ACK On Fri, Mar 15, 2013 at 04:23:10PM +0200, Zeeshan Ali (Khattak) wrote: > From: "Zeeshan Ali (Khattak)" <zeeshanak@xxxxxxxxx> > > While I thought that I had solved the problem of Windows requiring > signed device drivers and QXL driver being unsigned, I couldn't be more > wrong: > > * The registry key magic I used for disabling driver signature checks > on XP seems to be far from reliable. I tested it many many times but > on a weird broken version of XP home edition that I can't seem to > have access to anymore. I now tested against both home and professional > editions both with and without this registry key magic and I observed > the same result in both cases: Drivers do get installed but they remain > unused by the OS after installation. The only reliable way of > effectively disabling signature checks during installation is through > the 'DriverSigningPolicy' option in .sif file, which means disabling > signature checks permanently. > * On Windows 7, disabling integrity checks and test signing after > drivers' installation disables the already installed drivers too if > they are not signed. > * The reason I thought QXL was functional at first was that automatic > resolution setting was working. Turns out that unlike on Linux, on > Windows automatic resolution setting only requires spice-vdagent > whereas QXL is only required for arbitrary resolutions. > > So to make QXL work out of the box, I'm afraid we don't have any > choice but to disable driver signature checks permanently. Since > signature checks are a security measure from vendors, we need to leave > it to applications to decide whether they want to do this or not. > --- > data/install-scripts/windows-cmd.xml | 19 +++---------------- > data/install-scripts/windows-sif.xml | 8 ++++++++ > osinfo/libosinfo.syms | 3 +++ > osinfo/osinfo_install_config.c | 33 +++++++++++++++++++++++++++++++++ > osinfo/osinfo_install_config.h | 6 ++++++ > 5 files changed, 53 insertions(+), 16 deletions(-) 
> > diff --git a/data/install-scripts/windows-cmd.xml b/data/install-scripts/windows-cmd.xml > index e8ffc35..c45c543 100644 > --- a/data/install-scripts/windows-cmd.xml > +++ b/data/install-scripts/windows-cmd.xml > @@ -14,6 +14,7 @@ > <param name="script-disk" policy="optional"/> > <param name="post-install-drivers-disk" policy="optional"/> > <param name="post-install-drivers-location" policy="optional"/> > + <param name="driver-signing" policy="optional"/> > </config> > <avatar-format> > <mime-type>image/bmp</mime-type> > @@ -71,27 +72,13 @@ REGEDIT /S <xsl:call-template name="script-disk"/>:\windows.reg > </xsl:if> > > <xsl:call-template name="post-install-drivers-disk"/>: > -<xsl:choose> > - <xsl:when test="os/version < 6.0"> > -reg add "HKCU\Software\Policies\Microsoft\Windows NT\Driver Signing" /v BehaviorOnFailedVerify /t reg_dword /d 00000000 /f > - </xsl:when> > - <xsl:otherwise> > +<xsl:if test="config/driver-signing = 'false' and os/version > 5.1"> > bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS > bcdedit.exe -set TESTSIGNING ON > - </xsl:otherwise> > -</xsl:choose> > +</xsl:if> > > for %%i in ("<xsl:call-template name="post-install-drivers-disk"/>:<xsl:value-of select="config/post-install-drivers-location"/>\*.cmd") do cmd /c %%i > > -<xsl:choose> > - <xsl:when test="os/version < 6.0"> > -reg add "HKCU\Software\Policies\Microsoft\Windows NT\Driver Signing" /v BehaviorOnFailedVerify /t reg_dword /d 00000001 /f > - </xsl:when> > - <xsl:otherwise> > -bcdedit.exe -set loadoptions EENABLE_INTEGRITY_CHECKS > -bcdedit.exe -set TESTSIGNING OFF > - </xsl:otherwise> > -</xsl:choose> > EXIT > </xsl:template> > </xsl:stylesheet> > diff --git a/data/install-scripts/windows-sif.xml b/data/install-scripts/windows-sif.xml > index 630df56..2bccc5d 100644 > --- a/data/install-scripts/windows-sif.xml > +++ b/data/install-scripts/windows-sif.xml 
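Review bot: The new guard `os/version > 5.1` in the second windows-cmd.xml hunk also matches version 5.2, whereas the removed `xsl:choose` kept everything below 6.0 out of the `bcdedit.exe` branch. If this script can be selected for a 5.2 guest (not visible from this hunk), the two `bcdedit.exe` lines would run on a system the old code never ran them on; `test="config/driver-signing = 'false' and os/version >= 6.0"` keeps the previous boundary. Because the re-enable block after the driver loop is removed, the guest is left with integrity checks disabled and `TESTSIGNING ON`. A short comment in the template would help, stating that this state is permanent and is only entered when the application sets `driver-signing` to false.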
> @@ -10,6 +10,7 @@ > <param name="admin-password" policy="optional"/> > <param name="reg-product-key" policy="required"/> > <param name="user-realname" policy="required"/> > + <param name="driver-signing" policy="optional"/> > </config> > <template> > <xsl:stylesheet > @@ -30,6 +31,9 @@ > OemSkipEula=Yes > OemPreinstall=No > TargetPath=\WINDOWS > +<xsl:if test="config/driver-signing = 'false'"> > + DriverSigningPolicy=Ignore > +</xsl:if> > Repartition=Yes > WaitForReboot=No > UnattendSwitch=Yes > @@ -78,6 +82,7 @@ > <param name="user-realname" policy="required"/> > <param name="hostname" policy="required"/> > <param name="script-disk" policy="optional"/> > + <param name="driver-signing" policy="optional"/> > </config> > <template> > <xsl:stylesheet > @@ -142,6 +147,9 @@ > TargetPath=\WINNT > </xsl:otherwise> > </xsl:choose> > +<xsl:if test="config/driver-signing = 'false'"> > + DriverSigningPolicy=Ignore > +</xsl:if> > Repartition=Yes > WaitForReboot="No" > UnattendSwitch="Yes" > diff --git a/osinfo/libosinfo.syms b/osinfo/libosinfo.syms > index df2ba90..0942290 100644 > --- a/osinfo/libosinfo.syms > +++ b/osinfo/libosinfo.syms > @@ -403,6 +403,9 @@ LIBOSINFO_0.2.6 { > global: > osinfo_device_driver_get_signed; > osinfo_device_driver_set_signed; > + > + osinfo_install_config_get_driver_signing; > + osinfo_install_config_set_driver_signing; > } LIBOSINFO_0.2.3; > > /* Symbols in next release... > diff --git a/osinfo/osinfo_install_config.c b/osinfo/osinfo_install_config.c > index 1712be5..5a9627a 100644 > --- a/osinfo/osinfo_install_config.c > +++ b/osinfo/osinfo_install_config.c 
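Review bot: Both `DriverSigningPolicy=Ignore` blocks in windows-sif.xml (the second and fourth hunks) depend on the literal string comparison `config/driver-signing = 'false'`, so they silently stay inactive if the boolean is ever serialised differently, for example as `FALSE` or `0`. How `osinfo_entity_set_param_boolean` writes the value is not visible here and should be confirmed. That failure direction is the safe one, since signature checks stay on, but it would make the option appear to do nothing. The policy covers every unsigned driver and, per the commit description, persists after installation, so I would add a comment above each `xsl:if` such as `<!-- Only emitted when the application opts out of driver signing; the policy persists on the installed system. -->`.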
> @@ -641,6 +641,39 @@ const gchar *osinfo_install_config_get_post_install_drivers_location(OsinfoInsta > OSINFO_INSTALL_CONFIG_PROP_POST_INSTALL_DRIVERS_LOCATION); > } > > +/** > + * osinfo_install_config_set_driver_signing: > + * @config: the install config > + * @signing: boolean value > + * > + * If a script requires drivers to be signed, this function can be used to > + * disable that security feature. WARNING: Disabling driver signing may very > + * well mean disabling it permanently. > + */ > +void osinfo_install_config_set_driver_signing(OsinfoInstallConfig *config, > + gboolean signing) > +{ > + osinfo_entity_set_param_boolean(OSINFO_ENTITY(config), > + OSINFO_INSTALL_CONFIG_PROP_DRIVER_SIGNING, > + signing); > +} > + > +/** > + * osinfo_install_config_get_driver_signing: > + * @config: the install config > + * > + * Returns: %TRUE if driver signing is currently enabled, %FALSE otherwise, see > + * #osinfo_install_config_set_driver_signing() for more details about driver > + * signing. > + */ > +gboolean osinfo_install_config_get_driver_signing(OsinfoInstallConfig *config) > +{ > + return osinfo_entity_get_param_value_boolean_with_default > + (OSINFO_ENTITY(config), > + OSINFO_INSTALL_CONFIG_PROP_DRIVER_SIGNING, > + TRUE); > +} > + > /* > * Local variables: > * indent-tabs-mode: nil > diff --git a/osinfo/osinfo_install_config.h b/osinfo/osinfo_install_config.h > index d650a0a..b3cfa7e 100644 > --- a/osinfo/osinfo_install_config.h > +++ b/osinfo/osinfo_install_config.h > @@ -67,6 +67,8 @@ > #define OSINFO_INSTALL_CONFIG_PROP_POST_INSTALL_DRIVERS_DISK "post-install-drivers-disk" > #define OSINFO_INSTALL_CONFIG_PROP_POST_INSTALL_DRIVERS_LOCATION "post-install-drivers-location" > > +#define OSINFO_INSTALL_CONFIG_PROP_DRIVER_SIGNING "driver-signing" > + > typedef struct _OsinfoInstallConfig OsinfoInstallConfig; > typedef struct _OsinfoInstallConfigClass OsinfoInstallConfigClass; > typedef struct _OsinfoInstallConfigPrivate OsinfoInstallConfigPrivate; 
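Review bot: The doc comment on `osinfo_install_config_set_driver_signing` does not say which value of `@signing` turns the checks off, nor that the default is on, although the getter in the same hunk falls back to `TRUE`. For an option that weakens a guest security control this should be explicit, e.g. `@signing: %TRUE (the default) to keep driver signature checks, %FALSE to have the install script disable them`. The getter's "currently enabled" wording could be read as the guest's live state, but it returns the configured parameter. `Returns: %TRUE if the install script will leave driver signature checks enabled (the default), %FALSE otherwise` would be more accurate.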
> @@ -193,6 +195,10 @@ void osinfo_install_config_set_post_install_drivers_location(OsinfoInstallConfig > const gchar *location); > const gchar *osinfo_install_config_get_post_install_drivers_location(OsinfoInstallConfig *config); > > +void osinfo_install_config_set_driver_signing(OsinfoInstallConfig *config, > + gboolean signing); > +gboolean osinfo_install_config_get_driver_signing(OsinfoInstallConfig *config); > + > #endif /* __OSINFO_INSTALL_CONFIG_H__ */ > /* > * Local variables: > -- > 1.8.1.4 > > _______________________________________________ > Libosinfo mailing list > Libosinfo@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/libosinfo