[PATCH 2/3] install-config, winxp, win7: API to enable/disable driver signing

["Zeeshan Ali (Khattak)" <zeeshanak@xxxxxxxxx>]

From: "Zeeshan Ali (Khattak)" <zeeshanak@xxxxxxxxx>

While I thought that I had solved the problem of Windows requiring
signed device drivers and QXL driver being unsigned, I could't be more
wrong:

* The registry key magic I used for disabling driver signature checks
  on XP seems to be far from reliable. I tested it many many times but
  on a weird broken version of XP home edition that I can't seem to
  have access to anymore. I now tested against both home and professional
  editions both with and without this registry key magic and I observed
  the same result in both cases: Drivers do get installed but they remain
  unused by the OS after installation. The only reliable way of
  effectively disabling signture checks during installation is through
  the 'DriverSigningPolicy' option in .sif file, which means disabling
  signature checks permanently.
* On Windows 7, disabling integrity checks and test signing after
  drivers' installation disables the already installed drivers too if
  they are not signed.
* The reason I thought QXL was functional at first was that automatic
  resolution setting was working. Turns out that unlike on Linux, on
  windows automatic resolution setting only requires spice-vdagent where
  as QXL is only required for arbitrary resolutions.

So to make QXL working out of the box, I'm afraid we don't have any
choice but to disable driver signature checks permanently. Since
signature checks is a security measure from vendors, we need to leave
it to applications to decide whether they want to do this or not.
---
 data/install-scripts/windows-cmd.xml | 19 +++----------------
 data/install-scripts/windows-sif.xml |  8 ++++++++
 osinfo/libosinfo.syms                |  3 +++
 osinfo/osinfo_install_config.c       | 25 +++++++++++++++++++++++++
 osinfo/osinfo_install_config.h       |  6 ++++++
 5 files changed, 45 insertions(+), 16 deletions(-)

diff --git a/data/install-scripts/windows-cmd.xml b/data/install-scripts/windows-cmd.xml
index e8ffc35..c45c543 100644
--- a/data/install-scripts/windows-cmd.xml
+++ b/data/install-scripts/windows-cmd.xml
@@ -14,6 +14,7 @@
       <param name="script-disk" policy="optional"/>
       <param name="post-install-drivers-disk" policy="optional"/>
       <param name="post-install-drivers-location" policy="optional"/>
+      <param name="driver-signing" policy="optional"/>
     </config>
     <avatar-format>
       <mime-type>image/bmp</mime-type>
@@ -71,27 +72,13 @@ REGEDIT /S <xsl:call-template name="script-disk"/>:\windows.reg
 </xsl:if>
 
 <xsl:call-template name="post-install-drivers-disk"/>:
-<xsl:choose>
-  <xsl:when test="os/version &lt; 6.0">
-reg add "HKCU\Software\Policies\Microsoft\Windows NT\Driver Signing" /v BehaviorOnFailedVerify /t reg_dword /d 00000000 /f
-  </xsl:when>
-  <xsl:otherwise>
+<xsl:if test="config/driver-signing = 'false' and os/version &gt; 5.1">
 bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS
 bcdedit.exe -set TESTSIGNING ON
-  </xsl:otherwise>
-</xsl:choose>
+</xsl:if>
 
 for %%i in ("<xsl:call-template name="post-install-drivers-disk"/>:<xsl:value-of select="config/post-install-drivers-location"/>\*.cmd") do cmd /c %%i
 
