Test sign kdbazis.dll for improved usability in targets
misterzed88 opened this issue · 5 comments
Thanks for the great work with keeping VirtualKD alive! I would like to add a small feature request.
It would be nice if kdbazis.dll was test signed, just like it was in the original VirtualKD fork. A test signed DLL is more easily accepted in the target (I have only tested with Windows 7, but what is written below may also apply to other versions).
An x86 OS accepts the DLL automatically. An x64 OS can be made to accept it by enabling the test signing boot menu option (either in the default entry, or in a separate entry):
bcdedit /set testsigning on
Test signing mode is also enabled when connecting with a kernel debugger (which is convenient, since kernel debugging is the main use of VirtualKD).
In both x86/x64 the system can be started from a simple menu selection, avoiding the need for the F8 signature disable step.
Test signing can be done with the signtool.exe /sign option, using a self-signed certificate created with makecert.exe, as described in the WDK documentation.
I have to sign kdclient as part of maintaining support for the latest version of VirtualBox. I don't mind also signing kdbazis as well and will do that for the next release.
Very good, thanks! That will benefit other users.
kdbazis is now test signed in 2021.0.
Unfortunately, the fix does not solve the original problem. The signature must be with a self-signed test certificate, as described in the WDK documentation for test signing. The current signature uses a CA chain, but not even installing the CA as a trusted root helps in this case.
So the current signature still requires the user to disable driver signature enforcement. Otherwise the system rejects the driver and enters recovery mode.
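The procedure from the opening post, followed by a check for the condition raised in the last comment (self-signed signer versus a CA chain), as an added example that is not from the thread or the VirtualKD project. The certificate subject, store name, file path and digest algorithm are assumptions; run the signing steps on the build machine and the `bcdedit` step elevated in the debug target.

```powershell
# Added example. All names and paths below are assumptions.
$Dll     = '.\kdbazis.dll'        # path to the DLL to sign (assumed)
$Name    = 'VirtualKD-Test'       # constructed certificate subject name
$Store   = 'PrivateCertStore'     # constructed certificate store name
$Digest  = 'SHA256'               # assumption: choose a digest the target OS accepts

# 1. Create a self-signed (-r) code-signing certificate with an exportable key (-pe).
makecert.exe -r -pe -ss $Store -n "CN=$Name" -eku 1.3.6.1.5.5.7.3.3 "$Name.cer"
if ($LASTEXITCODE -ne 0) { throw 'makecert failed' }

# 2. Embed the signature in the DLL.
#    Recent signtool builds require /fd; older ones can omit it.
signtool.exe sign /v /fd $Digest /s $Store /n $Name $Dll
if ($LASTEXITCODE -ne 0) { throw 'signtool sign failed' }

# 3. Inspect the embedded signature: is the signer self-signed, or part of a chain?
function Test-SelfSignedSignature {
    param([Parameter(Mandatory)][string]$Path)

    $cert = (Get-AuthenticodeSignature -FilePath $Path).SignerCertificate
    if (-not $cert) {
        return [pscustomobject]@{ Signed = $false; SelfSigned = $false; ChainLength = 0 }
    }

    # Build the chain to see how many certificates sit above the signer.
    # Build() returns $false for an untrusted root; the elements are still populated.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.Build($cert)

    [pscustomobject]@{
        Signed      = $true
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)
        ChainLength = $chain.ChainElements.Count   # 1 for a lone self-signed cert
    }
}

Test-SelfSignedSignature -Path $Dll | Format-List

# 4. In the target (elevated): enable test signing and confirm the boot entry.
bcdedit /set testsigning on
bcdedit /enum '{current}' | Select-String -Pattern 'testsigning'
```

A result with `SelfSigned` false and `ChainLength` greater than 1 corresponds to the CA-chained signature described in the last comment.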