From: "Zeeshan Ali (Khattak)" <zeeshanak@xxxxxxxxx> While I thought that I had solved the problem of Windows requiring signed device drivers and QXL driver being unsigned, I could't be more wrong: * The registry key magic I used for disabling driver signature checks on XP seems to be far from reliable. I tested it many many times but on a weird broken version of XP home edition that I can't seem to have access to anymore. I now tested against both home and professional editions both with and without this registry key magic and I observed the same result in both cases: Drivers do get installed but they remain unused by the OS after installation. The only reliable way of effectively disabling signture checks during installation is through the 'DriverSigningPolicy' option in .sif file, which means disabling signature checks permanently. * On Windows 7, disabling integrity checks and test signing after drivers' installation disables the already installed drivers too if they are not signed. * The reason I thought QXL was functional at first was that automatic resolution setting was working. Turns out that unlike on Linux, on windows automatic resolution setting only requires spice-vdagent where as QXL is only required for arbitrary resolutions. So to make QXL working out of the box, I'm afraid we don't have any choice but to disable driver signature checks permanently. Since signature checks is a security measure from vendors, we need to leave it to applications to decide whether they want to do this or not. --- data/install-scripts/windows-cmd.xml | 19 +++---------------- data/install-scripts/windows-sif.xml | 8 ++++++++ osinfo/libosinfo.syms | 3 +++ osinfo/osinfo_install_config.c | 25 +++++++++++++++++++++++++ osinfo/osinfo_install_config.h | 6 ++++++ 5 files changed, 45 insertions(+), 16 deletions(-) diff --git a/data/install-scripts/windows-cmd.xml b/data/install-scripts/windows-cmd.xml index e8ffc35..c45c543 100644 --- a/data/install-scripts/windows-cmd.xml +++ b/data/install-scripts/windows-cmd.xml @@ -14,6 +14,7 @@ <param name="script-disk" policy="optional"/> <param name="post-install-drivers-disk" policy="optional"/> <param name="post-install-drivers-location" policy="optional"/> + <param name="driver-signing" policy="optional"/> </config> <avatar-format> <mime-type>image/bmp</mime-type> @@ -71,27 +72,13 @@ REGEDIT /S <xsl:call-template name="script-disk"/>:\windows.reg </xsl:if> <xsl:call-template name="post-install-drivers-disk"/>: -<xsl:choose> - <xsl:when test="os/version < 6.0"> -reg add "HKCU\Software\Policies\Microsoft\Windows NT\Driver Signing" /v BehaviorOnFailedVerify /t reg_dword /d 00000000 /f - </xsl:when> - <xsl:otherwise> +<xsl:if test="config/driver-signing = 'false' and os/version > 5.1"> bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS bcdedit.exe -set TESTSIGNING ON - </xsl:otherwise> -</xsl:choose> +</xsl:if> for %%i in ("<xsl:call-template name="post-install-drivers-disk"/>:<xsl:value-of select="config/post-install-drivers-location"/>\*.cmd") do cmd /c %%i -<xsl:choose> - <xsl:when test="os/version < 6.0"> -reg add "HKCU\Software\Policies\Microsoft\Windows NT\Driver Signing" /v BehaviorOnFailedVerify /t reg_dword /d 00000001 /f - </xsl:when> - <xsl:otherwise> -bcdedit.exe -set loadoptions EENABLE_INTEGRITY_CHECKS -bcdedit.exe -set TESTSIGNING OFF - </xsl:otherwise> -</xsl:choose> EXIT </xsl:template> </xsl:stylesheet> diff --git a/data/install-scripts/windows-sif.xml b/data/install-scripts/windows-sif.xml index 630df56..2bccc5d 100644 --- a/data/install-scripts/windows-sif.xml +++ b/data/install-scripts/windows-sif.xml @@ -10,6 +10,7 @@ <param name="admin-password" policy="optional"/> <param