[Bug]: Driver Fails to install untrusted root certificate
Opened this issue · 2 comments
Which OS?
Win11 Pro
Which release?
24H2
Describe the bug
Hi guys, I was super stoked to see ARM64 support was added as a supported platform. I'm running on a Surface Pro 11 (Snapdragon(R) X 12-core X1E80100) and I've been trying to install it, and even though the certificate is installed in the trusted root certificate authorities, Windows refuses to acknowledge it as a valid certificate. I've validated that the signing of the DLL has the same thumbprint as the one installed in the root certification authority.
I've tried googling around and there are a few reports that seem to suggest that ARM64 is perhaps more stringent with driver signing. Are there additional steps I need to follow to get the driver loading?
Steps to reproduce
- Run the certificate .bat as administrator
- Follow the beta driver instructions.
Expected behavior
Driver installs successfully
Log File (Beta Only)
[Boot Session: 2024/11/28 17:03:31.576]
[Device Install (DiInstallDevice) - ROOT\DISPLAY\0002]
Section start 2024/11/28 17:05:24.659
cmd: "C:\WINDOWS\system32\mmc.exe" C:\WINDOWS\system32\devmgmt.msc
ndv: Flags: 0x00000002
dvi: Class GUID of device changed to: {4d36e968-e325-11ce-bfc1-08002be10318}.
sto: {Setup Import Driver Package: c:\virtualdisplaydriver\mttvdd.inf} 17:05:24.664
inf: Provider: MikeTheTech
inf: Class GUID: {4D36E968-E325-11CE-BFC1-08002BE10318}
inf: Driver Version: 10/16/2024,8.35.1.29
inf: Catalog File: MttVDD.cat
sto: {Copy Driver Package: c:\virtualdisplaydriver\mttvdd.inf} 17:05:24.670
sto: Driver Package = c:\virtualdisplaydriver\mttvdd.inf
sto: Flags = 0x00000007
sto: Destination = C:\Users\STEVEB~1\AppData\Local\Temp\{13d179ff-eafc-5b47-9e34-1753a1b06b2b}
sto: Copying driver package files to 'C:\Users\STEVEB~1\AppData\Local\Temp\{13d179ff-eafc-5b47-9e34-1753a1b06b2b}'.
flq: {FILE_QUEUE_COMMIT} 17:05:24.673
flq: Copying 'c:\virtualdisplaydriver\MttVDD.dll' to 'C:\Users\STEVEB~1\AppData\Local\Temp\{13d179ff-eafc-5b47-9e34-1753a1b06b2b}\MttVDD.dll'.
flq: Copying 'c:\virtualdisplaydriver\mttvdd.inf' to 'C:\Users\STEVEB~1\AppData\Local\Temp\{13d179ff-eafc-5b47-9e34-1753a1b06b2b}\mttvdd.inf'.
flq: Copying 'c:\virtualdisplaydriver\MttVDD.cat' to 'C:\Users\STEVEB~1\AppData\Local\Temp\{13d179ff-eafc-5b47-9e34-1753a1b06b2b}\MttVDD.cat'.
flq: {FILE_QUEUE_COMMIT - exit(0x00000000)} 17:05:24.702
sto: {Copy Driver Package: exit(0x00000000)} 17:05:24.703
ump: Import flags: 0x00000000
pol: {Driver package policy check} 17:05:24.714
pol: {Driver package policy check - exit(0x00000000)} 17:05:24.715
sto: {Stage Driver Package: C:\Users\STEVEB~1\AppData\Local\Temp\{13d179ff-eafc-5b47-9e34-1753a1b06b2b}\mttvdd.inf} 17:05:24.715
inf: Provider = MikeTheTech
inf: Class GUID = {4d36e968-e325-11ce-bfc1-08002be10318}
inf: Class Version = 2.0
inf: Driver Version = 10/16/2024,8.35.1.29
inf: Catalog File = MttVDD.cat
inf: Version Flags = 0x00000003
inf: {Query Configurability: C:\Users\STEVEB~1\AppData\Local\Temp\{13d179ff-eafc-5b47-9e34-1753a1b06b2b}\mttvdd.inf} 17:05:24.720
! inf: Using WDF schema version 2.23 when section requires version 2.25. Section = [MyDevice_Install.NT.Wdf]
inf: Driver package uses WDF.
inf: Driver package 'mttvdd.inf' is configurable.
inf: {Query Configurability: exit(0x00000000)} 17:05:24.721
flq: {FILE_QUEUE_COMMIT} 17:05:24.723
flq: Copying 'C:\Users\STEVEB~1\AppData\Local\Temp\{13d179ff-eafc-5b47-9e34-1753a1b06b2b}\MttVDD.dll' to 'C:\WINDOWS\System32\DriverStore\Temp\{3b8a702a-c37e-024d-9c37-1e073a748157}\MttVDD.dll'.
flq: Copying 'C:\Users\STEVEB~1\AppData\Local\Temp\{13d179ff-eafc-5b47-9e34-1753a1b06b2b}\mttvdd.inf' to 'C:\WINDOWS\System32\DriverStore\Temp\{3b8a702a-c37e-024d-9c37-1e073a748157}\mttvdd.inf'.
flq: Copying 'C:\Users\STEVEB~1\AppData\Local\Temp\{13d179ff-eafc-5b47-9e34-1753a1b06b2b}\MttVDD.cat' to 'C:\WINDOWS\System32\DriverStore\Temp\{3b8a702a-c37e-024d-9c37-1e073a748157}\MttVDD.cat'.
flq: {FILE_QUEUE_COMMIT - exit(0x00000000)} 17:05:24.751
sto: {DRIVERSTORE IMPORT VALIDATE} 17:05:24.752
sig: Driver package catalog is valid.
sig: {_VERIFY_FILE_SIGNATURE} 17:05:24.758
sig: Key = mttvdd.inf
sig: FilePath = C:\WINDOWS\System32\DriverStore\Temp\{3b8a702a-c37e-024d-9c37-1e073a748157}\mttvdd.inf
sig: Catalog = C:\WINDOWS\System32\DriverStore\Temp\{3b8a702a-c37e-024d-9c37-1e073a748157}\MttVDD.cat
! sig: Verifying file against specific (valid) catalog failed.
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 17:05:24.773
sig: {_VERIFY_FILE_SIGNATURE} 17:05:24.774
sig: Key = mttvdd.inf
sig: FilePath = C:\WINDOWS\System32\DriverStore\Temp\{3b8a702a-c37e-024d-9c37-1e073a748157}\mttvdd.inf
sig: Catalog = C:\WINDOWS\System32\DriverStore\Temp\{3b8a702a-c37e-024d-9c37-1e073a748157}\MttVDD.cat
! sig: Verifying file against specific Authenticode(tm) catalog failed.
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 17:05:24.784
!!! sig: Driver package catalog file certificate does not belong to Trusted Root Certificates, and Code Integrity is enforced.
!!! sig: Driver package failed signature validation. Error = 0x800B0109
sto: {DRIVERSTORE IMPORT VALIDATE: exit(0x800b0109)} 17:05:24.785
!!! sig: Driver package failed signature verification. Error = 0x800B0109
!!! sto: Failed to import driver package into Driver Store. Error = 0x800B0109
sto: {Stage Driver Package: exit(0x800b0109)} 17:05:24.787
sto: {Setup Import Driver Package - exit (0x800b0109)} 17:05:24.791
!!! ndv: Driver package import failed for device.
ndv: Installing NULL driver.
ump: {Plug and Play Service: Device Install for ROOT\DISPLAY\0002}
! dvi: Installing NULL driver!
dvi: {Core Device Install} 17:05:24.799
dvi: {Configure Device - ROOT\DISPLAY\0002} 17:05:24.800
dvi: Device Status: 0x01802001
dvi: Parent Device: HTREE\ROOT\0
dvi: Install Device: Configuring device. 17:05:24.802
dvi: Configuration: null
dvi: Install Device: Configuring device completed. 17:05:24.804
dvi: Device Status: 0x01802401 [0x1c - 0xc0000490]
dvi: Install Device: Starting device 'ROOT\DISPLAY\0002'. 17:05:24.804
dvi: Install Device: Starting device completed. 17:05:24.814
! dvi: Device not started (unknown reason): Device has no problem.
dvi: {Configure Device - exit(0x00000000)} 17:05:24.817
dvi: {Core Device Install - exit(0x00000000)} 17:05:24.819
ump: {Plug and Play Service: Device Install exit(00000000)}
<<< Section end 2024/11/28 17:05:24.823
<<< [Exit status: FAILURE(0x00000109)]
[Device Install (DiInstallDevice) - ROOT\DISPLAY\0002]
Section start 2024/11/28 17:05:24.823
cmd: "C:\WINDOWS\system32\mmc.exe" C:\WINDOWS\system32\devmgmt.msc
ndv: Flags: 0x00000004
ump: {Plug and Play Service: Device Install for ROOT\DISPLAY\0002}
! dvi: Installing NULL driver!
dvi: {Core Device Install} 17:05:24.831
dvi: {Configure Device - ROOT\DISPLAY\0002} 17:05:24.832
dvi: Device Status: 0x01802001
dvi: Config Flags: 0x00000000
dvi: Parent Device: HTREE\ROOT\0
dvi: Install Device: Configuring device. 17:05:24.833
dvi: Configuration: null
dvi: Install Device: Configuring device completed. 17:05:24.835
dvi: Device Status: 0x01802401 [0x1c - 0xc0000490]
dvi: Install Device: Starting device 'ROOT\DISPLAY\0002'. 17:05:24.836
dvi: Install Device: Starting device completed. 17:05:24.838
! dvi: Device not started (unknown reason): Device has no problem.
dvi: {Configure Device - exit(0x00000000)} 17:05:24.840
dvi: {Core Device Install - exit(0x00000000)} 17:05:24.841
ump: {Plug and Play Service: Device Install exit(00000000)}
<<< Section end 2024/11/28 17:05:24.845
<<< [Exit status: SUCCESS]
[Delete Device - ROOT\DISPLAY\0002]
Section start 2024/11/28 17:05:26.894
cmd: "C:\WINDOWS\system32\mmc.exe" C:\WINDOWS\system32\devmgmt.msc
dvi: Query-and-Remove succeeded
<<< Section end 2024/11/28 17:05:26.902
<<< [Exit status: SUCCESS]
Contact Details
No response
Yeah, we're aware of the issue. However, we're not sure why it won't work, so it's hard to figure out, since it works fine on an earlier version of Windows (as seen in the screenshot). The only way as of now is to disable driver signing enforcement or to enable test signing in a terminal (bcdedit /set testsigning on), but neither of them is ideal. You may be able to enable driver signing again afterwards and keep the driver running until you uninstall it, just disable it when it's not needed.
Edit:
Microsoft restricted the driver signing rules to not validate certs in the system's trusted root certificates, and instead validate against a different internal trust store which the user doesn't have access to. Aka following similar rules as Windows S mode (more restrictive), being one of them.
Windows S mode driver signing requirements
Driver packages must be digitally signed with a Windows, WHQL, ELAM, or Store certificate from the Windows Hardware Developer Center Dashboard
And based off the driver signing requirements for Windows S mode, it states driver packages must be digitally signed with a Windows, WHQL, ELAM or Store cert, so no, custom root certs are no longer checked on Windows ARM64.
Based off your provided error log, we can see below that the certificate is processed, however it will refuse to work since it's not trusted by a trust provider:
sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Basically, the TL;DR of it is, Microsoft are annoying and won't let custom root certs work, only ones in the existing store, so it will refuse to accept it as a valid signature.
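The split described in this thread (a custom root that the machine's Trusted Root store accepts but the driver-signing trust provider does not) can be made visible on the affected machine with a short PowerShell script. This is an added example, not code from the issue or from the driver project; the catalog path is the one from the log above and is the only assumption, and the "Microsoft root" test is a subject-name heuristic, not the trust provider's real policy:

```powershell
# Added example; not code from this issue or from the driver project.
# Assumes a PowerShell session on the affected Windows machine and that $CatalogPath
# points at the driver package's .cat file (default: the path seen in the log above).
param(
    [string]$CatalogPath = 'C:\virtualdisplaydriver\MttVDD.cat'
)

# 1. Generic Authenticode verdict. The default WinVerifyTrust policy consults
#    LocalMachine\Root, so a self-made root imported there yields "Valid" here
#    even though the driver-signing trust provider may still reject the package.
$sig = Get-AuthenticodeSignature -LiteralPath $CatalogPath
"Authenticode status  : $($sig.Status) ($($sig.StatusMessage))"
if (-not $sig.SignerCertificate) {
    "No signer certificate: the catalog is unsigned or could not be read."
    return
}

# 2. Build the chain and identify the root it terminates in.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$null = $chain.Build($sig.SignerCertificate)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Signer subject       : $($sig.SignerCertificate.Subject)"
"Chain root subject   : $($root.Subject)"
"Chain root thumbprint: $($root.Thumbprint)"

# 3. The check the reporter did by hand: is that root in the machine Root store?
#    Necessary for generic Authenticode trust; per the thread, not sufficient for
#    driver installation on Windows 11 ARM64.
$inRootStore = Test-Path -LiteralPath "Cert:\LocalMachine\Root\$($root.Thumbprint)"
"In LocalMachine\Root : $inRootStore"

# 4. Heuristic only: a root whose subject names Microsoft is the kind the driver
#    trust provider accepts; anything else is treated as a custom root.
$microsoftRoot = $root.Subject -match 'Microsoft'
"Microsoft-issued root: $microsoftRoot"

# 5. Boot-time signing policy. bcdedit needs an elevated prompt; when it is not
#    available the state is reported as unknown rather than guessed.
$bcd = & bcdedit /enum '{current}' 2>$null
if (-not $bcd) {
    "testsigning          : unknown (run from an elevated prompt)"
    $testSigning = $false
} else {
    $testSigning = [bool]($bcd | Where-Object { $_ -match '^\s*testsigning\s+Yes' })
    "testsigning          : $testSigning"
}

# 6. Verdict matching the log in this issue: generic Authenticode trusts the
#    catalog through a custom root, yet staging into the Driver Store will fail
#    with 0x800B0109 unless test signing is on.
if ($sig.Status -eq 'Valid' -and -not $microsoftRoot -and -not $testSigning) {
    "Verdict: trusted only via a custom root; expect 0x800B0109 in setupapi.dev.log."
} elseif ($sig.Status -ne 'Valid') {
    "Verdict: signature not valid even under generic Authenticode; fix the catalog or cert first."
} else {
    "Verdict: no driver-signing trust problem visible from these checks."
}
```

Save it as Check-DriverCatalog.ps1 and run it with -CatalogPath pointing at the package's .cat. The authoritative check, if the Windows SDK is installed, is signtool's kernel-mode policy mode, e.g. signtool verify /kp /v /c MttVDD.cat MttVDD.dll, which applies the driver-signing policy rather than the generic Authenticode policy that Get-AuthenticodeSignature uses.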
Thanks so much for taking the time to respond, and a bit of a shame that's how things are, but also understandable.
In my case the Surface Pro 11 is owned by my company, so I don't think they'll appreciate me disabling driver signing or enabling test signing on the device. (Though I technically could...)
You've answered my question perfectly. If you'd like to close off this issue, or perhaps keep it open in case we can get some notification if the situation changes, I'd also be open to hitting that sponsor button if it made it possible to get the driver through WHQL or whatever process needs to happen to get a properly signed driver.