-<xsl:choose>
-  <xsl:when test="os/version &lt; 6.0">
-reg add "HKCU\Software\Policies\Microsoft\Windows NT\Driver Signing" /v BehaviorOnFailedVerify /t reg_dword /d 00000001 /f
-  </xsl:when>
-  <xsl:otherwise>
-bcdedit.exe -set loadoptions EENABLE_INTEGRITY_CHECKS
-bcdedit.exe -set TESTSIGNING OFF
-  </xsl:otherwise>
-</xsl:choose>
 EXIT
 	</xsl:template>
       </xsl:stylesheet>
diff --git a/data/install-scripts/windows-sif.xml b/data/install-scripts/windows-sif.xml
index 630df56..2bccc5d 100644
--- a/data/install-scripts/windows-sif.xml
+++ b/data/install-scripts/windows-sif.xml
@@ -10,6 +10,7 @@
       <param name="admin-password" policy="optional"/>
       <param name="reg-product-key" policy="required"/>
       <param name="user-realname" policy="required"/>
+      <param name="driver-signing" policy="optional"/>
     </config>
     <template>
       <xsl:stylesheet
@@ -30,6 +31,9 @@
     OemSkipEula=Yes
     OemPreinstall=No
     TargetPath=\WINDOWS
+<xsl:if test="config/driver-signing = 'false'">
+    DriverSigningPolicy=Ignore
+</xsl:if>
     Repartition=Yes
     WaitForReboot=No
     UnattendSwitch=Yes
@@ -78,6 +82,7 @@
       <param name="user-realname" policy="required"/>
       <param name="hostname" policy="required"/>
       <param name="script-disk" policy="optional"/>
+      <param name="driver-signing" policy="optional"/>
     </config>
     <template>
       <xsl:stylesheet
@@ -142,6 +147,9 @@
     TargetPath=\WINNT
   </xsl:otherwise>
 </xsl:choose>
+<xsl:if test="config/driver-signing = 'false'">
+    DriverSigningPolicy=Ignore
+</xsl:if>
     Repartition=Yes
     WaitForReboot="No"
     UnattendSwitch="Yes"
diff --git a/osinfo/libosinfo.syms b/osinfo/libosinfo.syms
index df2ba90..0942290 100644
--- a/osinfo/libosinfo.syms
+++ b/osinfo/libosinfo.syms
@@ -403,6 +403,9 @@ LIBOSINFO_0.2.6 {
     global:
 	osinfo_device_driver_get_signed;
 	osinfo_device_driver_set_signed;
+
+	osinfo_install_config_get_driver_signing;
+	osinfo_install_config_set_driver_signing;
 } LIBOSINFO_0.2.3;
 
 /* Symbols in next release...
diff --git a/osinfo/osinfo_install_config.c b/osinfo/osinfo_install_config.c
index 1712be5..f6d2561 100644
--- a/osinfo/osinfo_install_config.c
+++ b/osinfo/osinfo_install_config.c
@@ -641,6 +641,31 @@ const gchar *osinfo_install_config_get_post_install_drivers_location(OsinfoInsta
              OSINFO_INSTALL_CONFIG_PROP_POST_INSTALL_DRIVERS_LOCATION);
 }
 
+/**
+ * osinfo_install_config_set_driver_signing:
+ * @config: the install config
+ * @signing: boolean value
+ *
+ * If a script requires drivers to be signed, this function can be used to
+ * disable that security feature. WARNING: Disable driver signing may very well
+ * mean disabling it permanently.
+ */
+void osinfo_install_config_set_driver_signing(OsinfoInstallConfig *config,
+                                              gboolean signing)
+{
+    osinfo_entity_set_param_boolean(OSINFO_ENTITY(config),
+                                    OSINFO_INSTALL_CONFIG_PROP_DRIVER_SIGNING,
+                                    signing);
+}
+
+gboolean osinfo_install_config_get_driver_signing(OsinfoInstallConfig *config)
+{
+    return osinfo_entity_get_param_value_boolean_with_default
+            (OSINFO_ENTITY(config),
+             OSINFO_INSTALL_CONFIG_PROP_DRIVER_SIGNING,
+             TRUE);
+}
+
 /*
  * Local variables:
  *  indent-tabs-mode: nil
diff --git a/osinfo/osinfo_install_config.h b/osinfo/osinfo_install_config.h
index d650a0a..b3cfa7e 100644
--- a/osinfo/osinfo_install_config.h
+++ b/osinfo/osinfo_install_config.h
@@ -67,6 +67,8 @@
 #define OSINFO_INSTALL_CONFIG_PROP_POST_INSTALL_DRIVERS_DISK "post-install-drivers-disk"
 #define OSINFO_INSTALL_CONFIG_PROP_POST_INSTALL_DRIVERS_LOCATION "post-install-drivers-location"
 
+#define OSINFO_INSTALL_CONFIG_PROP_DRIVER_SIGNING "driver-signing"
+
 typedef struct _OsinfoInstallConfig        OsinfoInstallConfig;
 typedef struct _OsinfoInstallConfigClass   OsinfoInstallConfigClass;
 typedef struct _OsinfoInstallConfigPrivate OsinfoInstallConfigPrivate;
@@ -193,6 +195,10 @@ void osinfo_install_config_set_post_install_drivers_location(OsinfoInstallConfig
                                                              const gchar *location);
 const gchar *osinfo_install_config_get_post_install_drivers_location(OsinfoInstallConfig *config);
 
+void osinfo_install_config_set_driver_signing(OsinfoInstallConfig *config,
+                                              gboolean signing);
+gboolean osinfo_install_config_get_driver_signing(OsinfoInstallConfig *config);
+
 #endif /* __OSINFO_INSTALL_CONFIG_H__ */
 /*
  * Local variables:
-- 
1.8.1.4

_______________________________________________
Libosinfo mailing list
Libosinfo@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libosinfo