my windows DomU, and hoping that I can put the
> driver enforcement issue behind me.

Thanks for the info.


