LINBIT / windrbd

DRBD driver for Windows
GNU General Public License v2.0

Driver signature not valid when SecureBoot is enabled #14

Closed digi24 closed 2 years ago

digi24 commented 3 years ago

Hello,

I had the problem that multiple of the signed driver packages installed, but then showed up with an invalid signature in the device manager. The strange thing was that in the details, the signing certificate and the upstream certificates showed up as valid. This was very frustrating, because Windows did not give the reason for the invalid signature.

I then looked into the cause of this (I have no experience with this, so do not rely on me):

  1. Download Signtool from Windows SDK
  2. Signtool /verify /pa is ok (Default Authentication Verification Policy)
  3. but without the /pa (Windows driver policy for verification) it reports the root certificate is invalid.

Turning off Secure Boot resolves the issue: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/kernel-mode-code-signing-policy--windows-vista-and-later-

Maybe somebody could verify this and add a note to the signed downloads or use a Microsoft certificate when the current certificate expires.
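As an added example (not code from this issue or from the WinDRBD project), a PowerShell function that runs the two signtool checks from steps 2 and 3 side by side and records the Secure Boot state, so the "valid under /pa, invalid under the driver policy" mismatch is visible in one place. The signtool location and the driver path are assumptions.

```powershell
# Added example, not WinDRBD project code: compare signtool's two verification
# policies for a driver file and report whether Secure Boot is on.
# Assumption: signtool.exe from the Windows SDK is on PATH or passed explicitly.
function Test-DriverSignaturePolicies {
    param(
        [Parameter(Mandatory)] [string] $DriverPath,   # e.g. C:\Windows\System32\drivers\windrbd.sys
        [string] $SignToolPath = 'signtool.exe'        # assumption: resolvable via PATH
    )

    if (-not (Test-Path -LiteralPath $DriverPath)) {
        throw "Driver file not found: $DriverPath"
    }

    # Secure Boot state; Confirm-SecureBootUEFI throws on legacy BIOS or
    # unsupported platforms, so treat that as "unsupported" rather than failing.
    $secureBoot = $null
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = 'unsupported (BIOS/legacy?)' }

    # Policy 1: /pa = Default Authentication Verification Policy (step 2 above).
    & $SignToolPath verify /pa /v $DriverPath | Out-Null
    $paResult = $LASTEXITCODE

    # Policy 2: no /pa = Windows Driver Verification Policy (step 3 above),
    # the chain the kernel-mode code-signing policy cares about.
    & $SignToolPath verify /v $DriverPath | Out-Null
    $driverResult = $LASTEXITCODE

    # signtool exit codes: 0 = success, 1 = failure, 2 = warnings; anything
    # non-zero is reported here as "not OK" so warnings are not silently ignored.
    [pscustomobject]@{
        Driver                = $DriverPath
        SecureBootEnabled     = $secureBoot
        AuthenticodePolicyOk  = ($paResult -eq 0)
        DriverPolicyOk        = ($driverResult -eq 0)
        # The symptom described in this issue: valid under /pa, invalid under
        # the driver policy, on a machine with Secure Boot enabled.
        LikelySecureBootBlock = ($paResult -eq 0 -and $driverResult -ne 0 -and $secureBoot -eq $true)
    }
}

# Usage (path is a placeholder):
Test-DriverSignaturePolicies -DriverPath 'C:\path\to\windrbd.sys' | Format-List
```

If `LikelySecureBootBlock` is true, the device manager's "valid" certificate details and the "invalid signature" status are no longer contradictory: the driver policy, not the general Authenticode policy, is what rejected the chain.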

johannesthoma commented 3 years ago

Hi digi24.

Thanks for your bug report. I am currently failing to enable SecureBoot on my PC, so I cannot reproduce the issue for now. However, is SecureBoot a requirement for your application? I am not sure if we can support it in the next months ... as far as I know it would require Microsoft reviewing the driver.

Do you know how to enable SecureBoot on a PC? One has to install keys but how do I do that?

Thanks again,

digi24 commented 3 years ago

Hello Johannes,

Secure Boot should just be an option in your UEFI settings and not applicable if you use BIOS. With Windows, that should be about it, no need for installing keys. It is the default setting on Microsoft Surface devices or some business-use marketed laptops.

As far as my usage is concerned, I am just a user. I think things like Secure Boot and TPM are useful and try to reap the fruits. So, no, it is not a requirement, just a nice-to-have thing. The reason I opened this ticket was the frustration when trying to evaluate WinDRBD multiple times in the past and not receiving a useful error message. (But as I said, I am not an expert on Windows, so maybe I am wrong.) I had an excellent experience with DRBD in the past, saving a traffic-intensive project through about five disk failures, and I did not expect to see unexplainable errors like this.

johannesthoma commented 3 years ago

Good to know that WinDRBD will not load with SecureBoot on; it seems that no one else has done this before. I will keep on trying and talk to Phillip Reisner; maybe we can find a solution to support SecureBoot with WinDRBD. I will keep you updated.

Thanks for evaluating WinDRBD. If you have further questions, please let me know; I am here to help.

Best regards,

johannesthoma commented 3 years ago

Hi, we are starting to run tests with the Hardware Lab Kit in order to get our key cross-signed by Microsoft. We are just starting, so this can take several weeks / months to complete. It would be helpful if you can tell us which Windows version you are using (we currently test only with Windows Server 2019). Thanks a lot,

johannesthoma commented 2 years ago

Hi, please let us know if windrbd.sys 1.1.0-rc1 (or any later version) loads with SecureBoot enabled, and close this issue if yes. You can download an installer from the Linbit homepage.

Thanks a lot,

digi24 commented 2 years ago

Hello Johannes,
Thank you very much. I am currently not able to test the actual functionality, but the signature problem seems to be solved. I could successfully install the driver on Windows 11 Pro with SecureBoot enabled.

johannesthoma commented 2 years ago

Hi @digi24, thank you for confirming this. Could you maybe post the result of drbdadm --version?

digi24 commented 2 years ago

DRBDADM_BUILDTAG=GIT-hash:\ 329d1bbac430fff9188acd4d9998e96ff7158151scripts/unsnapshot-resync-target-lvm.sh\ user/windrbd/windrbd.c\ build\ by\ johannes@linbit-wdrbd-2020\,\ 2022-05-04\ 17:25:58
DRBDADM_API_VERSION=2
DRBD_KERNEL_VERSION_CODE=0x090020
DRBD_KERNEL_VERSION=9.0.32
DRBDADM_VERSION_CODE=0x091500
DRBDADM_VERSION=9.21.0
WINDRBD_VERSION=windrbd-1.1.0-rc1

(I will test it within the next 2-3 weeks)

johannesthoma commented 2 years ago

Thank you. If you could do more tests, that would be awesome, but the SecureBoot issue seems to be fixed now.