virtio-win / virtio-win-pkg-scripts

Scripts for packaging virtio-win drivers
GNU General Public License v2.0

virtio-win-0.1.217 - issue NetKVM Windows 2k12R2 driver #65

Open kurgans0 opened 2 years ago

kurgans0 commented 2 years ago

Environment

Issue: Impossible to install driver on this path .\NetKVM\2k12R2\amd64\

Windows message: Windows found driver software for your device but encountered an error while attempting install it. Red Hat VirtIO Ethernet Adapter A problem was encountered while attempting to add the driver to the store.

Workaround: It's working with the driver 2008 R2 (.\NetKVM\2k8R2\amd64)

Source driver: virtio-win-0.1.217.iso

BentHaase commented 2 years ago

Likely related to #33 and #59 - seems to be issues with the latest "stable" iso and broken driver signature for older OS drivers.

jgottula commented 2 years ago

It also appears that some drivers (irrespective of OS, I believe) are just self-signed in 0.1.217-1, compared to 0.1.215-2, for absolutely no reason whatsoever. virtio-win/kvm-guest-drivers-windows#769

YanVugenfirer commented 2 years ago

Microsoft retired cross-signing certificates. Any certificate, other than WHQL certification, will be treated as test signing from now on. For Windows 10 we are providing attestation signed drivers. But MS doesn't have attestation signing for previous OSes.

MatthiasSeu commented 2 years ago

The self-signed certificate used is a fault, because the OS did not allow the installation with the RedHat Inc. certificate used, with the following hint: "A certificate's basic constraint extension has not been observed."

But why use different certificates at all, because the newer drivers from 2k16 and newer used a certificate where the chain and root CA are OK.

From my perspective this newer certificate should also work for the older OS, or not?

YanVugenfirer commented 2 years ago

@MatthiasSeu Unfortunately Microsoft retired cross signing certificates that were used to sign older OSes. Windows 10 drivers are signed with attestation signing through Microsoft HW portal. Microsoft isn't signing older OS drivers with attestation signing.

MatthiasSeu commented 2 years ago

@YanVugenfirer But with this certificate, it's definitely impossible to install the drivers for OS w2k12r2 and later. At the moment, we use drivers where the certificate is expired, but when you pre-import it into trusted publisher and root CA, you can install it without any trouble via pnputil.

Now I have 2 questions:

  1. Is it completely impossible to use the old certificate for the newly generated drivers for OS w2k12r2 and later?
  2. If question 1 is impossible to implement, is it possible to make a package where the old w2k12r2 and later drivers are included, and for the newer OS the latest one?

Because otherwise you can phase out the older OS versions, or am I wrong?

CaryJ commented 2 years ago

I have tried to install the certificate from the .sys file but still can't get the driver to work.

Why does it still think there is a problem with the signature after I have installed the certificate? Is there another work-around for this (besides disabling signature checking)?

Update: based on @YanVugenfirer's comment above I discovered I can install the drivers after setting testsigning:

$ bcdedit /set testsigning on

I would still prefer a method to install the drivers without having to set this.
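Added example, not part of the thread and not the project's own code: a PowerShell diagnostic that lists, for every driver catalog under a mounted virtio-win ISO, the signer, whether it is self-signed, whether its chain builds to a root trusted on this machine, and its basic constraints, which are the properties the comments above disagree about. The function name `Get-DriverCatalogTrust` and the drive letter `E:` are assumptions.

```powershell
# Added example (not from the thread). Read-only: it changes no trust store
# and no boot setting. Assumes the virtio-win ISO is mounted, e.g. as E:.
function Get-DriverCatalogTrust {
    param(
        [Parameter(Mandatory)] [string] $DriverRoot   # e.g. E:\NetKVM
    )
    $x509 = 'System.Security.Cryptography.X509Certificates'
    Get-ChildItem -Path $DriverRoot -Recurse -Filter *.cat | ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        $chainOk = $null; $root = $null; $chainStatus = $null
        $selfSigned = $null; $isCA = $null
        if ($cert) {
            $selfSigned = ($cert.Subject -eq $cert.Issuer)
            # Basic constraints extension, if the signer certificate has one
            $bc = $cert.Extensions |
                Where-Object { $_ -is ("$x509.X509BasicConstraintsExtension" -as [type]) }
            if ($bc) { $isCA = $bc.CertificateAuthority }
            # Build the chain against the local stores without fetching CRLs.
            # This validates at the current time, so an expired signer shows
            # NotTimeValid here even when the Authenticode status accepts it.
            $chain = New-Object "$x509.X509Chain"
            $chain.ChainPolicy.RevocationMode = "NoCheck"
            $chainOk = $chain.Build($cert)
            if ($chain.ChainElements.Count -gt 0) {
                $last = $chain.ChainElements[$chain.ChainElements.Count - 1]
                $root = $last.Certificate.Subject
            }
            $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
        [pscustomobject]@{
            Catalog      = $_.FullName
            Authenticode = $sig.Status          # Valid, NotSigned, NotTrusted, ...
            Signer       = if ($cert) { $cert.Subject } else { $null }
            SelfSigned   = $selfSigned
            SignerIsCA   = $isCA                # $null when no basic constraints
            ChainBuilds  = $chainOk
            ChainRoot    = $root
            ChainStatus  = $chainStatus
            NotAfter     = if ($cert) { $cert.NotAfter } else { $null }
        }
    }
}

# Usage: compare the 2k12R2 and 2k16 catalogs side by side.
# Get-DriverCatalogTrust -DriverRoot 'E:\NetKVM' | Format-Table -AutoSize
```

The output reflects user-mode Authenticode and chain validation on the machine where it runs; kernel-mode driver loading applies its own signing policy on top of that.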