name="reg-product-key" policy="required"/> <param name="user-realname" policy="required"/> + <param name="driver-signing" policy="optional"/> </config> <template> <xsl:stylesheet @@ -30,6 +31,9 @@ OemSkipEula=Yes OemPreinstall=No TargetPath=\WINDOWS +<xsl:if test="config/driver-signing = 'false'"> + DriverSigningPolicy=Ignore +</xsl:if> Repartition=Yes WaitForReboot=No UnattendSwitch=Yes @@ -78,6 +82,7 @@ <param name="user-realname" policy="required"/> <param name="hostname" policy="required"/> <param name="script-disk" policy="optional"/> + <param name="driver-signing" policy="optional"/> </config> <template> <xsl:stylesheet @@ -142,6 +147,9 @@ TargetPath=\WINNT </xsl:otherwise> </xsl:choose> +<xsl:if test="config/driver-signing = 'false'"> + DriverSigningPolicy=Ignore +</xsl:if> Repartition=Yes WaitForReboot="No" UnattendSwitch="Yes" diff --git a/osinfo/libosinfo.syms b/osinfo/libosinfo.syms index df2ba90..0942290 100644 --- a/osinfo/libosinfo.syms +++ b/osinfo/libosinfo.syms @@ -403,6 +403,9 @@ LIBOSINFO_0.2.6 { global: osinfo_device_driver_get_signed; osinfo_device_driver_set_signed; + + osinfo_install_config_get_driver_signing; + osinfo_install_config_set_driver_signing; } LIBOSINFO_0.2.3; /* Symbols in next release... diff --git a/osinfo/osinfo_install_config.c b/osinfo/osinfo_install_config.c index 1712be5..f6d2561 100644 --- a/osinfo/osinfo_install_config.c +++ b/osinfo/osinfo_install_config.c @@ -641,6 +641,31 @@ const gchar *osinfo_install_config_get_post_install_drivers_location(OsinfoInsta OSINFO_INSTALL_CONFIG_PROP_POST_INSTALL_DRIVERS_LOCATION); } +/** + * osinfo_install_config_set_driver_signing: + * @config: the install config + * @signing: boolean value + * + * If a script requires drivers to be signed, this function can be used to + * disable that security feature. WARNING: Disable driver signing may very well + * mean disabling it permanently. + */ +void osinfo_install_config_set_driver_signing(OsinfoInstallConfig *config, + gboolean signing) +{ + osinfo_entity_set_param_boolean(OSINFO_ENTITY(config), + OSINFO_INSTALL_CONFIG_PROP_DRIVER_SIGNING, + signing); +} + +gboolean osinfo_install_config_get_driver_signing(OsinfoInstallConfig *config) +{ + return osinfo_entity_get_param_value_boolean_with_default + (OSINFO_ENTITY(config), + OSINFO_INSTALL_CONFIG_PROP_DRIVER_SIGNING, + TRUE); +} + /* * Local variables: * indent-tabs-mode: nil diff --git a/osinfo/osinfo_install_config.h b/osinfo/osinfo_install_config.h index d650a0a..b3cfa7e 100644 --- a/osinfo/osinfo_install_config.h +++ b/osinfo/osinfo_install_config.h @@ -67,6 +67,8 @@ #define OSINFO_INSTALL_CONFIG_PROP_POST_INSTALL_DRIVERS_DISK "post-install-drivers-disk" #define OSINFO_INSTALL_CONFIG_PROP_POST_INSTALL_DRIVERS_LOCATION "post-install-drivers-location" +#define OSINFO_INSTALL_CONFIG_PROP_DRIVER_SIGNING "driver-signing" + typedef struct _OsinfoInstallConfig OsinfoInstallConfig; typedef struct _OsinfoInstallConfigClass OsinfoInstallConfigClass; typedef struct _OsinfoInstallConfigPrivate OsinfoInstallConfigPrivate; @@ -193,6 +195,10 @@ void osinfo_install_config_set_post_install_drivers_location(OsinfoInstallConfig const gchar *location); const gchar *osinfo_install_config_get_post_install_drivers_location(OsinfoInstallConfig *config); +void osinfo_install_config_set_driver_signing(OsinfoInstallConfig *config, + gboolean signing); +gboolean osinfo_install_config_get_driver_signing(OsinfoInstallConfig *config); + #endif /* __OSINFO_INSTALL_CONFIG_H__ */ /* * Local variables: -- 1.8.1.4 _______________________________________________ Libosinfo mailing list Libosinfo@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libosinfo